Make in-app payments easy and secure with Apple Pay. Click here to see how.
Welcome Guest | Sign In
LinuxInsider.com

Malware Munches on Mitsubishi, and Certificates Can Lie

Malware Munches on Mitsubishi, and Certificates Can Lie

After breaking into the systems of several U.S.-based military contractors, digital intruders have set their sights on Japanese corporations, including Mitsubishi Heavy Industries. Meanwhile, the reverberations from the DigiNotar breach continue to shake up the security world, with one hacker claiming to be able to slip into Windows through its update system.

By Richard Adhikari TechNewsWorld ECT News Network
09/20/11 5:00 AM PT

In the wake of repeated hacker attacks on defense contractors in the United States comes news that the systems of Mitsubishi Heavy Industries, Japan's biggest defense contractor, have been breached.

Mitsubishi's submarine, missile and nuclear power plant component factories were reportedly targeted by the attackers.

Meanwhile, the security community is warning that digital certificates can't be trusted following the revelation earlier this month that Dutch certificate authority DigiNotar had several certificates compromised.

The discovery came when Google learned that some users of its encrypted services in Iran were targeted by an attacker using a fake DigiNotar certificate.

The ripple effect from the DigiNotar hack continues.

A hacker in Iran calling himself "ComodoHacker" has claimed that he can issue fake Windows updates, a statement that drew an emphatic denial from Microsoft.

Still, some security experts are now expressing concern that the widely used public key infrastructure, which lies at the heart of digital certificates, may not be secure enough.

Little Things May Mean a Lot

About 80 computers were reportedly infected with at least eight different kinds of malware in the attack on Mitsubishi.

The infected computers are reportedly located at the company's headquarters in Tokyo and manufacturing and research and development sites in Kobe, Nagasaki and Nagoya.

The Kobe site reportedly builds submarines and makes components for nuclear power stations, the Nagasaki site makes escort ships, and the Nagoya plant makes guided missiles and rocket engines.

Mitsubishi has also been working closely with Boeing, but it's not yet clear whether that association was one of the factors that played into the attack.

Are Digital Certs Just Empty Claims?

In the wake of the DigiNotar attack, Iranian hacker ComodoHacker has claimed that he owns about 300 code signing certificates and "a lot" of SSL certificates with code-signing permission. He also claimed to be able to issue fake Windows updates.

However, those claims are false, Jerry Bryant, group manager of trustworthy computing at Microsoft, told TechNewsWorld.

"Windows Update is not at risk from fraudulent certificates, as the update client will only install binaries signed by our own root certificate authority certificate," Bryant explained.

That's backed up by Don DeBolt, director of threat research at Total Defense.

"Based on publicly available information, I believe ComodoHacker can issue fraudulent certificates, but not manipulate the Windows Update process as he claims," DeBolt told TechNewsWorld.

However, in security, "there is no such thing as 100 percent secure," DeBolt warned.

If the Windows update client code can be tricked somehow into believing update packages are signed by the Microsoft Root Certificate Authority when they're not, then attackers could install their own software through Windows update, DeBolt suggested.

PKI May Not Be Enough

In cryptography, public key infrastructure (PKI) is an arrangement that binds public keys with specific user identities through certificate authorities.

PKI is based on public key cryptography, which requires two separate keys to decrypt a message and access its contents.

Either the encryption or decryption key is publicly available, while the other isn't, and you can't deduce either key if you have the other.

PKI is the underlying technology for Internet standards such as Transport Layer Security, which is the successor to the Secure Sockets Layer (SSL); Pretty Good Privacy (PGP); and Gnu Privacy Guard (GPG), a GPL-licensed alternative to PGP.

Flaws in PKI, therefore, will reverberate through the Internet.

"For all the infrastructure advantages and business benefits of PKI, it doesn't actually deliver the security most people assumes it provides," Mark Yakabuski, a vice president at SafeNet, told TechNewsWorld.

"As many recent breaches have proven, most IT security personnel overlook the fact that their keys are protected in softwarel, and this leaves them vulnerable," Yakabuski explained.

Digital certificates signed by a certificate authority are at the heart of PKI and, if the certificate's compromised, the entire PKI environment's compromised, Yakabuski said.

IT should add hardware security modules to protect certificate private keys, Yakabuski recommended.


Facebook Twitter LinkedIn Google+ RSS