Wednesday, 21 September 2011

Malware Munches on Mitsubishi, and Certificates Can Lie

After breaking into the systems of several U.S.-based military contractors, digital intruders have set their sights on Japanese corporations, including Mitsubishi Heavy Industries. Meanwhile, the reverberations from the DigiNotar breach continue to shake up the security world, with one hacker claiming to be able to slip into Windows through its update system.

In the wake of repeated hacker attacks on defense contractors in the United States comes news that the systems of Mitsubishi Heavy Industries, Japan's biggest defense contractor, have been breached.
Mitsubishi's submarine, missile and nuclear power plant component factories were reportedly targeted by the attackers.
Meanwhile, the security community is warning that digital certificates can't be trusted following the revelation earlier this month that Dutch certificate authority DigiNotar had several certificates compromised.
The discovery came when Google (Nasdaq: GOOG) learned that some users of its encrypted services in Iran were targeted by an attacker using a fake DigiNotar certificate.
The ripple effect from the DigiNotar hack continues.
A hacker in Iran calling himself "ComodoHacker" has claimed that he can issue fake Windows updates, a statement that drew an emphatic denial from Microsoft (Nasdaq: MSFT).
Still, some security experts are now expressing concern that the widely used public key infrastructure, which lies at the heart of digital certificates, may not be secure enough.

PKI May Not Be Enough

In cryptography, public key infrastructure (PKI) is an arrangement that binds public keys with specific user identities through certificate authorities.
PKI is based on public key cryptography, which uses two separate but mathematically linked keys: one encrypts a message and the other decrypts it.
One of the two keys is made public while the other is kept private, and neither key can be deduced from the other.
PKI is the underlying technology for Internet standards such as Transport Layer Security (TLS), the successor to the Secure Sockets Layer (SSL); Pretty Good Privacy (PGP); and GNU Privacy Guard (GPG), a GPL-licensed alternative to PGP.
Flaws in PKI, therefore, will reverberate through the Internet.
"For all the infrastructure advantages and business benefits of PKI, it doesn't actually deliver the security most people assume it provides," Mark Yakabuski, a vice president at SafeNet, told TechNewsWorld.
"As many recent breaches have proven, most IT security personnel overlook the fact that their keys are protected in software, and this leaves them vulnerable," Yakabuski explained.
Digital certificates signed by a certificate authority are at the heart of PKI and, if the certificate's compromised, the entire PKI environment's compromised, Yakabuski said.
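To make that last point concrete, here is an added example (it is not from the article or from anyone quoted in it) written in Go with the standard crypto/x509 package. It builds a "trusted" root CA and a "compromised" one, has each issue a certificate for the same constructed hostname, and runs the chain validation a browser performs: a certificate from a still-trusted but compromised CA is accepted just like a legitimate one, and only removing that CA from the trust store causes it to be rejected. All CA names, the hostname and the serial numbers are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue creates a certificate for name signed by parent (self-signed CA when parent is nil); only the fields chain validation needs are set, and Verify checks the server-auth EKU by default.
func issue(name string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { panic(err) }
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), // constructed serial number
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA:         isCA, BasicConstraintsValid: true,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if !isCA { tmpl.DNSNames = []string{name} } // a server cert is bound to its hostname via a SAN
	if parent == nil { parent, parentKey = tmpl, key } // self-signed: it is its own issuer
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// trusted is the browser-side check: does leaf chain to a root in the trust store and name host?
func trusted(leaf *x509.Certificate, host string, roots ...*x509.Certificate) bool {
	pool := x509.NewCertPool()
	for _, r := range roots { pool.AddCert(r) }
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: pool})
	return err == nil
}

// Scenario: a legitimate and a compromised CA each issue a certificate for the same constructed host; it reports acceptance of each leaf, and of the rogue one after its CA is distrusted.
func Scenario() (goodOK, rogueOK, rogueAfterDistrust bool) {
	const host = "mail.example.com"
	goodCA, goodKey := issue("Trusted Root CA", true, nil, nil)
	rogueCA, rogueKey := issue("Compromised CA", true, nil, nil)
	goodLeaf, _ := issue(host, false, goodCA, goodKey)
	rogueLeaf, _ := issue(host, false, rogueCA, rogueKey)
	goodOK = trusted(goodLeaf, host, goodCA, rogueCA)
	rogueOK = trusted(rogueLeaf, host, goodCA, rogueCA)   // accepted: the chain itself is valid
	rogueAfterDistrust = trusted(rogueLeaf, host, goodCA) // rejected once the CA leaves the store
	return
}
```

Nothing in the certificate itself distinguishes the rogue leaf from the legitimate one; the only defence the relying party has is the contents of its trust store, which is why browser vendors responded to DigiNotar by removing its roots.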
