Certificate authority StartSSL suffered a security breach
June 21, 2011
Another SSL certificate authority has been attacked by hackers intent on minting counterfeit certificates that would let them impersonate the authenticated pages of high-profile sites. This isn't the first time something like this has happened, and it probably won't be the last.
Israel-based StartCom, which operates StartSSL, suffered a major security attack on June 15, the company said in an obscure advisory. The certificate authority, which is trusted by the Microsoft Internet Explorer, Google Chrome, and Mozilla Firefox browsers to vouch for the authenticity of sensitive websites, has suspended the issuance of new digital certificates and related services until further notice.
Eddy Nigg, StartCom's CTO and COO, says the hackers targeted many of the same websites that were targeted in a similar breach in March at certificate authority Comodo. The hackers in that earlier attack managed to forge certificates for seven addresses, including mail.google.com, www.google.com, login.yahoo.com, login.skype.com, addons.mozilla.org, and Microsoft's login.live.com.
The March breach touched off a frantic effort by the world's biggest browser makers to blacklist the counterfeit certificates before the hackers could use them to set up spoofed websites carrying a valid cryptographic stamp of authenticity.
It took more than a week for the fraudulent certificates to be blocked in all major browsers, and even then many widely used email clients still hadn't been updated.
The hackers behind the attack on StartCom failed to obtain any certificates that would let them spoof websites in the same fashion, and they were also unsuccessful in generating an intermediate certificate that would have let them act as their own certificate authority, Nigg said in an email.
The private signing key at the heart of the company's operations isn't stored on a computer that's connected to the Internet, so they didn't get their hands on that key either, he said.
Last week's attack is at least the fifth time an entity that issues SSL, or secure sockets layer, certificates has been targeted. In all, four of Comodo's resellers have suffered security breaches in the past three months.
The susceptibility of certificate authorities (CAs) to hackers is one of the most significant weaknesses of the SSL system, which serves as the Internet's foundation of trust. Browsers place no per-domain restriction on the roots they trust: once a CA's root certificate is included with a browser, that CA can vouch for any hostname, and in practice it is responsible for validating tens of thousands or hundreds of thousands of individual websites.
That makes it impractical to remove the root certificate even when there is good reason to be wary of it, because every legitimate site that CA has signed would stop validating at the same time.
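The trust-model weakness described above, and the issuer-plus-serial blocklisting the browser makers resorted to after the Comodo breach, as an added example that is not part of the article or of StartCom's or Comodo's own tooling. It builds a miniature PKI with the openssl command line (assumed to be installed, version 1.1.1 or later): a "trusted" root, a "rogue" root standing in for a compromised CA, and one certificate for the made-up name mail.example.com signed by each. It then shows that a browser-style trust store holding both roots accepts the rogue-issued certificate just as readily as the legitimate one, that pinning the expected issuer rejects it, and how a blocklist keyed on issuer and serial number blocks a single mis-issued certificate without distrusting the whole CA. All names and files are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the article. Requires the openssl CLI (1.1.1+).

# build_pki DIR: two self-signed roots plus a leaf for mail.example.com
# signed by each of them. A CSR carries no proof of who controls the name;
# checking that is exactly the job a CA is trusted to do.
build_pki() {
    dir=$1
    mkdir -p "$dir"
    # Minimal req config so the example does not depend on the system openssl.cnf.
    printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = unused\n' > "$dir/req.cnf"
    printf 'basicConstraints = critical,CA:TRUE\nkeyUsage = critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
    printf 'basicConstraints = CA:FALSE\nsubjectAltName = DNS:mail.example.com\n' > "$dir/leaf.ext"
    for ca in trusted rogue; do
        openssl req -new -config "$dir/req.cnf" -newkey rsa:2048 -nodes \
            -subj "/CN=$ca root CA" -keyout "$dir/$ca-ca.key" -out "$dir/$ca-ca.csr" >/dev/null 2>&1
        openssl x509 -req -in "$dir/$ca-ca.csr" -signkey "$dir/$ca-ca.key" -days 30 -sha256 \
            -extfile "$dir/ca.ext" -out "$dir/$ca-ca.pem" >/dev/null 2>&1
    done
    openssl req -new -config "$dir/req.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=mail.example.com" -keyout "$dir/leaf.key" -out "$dir/leaf.csr" >/dev/null 2>&1
    # Both roots sign the same CSR: nothing in the protocol stops the rogue one.
    for ca in trusted rogue; do
        openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/$ca-ca.pem" -CAkey "$dir/$ca-ca.key" \
            -CAcreateserial -days 30 -sha256 -extfile "$dir/leaf.ext" \
            -out "$dir/leaf-by-$ca.pem" >/dev/null 2>&1
    done
}

# verify_leaf LEAF CAFILE: succeeds when LEAF chains to a root in CAFILE and
# matches the expected hostname, which is the check a browser makes on connect.
verify_leaf() {
    openssl verify -CAfile "$2" -verify_hostname mail.example.com "$1" >/dev/null 2>&1
}

# cert_id LEAF: prints "issuer|serial", the pair that identifies one issued
# certificate and lets a blocklist target it without distrusting its CA.
cert_id() {
    printf '%s|%s\n' \
        "$(openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | sed 's/^issuer=//')" \
        "$(openssl x509 -in "$1" -noout -serial | sed 's/^serial=//')"
}

# is_blocklisted LEAF BLOCKFILE: exact-line match of the certificate's id.
is_blocklisted() {
    grep -qxF "$(cert_id "$1")" "$2"
}

# Stand-alone demonstration of the three outcomes.
demo() {
    d=$(mktemp -d)
    build_pki "$d"
    # A browser-style store that trusts both roots, as browsers trust hundreds.
    cat "$d/trusted-ca.pem" "$d/rogue-ca.pem" > "$d/browser-store.pem"
    for leaf in leaf-by-trusted leaf-by-rogue; do
        if verify_leaf "$d/$leaf.pem" "$d/browser-store.pem"; then r=accepted; else r=rejected; fi
        echo "$leaf against full browser store: $r"
        if verify_leaf "$d/$leaf.pem" "$d/trusted-ca.pem"; then r=accepted; else r=rejected; fi
        echo "$leaf against pinned issuer only:  $r"
    done
    # Blocklist just the mis-issued certificate, leaving the CA trusted.
    cert_id "$d/leaf-by-rogue.pem" > "$d/blocklist.txt"
    for leaf in leaf-by-trusted leaf-by-rogue; do
        if is_blocklisted "$d/$leaf.pem" "$d/blocklist.txt"; then r=blocked; else r=allowed; fi
        echo "$leaf against blocklist: $r"
    done
    rm -rf "$d"
}

demo
```

Running the script prints that both leaves are accepted by the full store, that only the legitimately issued one survives issuer pinning, and that only the rogue-issued one is caught by the blocklist. The blocklist approach is what browsers could ship within days; pinning the expected issuer is the stronger control, but it only works for sites whose operator has told the client which CA to expect.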
Nigg declined to state how many certificates StartSSL has issued during its tenure, but he did say it is among the top ten issuers. It is unclear when the firm will resume services.
In other Internet security news
Google said earlier this month that thousands of personal Gmail email accounts, including those of some senior U.S. government officials, were compromised as a result of a massive phishing attack originating from China.
The accounts were compromised through stolen passwords, obtained either by malware installed on victims' computers or through victims' responses to earlier emails from attackers posing as trusted sources.
That type of attack is known as phishing. Google believes the campaign originated in Jinan, China. In addition to the U.S. government personnel, targets included South Korean government officials, government workers of several other Asian countries, Chinese political activists, military personnel and journalists.
"The Department of Homeland Security is currently aware of Google's message to its customers," said Chris Ortman, a spokesman for the agency. "We are working with Google and our federal partners to review the matter, offer analysis of any malicious activity, and develop solutions to mitigate further risk."
Secretary of State Hillary Clinton addressed the issue this morning. "Google informed the State Department of this situation yesterday in advance of its public announcement," she said. "These allegations are very serious, and we take them very seriously, we're looking into them right now, and because this will be an ongoing investigation I would refer you to first Google for any details that they are able to share at this time, and to the FBI, which will be conducting the investigation."
FBI spokesman Paul Bresson said the agency is working with Google and with other U.S. government agencies "to review this matter further to identify the origin of this campaign and to see what information and what data may have been compromised to date."
As is almost always the case in situations like these, Bresson declined to comment further on the investigation since it is ongoing.
The news comes a little more than a year after a separate hacking attempt originating from China affected the Gmail accounts of Chinese human rights activists. In that case, attackers were able to break through Google's security systems, and two Gmail accounts were successfully hacked into.
That cyber attack set off a series of events that eventually led to Google ending its agreement with the Chinese government to censor certain search results, and the company physically moved its servers out of China.
Today, and after this most recent cyber attack, a Chinese official insisted that his government takes the attacks seriously.
"We firmly oppose any form of computer hacking or any illegal activity that harms Internet security and will severely punish anyone engaging in such activity according to law," said foreign ministry spokesman Hong Lei.
"Computer hacking is an international problem and China is also a victim. Any accusation linking China to such activity is baseless and with ulterior motives."
This time, the successful hacking attempt appears much larger in scope, but Google itself was not attacked, the company says. A person with knowledge of the attack's details said there was no apparent connection between last year's attack and this one.
A Google spokesman declined to comment on how the company obtained the information about the most recent hack. Public information, user reports and a third-party security research blog called Contagio were used to determine the scope, targets and source of the attack.
Google said it notified the victims and disrupted the campaign.
The hackers were attempting to monitor the victims' emails, and some users' forwarding settings were in fact altered. Google urged users to "please spend ten minutes today taking steps to improve your online security so that you can experience all that the Internet offers, while also protecting your data."
Source: StartCom Inc.