DigiNotar hack attack is wake-up call for IT professionals


Following reports that Dutch digital certificate service DigiNotar has joined Comodo, StartSSL and RSA as a trusted security firm itself compromised by hackers, IT insiders are warning that the security of millions of Internet users could have been compromised.

Steve Watts, co-founder of tokenless two-factor authentication specialist SecurEnvoy, says: "Depending on who you talk to, there may be 200 fraudulent digital certificates in circulation, and every one of them could be misused for financial gain, eavesdropping and all sorts of electronic hackery." And Jeff Hudson, CEO of Venafi, the enterprise key and certificate management (EKCM) solutions firm, adds: "People have not given much thought to the ramifications of a CA [certificate authority] compromise... The stakes and the targets are higher than ever. There will be more breaches of third-party trust providers like this, and additional organisations … will be affected if they don't take certain steps."

Watts asserts that the problem faced by the global Internet community relates to the general reliance on certificates as the prime means of authenticating that the entity at the other end of the IP connection is who they claim to be. "The automated systems at the heart of the Internet have no means of knowing when they are being fooled," he explains. For him, this latest mega-hack cannot be resolved "without a tree-and-branch restructuring of the Internet's architecture". "The problem is that, while cybercriminals are in it for the money – and will move on if the going gets too tough – political hacktivists don't move on. They don't give up… This is what makes me think the scale of this problem may be far larger than previously thought," comments Watts.

His solution (unsurprising, but effective) is SecurEnvoy's security offerings, which do not require manufacturers to store keys online, as the required keys are created within the users' own trusted environment. Meanwhile, Venafi's Hudson states that SSL and PKI remain solid and reliable technologies, but warns that enterprises "need to be aware that any individual third-party trust provider, like a CA, can be compromised and is therefore a known risk".

For him, then, the requirement is that IT organisations develop "solid, well-conceived contingency plans". He points out that while Mozilla, Google and others have implemented browser updates that revoke trust in DigiNotar-signed certificates (which will safeguard users of those browsers), the ripple effects of a hack like this do not stop at the browser. "All enterprises need to look at their highest-value assets – servers and applications where sensitive and regulated data flows, and that are protected by certificates. Plans must be in place to recover any time the trust provider is compromised," insists Hudson.

He suggests a four-pronged approach. First, use multiple CAs so that if one is compromised, the other, non-compromised CA and its issued certificates and keys are available for continued use. Second, organisations must have an accounting of all the CAs that they use as third-party trust providers. Third, they must have a complete inventory of the owners and locations for each certificate in the enterprise – which might number tens of thousands. And finally, every organisation must have "an actionable and comprehensive plan in place to recover from a CA compromise".
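The four steps Hudson describes can be rehearsed before a CA is ever breached. The Go program below is an added example, not code from the article, from Venafi or from SecurEnvoy: it builds a constructed certificate inventory (two hypothetical CAs named "Example Trusted CA" and "Example Compromised CA", four internal hosts with owners, all generated in memory), then does what a browser does after a trust-revocation update: it rebuilds the trust store without the compromised CA and re-verifies every inventoried certificate against what remains. The per-CA counts show how concentrated the estate is on one provider (step one), the issuer tally is the accounting of CAs in use (step two), the host/owner records are the inventory (step three), and the list of certificates that stop verifying is the concrete re-issuance worklist a recovery plan needs (step four). All host names, owners and CA names are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Asset is one inventory record: which host holds which certificate and who owns it
// (constructed for this example; a real inventory comes from a network scan or CMDB).
type Asset struct {
	Host, Owner string
	Cert        *x509.Certificate
}
// ImpactReport is what a CA-compromise contingency plan has to act on.
type ImpactReport struct {
	PerIssuer map[string]int // certificates per issuing CA; exposes single-CA concentration
	Affected  []string       // "host (owner)" entries that stop verifying once the CA is distrusted
}

// AssessCACompromise drops the compromised CA from the trust store and re-verifies every inventoried
// certificate against what remains, as a browser does after a trust-revocation update; failures are the worklist.
func AssessCACompromise(inventory []Asset, trusted []*x509.Certificate, compromisedOrg string) ImpactReport {
	roots := x509.NewCertPool()
	for _, ca := range trusted {
		if orgOf(ca.Subject) != compromisedOrg { // revoke trust by leaving the CA out of the pool
			roots.AddCert(ca)
		}
	}
	report := ImpactReport{PerIssuer: map[string]int{}}
	for _, a := range inventory {
		report.PerIssuer[orgOf(a.Cert.Issuer)]++
		_, err := a.Cert.Verify(x509.VerifyOptions{
			Roots: roots, DNSName: a.Host, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		})
		if err != nil {
			report.Affected = append(report.Affected, fmt.Sprintf("%s (%s)", a.Host, a.Owner))
		}
	}
	return report
}

// orgOf returns the first Organization attribute of a name, or "unknown" when there is none.
func orgOf(n pkix.Name) string { return append(n.Organization, "unknown")[0] }
// must aborts the sample build on a key-generation or signing failure.
func must(err error) { if err != nil { panic(err) } }
// issue signs tmpl with parent (self-signed when parent is nil) and returns the parsed certificate.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}
// BuildSampleInventory constructs two hypothetical CAs and four assets split between them so the
// assessment runs offline; "Example Compromised CA" stands in for a breached trust provider.
func BuildSampleInventory() ([]Asset, []*x509.Certificate) {
	now := time.Now()
	cas, keys := []*x509.Certificate{}, []*ecdsa.PrivateKey{}
	for i, org := range []string{"Example Trusted CA", "Example Compromised CA"} {
		ca, key := issue(&x509.Certificate{
			SerialNumber: big.NewInt(int64(i + 1)),
			Subject:      pkix.Name{Organization: []string{org}, CommonName: org + " Root"},
			NotBefore:    now.Add(-time.Hour), NotAfter: now.Add(10 * 365 * 24 * time.Hour),
			IsCA:         true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
		}, nil, nil)
		cas, keys = append(cas, ca), append(keys, key)
	}
	type row struct{ host, owner string; ca int } // ca indexes cas
	rows := []row{{"intranet.example.internal", "Corporate IT", 0}, {"payments.example.internal", "Treasury", 1},
		{"hr.example.internal", "Human Resources", 0}, {"patients.example.internal", "Clinical Records", 1}}
	var inventory []Asset
	for i, r := range rows {
		leaf, _ := issue(&x509.Certificate{
			SerialNumber: big.NewInt(int64(100 + i)),
			Subject:      pkix.Name{CommonName: r.host}, DNSNames: []string{r.host},
			NotBefore:    now.Add(-time.Hour), NotAfter: now.Add(365 * 24 * time.Hour),
			KeyUsage:     x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		}, cas[r.ca], keys[r.ca])
		inventory = append(inventory, Asset{r.host, r.owner, leaf})
	}
	return inventory, cas
}

func main() {
	inventory, cas := BuildSampleInventory()
	report := AssessCACompromise(inventory, cas, "Example Compromised CA")
	fmt.Printf("certificates per CA: %v\nassets to re-issue: %v\n", report.PerIssuer, report.Affected)
}
```

Running it with "Example Compromised CA" distrusted leaves the two Trusted-CA hosts verifying and lists payments and patients for re-issuance; run with an empty organisation name, nothing is dropped from the pool and the worklist is empty. The same function fed a real inventory and a real trust store is the tabletop exercise Hudson's fourth step asks for: the answer to "which of our tens of thousands of certificates break if this CA goes?" exists before the breach, not during it.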