Cyber attack on Europe exposes big flaws in Internet security

Sep 12, 2011 By Ken Dilanian

A major cyber attack in Europe that apparently was launched from Iran has revealed significant vulnerabilities in the Internet security systems used to authenticate websites for banking, email and e-commerce around the world.

The attack over the summer wrought havoc in the Netherlands, where the Justice Minister warned the public last Sunday that the only secure way to communicate with the Dutch government was with pen, paper and fax machine.

The digital assault compromised a Dutch company called DigiNotar, which issues digital certificates, small pieces of computer code that assure browsers that a website is what it appears to be. The certificates also encrypt communications between the user and the site so that they can't be intercepted.

The Dutch government has seized control of DigiNotar, which was recently purchased by Vasco Data , a Chicago-based company that specializes in Web authentication. Vasco said in a statement that it had not integrated DigiNotar's products with its own.

The attackers produced 531 fake DigiNotar certificates for heavily used websites, including , Microsoft, and - as well as the for the CIA, and the spy services for Britain and Israel, according to an interim audit by Fox-IT, a Dutch security company.

The audit showed that nearly all the 300,000 IP addresses using the bogus certificates to visit Google in a single day originated in Iran. On Thursday, Google instructed Iranians to change their Gmail passwords.

Iran's uranium enrichment program was targeted in 2009 by Stuxnet, a highly sophisticated that sent nuclear centrifuges spinning out of control. Outside experts who have studied the case believe U.S. and Israeli engineers designed the worm to derail Iran's nuclear program, but neither government has acknowledged responsibility.

In the latest case, a hacker who said he was a 21-year-old Iranian acting alone, posted comments claiming responsibility for the attack. His identity is unknown, but many U.S. experts are convinced that Iran's government directed the massive operation in an effort to spy on its citizens and ferret out political dissidents.

In April this year, the same hacker claimed credit for an attack on Comodo, an Internet security company based in Jersey City, N.J. In that case, nine certificates were forged, the company said.

The company said the perpetrator had "executed its attacks with clinical accuracy," and that "circumstantial evidence" suggests the attack originated in Iran and was likely "a state-driven attack."

Communications, rather than financial domains, were targeted in both the April attack and the latest cyber invasion, said Roel Schouwenberg, a security specialist with Kaspersky Lab, a Russian-based computer security firm with regional offices in Woburn, Mass.

"It's not about finance," he said. "It's all very clearly aimed towards intelligence, and this has all the hallmarks of a government operation."

Whatever the motivation, the Dutch government, which uses DigiNotar certificates, announced last week that it could no longer trust the security of its own websites, a move that threw communications in the Netherlands into chaos. Dutch lawyers were told to file court documents on paper, for example.

"What somebody has figured out - and if it's the Iranians, that means the Chinese and the Russians, have figured it out too - is that if you can compromise this infrastructure, you immediately get access to all sorts of cool things and people don't necessarily know about it," said Jim Lewis, a cyber expert at the Washington-based Center for Strategic and International Studies.

"This is big deal," said Joel Brenner, former general counsel of the National Security Agency, the Pentagon agency responsible for protecting government communications. "The certificate authorities vouch for who's who. If you can penetrate a certificate authority and falsify certificates, then nobody knows who they are dealing with. You've got to suspect a security service is behind this."

The Fox-IT audit accused DigiNotar of lax security procedures, and the company's certificates were not widely used in the U.S. But experts worry that some of the 500 other providers of certificates also may be compromised.

A Belgium-based company, GlobalSign, suspended production of new certificates last Monday after the hacker claimed to have penetrated it as well. The company said it plans to restore service next Monday, saying it had been the victim of "an industrywide attack."

"What this means is that anybody who uses those certificates cannot be assured of the person who is on the other end," said Jeff Hudson, chief operating officer of Venafi, an encryption company based in Sandy, Utah, that produces software that manages digital certificates. "The whole trust model gets a little shaky. Nobody thought this was going to happen and people aren't ready for it."

VeriSign, which is the largest certificate provider in the United States and is owned by security software giant Symantec Corp., based in Mountain View, Calif., says it is confident it can withstand a .

"Not all certificate authorities are created equal," said Michael Lin, senior director of product management at Symantec. "We've invested heavily in what we feel is a very secure, very robust infrastructure that protects us from these types of attacks."

But hackers have broken into some of the most trusted names in computer security.

In March, RSA was the victim of an attack that stole information related to the company's SecurID two-factor authentication products. SecurID adds an extra layer of protection to a login process by requiring users to enter a secret code number displayed on a key fob.

Attacks against three major U.S. defense contractors that used the compromised technology - Lockheed Martin, L-3 Communications and Northrop Grumman - were later discovered, and traced to servers in China.

Explore further: 'Twilight' to be revived in Facebook short films

5 /5 (5 votes)
add to favorites email to friend print save as pdf

Related Stories

Hacked Dutch Internet company declared bankrupt

Sep 20, 2011

A Dutch judge granted a bankruptcy filing Tuesday for Internet security company DigiNotar, whose servers were apparently breached by an Iranian hacker in July, its parent company said.

Dutch probing Iranian hacker's claims

Sep 09, 2011

The Dutch government is investigating claims by a suspected Iranian hacker that he falsified Internet security certificates at a Dutch company, a government spokesman said Friday.

Inside the secret Symantec building that keeps websites safe

May 29, 2013

Hidden within a nondescript building here is a highly secret Symantec facility protected by the sort of measures found in nuclear missile silos. Dubbed "the vault" by some employees, the bunkerlike operation bristles with ...

Second firm warns of concern after Dutch hack

Sep 07, 2011

A company that sells certificates guaranteeing the security of websites, GlobalSign, said Tuesday it is temporarily halting the issuance of new certificates over concerns it may have been targeted by hackers.

Dutch launch Iran IT hacking probe

Sep 06, 2011

The Dutch secret service has opened an investigation to determine who falsified 531 Internet security certificates in order to snoop on users in Iran, the Dutch Interior Ministry said Tuesday.

Recommended for you

Unlocking the geoblock with VPNs

4 hours ago

In recent months there have been many reports of Australians covertly signing up for the US streaming service Netflix, using fake postcodes and software workarounds to fool its geo-blocking system.

Twitter-funded lab to seek social media insights

18 hours ago

A new Twitter-funded research project unveiled Wednesday, with access to every tweet ever sent, will look for patterns and insights from the billions of messages sent on social media.

Facebook makes peace with gays over 'real names'

20 hours ago

Facebook on Wednesday vowed to ease its "real names" policy that prompted drag queen performers to quit the social network and sparked wider protests in the gay community and beyond.

User comments : 1

Adjust slider to filter visible comments by rank

Display comments: newest first

frajo
5 / 5 (1) Sep 13, 2011
Isn't it the Western block where everybody is supposed to be proud of the freedom to express his views? Why then does nobody in Western media have the cojones to tell things everybody anyhow knows?
That every government, including the Western ones, is preparing not only the defense against but also the use of cyber attacks and is capable of executing such hostile operations. Not only Iran, China, and other non-NATO countries.
And that in covert operations the use of red herrings via the mass media is trivial.

Never trust your own government.