In the aftermath of the DigiNotar, Comodo and RSA breaches – what have we learned? asks Gregory Webb, Director of Marketing, Venafi.
When a company prides itself on providing the most advanced and sophisticated network security solutions, and that company's own network is hacked, brand insult is added to data injury. Not only must the company compensate customers for their losses, but the breach incurs an unquantified cost to its reputation. No one wants to call on the services of a fire brigade whose own buildings burned down, and customers will invariably ask how a company's security solutions can protect them if they couldn't protect the company itself.
In 2011 the world has witnessed several cases in which network security companies – RSA, Comodo and StartSSL – themselves fell victim to hacking at a severe cost to their reputation. With DigiNotar recently joining the ranks of trusted third-party security organisations successfully compromised by hackers, enterprises need to move past the shock and begin formulating their own compromise recovery and business continuity plans.
All enterprises need to look at their highest-value assets – the servers and applications through which sensitive and regulated data flows, and which are protected by certificates. Plans must be in place to recover whenever the trust provider is compromised. This article details how those breaches occurred and the lessons that the victims learned from them.
RSA Breach
RSA, the Security Division of storage vendor EMC, forms a pillar of the security industry. Its name is so synonymous with security that the RSA Conference, considered one of the premier security conferences, bears its name (though there is no longer any official tie). And yet, in mid-March, RSA was hit by a breach that compromised the two-factor authentication product SecurID used by thousands of its customers.
RSA described the breach as an "advanced persistent threat" (APT), implying that a group with vast resources had targeted RSA over a long period of time. (Some critics contend that RSA is saving face with too liberal a use of the term; security analyst Scott Crawford called the scheme "plain old phishing.")
According to RSA, the attackers used "social engineering" techniques, first gleaning information on a group of RSA employees from social networking sites. The perpetrators then crafted "spear phishing" e-mails containing personal details that would entice the targets to open the messages. Opening the attached Excel file, "2011 Recruitment plan.xls," triggered a zero-day exploit of an Adobe Flash vulnerability (since patched) that installed a backdoor on the victims' computers. Once inside, the attackers moved laterally, seeking accounts with higher access privileges than those of the person originally duped; those privileged accounts allowed them to extract the SecurID-related data from the network, RSA said.
While RSA Executive Chairman Art Coviello blogged that RSA does not believe the items exposed could be used to steal from a customer, "this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack." Presumably, the attackers obtained the per-token data needed to calculate the one-time code that a given SecurID token displays at a given time, thus removing one factor from the authentication and leaving the user's PIN or password to stand on its own.
Sure enough, in late May, news outlets reported an attack on defense contractor Lockheed Martinโs network by hackers who reportedly used duplicate SecurID electronic keys pilfered in the RSA attack. Even though the attack failed, RSA has since offered to replace the SecurID tokens for any customer who wants them.
Comodo Breach
Comodo also operates in the security space as, among other things, a Public Key Infrastructure (PKI) Certificate Authority (CA). As a CA, Comodo issues certificates to other entities, attesting that those entities truly are who they claim to be. For example, when a browser establishes a Secure Sockets Layer (SSL) connection to a web site, the site presents its CA-signed certificate to prove that it is legitimate. If attackers can trick a CA into signing their fraudulent certificate requests, they can pose as Google, Yahoo or, worse, a bank. They can then, for instance, push malware to users' computers or trick users into exposing their financial account credentials.
Comodo discovered in March that it had inadvertently issued certificates to an Iranian hacker who called himself "Comodo Hacker" in a blog post. Somewhat like RSA, Comodo has attempted to present the attack as a vast, state-sponsored affair. Comodo's CEO and founder, Melih Abdulhayoglu, blogged that Comodo interpreted the breach as "'state driven/funded' attacks … from Iran."
However, Comodo Hacker challenged this interpretation. Although supportive of the Iranian regime, Comodo Hacker said he acted alone. He wrote, "I'm not a group. I'm [a] single hacker with [the] experience of 1,000 hackers. I'm [a] single programmer with [the] experience of 1,000 programmers."
News reports stated that the digital certificates were obtained through an affiliate of Comodo by someone who used a valid username and password. Comodo acted quickly, revoking the fraudulent certificates, and the major browsers – Internet Explorer, Firefox and Chrome – shipped updates blocking them. Comodo further assured its customers that it had suspended the two affiliated businesses that were supposed to vet certificate applications.
But analysts note serious flaws in Comodo's processes. That the requester had an Iranian IP address should have raised eyebrows, as should the fact that the requests were for well-known sites such as Google, Yahoo, Mozilla and Skype. Some security experts contend that cleaning up the fraudulently obtained Comodo certificates only deals with the known attack; to combat unknown risks, someone should cross-check the work of all CAs – besides Comodo, the leading ones are VeriSign and GoDaddy – to catch mistakes like these.
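As an added example, not part of the original article and not Comodo's own tooling, here is the kind of issuance gate a registration authority could run on every certificate request before anything is signed. It holds for a second approver any request whose subject is on a high-value watch list, and any request whose source country does not match the country the affiliate account is registered in; everything else may be auto-issued. The watch list, the country codes and the certificate signing requests are constructed inside the script for the demo using the openssl command-line tool; a real CA would draw these from its own records.

```shell
#!/bin/sh
# Added example: an issuance policy gate for a CA registration authority.
# Hypothetical policy inputs: HIGH_VALUE_DOMAINS is the CA's own watch list;
# the requester's IP country and the RA account's country are passed in by
# the caller (constructed values below, not data from the article).
set -e

HIGH_VALUE_DOMAINS="google.com yahoo.com mozilla.org skype.com live.com"

# Print the subject CN of a PEM-encoded CSR (single-RDN subjects assumed).
csr_cn() {
    openssl req -in "$1" -noout -subject -nameopt RFC2253 | sed 's/.*CN=//'
}

# Return 0 (true) when the request must be held for a second approver.
#   $1 = CSR path
#   $2 = ISO country code of the requester's IP address
#   $3 = ISO country code the RA/affiliate account is registered in
needs_dual_control() {
    cn=$(csr_cn "$1")
    for d in $HIGH_VALUE_DOMAINS; do
        case "$cn" in
            "$d"|*."$d")
                echo "hold: $cn is on the high-value list"
                return 0 ;;
        esac
    done
    if [ "$2" != "$3" ]; then
        echo "hold: request for $cn came from $2 but the account is registered in $3"
        return 0
    fi
    echo "auto-issue ok: $cn"
    return 1
}

# --- constructed demo requests (throwaway keys, never reuse) -----------------
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

mk_csr() {  # $1 = CN, $2 = output CSR path
    openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
        -out "$2" -subj "/CN=$1" >/dev/null 2>&1
}
mk_csr login.yahoo.com "$WORK/hv.csr"
mk_csr shop.example.test "$WORK/ok.csr"

needs_dual_control "$WORK/hv.csr" US US || true   # held: high-value name
needs_dual_control "$WORK/ok.csr" IR US || true   # held: geography mismatch
needs_dual_control "$WORK/ok.csr" US US || true   # auto-issue
```

Neither check is sophisticated; the point is that both red flags named above are mechanically detectable at request time, so a human approver sees them before a certificate exists rather than after a browser vendor does.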
Lessons
The biggest lesson is that virtually any company – security vendor or otherwise – is vulnerable; such is the insecure nature of the Internet. Comodo, DigiNotar and RSA showed the world that even organisations built around, for lack of a better description, "rock-solid security" can be breached. Ironically, these vendors proved as vulnerable as anyone to attacks that targeted employees and practices rather than specific technologies and security systems. Companies that haven't yet suffered a breach, or that don't know whether they have, should be grateful that RSA, Comodo and now DigiNotar are shining a light on how to improve the situation.
For example, the Comodo and DigiNotar breaches illuminate the key role that humans play in all security efforts. As third-party trust providers, both certificate authorities learned the necessity of counteracting human error with well-documented policies and built-in dual controls for issuing and managing certificates.
RSA's breach followed a slightly different pattern, but the company learned a similar lesson about confronting security risks not merely with new technologies but with better practices. Uri Rivner, Head of New Technologies and Consumer Identity Protection at RSA, blogged that RSA is building a whole new "defense doctrine" to respond to the attacks.
In the same way, with advanced and improved defense practices and management, enterprises can continue to send data across the Internet securely despite new and increasing attacks. Placing particular emphasis on the human element in the latest attacks, Rivner wrote: "It's time to respond as an industry, define and execute a new defense doctrine based on information sharing, deep analytics and advanced threat management."
Further, few organisations have a management platform that gives them the power to replace compromised certificates quickly. Without one, replacing known, compromised certificates is largely a manual effort, which forces organisations to continue operating in a compromised condition – possibly for many months – while thousands of compromised certificates are replaced by hand. In some cases that may not even be an option, and entire systems may have to be shut down until they are remediated.
With hackers operating on the inside, attempting to extract data by leveraging legitimate users' access, enterprises must respond with better processes for managing and auditing all means of access to critical data – whether user accounts or the asymmetric keys that applications and servers use as credentials. Better access and audit controls will enable companies to contain breaches and to discover them more quickly. And by shoring up this element of defense – the neglect of which caused embarrassing data breaches at the most security-technology-driven of companies – enterprises reduce the risk of becoming 2011's next high-profile victim.
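The following shell script is an illustration added to this page, not code from the article or from Venafi. It shows the two pieces of that recovery plan in miniature: an inventory scan that finds every certificate chaining to a distrusted issuer so it can be scheduled for replacement, and a verification step showing what happens to those certificates once the CA is pulled from the trust store, which is what the browser vendors' updates do. The two CAs, the leaf certificates, the inventory directory and the distrust list are throwaway test material generated inside the script with the openssl command-line tool; the issuer name "Test Compromised CA" is a stand-in for whichever CA has been breached.

```shell
#!/bin/sh
# Added example: find certificates issued by a distrusted CA and show that
# they stop validating once the CA leaves the trust store. All PKI material
# here is constructed on the fly (1-day test certs, throwaway keys).
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
mkdir -p "$WORK/inventory"

# Self-signed test CA: $1 = CN, $2 = output basename under $WORK
mk_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$WORK/$2.key" -out "$WORK/$2.pem" -subj "/CN=$1" >/dev/null 2>&1
}
# Leaf certificate signed by a test CA: $1 = leaf CN, $2 = CA basename, $3 = output
mk_leaf() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
        -out "$WORK/$1.csr" -subj "/CN=$1" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" \
        -CAcreateserial -days 1 -out "$3" >/dev/null 2>&1
}

mk_ca "Test Trusted CA" good-ca
mk_ca "Test Compromised CA" bad-ca
mk_leaf www.example.test      good-ca "$WORK/inventory/www.pem"
mk_leaf payments.example.test bad-ca  "$WORK/inventory/payments.pem"
mk_leaf vpn.example.test      bad-ca  "$WORK/inventory/vpn.pem"

# Distrust list: one issuer CN per line whose certificates must be replaced.
printf '%s\n' "Test Compromised CA" > "$WORK/distrust.txt"

# Print the issuer CN of a PEM certificate (single-RDN issuers assumed).
cert_issuer_cn() {
    openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | sed 's/.*CN=//'
}

# Return 0 when the certificate's issuer is on the distrust list.
is_distrusted() {
    cert_issuer_cn "$1" | grep -Fxq -f "$WORK/distrust.txt"
}

# Print the path of every certificate in a directory that needs replacing.
certs_to_replace() {
    for c in "$1"/*.pem; do
        if is_distrusted "$c"; then
            printf '%s\n' "$c"
        fi
    done
}

# Return 0 when a leaf still chains to the given CA bundle. Once the
# compromised CA is removed from the bundle, its leaves fail here whether
# or not the operator has got round to replacing them.
verifies_with() {  # $1 = CA bundle (PEM), $2 = leaf certificate (PEM)
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

echo "certificates to replace:"
certs_to_replace "$WORK/inventory"
```

In a real estate the inventory directory would be replaced by whatever discovery produces (scans of listening ports, exported keystores, load-balancer configs), and the distrust list by the issuer names, or better the issuer key identifiers, of the compromised CA and its intermediates; the matching and verification logic stays the same.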
About the author
Gregory Webb, Director of Marketing, Venafi – has worked in the high-tech and enterprise software industry for nearly a decade and oversees marketing at Venafi. Webb joined the company in 2008. Prior to Venafi, Webb worked at Novell, where he promoted the company's Identity and Workgroup solutions and oversaw the launch of several products. Mr. Webb holds a master's degree from Brigham Young University and a doctorate from the University of California, Los Angeles.