One stolen Google website authentication certificate would have been reason enough for Web users to worry, but it turns out last week's security breach at the Dutch certificate authority (CA) DigiNotar is far more damaging than first thought, and could signal a new and extremely dangerous cybercrime threat.
On Aug. 30, the news broke that a hacker calling himself "Comodohacker" made off with a Google authentication certificate on July 19, which allowed him to set up fraudulent Web pages under a legitimate Google domain name and harvest the personal information of anyone who visited his spoofed sites.
A bit of background on authentication certificates: DigiNotar, like all certificate authorities, issues digital Secure Sockets Layer (SSL) certificates of trust to websites that authenticate themselves to browsers, which is necessary to establish a secure, HTTPS connection.
Every time you start a secure session online, your computer gets a digital certificate from that site authenticating that it is indeed Google or Amazon or Facebook, and not some hacker just pretending to be those sites. Your browser accepts that certificate, because it has been issued by a trustworthy certificate authority.
The entire online economy depends upon this so-called 'web of trust,' where all digitally certified sites agree to trust one another, and for Web browsers to trust them. It's this trust that allows online businesses like Amazon and the iTunes Store to flourish, and if there's a single rip in that web, the whole thing could come apart.
The DigiNotar problem, it turns out, extends beyond Google: Hackers stole not just one SSL certificate, but 531, including ones for Facebook, Skype, Mozilla, Microsoft, Yahoo, Android, Twitter, and Web domains owned by the CIA, Israel's Mossad and the UK's M16, Computerworld reported.
The makers of Microsoft Internet Explorer, Mozilla Firefox, Google Chrome and the Opera browser have revoked recognition of DigiNotar certificates last week. Apple did as well for the PC version of its Safari browser, but has not for the Mac version — to do so would require an update of the entire Mac OS X operating system.
As a result, security experts are warning Mac owners to avoid using Safari until Apple does so, and to use the Mac versions of Firefox, Chrome or Opera instead.
The situation is similarly blurry on the mobile front. Smartphone and tablet makers are notoriously slow to update Google's Android software, and Apple has made no announcements regarding revocation of DigiNotar certificates for iOS. (IDG writer Robert McMillan noted that BlackBerry and Windows Phone smartphones are better protected.)
Who is behind this monstrous hack?
In a message posted on Pastebin, the Iranian man who in March hacked into the certificate authority Comodo to steal SSL certificates for Google, Yahoo, Skype and Microsoft took credit for the DigiNotar breach.
In broken English, Comodohacker, as he calls himself, claimed that the hack was in retaliation for the Dutch involvement in the Srebrenica massacre in 1995, in which, he wrote, the "Dutch government exchanged 8,000 Muslim for 30 Dutch soldiers and Animal Serbian soldiers killed 8,000 Muslims in same day.
"Dutch government have to pay for it, nothing is changed, just 16 years has been passed," he wrote.
Comodohacker wrote that DigiNotar is just the beginning, and that he has access to four more high-profile CAs, including GlobalSign. (GlobalSign yesterday (Sept. 6) stopped issuing all certificates until the investigation is complete.)
How devastating is this?
"The attack on DigiNotar will put cyberwar on or near the top of the political agenda for Western governments," said Roel Schouwenberg, senior anti-virus researcher for the security firm Kaspersky Lab.
Schouwenberg believes that, although the "attack on DigiNotar doesn't rival Stuxnet in terms of sophistication or coordination," its consequences will "far outweigh those of Stuxnet," the worm that last year disrupted operations at an Iranian nuclear power plant.
What Comodohacker hacker did, in one swift move, was fracture the implicit trust Web users have when logging on to a site, especially one as high profile as Google or Facebook.
How did it happen?
The DigiNotar hack essentially blew a hurricane-strength breeze at the fragile house of cards built by certificate authorities. There are too many of them around the world, and many of them subcontract the issuing of certificates to third parties who aren't thoroughly vetted.
One would think DigiNotar, which was so prominent that the Dutch government had it handle its own certificates, would take extra precaution s to keep itself secure, seeing as so many important Web domains rely on it, but clearly, that wasn't the case.
A report from Fox-IT, the security auditors hired to investigate the DigiNotar breach — Fox-IT called the hack "Operation Black Tulip" — found that DigiNotar had been compromised for more than a month without taking action.
That's not the most glaring oversight; all of the SSL certificates belonged to a single Windows domain with a weak password, allowing the hacker to access them all in one swoop, Fox-IT found.
Perhaps the most disturbing findings: "The software installed on the public Web servers was outdated and not patched," Fox-IT wrote, and "No anti-virus protection was present on the investigated servers."
The Dutch government has since taken control of DigiNotar, and with DigiNotar down and out, government business in the Netherlands has taken an interesting step into a pre-Internet world.
While the incident is under investigation, Dutch courts have advised lawyers to use fax machines and snail mail instead of email, the Wall Street Journal reported.
"Most of our work is digital. But now we have to use notes, which is like a step back in time," Diederik Maat, a lawyer, told the WSJ. "For courts and law firms, this is an administrative nightmare."