Hackers Infiltrate SSL Certificates of CIA, MI6


The theft of online security certificates by hackers thought to be from Iran may be even more serious than first thought. The stolen certificates include those for security agencies from the United States, United Kingdom and Israel.

The security breach originates with DigiNotar, a Netherlands company that issues Secure Sockets Layer (SSL) certificates for use by websites. An SSL certificate is used, for example, when home users connect to their banking web sites: the certificate identifies the bank's server to the browser and lets the two set up an encrypted connection, so that information travelling between the home PC and the bank cannot be read by a third party sitting on the network.

As well as being part of the system that allows encrypted data to travel to and from websites, SSL certificates also tell the browser whether a website really is the one it claims to be. A browser accepts a certificate only if it was signed by a certificate authority the browser already trusts, and DigiNotar was one such authority. A site protected this way is shown in the browser with an https:// address instead of http://, usually with a padlock icon.

More Than 500 Bogus SSL Certificates Created

Unfortunately, an attack on DigiNotar gave hackers the ability to create fraudulent certificates for sites they did not control, certificates that browsers would nonetheless accept as genuine because they were signed by a trusted authority.

At first, DigiNotar revoked the fraudulent certificates it knew about, so that browsers which checked revocation status would reject them. It later turned out that it had missed one certificate covering all Google services, and that the hackers were using that certificate to go after Google users in Iran.

It now appears that at least 531 bogus certificates were created as a result of the hacking. Not only were certificates issued for most major tech and social networking sites, but the hackers even got certificates for the CIA, Britain's MI6 and Israel's Mossad agency.

Note that bogus security certificates don't allow hackers to directly breach websites of the organizations concerned.

Instead, the certificates make it possible to set up a bogus, copycat website that a user's browser accepts as the genuine one, complete with the https:// padlock and no warning. An attacker who can also steer a victim's traffic to that copy, for instance by sitting on the network the victim connects through, can then trick the user into logging in to it and essentially handing over their log-in details, and can read whatever else the user sends.

This is what is referred to as "phishing" for sensitive information. Because it is not uncommon for users to re-use the same password on more than one website, the phished credentials can later be tried against the same users' accounts on other sites, including online banks.

The good news is that, even though the bogus and real websites look identical and both present a certificate the browser accepts, most of the sites for which certificates were issued do not store sensitive information that would give a hacker instant access to online funds. (Source: pcworld.com)

Browser Firms Pull Plug on Certificates (Real or Fake)

At first, Google, Microsoft and Mozilla decided to automatically block hundreds of the certificates from being accepted by their browsers, but continued to accept those from Dutch government websites. At the time of writing, both Google and Mozilla are simply blocking any certificate issued by DigiNotar. (Source: computerworld.com)
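The mechanism behind the two points above, how a forged certificate from a trusted authority lets a copycat site pass the browser's checks, and why the browser vendors' eventual answer was to stop trusting DigiNotar altogether, as an added Go example that is not part of the original article and is not any browser's code. The authority names "Honest Root CA" and "Compromised Root CA" and the host www.example.com are made up for the example; the chain-building and host-name checks are Go's standard crypto/x509 verifier, and the by-name distrust list stands in for the vendors' blocklists. Four situations are run: a genuine certificate, a forged one while the breached authority is still trusted, the same forgery after that authority is removed from the trust store, and the same forgery after it is put on a distrust list.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

const ( // hypothetical names, made up for this example
	honestCA      = "Honest Root CA"      // the CA that really vouches for the site
	compromisedCA = "Compromised Root CA" // stands in for a breached CA such as DigiNotar
	victimHost    = "www.example.com"     // the site being impersonated
)

// sign generates a key for tmpl and has parent sign it (self-signed when parentKey is nil).
func sign(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err) // example code: failing to mint a test certificate is a bug, not a result
	}
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	if parentKey == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// newCA builds a self-signed root, the kind browsers ship in their trust stores.
func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	return sign(&x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}, nil, nil)
}

// issueLeaf has ca vouch for host; whoever holds the CA key can do this for any name.
func issueLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, host string) *x509.Certificate {
	leaf, _ := sign(&x509.Certificate{
		SerialNumber: big.NewInt(2),
		DNSNames:     []string{host}, // browsers match the requested host against this entry
	}, ca, caKey)
	return leaf
}

// checkServerCert does what a browser does: chain leaf to a trusted root for host, then refuse any path through a distrusted CA.
func checkServerCert(leaf *x509.Certificate, roots *x509.CertPool, distrusted map[string]bool, host string) error {
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	if err != nil {
		return err // no path to a trusted root, or name/validity mismatch
	}
	for _, chain := range chains {
		for _, c := range chain {
			if distrusted[c.Subject.CommonName] { // the "block everything from DigiNotar" rule
				return fmt.Errorf("%s: chain passes through distrusted CA %q", host, c.Subject.CommonName)
			}
		}
	}
	return nil
}

// RunScenarios returns the verification outcome for each situation the article describes.
func RunScenarios() map[string]error {
	honest, honestKey := newCA(honestCA)
	rogue, rogueKey := newCA(compromisedCA)
	genuine := issueLeaf(honest, honestKey, victimHost)
	fraudulent := issueLeaf(rogue, rogueKey, victimHost) // minted without ever touching the real site
	honestOnly, bothRoots := x509.NewCertPool(), x509.NewCertPool()
	honestOnly.AddCert(honest)
	bothRoots.AddCert(honest) // the trust store as it stood before the breach was known
	bothRoots.AddCert(rogue)
	distrustRogue := map[string]bool{compromisedCA: true}
	return map[string]error{
		"genuine cert, both CAs trusted":             checkServerCert(genuine, bothRoots, nil, victimHost),
		"fraudulent cert, breached CA still trusted": checkServerCert(fraudulent, bothRoots, nil, victimHost),
		"fraudulent cert, breached CA removed":       checkServerCert(fraudulent, honestOnly, nil, victimHost),
		"fraudulent cert, breached CA distrusted":    checkServerCert(fraudulent, bothRoots, distrustRogue, victimHost),
	}
}

func main() {
	for name, err := range RunScenarios() {
		fmt.Printf("%-45s -> %v\n", name, err) // <nil> means the browser would accept it
	}
}
```

The second scenario is the uncomfortable one: as long as the breached root sits in the trust store, the forged certificate is cryptographically indistinguishable from the real one, which is why a fix had to come from the trust-store side, either revocation (useful only where the browser actually checks it) or removing and distrusting the authority outright, as the browser vendors did.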

There's been widespread criticism of DigiNotar's response to the attacks, with claims it was too slow to admit the security breach, even privately, and that it failed to keep track of which certificates had been breached.
