My Quote

“Cyber criminals are real. Never let them into your network. As long as they believe in absurdities they will continue to commit atrocities” Beware!!!!

Tuesday, September 6, 2011

Hackers Steal SSL Certificates for CIA, MI6, Mossad


September 04, 2011 Computerworld — The tally of digital certificates stolen from a Dutch company in July has exploded to more than 500, including ones for intelligence services like the CIA, the U.K.'s MI6 and Israel's Mossad, a Mozilla developer said Sunday.
The confirmed count of fraudulently-issued SSL (secure socket layer) certificates now stands at 531, said Gervase Markham, a Mozilla developer who is part of the team that has been working to modify Firefox to block all sites signed with the purloined certificates.
Among the affected domains, said Markham, are those for the CIA, MI6, Mossad, Microsoft, Yahoo, Skype, Facebook, Twitter and Microsoft's Windows Update service.
"Now that someone (presumably from Iran) has obtained a legit HTTPS cert for CIA.gov, I wonder if the US gov will pay attention to this mess," Christopher Soghoian, a Washington D.C.-based researcher noted for his work on online privacy, said in a tweet Saturday.
Soghoian was referring to assumptions by many experts that Iranian hackers, perhaps supported by that country's government, were behind the attack. Google has pointed fingers at Iran, saying that attacks using an ill-gotten certificate for google.com had targeted Iranian users.
All the certificates were issued by DigiNotar, a Dutch issuing firm that last week admitted its network had been hacked in July.
The company claimed that it had revoked all the fraudulent certificates, but then realized it had overlooked one that could be used to impersonate any Google service, including Gmail. DigiNotar went public only after users reported their findings to Google.
Criminals or governments could use the stolen certificates to conduct "man-in-the-middle" attacks, tricking users into thinking they were at a legitimate site when in fact their communications were being secretly intercepted.
Google and Mozilla said this weekend that they would permanently block all the digital certificates issued by DigiNotar, including those used by the Dutch government.
Their decisions come less than a week after Google, Mozilla and Microsoft all revoked more than 200 SSL (secure socket layer) certificates for use in their browsers, but left untouched hundreds more, many of which were used by the Dutch government to secure its websites.
"Based on the findings and decision of the Dutch government, as well as conversations with other browser makers, we have decided to reject all of the Certificate Authorities operated by DigiNotar," Heather Adkins, an information security manager for Google, said in a Saturday blog post.
Johnathan Nightingale, director of Firefox engineering, echoed that late on Friday.
"All DigiNotar certificates will be untrusted by Mozilla products," said Nightingale, who also said that the Dutch government had reversed its position of last week -- when it had asked browser makers to exempt its DigiNotar certificates.
"The Dutch government has since audited DigiNotar's performance and rescinded this assessment," Nightingale said. "This is not a temporary suspension, it is a complete removal from our trusted root program."
On Saturday, Piet Hein Donner, the Netherlands's Minister of the Interior, said the government could not guarantee the security of its websites because of the DigiNotar hack, and told citizens not to log into its sites until new certificates had been obtained from other sources.
The DigiNotar breach is being audited by Fox-IT, which told the Dutch government that it was likely certificates for its sites had been fraudulently acquired by hackers.
Several security researchers said the move by browser makers puts an end to DigiNotar's certificate business.
"Effectively a death sentence for DigiNotar," said Jeremiah Grossman, CTO of WhiteHat Security, in a Friday tweet.
Mozilla was scathing in its criticism of DigiNotar.
Nightingale ticked off the missteps that led Mozilla to permanently block all sites signed with the company's certificates, including DigiNotar's failure to notify browser vendors in July and its inability to tell how many certificates had been illegally obtained. "[And] the attack is not theoretical," Nightingale added. "We have received multiple reports of these certificates being used in the wild."
Markham went into greater detail on the hack and its ramifications. "It has now emerged that DigiNotar had not noticed the full extent of the compromise," said Markham in a Saturday post to his personal blog. "The attackers had managed to hide the traces of the misissuance -- perhaps by corrupting log files."
Because the Google certificate that prompted DigiNotar to acknowledge the intrusion was obtained before most of the others, Markham speculated that there had actually been two separate attacks, perhaps by different groups.
"It is at least possible (but entirely speculative) that an initial competent attacker has had access to [DigiNotar's] systems for an unknown amount of time, and a second attacker gained access more recently and their less-subtle, bull-in-a-china shop approach in issuing the [hundreds of] certificates triggered the alarms," he said.
Last week, Helsinki-based antivirus company F-Secure said it had found signs that DigiNotar's network had been compromised as early as May 2009.
Mozilla will update Firefox 6 and Firefox 3.6 on Tuesday to permanently block all DigiNotar-issued certificates, including those used by the Dutch government.
On Saturday Google updated Chrome to do the same.

Friday, September 2, 2011

Anonymous Claims Hack of Texas Police Website


By John Ribeiro

September 02, 2011 IDG News Service — Anonymous has attacked the website of the Texas Police Chiefs Association, in retaliation for the arrests of alleged members of the hacker group.
It said Thursday it had defaced the website, and leaked information that was classified as "law enforcement sensitive" and "for official use only". Among the leaked documents were also said to be some private e-mails from police officers that had racist and sexist content.
Anonymous also claimed in a message on Twitter that it had brought down the police website for over three hours. The site was subsequently restored and the defacement removed, but it was defaced again late Thursday. "It seems they restored the website somehow without removing the backdoors," Anonymous said in a Twitter message.
The Texas Police Chiefs Association did not respond to a request by e-mail for comment.
Separately, Anonymous claimed it had taken down the website of the United States Courts for the Ninth Circuit on Thursday, as justice argues that "civil disobedience is cyber-terrorism".
The Antisec operation by the hacker group and affiliates is protesting the arrest of people suspected to be its members, including Topiary, the person regarded as the spokesman of Anonymous and another group called LulzSec. Jake Davis, the person suspected to be Topiary, was arrested in July in the U.K. and charged with conspiring with others to conduct DDOS (distributed denial-of-service) attacks against the website of the Serious Organised Crime Agency (SOCA), a British law enforcement institution.
Police in the U.K. said Thursday they had charged two more persons in connection with investigations into online attacks, according to reports. Two others were also charged earlier this week, according to the Metropolitan Police.
Anonymous has been involved in a number of attacks on the websites of U.S. law enforcement agencies and defense contractors, and also government websites in Malaysia, Turkey, and Brazil. Its Antisec program targets governments, law enforcement, and corporations.

Thursday, July 28, 2011

“Cyber Attacks, Real or Imagined, and Cyber War”


Excerpt: 
“Assorted “cyber attacks” have attracted much attention in the past few months. One headline in this genre recently proclaimed “Anonymous Declares War on Orlando.” This is wrong on so many levels that it almost defies analysis. A more precise accounting would show that there have been no cyber wars and perhaps two or three cyber attacks since the Internet first appeared.

The most ironic example of hyperbole catching itself involves the new Department of Defense Cyber Strategy, which says that the United States reserves the right to use military force in response to a cyber attack. Since many reports call everything—pranks, embarrassing leaks, fraud, bank robbery, and espionage—a cyber attack, the strategy led to expressions of concern that the United States would be shooting missiles at annoying teenage hackers or starting wars over Wikileaks. In fact, the strategy sets a very high threshold that is derived from the laws of armed conflict for defining a cyber attack. Nothing we have seen this year would qualify as an attack using this threshold.

Only by adopting an exceptionally elastic definition of cyber attack can we say they are frequent. There have been many annoyances, much crime, and rampant spying, but the only incidents that have caused physical damage or disruption to critical services are the alleged Israeli use of cyber attack to disrupt Syrian air defenses and the Stuxnet attacks against Iran’s nuclear facilities. An extortion attempt in Brazil against a public utility may have backfired and temporarily disrupted electrical service. A better way to identify an attack is to rely on “equivalence,” where we judge whether a cyber exploit is an attack by asking if it led to physical damage or casualties. No damage, no casualties, means no attack.

Many militaries are developing attack capabilities, but this is not some revolutionary and immensely destructive new form of warfare that any random citizen or hacker can engage in at will. Nations are afraid of cyber war and are careful to stay below the threshold of what could be considered under international law the use of force or an act of war. Crime, even if state sponsored, does not justify a military response. Countries do not go to war over espionage. There is intense hostile activity in cyberspace, but it stays below the threshold of attack.

The denial-of-service efforts against Estonian and Georgian websites in 2007 and 2008 were not attacks. The Estonian incident had a clear coercive purpose, and it is worth considering whether the denial-of-service exploit against Estonia could have become the equivalent of an attack if it had been extended in scope and duration. The exploits against Georgia, while undertaken with coercive intent and closely coordinated with Russian military activities (and a useful indicator of how Russia will use cyber warfare), did no damage other than to deface government websites…”

Friday, July 22, 2011

Anonymous, LulzSec Vow to Hack on


By Jaikumar Vijayan
In a defiant statement addressed largely at FBI director Steve Chabinsky, members of the Anonymous and LulzSec hacktivist groups vowed to continue with their hacking campaigns and dared law enforcement to try and stop them.
The statement comes just two days after the FBI arrested 14 alleged members of Anonymous in connection with a series of distributed denial of service (DDoS) attacks against PayPal last year.
The immediate provocation appears to have been some comments made by Chabinsky in a NPR report following the recent arrests.
In it, Chabinsky is quoted as saying that chaos on the Internet is unacceptable. "[Even if] hackers can be believed to have social causes, it's entirely unacceptable to break into websites and commit unlawful acts."
In their response, posted on Pastebin.com, Anonymous and LulzSec members claimed their hacktivist campaigns were motivated by a desire to expose what they described as lying governments, corrupt corporations and powerful lobbyists.
"We will continue to fight them, with all methods we have at our disposal, and that certainly includes breaking into their websites and exposing their lies," the letter said.
"We are not scared any more. Your threats to arrest us are meaningless to us as you cannot arrest an idea," the groups claimed. The two groups claimed they were acting like bandits only because they were forced to. "The Anonymous bitchslap rings through your ears like hacktivism movements of the 90s. We're back -- and we're not going anywhere."
Given the highly decentralized and loosely organized nature of the two groups it's hard to say how much of the content in the letter is bluster, how much is real or even how much it represents the true sentiment among members.
Certainly both Anonymous and LulzSec have demonstrated their ability to strike pretty much at will and against pretty much any target.
Just today, for instance, Anonymous released a 36-page restricted document that it claims to have obtained by breaking into a Web server at the North Atlantic Treaty Organization (NATO).
In a Twitter message, the group said that it has 1GB of material from NATO which it would not release because it would be irresponsible.
Over the last week, both groups have claimed credit for breaking into Rupert Murdoch's media sites. In one attack LulzSec compromised DNS servers at News International so that visitors to the group's Sun tabloid site were redirected to a fake story proclaiming Murdoch's death.
And in recent weeks and months both Anonymous and LulzSec have claimed responsibility for break-ins at military contractor Booz Allen Hamilton, Sony and several other high-profile organizations.

The attacks have been mostly designed to embarrass and to provoke rather than to create any real damage. In most instances, the groups have cited some political or social cause for their attacks.
Recently, for instance, when Anonymous attacked police union sites in Arizona, it claimed it was doing so because of the state's tough immigration laws.
However, law enforcement has made some important gains as well. Last week's raids, for instance, netted a total of 14 individuals who are allegedly members of Anonymous. Several arrests have been made overseas as well. Last month U.K. police arrested Ryan Cleary, a 19-year-old who is believed to be connected to both LulzSec and Anonymous.
Computers seized from last week's arrests and from Cleary's arrests are likely to lead authorities to more people connected with the two groups.
Whether such arrests will dampen their enthusiasm or only spur more attacks remains to be seen.

Thursday, July 21, 2011

US federal government to close 800 data centers, walk into the cloud


 
Sure, it's been just a few months since the National Security Agency asked for a $900 million supercomputing complex – you know, to help out with all that internet wiretapping. But concern about deficit spending will mean shuttering 800 other federal data centers in the US, or 40 percent of total government capacity. The closures are part of a larger push toward greater efficiency and consolidation, with an estimated savings of $3 billion a year; moving services to the cloud will mean more savings in licensing fees and infrastructure. Single-digit savings might sound like chump change when you realize the federal information technology budget runs around $80 billion a year, but hey, it's a start, right?