Security of web infrastructure under question
DNS hijack hits Microsoft, Vodafone and more, as list of organisations affected by SSL certificate leak grows to include MI6 and the CIA
The security of the web's underlying architecture is under question this week, as two unfolding hacking incidents have exposed its vulnerabilty to attack.
Yesterday, hackers successfully hijacked the domain name server (DNS) records for websites of various organisations, including Microsoft, Vodafone and security companies Kaspersky Labs, Bit Defender and F-Secure.
Affected sites temporarily redirected visitors to a webpage on which a Turkish group claimed responsibility for the attack. "h4ck1n9 is not a cr1m3", the page read.
Zone H, a website that tracks website defacements, reported that the hackers had infiltrated a DNS services provider called NetNames, although the company has yet to comment.
The sites in question were not themselves breached. However, the attack shows that by compromising DNS records, hackers could redirect visitors to spoof versions of legitimate sites in order to steal personal data.
Meanwhile, a security researcher has claimed that the number of organisations whose SSL certificates were stolen during a hacking attack on Dutch certification authority (CA) Diginotar is twice as large as first reported, and now stands at 531.
Organisations whose SSL certificates were compromised in the hack, which took place in July, include MI6, the CIA, Facebook, Google, Yahoo!, Microsoft and many more.
Certain commentators have downplayed the significance of the SSL certificate leak, arguing that the certification system never provided much security in the first place.
Marcus Ranum, CSO of security company Tenable, remarked that "SSL certification scheme was not really designed to implement security at all – it was designed to appear to be good enough that unsophisticated end-users would trust it without understanding its flaws.”
His comments echoed security guru Bruce Schneier, who wrote in 2008 that "SSL doesn't provide much in the way of security, so breaking it doesn't harm security very much. Pretty much no one ever verifies SSL certificates, so there's not much attack value in being able to forge them."
However, both incidents have resulted from security breaches at organisations whose job it is to protect the integrity of the web. Other examples include an attack on another CA, Comodo, earlier this year, and the data breach on security vendor RSA, which had to replace customers' SecurID token following the attack.