Hacker Claims Responsibility For Stealing SSL Certificates Belonging To Some Of The Web's Biggest Sites
News about the recent SSL certificate theft caused quite a commotion. Some criticized Mozilla's silence, and a few believed that the delay in disclosing the theft of the digital certificates put lives at risk. What is certain is that the incident presented information security professionals with a new threat model.
Nine SSL certificates from a Comodo certificate reseller were stolen on March 15. However, none of the browser makers went public with the Comodo hack or the existence of the rogue certificates before March 22. The certificates were for six Web sites, including the log-on sites for Microsoft's Hotmail, Google's Gmail, the Internet phone and chat service Skype, and Yahoo Mail. A certificate for Mozilla's Firefox add-on site was also obtained.
Iran was accused of the theft. A few days later, an Iranian claimed responsibility for stealing the certificates belonging to those big sites. Comodo said that at least one of the certificates, for logon.yahoo.com, was used to legitimize a fake Yahoo site hosted by an Iranian ISP (Internet service provider).
"Our security was good in that we picked up the attack and shut it down quickly, but we should have covered this threat model," Comodo's chief executive Melih Abdulhayoglu said. "We didn't, however, model for attack from a foreign government."
Appelbaum told Mozilla that the attack was not a normal attack. "Disclosure does not allow anyone else to perform this attack. Only the attacker with the certificate is able to take advantage of this situation. Only the attacker will benefit from a delay."
Abdulhayoglu described three clues to the attacker's origin. Firstly, the choice of targets was not financial companies but core Internet infrastructure sites.
Secondly, in order for the certificates to be of any use, access to the domain name system infrastructure would have been required.
Finally, the attack was very well orchestrated and "too clean". It did not bear the hallmarks of the criminal attacks the company had experienced in the past, according to Abdulhayoglu.
"You can't be 100 per cent certain," he said. "But if it looks like a duck, and quacks like a duck, then it probably is a duck."
SSL certificates work on the premise that the issuing body is credible. Organizations such as Verisign, Thawte, Equifax, Entrust, GlobalSign, RapidSSL and Comodo promote themselves as sophisticated, guarded operations that can be trusted to issue certificates. While Comodo deserves credit for admitting what happened, the fact that the part of its system used to issue SSL certificates was compromised by a third party who obtained a login and password will raise serious concerns for the firm and its customers.
This incident goes to show that even SSL certificates are not foolproof for securing communications on the Internet.
It is critical that organizations perform penetration testing more frequently, before attackers strike. Organizations involved in online transactions, which accept inbound connections and potentially expose customer information, should be especially concerned. They have to either engage a consultant or hire information security professionals with advanced skills and knowledge in penetration testing.
Information security professionals can increase their penetration testing knowledge and skills by enrolling in a highly technical and intensive course that focuses on attacking and defending highly secured environments. EC-Council has launched the Center of Advanced Security Training (CAST) to address the shortage of highly technically skilled information security professionals. CAST will provide an advanced information security training course called Advanced Penetration Testing (APT). This highly sought-after technical security training will be offered at all EC-Council hosted conferences and events, and through specially selected training partners. The launch classes for CAST will be at the upcoming TakeDownCon Dallas, May 15-17, 2011.