Cyber attack on Europe exposes big flaws in Internet security

September 12, 2011 By Ken Dilanian

A major cyber attack in Europe that apparently was launched from Iran has revealed significant vulnerabilities in the Internet security systems used to authenticate websites for banking, email and e-commerce around the world.

The attack over the summer wrought havoc in the Netherlands, where the Justice Minister warned the public last Sunday that the only secure way to communicate with the Dutch government was with pen, paper and fax machine.

The digital assault compromised a Dutch company called DigiNotar, which issues digital certificates, small pieces of computer code that assure browsers that a website is what it appears to be. The certificates also encrypt communications between the user and the site so that they can't be intercepted.

The Dutch government has seized control of DigiNotar, which was recently purchased by Vasco Data , a Chicago-based company that specializes in Web authentication. Vasco said in a statement that it had not integrated DigiNotar's products with its own.

The attackers produced 531 fake DigiNotar certificates for heavily used websites, including , Microsoft, and - as well as the for the CIA, and the spy services for Britain and Israel, according to an interim audit by Fox-IT, a Dutch security company.

The audit showed that nearly all the 300,000 IP addresses using the bogus certificates to visit Google in a single day originated in Iran. On Thursday, Google instructed Iranians to change their Gmail passwords.

Iran's uranium enrichment program was targeted in 2009 by Stuxnet, a highly sophisticated that sent nuclear centrifuges spinning out of control. Outside experts who have studied the case believe U.S. and Israeli engineers designed the worm to derail Iran's nuclear program, but neither government has acknowledged responsibility.

In the latest case, a hacker who said he was a 21-year-old Iranian acting alone, posted comments claiming responsibility for the attack. His identity is unknown, but many U.S. experts are convinced that Iran's government directed the massive operation in an effort to spy on its citizens and ferret out political dissidents.

In April this year, the same hacker claimed credit for an attack on Comodo, an Internet security company based in Jersey City, N.J. In that case, nine certificates were forged, the company said.

The company said the perpetrator had "executed its attacks with clinical accuracy," and that "circumstantial evidence" suggests the attack originated in Iran and was likely "a state-driven attack."

Communications, rather than financial domains, were targeted in both the April attack and the latest cyber invasion, said Roel Schouwenberg, a security specialist with Kaspersky Lab, a Russian-based computer security firm with regional offices in Woburn, Mass.

"It's not about finance," he said. "It's all very clearly aimed towards intelligence, and this has all the hallmarks of a government operation."

Whatever the motivation, the Dutch government, which uses DigiNotar certificates, announced last week that it could no longer trust the security of its own websites, a move that threw communications in the Netherlands into chaos. Dutch lawyers were told to file court documents on paper, for example.

"What somebody has figured out - and if it's the Iranians, that means the Chinese and the Russians, have figured it out too - is that if you can compromise this infrastructure, you immediately get access to all sorts of cool things and people don't necessarily know about it," said Jim Lewis, a cyber expert at the Washington-based Center for Strategic and International Studies.

"This is big deal," said Joel Brenner, former general counsel of the National Security Agency, the Pentagon agency responsible for protecting government communications. "The certificate authorities vouch for who's who. If you can penetrate a certificate authority and falsify certificates, then nobody knows who they are dealing with. You've got to suspect a security service is behind this."

The Fox-IT audit accused DigiNotar of lax security procedures, and the company's certificates were not widely used in the U.S. But experts worry that some of the 500 other providers of certificates also may be compromised.

A Belgium-based company, GlobalSign, suspended production of new certificates last Monday after the hacker claimed to have penetrated it as well. The company said it plans to restore service next Monday, saying it had been the victim of "an industrywide attack."

"What this means is that anybody who uses those certificates cannot be assured of the person who is on the other end," said Jeff Hudson, chief operating officer of Venafi, an encryption company based in Sandy, Utah, that produces software that manages digital certificates. "The whole trust model gets a little shaky. Nobody thought this was going to happen and people aren't ready for it."

VeriSign, which is the largest certificate provider in the United States and is owned by security software giant Symantec Corp., based in Mountain View, Calif., says it is confident it can withstand a .

"Not all certificate authorities are created equal," said Michael Lin, senior director of product management at Symantec. "We've invested heavily in what we feel is a very secure, very robust infrastructure that protects us from these types of attacks."

But hackers have broken into some of the most trusted names in computer security.

In March, RSA was the victim of an attack that stole information related to the company's SecurID two-factor authentication products. SecurID adds an extra layer of protection to a login process by requiring users to enter a secret code number displayed on a key fob.

Attacks against three major U.S. defense contractors that used the compromised technology - Lockheed Martin, L-3 Communications and Northrop Grumman - were later discovered, and traced to servers in China.

Explore further: Dutch probing Iranian hacker's claims

Related Stories

Dutch probing Iranian hacker's claims

September 9, 2011

The Dutch government is investigating claims by a suspected Iranian hacker that he falsified Internet security certificates at a Dutch company, a government spokesman said Friday.

Hacked Dutch Internet company declared bankrupt

September 20, 2011

A Dutch judge granted a bankruptcy filing Tuesday for Internet security company DigiNotar, whose servers were apparently breached by an Iranian hacker in July, its parent company said.

Second firm warns of concern after Dutch hack

September 7, 2011

A company that sells certificates guaranteeing the security of websites, GlobalSign, said Tuesday it is temporarily halting the issuance of new certificates over concerns it may have been targeted by hackers.

Experts suspect Iran involvement in Dutch hacking

September 5, 2011

(AP) -- Hackers who broke into a Dutch web security firm have issued hundreds of bogus security certificates for spy agency websites including the CIA as well as for Internet giants like Google, Microsoft and Twitter, the ...

Dutch launch Iran IT hacking probe

September 6, 2011

The Dutch secret service has opened an investigation to determine who falsified 531 Internet security certificates in order to snoop on users in Iran, the Dutch Interior Ministry said Tuesday.

Recommended for you

Cryptocurrency rivals snap at Bitcoin's heels

January 14, 2018

Bitcoin may be the most famous cryptocurrency but, despite a dizzying rise, it's not the most lucrative one and far from alone in a universe that counts 1,400 rivals, and counting.

Top takeaways from Consumers Electronics Show

January 13, 2018

The 2018 Consumer Electronics Show, which concluded Friday in Las Vegas, drew some 4,000 exhibitors from dozens of countries and more than 170,000 attendees, showcased some of the latest from the technology world.

Finnish firm detects new Intel security flaw

January 12, 2018

A new security flaw has been found in Intel hardware which could enable hackers to access corporate laptops remotely, Finnish cybersecurity specialist F-Secure said on Friday.

1 comment

Adjust slider to filter visible comments by rank

Display comments: newest first

5 / 5 (1) Sep 13, 2011
Isn't it the Western block where everybody is supposed to be proud of the freedom to express his views? Why then does nobody in Western media have the cojones to tell things everybody anyhow knows?
That every government, including the Western ones, is preparing not only the defense against but also the use of cyber attacks and is capable of executing such hostile operations. Not only Iran, China, and other non-NATO countries.
And that in covert operations the use of red herrings via the mass media is trivial.

Never trust your own government.

Please sign in to add a comment. Registration is free, and takes less than a minute. Read more

Click here to reset your password.
Sign in to get notified via email when new comments are made.