Internet security was critically compromised last week in separate incidents.
First, RSA, one of the leading global manufacturers of cryptographic solutions, was apparently compromised and data was stolen from its critical servers. There is speculation that the SecurID source code or even the seeds may have been copied. SecurID is a token-based enterprise solution used by more than 300 million users worldwide to enforce an authentication mechanism based on ‘unpredictably generated’ access codes.
In addition, well-known security vendor Comodo erroneously issued several SSL certificates to hackers. These were certificates that belonged to major Internet sites, including Skype, Yahoo, Windows Live, Google Mail and Mozilla.
This last breach is far more critical since it allows the hackers to mimic all major Internet services, enabling them to create fake websites that would appear to be genuine. The implication is simple: hackers could create specially crafted phishing emails to send to users of these well-known webmail operators. Users would then be lured to the ‘legit and certified’ looking sites and tricked into providing their account credentials.
The Comodo case is very worrisome because it impacts all Internet services (HTTPS, SMTP, POP3 and IMAP4 over SSL, etc.).
The direct consequences of this situation is that it will be much easier for the bad guys to get their hands on user account credentials and use that information for all sorts of mischief: spamming, breach of confidentiality via mailbox data-mining (bank transactions, clinical data, enterprise data storage), and identity theft, just to name a few.
Imagine all the messy situations this can lead to.
The fact that SSL has been one of the most reliable security solutions shows the inherent weakness of Internet protection mechanisms.
So now we have to wonder about where to place our trust to ensure our privacy and protect the sensitive data we handle.
Leave a Comment