Reports that the Dutch certification authority DigiNotar, a subsidiary of VASCO Data Security International, was hacked by politically motivated attackers suggest that the scale of the breach is far larger than originally thought, and that it compromises the security of millions of Internet users.
As the facts start to emerge about the hack, the various pieces of the digital jigsaw are now coming together – and it doesn’t look good.
Depending on who you talk to – and which newswire you read – there may be as many as 200 fraudulent digital certificates in circulation. Each one lets whoever holds its private key, given a position on the victim's network path, impersonate the named site or silently intercept traffic to it without any warning from a browser that still trusts the issuing root, whether for financial gain, politically motivated eavesdropping or any other kind of attack.
The problem the global Internet faces is that it relies on certificates to authenticate that the entity at the other end of the connection is who it claims to be, yet the automated checks that enforce this are shallow. A browser verifies only that a certificate chains to one of the roots it trusts and names the host it is talking to; any of the many trusted authorities can issue a certificate for any name, so a fraudulent certificate with a valid signature is indistinguishable from a genuine one, and the software has no means of knowing when it is being fooled.
The fact that a digital certificate issuer has been hacked into is of great concern – and should be of concern to anyone interested in the ongoing security of the Internet.
This saga is similar to the RSA Security hacking incident earlier this year – where stored security keys were compromised – in its potential to affect a large number of end users of Internet services.
Unfortunately, whilst RSA has been able to re-issue new hardware tokens to its clients and so partially remediate the situation, there is no equivalent fix here. The only immediate remedy is for browser and operating-system vendors to remove DigiNotar's roots from their trust stores, which blocks the rogue certificates but also invalidates every legitimate certificate the company issued; the structural weakness that let any trusted authority vouch for any domain remains until the Internet's trust architecture is restructured root and branch.
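The trust-model weakness described above, and the two remedies available once a trusted root has been abused, as an added example that is not part of the original article. It uses only Go's standard library. Two self-signed roots with the constructed names "Legitimate Root CA" and "Compromised Root CA" each issue a certificate for the placeholder host www.example.com; nothing in the issuance path stops the second root from signing for a name it has no relationship with. A stock client (plain chain validation against a trust store holding both roots) accepts the rogue certificate. A client that additionally pins the SHA-256 hash of the genuine issuer's SubjectPublicKeyInfo rejects it while still accepting the genuine certificate, and a stock client whose trust store has had the rogue root removed rejects it too. The issuer names, host name and pin set are assumptions made for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// mint has parent sign a certificate for cn (self-signed root when parent is nil); nothing checks that the issuer may speak for cn.
func mint(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err) // constructed fixture: nothing to recover from
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), // fixture only; real CAs use random serials
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	if isCA {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature
	} else {
		tmpl.DNSNames = []string{cn}
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// spkiPin is the SHA-256 of the SubjectPublicKeyInfo, the value key pinning compares.
func spkiPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// pinnedVerify adds the check a stock client lacks: after ordinary chain
// validation, some certificate in the chain must carry a key the site is known to use.
func pinnedVerify(leaf *x509.Certificate, roots *x509.CertPool, host string, pins map[string]bool) error {
	chains, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	if err != nil {
		return err
	}
	for _, chain := range chains {
		for _, c := range chain {
			if pins[spkiPin(c)] {
				return nil
			}
		}
	}
	return errors.New("chain validates but contains no pinned key")
}

// runScenario builds two roots, has the "compromised" one issue a certificate for
// host, and reports which client configuration accepts which certificate.
func runScenario(host string) map[string]bool {
	goodCA, goodKey := mint("Legitimate Root CA", true, nil, nil)
	rogueCA, rogueKey := mint("Compromised Root CA", true, nil, nil)
	legit, _ := mint(host, false, goodCA, goodKey)
	rogue, _ := mint(host, false, rogueCA, rogueKey)
	both, onlyGood := x509.NewCertPool(), x509.NewCertPool()
	both.AddCert(goodCA)
	both.AddCert(rogueCA)
	onlyGood.AddCert(goodCA)
	pins := map[string]bool{spkiPin(goodCA): true} // the pin the site operator publishes
	_, rogueErr := rogue.Verify(x509.VerifyOptions{DNSName: host, Roots: both}) // stock client: any trusted root will do
	_, distrustErr := rogue.Verify(x509.VerifyOptions{DNSName: host, Roots: onlyGood})
	return map[string]bool{
		"legit cert, pinned client":         pinnedVerify(legit, both, host, pins) == nil,
		"rogue cert, stock client":          rogueErr == nil,
		"rogue cert, pinned client":         pinnedVerify(rogue, both, host, pins) == nil,
		"rogue cert, rogue root distrusted": distrustErr == nil,
	}
}

func main() {
	fmt.Println(runScenario("www.example.com"))
}
```

Run with go run; the printed map shows true only for "legit cert, pinned client" and "rogue cert, stock client". The stock path is exactly what every browser did against DigiNotar's certificates: the chain was well-formed and the root was trusted, so nothing failed. Key pinning of this kind, built into Chrome, is what first exposed the fraudulent *.google.com certificate issued from DigiNotar's compromised systems, and removing the root from the trust store is the blunt remedy the browser and OS vendors were left with.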
Initially I thought the hacking of DigiNotar’s systems was driven by so-called hacktivists that simply wanted to prove that it could be done. Then, further facts started pointing towards financially-motivated cybercriminals who were looking for revenue.
But now, the latest pieces of the jigsaw emerge with newswires reporting that political hacktivists were responsible – causing my brow to furrow – as politically-motivated hackers are the worst of the worst.
The problem is that, whilst cybercriminals are in it for the money – and will move on if the going gets too tough – political hacktivists don’t move on. They don’t give up. They are fanatics and driven by forces far greater than human greed and avarice. This is what makes me think the scale of this problem may be far larger than previously thought.
This latest digital certificate fiasco aside, the bottom line is that authentication systems should not depend on a third-party vendor storing customers' security keys. Some vendors offer well-designed products that do not require the manufacturer to hold any keys online, because the keys are generated and kept within the customer's own trusted environment.
Incidents like this expose the shortcomings of the current digital certificate architecture, and show that more robust designs could have kept intrusions into centrally held trust material, whether a certification authority such as DigiNotar or a token vendor such as RSA, from putting millions of Internet users at risk.