The Data Breach you may not have heard about, but should definitely care about
About two weeks ago a company called DigiNotar reported to the world that they had a problem. It was August 30, 2011 and the company was discussing an “intrusion” that had occurred on or about July 19, 2011. DigiNotar, located in the Netherlands, is a subsidiary of VASCO, an American company. DigiNotar is what is called a “Certificate Authority,” or CA: it issues the digital certificates that your browser relies on to know it is talking to the site it thinks it is.
As you will see, this is scary.
Imagine you are walking down the street and have $1,000.00 cash in your pocket that you want to deposit into your bank. As you turn the corner, you see a new bank location that appears to be open. It’s not the one you usually go to, but it has all the right signs and colors and it looks like your bank just opened another location – how convenient for you. You walk in and hand them your money as a deposit and go about your day. Later that day you walk by the same location, except now it's not your bank anymore, it appears to be a tax preparation service location with people walking in with their tax information.
Man, how’d that happen so fast…
Now imagine that the whole story above happened on the Internet. Since you can’t “see” on the Internet you are at the mercy of certain organizations in order to “trust” where you are on the Internet. Anyone can copy a website, but there are technologies to assure you that when you are visiting your bank or downloading your latest Amazon purchase you actually are doing just that. This “trust” happens because of the existence of Certificate Authorities.
But on August 30, 2011, DigiNotar told us that back in July someone broke in and made off with certificates from their CA, some 500 of them. (PS - another company, NJ-based Comodo, suffered a breach losing about nine certificates. The real difference is that DigiNotar didn't tell anyone for a wwwhile.)
Whose were stolen? They don’t say.
Who stole it? The Iranians, they say.
Why were they stolen? So the Iranian Government could snoop on people who might be planning protests… that was one story.
Picture courtesy of the Internet, although it's a fairly accurate representation of the error message generated by Firefox if the certificate is invalid - please hit the "get me outta here" button if you see this in your travels.
These Certificate Authorities are kinda key to the safety of the Internet. I say “kinda” just to be funny, because they’re not “kinda” key – they’re essential. They’re essential and so is their authenticity. Their whole purpose of existence is to deliver one message and one message only: “HEY YOU, YA YOU, YOU ARE DEFINITELY WHERE YOU THINK YOU ARE…” (well, it has more than one purpose, it also provides for encrypted communication and some other details but I don't want to confuse the issue further)
How would having one of these certificates be helpful? You could easily set up a look-alike website, send a link purporting to come from the actual site, and when the traffic arrives, visitors will all think they are in the right location because of the stolen certificate. The bad guys would simply be collecting your usernames and passwords and then showing you a message that says something like “Error 612, Please try again later”. (remember, there’s no real site to enter)
If the Iranians really did it, then they could collect email addresses and passwords for lots of people and then read the emails and do what oppressive regimes do.
If a cyber crook did it, they could collect usernames and passwords at the bank and then log into the real bank, transfer your money, and disappear.
This scam WILL WORK. There's no way to stop it once the CA is compromised (well, unless the CA tells the world and the various Internet browser providers make some very quick adjustments, such as pulling that CA out of the list of authorities the browser trusts).
Let’s just try something for kicks: click this link to “Bank of America Home Personal” and see what happens.
It somewhat appears that you are at Bank of America’s site, right? I left it incomplete so as to avoid any “issues” with the powers that be (see generally: Law Enforcement), but if I cleaned up the file, at first blush you’d think you were at Bank of America’s site, right? It’s not the site, not even close. It’s a sub-file of my blog’s site, uploaded from my computer. I could disguise the name on the link so it looked legit, could clean up the site so it appeared to be the real bank…even fix the address bar so you wouldn’t see the real location you were visiting.
Note what’s clearly missing: the little “LOCK” that appears at the real Bank of America site and the associated SSL (Secure Sockets Layer). Now imagine that you can set up a duplicate Bank of America site AND have that “lock” and the SSL (https)? A certificate from a trusted Certificate Authority will take care of all that for you. Here's a link to the real bank, with the "lock" and SSL intact.
I am only slightly above the "digital idiot" level and could probably figure a way to make that work, imagine what the real bad guys could do...
The digital world “revoked” trust in DigiNotar, and now we all should be updating our Internet browsers (IE, Firefox, Chrome, Safari, etc.) so that our little innocent PCs know about the “trust issue” and stop accepting anything DigiNotar signed.
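To make the last few paragraphs concrete, here is an added example (my own code, not anything from DigiNotar, VASCO or any browser vendor) using only Go's standard library. A constructed "rogue" root CA signs a certificate for a hostname it has no business vouching for (the placeholder name bank.example); the certificate passes the same chain check a browser performs as long as that root sits in the trust store, and fails the moment the root is removed, which is exactly the "very quick adjustment" the browser updates deliver.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// newCert issues a certificate from tmpl, signed by parentKey (self-signed when parent is nil).
func newCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	signer := key
	if parent == nil {
		parent = tmpl // self-signed root
	} else {
		signer = parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// ChainValid is the check a browser makes: does leaf chain to a root in the trust store for host?
func ChainValid(leaf *x509.Certificate, roots *x509.CertPool, host string) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil
}

// Demo: a constructed rogue root (stand-in for the compromised CA) signs a certificate for a
// hostname it should never certify; reports whether it validates with the root trusted, then removed.
func Demo() (whileTrusted, afterRemoval bool) {
	now := time.Now()
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: now, NotAfter: now.Add(time.Hour),
		Subject: pkix.Name{CommonName: "Rogue Root CA (constructed)"},
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	ca, caKey := newCert(caTmpl, nil, nil)
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), NotBefore: now, NotAfter: now.Add(time.Hour),
		Subject: pkix.Name{CommonName: "bank.example"}, DNSNames: []string{"bank.example"},
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	leaf, _ := newCert(leafTmpl, ca, caKey)
	roots := x509.NewCertPool()
	roots.AddCert(ca) // trust store still containing the rogue root, as before the browser updates
	return ChainValid(leaf, roots, "bank.example"), ChainValid(leaf, x509.NewCertPool(), "bank.example")
}

func main() { a, b := Demo(); println("trusted:", a, "after removal:", b) }
```

The first result is true and the second false: nothing about the bogus certificate changed, only whether the CA behind it is still trusted.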
Is it a case of the trusted trust givers dropping the ball? Or is it simply impossible to lock anything useful down in the digital world?
Man, oh man, or Woman, oh woman, whatever. I think I am starting to see what it was like to live in the Western United States in the 1800’s…. and why everyone carried a gun.
UPDATE: Department of Homeland Security has issued a warning... about this very issue.