Meanwhile, an interim report by security auditor Fox-IT later revealed that numerous DigiNotar servers had been compromised by hackers originating from Iran between June 17 and July 22, resulting in more than 530 compromised domains.
In addition, the Fox-IT report revealed that Google web mail had been compromised for more than 300,000 Iranian customers. The Fox-IT report identified 300,000 unique IP requests to the phony Google.com domain, with 99 percent originating from Iran, suggesting that the hacks were intentionally executed to intercept and spy on the Web communications of Iranian citizens.
Cyber criminals who hacked the DigiNotar SSL certificates were then given the ability to impersonate compromised domains, which allowed them to take control over all entered user content in order to execute spoofing and man-in-the-middle attacks.
Security experts contend that the fallout from the DigiNotar, Comodo and other SSL hacks could compel organizations to become more cautious and limit the number of CAs they deem trustworthy.
Terence Spies, chief technology officer and data protection expert at Voltage Security, said that the DigiNotar hack could likely encourage vendors to be more discerning and implement more stringent requirements for their partnering CAs.
Spies said that the problem didn’t fundamentally reside with the SSL technology itself, but that "all those certificates could be signed by any number of authorities.” He added: “The main technical fallout of this has been a lot of soul searching and looking for solutions to the problem. How do we reduce the size of that trust store?”
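An added example of the "reduce the trust store" idea Spies describes; it is not code from the article or from any organisation quoted in it. It builds two unrelated root CAs with the openssl command-line tool, has each issue a certificate for the same placeholder hostname (mail.example.test, a constructed name), and then shows that a client trusting only the CA it actually relies on rejects the certificate from the other CA, while a broad store accepts both. All CA names, file paths and the function names are assumptions made for the demo.

```shell
#!/bin/sh
# Added example, not from the article: why a small trust store matters.
# Requires the openssl command-line tool. Every CA, key and hostname below
# is constructed for the demo; "mail.example.test" is a placeholder name.
set -e

WORK="$(mktemp -d)"

# make_ca LABEL COMMONNAME: self-signed root CA -> $WORK/LABEL.pem and LABEL.key
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# issue_leaf CALABEL LEAFLABEL HOSTNAME: server certificate for HOSTNAME,
# signed by the named CA -> $WORK/LEAFLABEL.crt
issue_leaf() {
  openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$3" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" \
    -CAcreateserial -sha256 -days 1 -out "$WORK/$2.crt" >/dev/null 2>&1
}

# trust_decision STORE CERT: prints "accept" if CERT chains to a CA in STORE,
# otherwise "reject". This is the check a TLS client makes on every handshake.
trust_decision() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo accept
  else
    echo reject
  fi
}

# setup_demo: two unrelated roots, and a certificate for the SAME hostname
# from each. The second stands in for a certificate the site owner never
# asked any CA to issue (the DigiNotar situation, in miniature).
setup_demo() {
  make_ca corp-ca  "Corporate Root CA"
  make_ca other-ca "Unrelated Root CA"
  issue_leaf corp-ca  leaf-corp  mail.example.test
  issue_leaf other-ca leaf-other mail.example.test

  # Broad store: trusts both roots. Restricted store: only the root the
  # organisation actually relies on for this hostname.
  cat "$WORK/corp-ca.pem" "$WORK/other-ca.pem" > "$WORK/broad.pem"
  cp "$WORK/corp-ca.pem" "$WORK/restricted.pem"
}

setup_demo
for store in broad restricted; do
  for leaf in leaf-corp leaf-other; do
    printf '%-10s store, %-10s: %s\n' "$store" "$leaf" \
      "$(trust_decision "$WORK/$store.pem" "$WORK/$leaf.crt")"
  done
done
```

Run as a script: the broad store accepts both certificates, so a mis-issued certificate from any trusted root passes; the restricted store rejects the one from the unrelated root. Shrinking the store is only a defence if the certificates a client genuinely needs still chain to the roots that remain, which is why the trimming is done per organisation rather than globally.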
In the wake of Fox-IT’s report, Google warned Iranian Gmail customers in a blog post last week to take a number of precautions to protect themselves from possible compromise or attack as a result of the bogus SSL certificates. Among other things, Google advised Iranian users to change their account passwords, check which web sites and applications are allowed to access their Google accounts, and check Gmail settings for suspicious forwarding addresses or delegated accounts.
“While Google’s internal systems were not compromised, we are directly contacting possibly affected users and providing similar information below because our top priority is to protect the privacy and security of our users,” said Eric Grosse, vice president of security engineering, in a Google blog post.
Subsequently, Spies said that it would be incumbent upon vendors to partner with trusted SSL CAs that have passed security audits and implemented security mechanisms, since those CAs are more likely to be resistant to state-sponsored attacks and social engineering.
“The other thing is that people are now wondering how do you undersign security systems designed to resist malicious actions by state actors?” Spies said. “You can’t build a system that’s going to be completely resilient. You’re going to have to start more actively looking at who are the people you trust.”