January 07, 2013, 2:40 PM —
The holidays are over, and everyone is plugging back into work - digging through a mountain of unanswered e-mail and otherwise taking the lay of the land. For those of you still emerging from your egg nog fog, here are some of the top security news stories worth following this week:
Expect more fallout from last week's revelation that the Turkish Certificate Authority (CA) TurkTrust mistakenly issued intermediate CA certificates to two organizations instead of the regular SSL (Secure Sockets Layer) certificates used to secure web traffic, a mistake that led to an unauthorized certificate for the Google.com domain.
The certificates were issued more than a year ago - in August, 2011, by TurkTrust, an intermediate Certificate Authority. The incident came to light on December 24, when Google detected and blocked an unauthorized digital certificate for the .google.com domain. On January 3, the company went public with the news, after having revoked the certificates and notified the major web browser vendors - who did the same. The faulty certificates could have been used by a malicious actor to impersonate google.com domains or perform man in the middle attacks against google properties. TurkTrust maintains that they were not used maliciously, though subsequent reports suggest that at least one mistakenly-issued certificate was used to enable HTTPS inspection on a Check Point firewall - a kind of "man in the middle" attack.
The incident is bound to renew calls for a revamp of an already shaky online identity system in which private certificate authorities have been shown to be vulnerable to security lapses - accidental and otherwise. The past two years have seen high profile breaches at CAs such as Comodo and DigiNotar, among others. In the wake of the latest incident, browser makers revoked trust in the fraudulent certificates, and Google said it would no longer grant Extended Validation (EV) status to TurkTrust-issued certificates; other browser makers, however, continue to list TurkTrust among their trusted certificate authorities.
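To make the failure mode concrete, here is a small Go lab that is an added illustration, not code from the post or from any of the vendors it mentions. It builds a hypothetical root CA, mis-issues a customer's ordinary server certificate with CA:TRUE and certificate-signing key usage (the TurkTrust mistake in miniature), and then shows that the customer's key can sign a certificate for an unrelated hostname that a client trusting the root will accept. The defender-side pieces are an audit check that flags an end-entity certificate carrying the CA flag, and a distrust list keyed by certificate fingerprint that mirrors what the browser vendors did when they blocked the bad certificates. All names (Lab Root CA, customer.example, mail.example.com) are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Lab holds a constructed three-certificate chain: a trusted root, a customer
// certificate mis-issued with CA:TRUE, and a server certificate for an
// unrelated host that the customer key then signed. All names are hypothetical.
type Lab struct {
	Root, Customer, Impostor *x509.Certificate
}

// sign creates a certificate from tmpl, signed by signer on behalf of parent.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BuildLab generates the three keys and certificates described above.
func BuildLab() (*Lab, error) {
	now := time.Now()
	keys := make([]*ecdsa.PrivateKey, 3)
	for i := range keys {
		k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		if err != nil {
			return nil, err
		}
		keys[i] = k
	}
	rootKey, custKey, impKey := keys[0], keys[1], keys[2]

	rootTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "Lab Root CA"},
		NotBefore:    now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA:         true, BasicConstraintsValid: true,
		KeyUsage:     x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	root, err := sign(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}

	// The mistake: a certificate ordered as an ordinary server certificate
	// (it carries a DNS name and the serverAuth EKU) is issued with the CA
	// flag and the certificate-signing key usage of an intermediate CA.
	custTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "customer.example"},
		DNSNames:     []string{"customer.example"},
		NotBefore:    now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IsCA:         true, BasicConstraintsValid: true,
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
	}
	customer, err := sign(custTmpl, root, &custKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}

	// The consequence: the customer key can now sign a certificate for any
	// hostname, and clients that trust the root will accept it.
	impTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(3),
		Subject:               pkix.Name{CommonName: "mail.example.com"},
		DNSNames:              []string{"mail.example.com"},
		NotBefore:             now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
	}
	impostor, err := sign(impTmpl, customer, &impKey.PublicKey, custKey)
	if err != nil {
		return nil, err
	}
	return &Lab{Root: root, Customer: customer, Impostor: impostor}, nil
}

// Fingerprint is the SHA-256 of the DER encoding, the usual key for a distrust list.
func Fingerprint(c *x509.Certificate) [32]byte { return sha256.Sum256(c.Raw) }

// AuditBasicConstraints flags the mis-issuance pattern: a certificate that
// names hosts (an end-entity server certificate) but is also marked CA:TRUE.
func AuditBasicConstraints(c *x509.Certificate) error {
	if len(c.DNSNames) > 0 && c.BasicConstraintsValid && c.IsCA {
		return fmt.Errorf("%q: server certificate issued with CA:TRUE", c.Subject.CommonName)
	}
	return nil
}

// VerifiesFor reports whether lab.Impostor validates for host under a client
// that trusts lab.Root, after rejecting every chain that passes through a
// distrusted certificate (what the browser vendors did to the bad certificates).
func VerifiesFor(lab *Lab, host string, distrusted map[[32]byte]bool) (bool, error) {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(lab.Root)
	inters.AddCert(lab.Customer)
	chains, err := lab.Impostor.Verify(x509.VerifyOptions{DNSName: host, Roots: roots, Intermediates: inters})
	if err != nil {
		return false, err
	}
	for _, chain := range chains {
		blocked := false
		for _, c := range chain {
			if distrusted[Fingerprint(c)] {
				blocked = true
				break
			}
		}
		if !blocked {
			return true, nil
		}
	}
	return false, errors.New("every chain passes through a distrusted certificate")
}

func main() {
	lab, err := BuildLab()
	if err != nil {
		panic(err)
	}
	fmt.Println("audit of customer cert:", AuditBasicConstraints(lab.Customer))
	ok, err := VerifiesFor(lab, "mail.example.com", nil)
	fmt.Println("impostor accepted before distrust:", ok, err)
	ok, err = VerifiesFor(lab, "mail.example.com", map[[32]byte]bool{Fingerprint(lab.Customer): true})
	fmt.Println("impostor accepted after distrust:", ok, err)
}
```

The audit check is the one a CA or a relying party can run over issued certificates cheaply: a certificate with subject alternative names and the CA flag set should never leave an issuance pipeline. The fingerprint distrust list is the stopgap once such a certificate is already in the wild; it only works if every relying party ships the update, which is why the post notes that trust in TurkTrust's root itself is the next question.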
All eyes on IE
A second major story from last week is likely to continue playing out this week. Namely: a string of sophisticated attacks against high value organizations that exploited a previously unknown ("zero day") hole affecting recent versions of the Internet Explorer web browser. That story began with reports of a compromise at the web site of the Washington DC think tank the Council on Foreign Relations. Before the week was through, however, it became clear that the CFR was just one of many targets, which also included a California maker of energy efficient, gas-powered turbines and other sites. The attacks are believed to be the work of a group of sophisticated Chinese hackers that security firm Symantec has dubbed the Elderwood Group, and which is believed to have been behind attacks on the Tibetan government in exile and other groups.
Microsoft moved quickly to issue a "Fix It" for the IE vulnerability - a kind of temporary remediation that blocks the known exploit path on vulnerable systems. However, the Fix It doesn't address the underlying vulnerability, and Microsoft missed an opportunity to get a full patch for the hole into its January patch update. In the meantime, security experts at the firm Exodus have figured out a way around the temporary fix, allowing vulnerable IE instances to be exploited even on systems that have applied the Fix It. Though Exodus isn't releasing the details of its workaround, the fact that one exists will turn up the heat on Microsoft to release a full patch for the IE vulnerability - possibly before next month's scheduled patch release.
Anonymous blitzes Big Red
One of the end of year memes that circulated just before the New Year was the "death of Anonymous," with more than one security luminary predicting the demise - or at least the decline - of hacktivism and the world's most famous hacking group. At least in the case of Anonymous, there's good reason for skepticism about the future. The group's senior ranks have been decimated by arrests and defections. The revelation, in 2012, that "Sabu" (aka Hector Xavier Monsegur) was an FBI informant was a devastating blow to the senior ranks of Anonymous and its sister group Lulz Security.
But Anonymous has always maintained that it's hardly a group at all - more a loose association of like-minded activists. And "hacktivism" was always bigger than one group, anyway. Each week brings us new reminders that hacktivism isn't going away, even if Sabu and his friends are. The latest example was the entrance of an Anonymous-affiliated group calling itself "Knight Sec" into a horrific rape case in Steubenville, Ohio, where two members of that town's Big Red High School football team are accused of the kidnapping and gang rape of a 16-year-old girl. The story, which was profiled in the New York Times, has split the downtrodden and football-obsessed community, in which the connections between officialdom and Big Red are almost too many to count. Amid concerns of a cover-up in the case, Knight Sec launched "OpRollRedRoll," a campaign to recover evidence of the assault that was posted to Twitter and Instagram, and to expose how members of the Big Red team and the Steubenville community were complicit in the assault or its cover-up. Among the information obtained by the group and posted online is a YouTube video featuring team members recounting the assault and laughing about the rape. The group also claims to have compromised the Web hosting account and email accounts of those affiliated with the team.
It's unclear whether Knight Sec's actions will influence prosecutors who are pursuing the case, but it seems likely that the information they uncovered - including team members yucking it up over the assault - will make it harder to sweep the crime under the rug. The Anonymous of HBGary may be gone, but the group is still inspiring action. Expect them.