Displaying items by tag: Certificate

Microsoft has had its share of flaws to deal with over a wide range of products. So it is no surprise when we read that there is another “flaw” making the rounds that is related to an older flaw that someone exposed about a year ago. The first flaw was a laughable encryption scheme that was intended to protect the username and password when using PEAP-MSCHAPv2 authentication. In this flaw someone was able to quickly break the encryption and access the credentials used to log on. This flaw does require access to the device that the user was connecting to (RAIDUS server, Firewall, etc.) so it is a little harder to pull off. Now it looks like there is a further flaw that will remove the need to compromise other equipment.

We told you about the new malware threat in Iran (and some other Middle Eastern countries). This is a new and very sophisticated bit of spyware that appears designed to gather intelligence about the state of Iran’s nuclear program. Kaspersky discovered the worm after being asked to check some systems that appeared to be acting strange. This investigation led to the discovery on Flame and the identification of some 20 plug-ins for the malware that can do everything from capture screens, to turning on a system’s microphone to record anything around the system. It is also able to record VoIP communication through applications like Skype.

Not that long ago Microsoft was the victim of an incorrectly assigned certificate. This was issued to more than just Microsoft and caused some havoc with a few firewalls (like Microsoft’s ISA) that check for security certificate validity. Because of the malformed Cert people were not able to get to Hotmail and other secure Microsoft sites or they received an error saying the certificate could not be trusted. Microsoft quickly remedied the issue, but it had an impact.  

Now we see something similar has happened to Google. A Dutch certificate service by the name of DigiNotar issued a certificate for Google.com to a company that is certainly not Google. The response has been immediate with companies stating that they are going to release patches that will revoke the DigiNotar trust (which is not found in many US systems but is big in Europe apparently.

Some are attributing this attack to the Iranian Government or others inside Iran. This is mostly due to the Comodo issue that happened a few months ago that was claimed by an Iranian Patriot. However, there is no evidence that this was the case this time this could be the work of others, but it does illustrate a fundamental flaw with Security Certificates.  You see as it stands right now a third party is responsible for verification and issuance of the certificate that proves that a website is how it claims it is. It is not all that hard to intercept the confirmation notices in reality. It is also possible that some companies (there are well over 600 Certificate Authorities now) are unscrupulous enough that they might sell off the master keys to a site so that someone could produce their own certificates.

In short there needs to be a serious overhaul of this system to protect against the increasingly sophisticated attacks that are happening on the web.

Discuss in our Forum