Malware Munches on Mitsubishi, and Certificates Can Lie

By Richard Adhikari TechNewsWorld ECT News Network
Sep 20, 2011 5:00 AM PT

In the wake of repeated hacker attacks on defense contractors in the United States comes news that the systems of Mitsubishi Heavy Industries, Japan's biggest defense contractor, have been breached.

Mitsubishi's submarine, missile and nuclear power plant component factories were reportedly targeted by the attackers.

Meanwhile, the security community is warning that digital certificates can't be trusted following the revelation earlier this month that Dutch certificate authority DigiNotar had several certificates compromised.

The discovery came when Google learned that some users of its encrypted services in Iran were targeted by an attacker using a fake DigiNotar certificate.

The ripple effect from the DigiNotar hack continues.

A hacker in Iran calling himself "ComodoHacker" has claimed that he can issue fake Windows updates, a statement that drew an emphatic denial from Microsoft.

Still, some security experts are now expressing concern that the widely used public key infrastructure, which lies at the heart of digital certificates, may not be secure enough.

Little Things May Mean a Lot

About 80 computers were reportedly infected with at least eight different kinds of malware in the attack on Mitsubishi.

The infected computers are reportedly located at the company's headquarters in Tokyo and manufacturing and research and development sites in Kobe, Nagasaki and Nagoya.

The Kobe site reportedly builds submarines and makes components for nuclear power stations, the Nagasaki site makes escort ships, and the Nagoya plant makes guided missiles and rocket engines.

Mitsubishi has also been working closely with Boeing, but it's not yet clear whether that association was one of the factors that played into the attack.

Are Digital Certs Just Empty Claims?

In the wake of the DigiNotar attack, Iranian hacker ComodoHacker has claimed that he owns about 300 code signing certificates and "a lot" of SSL certificates with code-signing permission. He also claimed to be able to issue fake Windows updates.

However, those claims are false, Jerry Bryant, group manager of trustworthy computing at Microsoft, told TechNewsWorld.

"Windows Update is not at risk from fraudulent certificates, as the update client will only install binaries signed by our own root certificate authority certificate," Bryant explained.

That's backed up by Don DeBolt, director of threat research at Total Defense.

"Based on publicly available information, I believe ComodoHacker can issue fraudulent certificates, but not manipulate the Windows Update process as he claims," DeBolt told TechNewsWorld.

However, in security, "there is no such thing as 100 percent secure," DeBolt warned.

If the Windows update client code can be tricked somehow into believing update packages are signed by the Microsoft Root Certificate Authority when they're not, then attackers could install their own software through Windows update, DeBolt suggested.

PKI May Not Be Enough

In cryptography, public key infrastructure (PKI) is an arrangement that binds public keys with specific user identities through certificate authorities.

PKI is based on public key cryptography, which uses two separate keys: one to encrypt a message and a different one to decrypt it and access its contents.

Either the encryption or decryption key is publicly available, while the other isn't, and you can't deduce either key if you have the other.

PKI is the underlying technology for Internet standards such as Transport Layer Security (TLS), which is the successor to the Secure Sockets Layer (SSL); Pretty Good Privacy (PGP); and GNU Privacy Guard (GPG), a GPL-licensed alternative to PGP.

Flaws in PKI, therefore, will reverberate through the Internet.

"For all the infrastructure advantages and business benefits of PKI, it doesn't actually deliver the security most people assume it provides," Mark Yakabuski, a vice president at SafeNet, told TechNewsWorld.

"As many recent breaches have proven, most IT security personnel overlook the fact that their keys are protected in software, and this leaves them vulnerable," Yakabuski explained.

Digital certificates signed by a certificate authority are at the heart of PKI and, if the certificate's compromised, the entire PKI environment's compromised, Yakabuski said.

IT should add hardware security modules to protect certificate private keys, Yakabuski recommended.
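The Go program below is an added example, not part of the article, that models the two trust policies discussed above: an update client that accepts only its vendor's own root certificate (Bryant's description of Windows Update), and a client that trusts every CA in its store, which is why a breached CA such as DigiNotar undermines everything that relies on that store. All roots, signers and names are constructed inside the program; none of it is Microsoft's or DigiNotar's real material.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCert issues a self-signed CA (parent nil) or a code-signing leaf signed by parent.
func newCert(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: parent == nil, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
	if parent == nil { // a root signs itself and is allowed to sign others
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// ChainsTo reports whether leaf verifies for code signing against the given anchors:
// one anchor models a pinned-root update client, several model a broad trust store.
func ChainsTo(leaf *x509.Certificate, anchors ...*x509.Certificate) bool {
	pool := x509.NewCertPool()
	for _, a := range anchors {
		pool.AddCert(a)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}})
	return err == nil
}

func main() {
	vendorRoot, vendorKey := newCert("Vendor Update Root (constructed)", nil, nil)
	rogueRoot, rogueKey := newCert("Breached Public CA (constructed)", nil, nil)
	genuine, _ := newCert("Vendor Update Signer", vendorRoot, vendorKey)
	forged, _ := newCert("Vendor Update Signer", rogueRoot, rogueKey) // same name, wrong issuer
	fmt.Println(ChainsTo(genuine, vendorRoot), ChainsTo(forged, vendorRoot), ChainsTo(forged, vendorRoot, rogueRoot))
}
```

The pinned client rejects the forged signer even though its name matches, while the store-based client accepts it as soon as the breached CA is among its anchors.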
