Hacker Stole Multiple SSL Certificates Belonging To Some Of The Web's Biggest Sites, Including Googl

Talk about SSL certificates and the security of internet communication has surfaced following the recent SSL certificate theft. Some even criticized Mozilla’s silence; others believed that the delay in disclosing the theft of the digital certificates put certain lives at risk. What is certain is that the result of this incident presented a new threat model for information security professionals.
An Iranian hacker claimed responsibility for stealing multiple SSL certificates belonging to some of the Web's biggest sites, including Google, Microsoft, Skype and Yahoo. On March 15, hackers stole nine SSL certificates from a Comodo certificate reseller. Comodo said at least one of the certificates, for logon.yahoo.com, was used to legitimize a fake Yahoo site hosted by an Iranian ISP (Internet service provider). None of the browser makers went public with the Comodo hack or the existence of the rogue certificates before March 22.
"We didn't, however, model for attack from a foreign government. Our security was good in that we picked up the attack and shut it down quickly, but we should have covered this threat model," Comodo's chief executive Melih Abdulhayoglu said.
SSL certificates work on the premise that the issuing body is credible. Organizations such as Verisign, Thawte, Equifax, Entrust, GlobalSign, RapidSSL and Comodo promote themselves as sophisticated, guarded operations that can be trusted to issue certificates.
While Comodo deserves credit for admitting what happened, the fact that part of its system used to issue SSL certificates was compromised by a third party getting access to a login and password will raise serious concerns for the firm and its customers.
Appelbaum told Mozilla that the attack was not a normal attack. Disclosure does not allow anyone else to perform this attack. Only the attacker with the certificate is able to take advantage of this situation. Only the attacker will benefit from a delay.
Abdulhayoglu described three clues to the attacker's origin. Firstly, the choice of targets was not financial companies but core internet infrastructure sites.
Secondly, in order for the certificates to be of any use, access to the domain name system infrastructure would have been required.
Finally, the attack was very well orchestrated and "too clean". It did not bear the hallmarks of criminal attacks the company had experience with in the past, according to Abdulhayoglu.
"You can't be 100 per cent certain," he said. "But if it looks like a duck, and quacks like a duck, then it probably is a duck."
This recent theft incident goes to show that even SSL certificates are not foolproof for ensuring the security of communications on the Internet.
It is critical that organizations perform pen testing more frequently, before hackers attack. Organizations that are involved with online transactions, which allow inbound connections and potentially expose customer information, should be more concerned. They either have to go through a consultant or hire information security professionals with advanced skills and knowledge in penetration testing.
Information security professionals can increase their penetration testing knowledge and skills by enrolling in highly technical and intensive information security training that focuses on attacking and defending highly secured environments. EC-Council has launched the Center of Advanced Security Training (CAST) to address the lack of highly technically skilled information security professionals. CAST will provide a highly advanced technical security training called the Advanced Penetration Testing training (APT). This highly sought-after and advanced information security course will be offered at all EC-Council hosted conferences and events, and through specially selected training partners. The launch classes for CAST will be at the upcoming TakeDownCon Dallas, from May 15-17, 2011.
About EC-Council
EC-Council is a member-based organization that certifies individuals in various e-business and security skills. It is the owner and developer of the world famous Certified Ethical Hacker (CEH) course, Computer Hacking Forensics Investigator (CHFI) program, License Penetration Tester (LPT) program and various other information security training programs offered in over 60 countries around the globe. EC-Council has trained over 80,000 individuals in technical security training and certified more than 30,000 security professionals. EC-Council has launched the Center of Advanced Security Training (CAST) to address the lack of highly technically skilled information security professionals. www.eccouncil.org.