WIRED: In two recent hacking cases the targets held secrets for many firms and individuals
THERE HAVE been a couple of serious attacks in recent months on key pieces of modern computer security infrastructure. These go to highlight the challenges of having third parties in charge of key elements of other people’s business and personal security systems, and show we have a long way to go before we can really guarantee the integrity of digital communication.
The first was reported by RSA, perhaps the most respected computer security company in the world, on March 17th. The company announced there had been a successful attack on its computers which it believed could potentially weaken the security of its SecurID system.
SecurID is one brand of those small keychain fobs that give a six-digit number when you press a button. They are used in “two-factor authentication”, where instead of just typing in a password to prove who you are, you also type in the number one of the fobs gives you.
The password is something you know, and the fob is something you have on your person.
While RSA came clean about the attack, it’s not clear what the hackers obtained, and what the threat is. What is clear is that RSA held a secret which was in some way important for protecting other people’s property, and now it has lost control of that vital bit of information.
On Wednesday, Comodo, a company that sells SSL certificates, said one of its resellers had been hacked and had handed out incorrect certificates to an unknown third party. SSL certificates are used to ensure that when you communicate with a secure webserver (the kind whose address starts with “https”, not “http”), you’re not talking to an imposter.
Comodo’s reseller handed out valid certificates for Google, Microsoft, Yahoo, Skype and Mozilla to a complete stranger. For a period of time, and for an unknown number of people, that attacker could have masqueraded as any of these sites.
Both RSA and Comodo have stated their attackers were large, serious, and well-financed. RSA used the technical term “advanced persistent threat”. The implication behind those words is usually that the attacker was a state. Comodo was more blunt, and said it thought the Iranian government was behind the attack on its systems.
It is natural for target firms to assume their assailants are big and scary, but some advanced persistent threats may just come from a very clever set of independent hackers, looking to resell their knowledge on the black market. And just because an attack looks like it came from Iran doesn’t mean it did. The Chinese hacking attempts on Google’s systems were designed to look like they came from China’s arch-enemy, Taiwan.
Nonetheless, it does appear some powerful interests are turning their attention to the most profitable opportunities for high-tech secret-stealing.
In both recent cases, the targets held allure because they held secrets for so many firms and individuals. A potential defence against such sophisticated plots is not to have third parties keep such key secrets. Less vulnerable systems try to make the secret-keeping more decentralised.
It’s possible to build a two-factor fob that uses a unique secret code created by the company that buys the fob, not the fob manufacturer. Similarly, many people are working on ways to ensure web browsers take their cue for a website’s identity not from Comodo or other certificate authorities, but from more resilient, distributed methods.
Toughening these decentralised systems is not an easy problem to solve either.
Companies that use SecurID tags are being instructed by RSA on how to mitigate the problem. Internet browser makers have blacklisted the fake certificates distributed by Comodo.
Ironically, these vulnerabilities don’t affect the vast majority of tech users, because both attacks assume you’ve already taken some advanced steps to protect your security. Most people don’t use SecurID tags, because they only use one-factor authentication: a usually easily guessed password.
Most websites send all their data over the internet unprotected by https encryption, making it easy for governments and criminals to masquerade and to steal data.
If you were to ask me last month what my top recommendations for security would be, “use https on the web”, and “use two-factor authentication when you can” would be in my top 10. Even after these attacks, I believe those recommendations are still valid.
Not every two-factor authentication system is built by RSA, and https still protects against pervasive and technically uncomplicated surveillance.
Both systems work better when not depending on a centralised potential point of failure. With two-factor authentication, there is the slight overhead of creating your own secret keys yourself. With https, the work is harder but the first step is ensuring we have at least some protection. We need some advanced solutions, and we need to be persistent at working toward them.