A consortium of companies wishes to improve the internet's SSL technology
Dec. 17, 2011
Yesterday, a group of internet companies published a new set of security practices and guidelines that they want all web certificate authorities to follow in order for their SSL (secure sockets layer) security certificates to be trusted by web browsers and other internet software.
The news was a long time coming and was welcomed by most internet security firms and security consultants. The baseline requirements, published this week by the Certification Authority/Browser Forum, are designed to prevent security attacks that compromise the tangled web of trust that forms the underpinning of the SSL certificate system.
Its release follows years of mismanagement by individual certificate authorities permitted to issue credentials that are trusted by all web browsers. Most notable is this year's breach of DigiNotar, which led to the issuance of a fraudulent certificate used to snoop on 300,000 Gmail users in Iran and at least one other country.
However, the forty-seven members of the CAB Forum still have a way to go, since their requirements are meaningless unless they are mandated by the software makers who place their trust in the authorities in the first place.
And it's not exactly clear yet that this will come to pass either. Of the five browser makers queried for this article, only Opera has committed to making compliance with the requirements a condition for including an authority's root certificate in its software. Opera is popular mainly in Europe, and is the least used browser in North America and other parts of the world.
Meanwhile, a Mozilla official said only that the requirements would be discussed among developers in online forums. A Microsoft statement said that the company "will work with the industry Auditors and Certificate authorities to get the new guidelines factored into the Microsoft Root Program."
Some company representatives didn't respond to an email asking what that means. A Google spokesman said that its Chrome browser trusts whatever CAs (certificate authorities) are trusted by the underlying operating system. And representatives from Apple didn't respond to emails seeking comment regarding its own browser, Safari.
As the term suggests, the baseline requirements would serve as a minimal set of industry best practices each CA would be required to follow to remain in good standing. Among other things, they would require CAs to “develop, implement, and maintain a security plan” to prevent the types of breaches that hit DigiNotar.
The guidelines also mandate the reporting of security attacks and the revocation of any fraudulently issued certificates that resulted, and require the use of certificates with RSA signing keys of 1024 bits or higher.
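The key-size requirement above is the one baseline rule that can be checked mechanically on a certificate. As an added example (not code from the CAB Forum or from any browser vendor), the Python below reads the RSA modulus straight out of a DER-encoded SubjectPublicKeyInfo, the structure an X.509 certificate carries its public key in, and compares it against a configurable floor set to the 1024 bits the article cites. The DER reader is a deliberately minimal, hand-written one for this single structure, and the two sample keys are constructed numbers of the right size, not real key material.

```python
# Added example: check an RSA public key against a minimum modulus size,
# working directly on the DER-encoded SubjectPublicKeyInfo (SPKI) that an
# X.509 certificate carries. Minimal hand-written DER reader; the sample
# moduli below are constructed numbers, not real keys.

RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1


def _read_tlv(buf: bytes, pos: int):
    """Read one DER tag-length-value at `pos`; return (tag, value, next_pos)."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first & 0x80:                      # long-form length: 0x8N then N bytes
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def _expect(tag: int, wanted: int, what: str) -> None:
    if tag != wanted:
        raise ValueError(f"expected {what} (tag 0x{wanted:02x}), got 0x{tag:02x}")


def rsa_modulus_bits(spki_der: bytes) -> int:
    """Return the bit length of the RSA modulus inside an SPKI blob."""
    tag, spki, _ = _read_tlv(spki_der, 0)
    _expect(tag, 0x30, "SubjectPublicKeyInfo SEQUENCE")
    tag, alg, pos = _read_tlv(spki, 0)
    _expect(tag, 0x30, "AlgorithmIdentifier SEQUENCE")
    tag, oid, _ = _read_tlv(alg, 0)
    _expect(tag, 0x06, "algorithm OID")
    if oid != RSA_ENCRYPTION_OID:
        raise ValueError("not an rsaEncryption key")
    tag, bitstr, _ = _read_tlv(spki, pos)
    _expect(tag, 0x03, "subjectPublicKey BIT STRING")
    if bitstr[0] != 0:
        raise ValueError("unexpected unused bits in BIT STRING")
    tag, rsa_key, _ = _read_tlv(bitstr[1:], 0)
    _expect(tag, 0x30, "RSAPublicKey SEQUENCE")
    tag, modulus, _ = _read_tlv(rsa_key, 0)
    _expect(tag, 0x02, "modulus INTEGER")
    return int.from_bytes(modulus, "big").bit_length()


def meets_baseline(spki_der: bytes, minimum_bits: int = 1024) -> bool:
    """The requirement as the article states it: RSA key of 1024 bits or higher."""
    return rsa_modulus_bits(spki_der) >= minimum_bits


# --- constructed sample input (test data only) ----------------------------

def _tlv(tag: int, body: bytes) -> bytes:
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def _der_int(v: int) -> bytes:
    b = v.to_bytes(max(1, (v.bit_length() + 7) // 8), "big")
    if b[0] & 0x80:
        b = b"\x00" + b                   # keep the INTEGER positive
    return _tlv(0x02, b)


def build_rsa_spki(modulus: int, exponent: int = 65537) -> bytes:
    """Encode an RSA public key as a DER SubjectPublicKeyInfo (for test data)."""
    rsa_key = _tlv(0x30, _der_int(modulus) + _der_int(exponent))
    alg = _tlv(0x30, _tlv(0x06, RSA_ENCRYPTION_OID) + _tlv(0x05, b""))
    return _tlv(0x30, alg + _tlv(0x03, b"\x00" + rsa_key))


# Constructed moduli: numbers of the right size, not real keys.
SAMPLE_1024 = build_rsa_spki((1 << 1023) | 1)
SAMPLE_512 = build_rsa_spki((1 << 511) | 1)

if __name__ == "__main__":
    for name, spki in (("1024-bit", SAMPLE_1024), ("512-bit", SAMPLE_512)):
        verdict = "ok" if meets_baseline(spki) else "BELOW BASELINE"
        print(name, rsa_modulus_bits(spki), verdict)
```

With a real certificate, a full X.509 parser is used to pull out the SubjectPublicKeyInfo; the check itself needs only that blob. The floor is a parameter so the same check can be run against whatever minimum a root program adopts later.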
As useful as each requirement is, this week's release only underlines how hopelessly broken the SSL system is. With some 650 entities around the world authorized to issue security certificates trusted by Internet Explorer, Chrome, Firefox, Safari, Opera and other browsers, all it takes is the incompetence or malfeasance of just one of them to bring the entire system down.
Even if the requirements become a condition adopted by all browser makers, it's not clear they have the will or the ability to adequately enforce the measures.
With the many cracks in the internet's foundation of trust too big to ignore, a variety of alternatives are competing for attention. Among the most appealing of them is the Convergence Project devised by security researcher Moxie Marlinspike, which relies on a loose confederation of notaries that independently vouch for the authenticity of any given SSL certificate.
In addition to removing trust in an unwieldy number of CAs, this crowd-sourcing approach has huge privacy benefits as well, since notaries are intentionally kept in the dark about what sites a given IP address is accessing.
Under the current SSL system, CAs get to log each visit an IP address makes to an HTTPS connection protected by one of their certificates, and that represents a big security flaw. Other alternatives include a plan Google researchers already published in late November.
It would simply require that all CAs publicly disclose the cryptographic details of every certificate they issue in order that the credentials can be publicly verified. The proposal, which is in many respects similar to an alternative recommended by the Electronic Frontier Foundation, has already been criticized by some CAs, who object to publishing what they consider to be proprietary information.
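To make the notary model described above concrete, here is an added example (not code from the Convergence project) of the client-side decision: the browser hashes the certificate the server presented, asks several notaries what fingerprint they independently observed for the same site, and accepts only if a quorum agrees. The notary names, quorum policy and certificate bytes are constructed for this example; a real notary would fetch the site's certificate itself rather than be handed one.

```python
import hashlib

# Constructed stand-ins for DER certificates. In a real deployment each
# notary fetches the site's certificate over its own network path and
# reports the fingerprint it saw.
GENUINE_CERT = b"constructed-certificate-for-example.test"
FORGED_CERT = b"constructed-attacker-certificate-for-example.test"


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint of a certificate: the value notaries compare."""
    return hashlib.sha256(cert_der).hexdigest()


def verify_with_notaries(presented_fp: str, notary_reports: dict, quorum: int):
    """Accept the certificate the server presented only if at least `quorum`
    notaries independently observed the same fingerprint.

    Returns (accepted, agreeing_notaries, dissenting_notaries) so the caller
    can log which notaries disagreed, which is the signal worth alerting on.
    """
    agreeing = sorted(n for n, fp in notary_reports.items() if fp == presented_fp)
    dissenting = sorted(n for n, fp in notary_reports.items() if fp != presented_fp)
    return len(agreeing) >= quorum, agreeing, dissenting


def scenarios():
    """Three constructed situations a client can find itself in."""
    genuine = fingerprint(GENUINE_CERT)
    forged = fingerprint(FORGED_CERT)
    honest_view = {"notary-a": genuine, "notary-b": genuine, "notary-c": genuine}
    # One notary reports a different certificate (compromised notary, or a
    # site that is mid-rotation); the other two still form a quorum.
    split_view = {"notary-a": genuine, "notary-b": genuine, "notary-c": forged}
    return {
        "normal": verify_with_notaries(genuine, honest_view, quorum=2),
        # Client's own path is intercepted: it sees the forged certificate,
        # but notaries on other network paths all see the genuine one.
        "intercepted_client": verify_with_notaries(forged, honest_view, quorum=2),
        "one_dissenting_notary": verify_with_notaries(genuine, split_view, quorum=2),
    }


if __name__ == "__main__":
    for name, (ok, agree, dissent) in scenarios().items():
        print(f"{name}: {'accept' if ok else 'REJECT'} agree={agree} dissent={dissent}")
```

The quorum is the policy knob: requiring all notaries to agree resists a single compromised notary only at the cost of availability, while a majority tolerates one dissenter but records who it was. The privacy property the article mentions (notaries not learning which site a given client visits) is a transport concern, handled by routing the query through one notary to another, and is not part of this decision logic.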
With banks, internet merchants, eCommerce websites and millions of other organizations using SSL certificates to prove they're the rightful owners of websites, and to encrypt data passing between their servers and end users, it's actually difficult to overstate the system's importance.
This week's security requirements probably won't hurt, but it's doubtful they'll do much to fix the structural flaws that put us all at risk.
In other internet security news
A small and very simple electronic device used to control complex machinery in water treatment plants, nuclear power generating stations and other critical industrial facilities contains serious security vulnerabilities that allow attackers to completely take over the infrastructure remotely, a U.S. agency that safeguards the nation's critical infrastructure has warned.
Certain models of the Modicon Quantum PLC (programmable logic controller) used in complex industrial control systems contain multiple hidden accounts that use predetermined, hard-coded passwords to grant full remote access, the Industrial Control System Cyber Emergency Response Team (ICS-CERT) said in an advisory issued yesterday.
Schneider Electric, the maker of the PLC device, has produced numerous fixes for some of the security weaknesses and continues to develop additional mitigations, but the speed at which it produces the fixes may not be fast enough, according to some outside consultants.
The PLCs reside at the lowest levels of an industrial plant, where multiple computerized sensors work with the valves, turbines, and other machinery that's being controlled. The security issues reside in the default passwords that are hard-coded into Ethernet cards (NICs) the systems use to funnel commands into the devices, and temperatures and other data out of them.
The Ethernet modules also allow system administrators to remotely log into the machinery using totally insecure communications protocols such as telnet, FTP, and something called the Windriver Debug port.
According to a blog post published on Monday by independent security researcher Ruben Santamarta, the NOE 100 and the NOE 771 modules made by Schneider Electric contain at least 14 hard-coded passwords, some of which are widely published in support and technical manuals.
Even in cases where the passcodes are obscured using cryptographic hashes, they are trivial to recover thanks to documented weaknesses in the underlying VxWorks operating system. As a result, attackers can exploit the security vulnerabilities to log into critical and complex devices and gain full privileged access to their sensitive controls.
Hard-coded passwords are a common weakness built into many industrial control systems, including some of the S7-series PLCs from Siemens in Germany. Because the systems control the machinery connected to electric power dams, oil and gasoline refineries, and water treatment plants, unauthorized access is considered a national security threat because it could be used to sabotage their operation, cause massive destruction, pose great risks to the environment and endanger the lives of millions of U.S. residents.
The FBI has said that it is investigating multiple claims that a Houston, Texas–based water utility was breached in November by someone claiming to have accessed the internet-connected computers that control its generators, blowers and other sensitive equipment.
“Default backdoor passwords that give you full administrator rights to a system are extremely severe,” said Reid Wightman, a security assessor with Digital Bond, a consultancy that focuses solely on ICS security. He said it can be hard for attackers to exercise too much control over an ICS by taking over the PLC alone, because there's often no indication what kind of equipment is connected to it.
“You don't have the human machine interface so you don't really know what the PLC is plugged into,” he explained. “I really don't know if the device is a release valve, an input valve, or a lightbulb or any other device for that matter.”
Research Wightman plans to release in January 2012 at the SCADA Security Scientific Symposium in Miami could increase the damage that attackers can do after gaining access to many widely used PLCs. Among other things, he said his findings would show how to tamper with the device so that it attacks other systems it is attached to as well, further compounding the issue.
Santamarta added that the hard-coded passwords could be widely exploited to install malicious firmware on the controllers. He also alluded to undocumented functionality with security implications in the Schneider devices. He said he initially discovered the hidden accounts by reverse engineering the firmware that controls the PLCs.
A rudimentary search on a search engine known as Shodan revealed what appear to be working links to several of the vulnerable Schneider models. Santamarta said there is no fix for the devices other than to retire the faulty Ethernet cards and replace them with better-designed ones.
Tuesday's ICS-CERT advisory said that the fixes from Schneider remove the telnet and Windriver services. The advisory made no mention of changes to FTP services or Telnet access, however.
In other internet security news
Police in the United Kingdom have confirmed that about 800 victims had their mobile phones hacked by journalists at the News of the World tabloid, after initial fears that the number of victims could top 5,800.
A Scotland Yard initial release said that investigators "are confident that we have personally contacted all the people who have been hacked or who are likely to have been hacked."
In November, investigators were saying they had identified 5,795 potential phone-hacking victims in the material collected from Glenn Mulcaire, the private investigator who was jailed in 2007.
Now those same investigators say they have interviewed 2,037 people, of whom about 803 are victims. Their names appeared in notes seized from Mulcaire, who had been working for Rupert Murdoch's News of the World.
Scotland Yard said yesterday that there are still many people who need to be interviewed, although it is unlikely they were hacking victims.
Murdoch closed the tabloid in July after it was revealed that the paper had hacked into the phone of a 13-year-old murder victim, Milly Dowler, in hopes of gathering material for news stories.
The scandal erupted after the Dowler disclosure. Celebrities such as Sienna Miller, Hugh Grant and Jude Law had complained of being hacked, and even former British prime minister Gordon Brown complained to the police, who later found his name in Mulcaire's notes.
In the wake of the scandal, two top London police officers and several senior Murdoch executives resigned and more than a dozen News of the World journalists have been arrested, including former editor Andy Coulson, who resigned his post as Prime Minister David Cameron's media chief.
The News of the World paper has since folded, and the proceeds of the last week of revenues were donated to charity, a spokesman said.
Source: The Electronic Frontier Foundation.