Archive for September, 2011

DigiNotar

Here is a summary of the DigiNotar hack that has been in the news.

DigiNotar is a Dutch Certificate Authority (CA). They provide a root certificate installed in your IE, Firefox, Safari or Chrome web browser. They are one of several hundred Certificate Authorities.

First of all, someone noticed that an unauthorized Google certificate had been created. The certificate was for “*.google.com” and allowed anyone holding it to perform a Man-in-the-Middle (MITM) attack. Essentially, someone could intercept any secure traffic to and from Google (Gmail, etc.). It was spotted by someone in Iran. The Google certificate was signed by DigiNotar, which was unusual, as Google uses a different CA. This sort of activity would be noticed if you had installed a browser add-on like Firefox’s Certificate Patrol.

This created quite a bit of news, similar to the Comodo hack. According to the Associated Press, “DigiNotar acknowledged it had been hacked in July, though it didn’t disclose it at the time. It insisted as late as Tuesday that its certificates for government sites had not been compromised.” And: “But Donner said a review by an external security company had found DigiNotar’s government certificates were in fact compromised, and the government is now taking control of the company’s operations. The government also is trying to shift over to other companies that act as digital notaries, he said.”

It was then revealed that 531 forged certificates had been created, targeting the CIA, Yahoo, Twitter, Facebook, WordPress, Microsoft Live, torproject, Mozilla, Skype, and others.


The root certificate to DigiNotar was revoked by Microsoft, Google (Chrome), and Mozilla (Firefox). Firefox was updated to 6.0.2 to address this.

It turns out that someone who calls themselves the ComodoHacker claims to have hacked both Comodo and DigiNotar. The hacker has bragged about his intentions in his Pastebin account. Some of his comments:

  • He is an independent hacker, and not part of an Iranian Cyber Army
  • He is a hactivist – he hacks for his own reasons
  • He hacked DigiNotar because of their involvement in the Srebrenica genocide 16 years ago.
  • He’s protesting “US and Israel’s involvement in Stuxnet”
  • He’s protesting HBGary’s CEO for spreading malware in the Middle East, and that the FBI did not “see/find/detect/catch” this.
  • He has hacked 4 other CAs and names one: GlobalSign. In response, GlobalSign stopped issuing certificates.
  • He claims he has hacked Microsoft’s update process. For proof, he has created a modified version of calc.exe that is “signed by Microsoft.”

There is some discussion about whether this person really is him. We shall see.

Expect more news. Many security experts have stated that the entire certificate infrastructure is broken. Having 100+ Certificate Authorities, all trusted equally, is just a bad idea. This is the opposite of Defense in Depth, where multiple failures are needed to compromise a system. Here, if any CA fails, the entire system fails. Let’s compare the two approaches mathematically.

Suppose you had a system where each certificate was signed by two certificate authorities. For the sake of simplification, let’s assign a probability of 1% to the compromise of any one CA. Perhaps it should be 0.1%, but we can look at that later.

In the case of two CAs signing each certificate, both must be compromised, so the probability of a certificate compromise is (CA1)*(CA2), or in this case (1%*1%), or 0.01%.

Compare this to the case where you have ten CAs, and if ANY one of them is compromised, every certificate may be suspect.

To calculate the probability of a certificate compromise with multiple equivalent CAs, you need the formula

1-(1-CA1)*(1-CA2)*(1-CA3)*(1-CA4)*(1-CA5)*(1-CA6)*(1-CA7)*(1-CA8)*…*(1-CAn)

If there are 10 CAs, each with a 1% probability of failure, then the probability of a failure if any one of them is compromised is

1-(99%*99%*99%*99%*99%*99%*99%*99%*99%*99%),

which is

1-0.99^10 => 1-0.90438, or about 10%

If you had a hundred CAs, then the chance of a failure is 1-0.99^100, or 1-0.3660, or 73%!

Suppose you change the percentage to 0.1% per CA. 0.999^100 is 90.4%, so the chance of any single certificate being compromised is 10%.

If you assume 0.01% per individual CA, the probability becomes 1%.

In any case, the proliferation of CAs in the browser has seriously broken Internet security. This is why people and teams like CMU and Moxie Marlinspike are offering suggestions.
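The two models above (every signing CA must fail, versus any one trusted CA may fail) written out as PowerShell functions, so you can plug in your own per-CA estimate and number of trusted CAs. This is an added example, not code from the original post; the function names and the table of sample values are this example's own. Evaluated numerically, the any-may-fail formula gives about 9.6% for 10 CAs at 1% each and about 63% for 100 CAs at 1% each, 9.5% for 100 CAs at 0.1% each, and 1% for 100 CAs at 0.01% each.

```powershell
# Added example (not from the original post): compare the two trust models.
# $p is the assumed probability that one CA is compromised (1% = 0.01).

function Get-AllMustFailProbability {
    # A forged certificate needs every one of $k signing CAs to be compromised.
    # Assuming independent failures that is p^k; with k = 2 and p = 1% it is 0.01%.
    param([double]$p, [int]$k)
    [math]::Pow($p, $k)
}

function Get-AnyMayFailProbability {
    # Any one of $n equally trusted CAs can issue a forged certificate, so the
    # certificate is only safe if none of them fails: 1 - (1-p)^n.
    param([double]$p, [int]$n)
    1 - [math]::Pow(1 - $p, $n)
}

# Sample table: per-CA compromise probability against the number of trusted CAs.
$rows = foreach ($p in 0.01, 0.001, 0.0001) {
    foreach ($n in 2, 10, 100, 500) {
        New-Object PSObject -Property @{
            PerCaPercent       = $p * 100
            TrustedCAs         = $n
            TwoMustSignPercent = [math]::Round((Get-AllMustFailProbability -p $p -k 2) * 100, 4)
            AnyMayFailPercent  = [math]::Round((Get-AnyMayFailProbability -p $p -n $n) * 100, 2)
        }
    }
}
$rows | Format-Table PerCaPercent, TrustedCAs, TwoMustSignPercent, AnyMayFailPercent -AutoSize
```

The TwoMustSignPercent column does not depend on how many CAs exist, only on how many must cooperate to sign; the AnyMayFailPercent column grows with every CA added to the browser's trust store, which is the point the post is making.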


How should I secure my Computer?

Several of my non-geeky friends have asked for advice on how to make sure their computer is secure. I decided to write a series of tutorials, written to different levels:

  • Beginners – something simple for people who don’t feel comfortable with computers.
  • Advanced – someone with years of experience. See My Advanced Guide.
  • Expert – someone who goes to extreme levels of protection.

This post is the tutorial for beginners. Check the Advanced guide if you want more protection with more work.

1. Make sure your operating system is up to date and all of the security patches are applied.

This is the most important thing you can do. Check your computer, and make sure your system is installing patches regularly. Frankly, if you are using Windows XP, you should use Windows 7 instead. Windows 7 has several advanced protection mechanisms XP does not have.

Windows 7

Click on the Windows icon in the lower left corner, and type Action Center. Then click on Windows Update. Make sure your computer is up to date. If not, check your settings. Remember that if you shut down your computer every night, it might not be getting the updates automatically.

2. Install an anti-virus package

Install an anti-virus package. If you really want to, install a commercial one. However, Microsoft’s anti-virus package, Security Essentials, is free, works well, and doesn’t get in your way. Note that Microsoft monitors what computers get infected with, and they keep their anti-virus packages up to date.

3. Check your Computer Security Status

This will verify you have the system set up correctly.

Windows 7 Tips

Go to the Windows icon, click the mouse and type “Check Security Status”. The following items should be “On” or “OK”:

  • Network Firewall (Windows Defender) – If you install Microsoft Security Essentials, Windows Defender will not turn on. That’s okay. MSE replaces Windows Defender.
  • Windows Update
  • Virus Protection
  • Spyware and Unwanted software protection
  • Internet Security Settings
  • User Account Control


4. Keep your software up to date

Certain software needs to be up to date to protect your computer.

Your Browser

This is the most important package, as hackers will generate code that can break right through your browser and gain access to your computer. Check to see if your browser, whether Firefox, Internet Explorer, or Safari, is up to date.

Acrobat Reader

The second biggest target on your computer is Adobe Acrobat. Hackers try to trick you into opening PDF files, which can install malware on your computer.

Java

If you have Java installed on your computer, make sure it’s up to date. Sun/Oracle have a program that will check to see if your copy of Java is up to date. Make sure that when you install it, you don’t install the extra software that Oracle is paid to promote.

iTunes/QuickTime

iTunes has an auto-update feature. It checks if you are out of date. That’s good. It also asks you to install Safari and a Mobile Media package, which I don’t like to install because I don’t need it.

Microsoft Office

Microsoft Office files have been used to hack into computers. Opening a Word or Excel document can compromise a computer if you are not up to date.


4. Make sure your browser’s plug-ins are up-to-date

Go to Mozilla’s plug-in checker. This is fast and free. It tells you if your copy of Acrobat Reader or Java is out of date. It will also check Flash, Silverlight, etc.

The second way to do this is to use the Qualys plug-in checker. This requires you to install a plug-in, but it checks for things that Mozilla’s web page cannot check. They also offer a JavaScript-only check instead.
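The checks in steps 1 to 4 above (updates installing automatically, an anti-virus product registered and current, firewall and UAC on, and the versions of the commonly attacked programs) can also be read off the machine from PowerShell, which ships with Windows 7. The script below is an added example and is not from the original post. The COM objects (Microsoft.Update.AutoUpdate, Microsoft.Update.Session, HNetCfg.FwPolicy2), the root\SecurityCenter2 WMI class and the registry keys are standard Windows ones; the function names, the productState decoding (which Microsoft does not document) and the list of program names to look for are this example's own assumptions.

```powershell
# Added example (not from the original post): audit checklist items 1 to 4 on Windows 7.
# Run from an elevated prompt: Start, type PowerShell, right-click it, Run as administrator.

function Get-WindowsUpdateStatus {
    # Windows Update Agent COM API. NotificationLevel 4 = "install updates automatically".
    $au       = New-Object -ComObject 'Microsoft.Update.AutoUpdate'
    $session  = New-Object -ComObject 'Microsoft.Update.Session'
    $searcher = $session.CreateUpdateSearcher()
    # Updates that apply to this machine but are not installed yet (the search can take a minute).
    $pending  = $searcher.Search('IsInstalled=0 and IsHidden=0').Updates.Count
    New-Object PSObject -Property @{
        AutomaticInstall = ($au.Settings.NotificationLevel -eq 4)
        PendingUpdates   = $pending
    }
}

function Get-AntiVirusStatus {
    # Security Center lists every registered anti-virus product (Security Essentials included).
    # productState is undocumented; the widely used decoding is assumed here:
    # bit 0x1000 set = real-time protection on, bit 0x10 set = signatures out of date.
    Get-WmiObject -Namespace 'root\SecurityCenter2' -Class AntiVirusProduct |
        ForEach-Object {
            New-Object PSObject -Property @{
                Product            = $_.displayName
                RealTimeProtection = (($_.productState -band 0x1000) -ne 0)
                SignaturesCurrent  = (($_.productState -band 0x10) -eq 0)
            }
        }
}

function Get-FirewallAndUacStatus {
    # Windows Firewall per profile via the HNetCfg.FwPolicy2 COM object: 1 = Domain, 2 = Private, 4 = Public.
    $fw  = New-Object -ComObject 'HNetCfg.FwPolicy2'
    # User Account Control is on when the EnableLUA registry value is 1.
    $uac = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System').EnableLUA
    New-Object PSObject -Property @{
        FirewallDomain  = $fw.FirewallEnabled(1)
        FirewallPrivate = $fw.FirewallEnabled(2)
        FirewallPublic  = $fw.FirewallEnabled(4)
        UacEnabled      = ($uac -eq 1)
    }
}

function Get-InstalledVersions {
    # Versions of the programs the post singles out, read from the registry keys that
    # Add/Remove Programs uses (32-bit and 64-bit views; the second key is absent on 32-bit Windows).
    param([string[]]$NamePatterns)
    $uninstall = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $uninstall -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        Where-Object {
            $name = $_.DisplayName
            @($NamePatterns | Where-Object { $name -like $_ }).Count -gt 0
        } |
        Select-Object DisplayName, DisplayVersion |
        Sort-Object DisplayName
}

'== 1. Windows Update =='
Get-WindowsUpdateStatus | Format-List
'== 2. Anti-virus =='
Get-AntiVirusStatus | Format-Table Product, RealTimeProtection, SignaturesCurrent -AutoSize
'== 3. Firewall and UAC =='
Get-FirewallAndUacStatus | Format-List
'== 4. Commonly attacked software (compare each version with the vendor''s current release) =='
Get-InstalledVersions -NamePatterns 'Mozilla Firefox*', 'Adobe Reader*', 'Java*', 'iTunes*', 'QuickTime*', 'Microsoft Office*' |
    Format-Table -AutoSize
```

Anything that comes back False, a PendingUpdates count above zero, or an old DisplayVersion points at the corresponding step above. The version list only tells you what is installed; deciding whether it is current still means comparing against the vendor's site or one of the plug-in checkers mentioned.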


5. Brian Krebs gives us three rules for remaining safe:

Brian Krebs is a very smart blogger, and I love how his rules are simple yet effective.

  • If you didn’t go looking for it, don’t install it!
  • If you installed it, update it.
  • If you no longer need it, remove it.

If your operating system has a pop-up at the bottom of your screen, it is part of the operating system. If it appears when you go to a web page, it’s not from your computer. It’s from the external site – don’t trust it! It could be a lie.

He also adds: don’t download illegal software.

6. Get a hardware-based firewall.

This is part of the Advanced step, but I want to mention it here. Get a hardware-based firewall between you and the Internet. Your cable modem doesn’t count. The “firewall” on your computer doesn’t count. You should get a separate box between your computers and the hardware your ISP provides. This box should be configured to do NAT (Network Address Translation). Some also provide wireless access.

Make sure you change the default password.

Make sure you keep the firmware up to date.

If it provides Wireless Access, turn on encryption.

Don’t use WEP encryption. WPA is also vulnerable in some cases. Use WPA2 if you can.

7. Check your system using ShieldsUp

Go to Steve Gibson’s web site and go to the Services => ShieldsUp! page.

Click on Service Ports to have his machine probe your machine for open ports.

Don’t be concerned if you get a blue (closed) icon. However, if any of the ports show up red, then be concerned. You may have something running on your firewall that allows someone to gain access to your computer.
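If ShieldsUp does report an open port, the next question is what program on your own machine is listening there. The PowerShell function below, an added example that is not from the original post, lists every listening TCP and UDP port together with the process that owns it, using the netstat command that ships with Windows; the function name, the regular expression and the output layout are this example's own. Run it from an elevated prompt so that process names for system services resolve.

```powershell
# Added example (not from the original post): what is listening on this machine, and which
# program owns it. Compare the port numbers with what ShieldsUp reports from the outside.

function Get-ListeningPorts {
    # netstat -ano prints one line per socket with the owning process id in the last column.
    # TCP lines carry a state column (only LISTENING is kept); UDP lines have no state column.
    # Groups: 1 protocol, 2 local address, 3 port, 4 optional LISTENING, 5 process id.
    $pattern = '^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+\s+(?:(LISTENING)\s+)?(\d+)\s*$'
    netstat -ano | ForEach-Object {
        if ($_ -match $pattern -and ($Matches[1] -eq 'UDP' -or $Matches[4] -eq 'LISTENING')) {
            $owner = [int]$Matches[5]
            $proc  = Get-Process -Id $owner -ErrorAction SilentlyContinue
            $procName = '(unknown)'
            if ($proc) { $procName = $proc.ProcessName }
            New-Object PSObject -Property @{
                Protocol     = $Matches[1]
                LocalAddress = $Matches[2]
                Port         = [int]$Matches[3]
                ProcessId    = $owner
                Process      = $procName
            }
        }
    }
}

Get-ListeningPorts |
    Sort-Object Protocol, Port |
    Format-Table Protocol, LocalAddress, Port, ProcessId, Process -AutoSize
```

A LocalAddress of 127.0.0.1 or [::1] is only reachable from the machine itself and cannot show up red at ShieldsUp; 0.0.0.0 or [::] means the program accepts connections from any network, and it is those entries that should be matched against the external report and either explained or removed.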
