SSL "hack/forgery": Update your sh*t!!!

09-06-2011, 05:05 PM  #1
Moog-Type-S (Thread Starter)

Hackers colluding with the Iranian government to spy on democratic activists may have made it easier for cybercrooks to spy on you, a security expert told FoxNews.com.

The Dutch government over the weekend seized control of DigiNotar -- which sells "SSL" security certificates that act as a handshake guaranteeing online transactions -- saying certificates it had issued were forged and could no longer be relied on. The hack targeted Iranian activists, but you might be a victim too, warned Ira Victor, director of the digital forensics practice with Data Clone Labs and a member of the High Technology Crime Investigation Association (HTCIA).

"Millions of websites use SSL to protect their users' information -- that's why the SSL digital certificates are such a tempting target for cybercriminals," Victor told FoxNews.com.

The forgeries were used almost exclusively in Iran for political reasons, mainly to spy on Iranian citizens, according to a recent review by IT firm Fox-IT and experts at security firm Kaspersky Labs. But individuals worldwide might end up in the crosshairs anyway, Victor warned.

"The [hacker] appears to be politically motivated, but that doesn't prevent him from cashing in on SSL certificates for his own profit, directly, or indirectly, and to use those funds for his political goals," he said, noting that "just about every digital asset is for sale in the digital black market."

Experts say most major Internet communications companies had already used the phony forms; fake Google certificates had been used by 300,000 IP addresses, for example, as well as Skype, Microsoft, Facebook and more.

SSL digital certificates govern the basic security of all Internet transactions: Log onto a web browser or an email account and you'll often end up sending data that relies on one. With access to that certificate, a cybercrook could snoop the bits and bytes of what should be a secure transaction.


It's called a "man in the middle" assault -- and it's anything but common, scoffed Anup Ghosh, chief scientist with security company Invincea.

"Most hackers never resort to this," he told FoxNews.com. "If I want to capture your email, your online transactions, I don't need to forge a certificate. I can just compromise your machine."

Use of a certificate would require massive rerouting of Internet traffic, Ghosh said -- the sort of thing you'd do to snoop on Iran, not the average citizen.

"The only way for you to employ a forged certificate is if you can reroute my request to your server. You'd have to hack infrastructure," he said.


That hasn't stopped Microsoft from issuing updates to the Internet Explorer web browser on Windows 7 and Windows Vista, which you can install by running Windows Update. Late Tuesday the company issued an emergency patch for Windows XP as well. Google and Mozilla, maker of the Firefox browser, have also issued updates to their software.

Apple has made no official statements about plans to issue a patch for the Safari browser. Victor warns not to wait.

"For Apple, iPhone and iPad users, download the Opera browser. They'll be faster to issue a fix for this than Safari. And it's free," he told FoxNews.com.


DigiNotar, a subsidiary of Chicago-based Vasco Inc., acknowledged it had been hacked on Aug. 30 only after Google stated that fake certificates for Google sites were circulating in Iran. Google marked the company's certificates as dubious, and other web browser makers followed suit.

The hack underscores the increasing importance of what had been an obscure part of computing: digital certificates, which enable nearly all secure transactions online and are a crucial tent pole propping up not just Internet transactions but much of modern business.

"Digital certificates were created by the guys at Netscape. It was never envisioned to scale up for payroll data … we're pushing the envelope of what these things can do," Victor advised.

"Businesses that are relying on these certificates -- which is just about everybody today -- need to be better prepared," he told FoxNews.com -- one thing he and Ghosh can agree upon.

The underpinnings of web security that we take for granted … the people that provide those services are just as susceptible as anyone else, Ghosh said.

"Like planning for a hurricane, you can't wait until the water comes rushing in," Victor said.
http://www.foxnews.com/scitech/2011/...#ixzz1XDEapSB9
09-06-2011, 05:15 PM  #2
CocheseUGA
So the transitive property of foxnews.com means...not to worry?
09-06-2011, 05:43 PM  #3
Moog-Type-S (Thread Starter)
Microsoft Kills Support for DigiNotar Certificates
http://www.pcmag.com/article2/0,2817,2392491,00.asp

Microsoft continues to investigate the issue, but it said a fake certificate could "be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks against all Web browser users including users of Internet Explorer."

A recent hack of digital certificates issued by Netherlands-based DigiNotar possibly compromised the Gmail accounts of approximately 300,000 Iranians, according to a Tuesday report. These certificates are used to designate legitimate Web traffic, but the breach allowed the hackers to spoof legitimate Google sites and access people's personal data once they signed in.

Most users will not have to take any action; an automatic update will install the fix. The "suggested actions" portion of the advisory, however, provides details for those who want to manually install it.

As security firm Sophos noted in a blog post, this update is different from previous Microsoft updates because it: covers all supported versions of Windows (XP, 2003, Vista, 2008, 7 and 2008R2) instead of just Vista and higher; covers all five root certificates from DigiNotar instead of two; and users no longer see a certificate warning, they are just blocked from sites with SSL certificates issued by DigiNotar.
09-06-2011, 08:38 PM  #4
alex2364
Looks like everyone shipped out emergency patches today. I had to update Windows 7, Mozilla Firefox, Mozilla Thunderbird, and Adobe Flash.
09-07-2011, 10:30 AM  #5
Moog-Type-S (Thread Starter)
^^ Pretty much EVERYTHING got an update patch.
09-07-2011, 10:33 AM  #6
doopstr
macs will get it in 6 months