London: Commenting on reports that Google and Microsoft have started warning users about active phishing attacks against Google's online properties, Venafi says this cybercriminal fraud is a complex one that will fool most Internet users, side-step most of their IT security systems and place organisations at increased risk of costly breaches and reputational damage.
According to Jeff Hudson, CEO of the Enterprise Key and Certificate Management (EKCM) solution specialist, this latest attack stems from a fraudulent digital certificate for the '*.google.com' domain, created under an intermediate CA certificate mistakenly issued by a Turkish certificate authority.
“The certificate was issued by an intermediate certificate authority (CA) linking back to Turkish CA TURKTRUST. Since an intermediate CA certificate taps the full authority of the CA, it can effectively be used to create a certificate for any Web site that the cybercriminals wish to impersonate,” he said.
“This TURKTRUST compromise is comparable to the DigiNotar problem in that, if organisation B reports that organisation A is sound, and relays that information to organisation C, then organisation A is effectively being peer certified to organisation C,” he added.
“The bottom line here is that the fraudulent certificate can be used to spoof content, perform drive-by or phishing attacks, as well as to stage man-in-the-middle attacks,” he said.
The Venafi CEO went on to say that, once again, Internet users are left wide open, since a cybercriminal attacker with CA signing abilities can sign certificates for virtually any domain. Enterprises need to recognise that certificate-based attacks are no longer hypothetical and have become a preferred attack vector. Every organisation needs to be prepared for this inevitable fact of IT security life.
Recent guidance from the US National Institute of Standards and Technology (NIST) provides a clear roadmap for how organisations can prepare for an attack on their internal or external CAs and how to respond. These attacks demand a response within minutes; otherwise any enterprise, whether bank, retailer or manufacturer, is exposed to further breaches.
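The mechanics behind Hudson's point that an intermediate CA certificate "taps the full authority of the CA", together with the two controls a relying party actually has, as an added example written for this page (it is not code from Venafi, TURKTRUST, Google or Microsoft, and it does not reproduce the real certificates). It builds an in-memory root, an intermediate that the root issues without name constraints, and a leaf for *.google.com minted with the intermediate's key; a client that trusts only the root accepts that leaf. It then shows the response (distrusting the intermediate by the SHA-256 of its public key, the same idea as a browser blocklist but an assumed implementation, not any vendor's) and the prevention (an RFC 5280 name-constrained intermediate, which still works for the subscriber's own hosts). The CA names, the '.subscriber.example' domain and the SPKI-hash blocklist are all assumptions; only Go's standard-library crypto/x509 is used.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// ca is an in-memory certificate authority; every name here is a stand-in, not a real CA.
type ca struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue gives tmpl a fresh P-256 key, a random serial and a validity window, then has parent sign it (self-signed when parent is nil).
func issue(tmpl *x509.Certificate, parent *ca) ca {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl.SerialNumber = must(rand.Int(rand.Reader, big.NewInt(1<<62)))
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	signer := &ca{tmpl, key}
	if parent != nil {
		signer = parent
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, signer.cert, &key.PublicKey, signer.key))
	return ca{must(x509.ParseCertificate(der)), key}
}

// newCA issues a CA certificate (a root when parent is nil). With permitted == nil an intermediate
// inherits the parent's full authority, the article's mistake; otherwise it carries an RFC 5280 name constraint.
func newCA(parent *ca, name string, permitted []string) ca {
	tmpl := &x509.Certificate{
		Subject: pkix.Name{CommonName: name}, IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	if permitted != nil {
		tmpl.PermittedDNSDomains, tmpl.PermittedDNSDomainsCritical = permitted, true
	}
	return issue(tmpl, parent)
}

// issueLeaf: whoever holds an intermediate's key can mint a server certificate for any host.
func (c *ca) issueLeaf(host string) *x509.Certificate {
	return issue(&x509.Certificate{
		Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, c).cert
}

// spkiHash: SHA-256 of the SubjectPublicKeyInfo, so a distrust entry survives re-issuance of the same key under a new serial.
func spkiHash(c *x509.Certificate) string {
	return fmt.Sprintf("%x", sha256.Sum256(c.RawSubjectPublicKeyInfo))
}

// clientAccepts models a TLS client that trusts only root, is handed intermediate and
// leaf by the server, and refuses any chain that passes through a distrusted SPKI.
func clientAccepts(root, intermediate, leaf *x509.Certificate, host string, distrusted map[string]bool) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(intermediate)
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: host})
	if err != nil {
		return err // bad signature, expiry, host mismatch or name-constraint violation
	}
next:
	for _, chain := range chains {
		for _, c := range chain {
			if distrusted[spkiHash(c)] {
				continue next
			}
		}
		return nil // at least one chain avoids every distrusted key
	}
	return fmt.Errorf("every chain to %q passes through a distrusted certificate", host)
}

func main() {
	root := newCA(nil, "Example Root CA", nil)
	rogue := newCA(&root, "Subscriber CA (unconstrained)", nil) // the mistaken issuance
	fake := rogue.issueLeaf("*.google.com")
	fmt.Println("1. unconstrained intermediate:", clientAccepts(root.cert, rogue.cert, fake, "mail.google.com", nil))
	block := map[string]bool{spkiHash(rogue.cert): true} // 2. response: distrust that key
	fmt.Println("2. after distrust:", clientAccepts(root.cert, rogue.cert, fake, "mail.google.com", block))
	boxed := newCA(&root, "Subscriber CA (constrained)", []string{".subscriber.example"}) // 3. prevention
	fmt.Println("3. own host:", clientAccepts(root.cert, boxed.cert, boxed.issueLeaf("www.subscriber.example"), "www.subscriber.example", nil))
	fmt.Println("3. *.google.com:", clientAccepts(root.cert, boxed.cert, boxed.issueLeaf("*.google.com"), "mail.google.com", nil))
}
```

Case 1 prints a nil error: nothing in the chain is cryptographically wrong, which is why the fraud "side-steps" ordinary controls. Case 2 is the minutes-scale response the NIST guidance calls for, and it only works if the client can be updated with the distrusted key quickly. Case 3 is the issuer-side control: had the intermediate carried a name constraint, the *.google.com leaf would have failed verification on every conforming client without any emergency update.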
Hudson explained that, as Venafi said in the wake of the now infamous 2011 DigiNotar CA incident, it is situations like this that highlight the problem of certificate issuers publishing digital certificates without fully verifying the identity of the party requesting the certificate.
In the September 2011 incident, he said, the attacker who penetrated the Dutch CA DigiNotar had complete control of all eight of the company's certificate-issuing servers during the operation, meaning they could issue as many rogue certificates as they wished.
“The take-out is that enterprises need to have security systems in place to handle these trust compromises. All enterprises need to be looking at their highest-value assets - the servers and applications where sensitive and regulated data flows - and ensure they are protected by certificates,” he added.
“Plans should also be in place to recover the security in the event the integrity of the trust provider is compromised.”