Mervyn McCracken

DigiNotar

Abstract

Given the original design requirements of the Internet, the expertise of cyber criminals and the philosophies of Corporate Governance, it could be argued that trust on the internet has long passed its best-before-date.

Introduction

On August 29th 2011, CERT-Bund, the German organization that provides computer-security support to government agencies, became aware of an ongoing attack on the Dutch Certificate Authority (CA), DigiNotar. Briefly for now, a CA is a trusted third party that vouches for the identity of web sites: when a web browser visits a secure site, a certificate issued by a CA attests that the site being visited is the bona fide enterprise it claims to be.

CERT-Bund informed its Dutch counterpart, GovCert.nl, of the attack. GovCert.nl in turn passed the news on to DigiNotar. However, this was not news to DigiNotar: it had been aware of the attack at least as far back as July 19th. Its failure to come clean about the hack was one of the reasons DigiNotar was put on the fast track to extinction. On September 20th, a mere three weeks after being outed, DigiNotar filed for voluntary bankruptcy.

Even as the news went public, DigiNotar was maintaining that its government-issue PKIoverheid certificates were still trustworthy. But another reason DigiNotar had become a pariah in the security business was that it had failed to segment its network of CA servers. All its servers were part of the same Windows domain, and the hackers had gained domain administrator rights to it. The attackers had access to everything! Fox-IT, commissioned by the Dutch government to investigate, discovered two PKIoverheid certificates that cannot be accounted for, which put paid to that notion of trustworthiness.

As of August 30th, operating-system and web-site developers were issuing patches that revoked the validity of all DigiNotar certs. Two days later, Kaspersky urged the Dutch government to follow suit and completely ban DigiNotar from the Public Key Infrastructure (PKI) chain. The following day, Dutch Minister Donner stated that the security of hundreds of government websites could not be guaranteed and that the government had lost confidence in DigiNotar. This was surely DigiNotar's death knell.

The Dutch MP van Dam claimed that the delay in reporting the attack put lives at risk. Mikko Hypponen of Finland's F-Secure supports this claim, adding that political activists in Iran died due to the late reporting of the attack.

The Attack

The main source of information on the DigiNotar attack is a report [1] by Fox-IT. This report also draws on an internal report commissioned by DigiNotar.

On July 19th, DigiNotar became aware, during a routine procedure, that a fraudulent SSL cert had been issued, and commissioned an internal report. It was discovered that the first signs of the attack dated back to June 6th. A decision was taken to hush up the attack. As of July 19th, DigiNotar started revoking some (127) of its certs. The cert below is the much-mentioned *.google.com wildcard certificate, which was issued July 10th.

July 27th was the first time the Google cert was the subject of an Online Certificate Status Protocol (OCSP) request. When a web browser (e.g. a user in Iran) encounters an SSL cert, it asks the issuer (DigiNotar) whether the cert is still valid. An invalid cert is one that has been revoked; otherwise it is treated as valid by default. Because DigiNotar issued SSL certs mainly for the Netherlands, OCSP requests from Iran should eventually have attracted suspicion.

On August 4th, a massive number of OCSP requests for the *.google.com cert began. The massive man-in-the-middle attacks continued until August 27th, when they were detected by Google Chrome thanks to a security feature known as "certificate pinning". The discoverer noted this on a Google forum at the same time.

On August 29th DigiNotar was notified that it had been hacked. The following day Fox-IT was commissioned by the Dutch government to investigate.

On September 14th, the regulator OPTA declared in a statement that it no longer trusted the DigiNotar certificates. The Ministry of the Interior and Kingdom Relations took over the operational management of the certification systems from DigiNotar.

VASCO Data Security International, DigiNotar's parent company, declared the voluntary bankruptcy of its subsidiary on September 20th. VASCO also announced its departure from the Certificate Authority business, citing substantial losses.

Fox-It Findings

During the initial incident response investigation that was performed before the involvement of Fox-IT, it was identified that at least two web servers were running outdated versions of the DotNetNuke software. There are known security vulnerabilities in these outdated versions of the DotNetNuke software, and the initial incident response investigation concluded that these vulnerabilities had been exploited to gain first entry into DigiNotar's network.

DigiNotar showed an appalling lack of security on its systems. Some of the failings were:

- All its servers were on the one network
- Simple password regime in place
- No anti-virus in evidence

The complete Fox-IT report [1] is widely available.

The Attacker(s)

A twenty-one-year-old Iranian student credits himself with both the attack on DigiNotar and an earlier attack on a reseller for the CA Comodo (March 2011). He goes by the name ComodoHacker, and there is evidence of a similar fingerprint in both cases. The hacker also said that his actions were politically motivated, in retaliation for the Dutch involvement in the Srebrenica massacre in 1995. The hacker said that he attacked DigiNotar on July 11th, the anniversary of that massacre. However, there are definite signs of a hack as of June 17th, with a probable first sign of attack on June 6th. Maybe he should have celebrated D-Day. He has claimed to have shared his knowledge with his friends. It could be that he happened upon an easy way into DigiNotar and then shared this knowledge with individuals who were better placed to use the facilities on offer. The real attack on the victims didn't begin in earnest until August 4th.

This may be corroborated by the fact that, though very script-kiddie-type code was detected on the systems, very sophisticated code was also found that had been used to delete log entries, so that there was no trace of which fraudulent certs had been issued. The attack also required DNS poisoning of several DNS servers. Again, this required sophisticated code, or someone who had control over one or more ISPs. The Iranian government exercises complete control over its internet. The main beneficiaries of the attack would also appear to be the Iranian authorities.

The Victims

As a result of the fraudulent certs issued from DigiNotar, 300,000 requests for OCSP revocation status were made to DigiNotar's servers. 99% of these requests came from Iran. The remaining 1% were using Tor and other anti-detection tools but were also deemed to have originated in Iran.
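The OCSP lookups described under The Attack (requests from Iran that "should have eventually attracted suspicion") and the 99%-from-Iran figure above suggest a simple responder-side detection: group status requests by certificate serial and by client country, and alert when a certificate's lookups come overwhelmingly from outside the issuer's customer base. The Go program below is an added example written for this page, not code from DigiNotar or from the Fox-IT report. The log format, the GeoIP country column, the serial numbers and the choice of the Netherlands and Belgium as the "home" market are all constructed assumptions.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// OCSPRequest is one parsed line of a hypothetical OCSP responder access log.
type OCSPRequest struct {
	Time    string // timestamp as written in the log
	Country string // country of the client IP, assumed to be added by a GeoIP step upstream
	Serial  string // serial number of the certificate whose status was asked for
	Status  string // responder answer: good, revoked or unknown
}

// sampleOCSPLog is constructed for this example; the serials are placeholders, not
// DigiNotar's real ones. Field order: time country serial status.
const sampleOCSPLog = `
2011-07-27T08:14:02Z IR SERIAL-WILDCARD good
2011-08-04T06:02:11Z IR SERIAL-WILDCARD good
2011-08-04T06:02:15Z IR SERIAL-WILDCARD good
2011-08-04T06:03:40Z IR SERIAL-WILDCARD good
2011-08-04T06:05:01Z IR SERIAL-WILDCARD good
2011-08-04T06:05:22Z IR SERIAL-WILDCARD good
2011-08-04T09:30:00Z NL SERIAL-WILDCARD good
2011-08-04T07:00:00Z NL SERIAL-BANK good
2011-08-04T07:01:00Z NL SERIAL-BANK good
2011-08-04T07:02:00Z BE SERIAL-BANK good
2011-08-04T07:03:00Z NL SERIAL-BANK good
2011-08-04T07:04:00Z DE SERIAL-BANK good
2011-08-04T07:06:00Z IR SERIAL-SMALL good
2011-08-04T07:07:00Z IR SERIAL-SMALL good
`

// parseOCSPLog parses whitespace-separated lines, skipping blank ones and rejecting
// lines that do not have exactly four fields.
func parseOCSPLog(raw string) ([]OCSPRequest, error) {
	var out []OCSPRequest
	for n, line := range strings.Split(raw, "\n") {
		if strings.TrimSpace(line) == "" {
			continue
		}
		f := strings.Fields(line)
		if len(f) != 4 {
			return nil, fmt.Errorf("line %d: expected 4 fields, got %d", n+1, len(f))
		}
		out = append(out, OCSPRequest{Time: f[0], Country: f[1], Serial: f[2], Status: f[3]})
	}
	return out, nil
}

// Finding is a certificate whose status checks come mostly from outside the home market.
type Finding struct {
	Serial       string
	Total        int
	Foreign      int     // requests from countries outside the home set
	ForeignShare float64 // Foreign / Total
}

// suspiciousSerials groups requests per certificate serial and flags those with at least
// minRequests lookups of which more than minForeignShare come from outside home. The
// volume guard stops a handful of travellers' lookups from raising an alert on their own.
func suspiciousSerials(reqs []OCSPRequest, home map[string]bool, minRequests int, minForeignShare float64) []Finding {
	total, foreign := map[string]int{}, map[string]int{}
	for _, r := range reqs {
		total[r.Serial]++
		if !home[r.Country] {
			foreign[r.Serial]++
		}
	}
	var findings []Finding
	for serial, n := range total {
		share := float64(foreign[serial]) / float64(n)
		if n >= minRequests && share > minForeignShare {
			findings = append(findings, Finding{Serial: serial, Total: n, Foreign: foreign[serial], ForeignShare: share})
		}
	}
	sort.Slice(findings, func(i, j int) bool { return findings[i].ForeignShare > findings[j].ForeignShare })
	return findings
}

// analyzeSample runs the detection over the constructed log, treating the Netherlands
// and Belgium as the issuer's home market (an assumption made for the example).
func analyzeSample() ([]Finding, error) {
	reqs, err := parseOCSPLog(sampleOCSPLog)
	if err != nil {
		return nil, err
	}
	return suspiciousSerials(reqs, map[string]bool{"NL": true, "BE": true}, 5, 0.8), nil
}

func main() {
	findings, err := analyzeSample()
	if err != nil {
		fmt.Println("parse error:", err)
		return
	}
	fmt.Printf("%+v\n", findings)
}
```

On the constructed log only SERIAL-WILDCARD is reported: seven lookups, six of them from Iran. SERIAL-BANK has one German lookup out of six and stays under the share threshold, and SERIAL-SMALL, although entirely foreign, is below the volume guard. The thresholds are policy knobs; what matters is that the signal (a certificate's own clients suddenly sitting in the wrong country) was available in the responder's logs from the first request.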

Freedom House

Freedom House was founded by Eleanor Roosevelt and Wendell Willkie (her husband's opponent in the previous year's Presidential Election) in 1941. It is said to be funded mainly by the US State Dept. It observes nations around the world and scores each on a scale of 1 to 7 (worst case) for both political freedoms and civil rights.

“Freedom House is an independent watchdog organization dedicated to the expansion of freedom around the world”. By its rating, Iran scores 6:6. The Financial Times is critical of Freedom House (FH) because of its US State Dept funding, claiming it runs many clandestine operations in Iran. This raises the question: are their findings more reliable? Either way, FH rates Saudi Arabia, a keen ally of the US in the Middle East, 7:7 for political freedoms and civil rights. That is equivalent to its ratings of North Korea, China, Sudan and Syria.

Freedom House on Iran

The judicial system is not independent, as the supreme leader directly appoints the head of the judiciary, who in turn appoints senior judges. Suspects are frequently tried in closed sessions without access to legal counsel. Political and other sensitive cases are tried before revolutionary courts, where due process protections are routinely disregarded and trials are often summary. Judges deny access to lawyers, commonly accept coerced confessions, and disregard torture or abuse during detention.

In January 2011 alone, it was reported that 83 people, including three political prisoners, were executed. By September, there had been more than 200 officially announced executions, including over two dozen public hangings, while at least 146 others were carried out in secret, without the knowledge of the inmates' lawyers or relatives. The total number of executions in 2011 was reportedly as high as 600.

An interview with F-Secure's Mikko Hypponen mentions the deaths of dissidents Hoda Reza Zadeh Saber and Haleh Sahabi in the same article as DigiNotar, but these occurred in early June 2011. The link is unlikely, as the first OCSP requests were not detected until July 27th.

Besides the repeated mention of the figure of 300,000 by journalists, very little is known of the victims.

Certificate Authority

For secure communications over the internet, a form of cryptography known as asymmetric cryptography is used. Fundamental to this communication are two keys, one private and one public. Communications encrypted with the public key can only be decrypted with the corresponding private key, and each public key has exactly one corresponding private key. Should two users share the same public key (and hence the same private key), they could decrypt each other's sensitive data. Therefore it is important that each key pair is unique, so that only the legitimate holder of the public key knows the private key.

Organizations such as banks that need to enforce this form of secure communication between them and their customers rely on trusted third parties to generate these unique public/private keys and to maintain the infrastructure pertaining to this system. These ‘trusted third parties’ are known as Certificate Authorities (CAs).

Another important function performed by these CAs is to validate the bona fides of any organization wishing to partake in this system. Any enterprise, such as a bank or an online sales company, that wishes to process sensitive data such as credit card details will, once validated by a CA, be issued a certificate containing its unique public key.

When a user visits a secure site, the user's browser will encounter the certificate and, if the browser trusts the issuing authority (CA) of the cert, will load the requested page as normal. Should the browser encounter a cert that it does not trust, it will show the user a warning similar to the one below:

The user may see this warning for several reasons:

- Browser was misdirected to an invalid site (see DNS poisoning below)
- Valid site but the cert has expired (not in the above case)
- Site has issued its own (self-signed) cert and is valid (e.g. UCD)
- Site is NOT trustworthy and should be avoided

It can be seen from the warning that the traffic to and from the site will be encrypted and thus safe in transit. The question the user must ask himself is whether he trusts whoever is at the other end of that secure connection.

In the case of DigiNotar, the hackers effectively broke in and used the facilities to issue themselves certificates, which they then attached to spurious web sites. When users visited (were misdirected to) these spurious sites, their browsers trusted DigiNotar and loaded the page. The user was none the wiser.

There are approximately 650 CAs across 54 jurisdictions. They are not regulated by any one authority but are expected to conform to industry best practices. Given that they reside across so many jurisdictions, regulation, even if desired, hardly seems feasible.

One advantage of having so many CAs is that, if there were only a few, many organizations would be limited in whom they could place their trust. An ENISA report claimed that Comodo, which had 25% of the world's SSL market, was too big to fail, even though it too had been hacked. Its hack was not as bad as DigiNotar's, but had it been, e-commerce would have been plunged into chaos, with so many relying on its certs.

Who are they?

The seven largest CAs are:

- Comodo
- Symantec
- Trend Micro
- DigiCert
- Entrust
- GlobalSign
- GoDaddy

As recently as February 2013 they came together to form the Certificate Authority Security Council (CASC). CASC is a multi-vendor industry advocacy group dedicated to research, promoting internet security standards and educating the public on internet security issues.

"While not a standards-setting organization, we're committed to supplementing standards-setting organizations by providing education, research, and advocacy on the best practices and use of SSL", states Robin Alden, CTO of Comodo.

Internet Security

Security on the Internet sits on a three-legged stool. Each leg is essential and each has its flaws. They are:

- DNS
- SSL
- HTTPS

One of the main reasons for this predicament is that security was not part of the original design requirements, or was at least a very low priority. It has been a subsequent add-on.

Domain Name System

E-Commerce – a necessity

In an economy that appears to be getting tougher year after year, some suggest [4] that consumer spending hasn't actually stopped, it has only shifted. Online retail, or e-commerce, has rapidly become one of the most-used methods for making purchases, especially during the holiday season. With statistics suggesting that 80% of homes in America alone now have at least one computer (92% of which have access to the internet), it is no wonder that online retail has grown so rapidly in the past decade. The figure for ownership in the same year (2010) in Western Europe was 70 PCs per 100 people. As of 2011, internet connectivity in some European countries has exceeded 90%.

DNS – essential to E-Commerce

Essential to e-commerce is the Domain Name System (DNS). Commonly referred to as the phonebook of the internet, DNS resolution allows a human to type an address made of words (a domain name) and have it converted into the numeric IP address that machines on a network need in order to communicate with one another.

Given that we live in a world of IPv4, due to the slow uptake of IPv6, the number of available IP addresses has long since been used up. Luckily, Network Address Translation (NAT) has helped avert the crisis. But a world in which a user could not type www.myFavoriteSite.com and have it resolve to a numeric IP address is inconceivable for a successful e-commerce economy.

From the realms of Cognitive Psychology, George Miller (MIT 1956) delivered one of the most important papers on the subject, in which he opened by claiming that he was persecuted by a magical number. Miller had quantified the size of short-term memory in humans. That number was seven (plus or minus two) and represents the number of individual pieces of data that can be held in short-term memory. Generally, a piece of data is referred to as a chunk. The following could be seen as nine separate pieces/chunks of data:

H K G L H R S N N

According to Miller, this would tax the short-term memory of most humans. But let's say the same nine are presented to an aviation enthusiast. Those nine letters represent the airport codes for Hong Kong, London Heathrow and Shannon. The nine have now been chunked into three.

HKG – LHR – SNN

By the same rules, that aviation enthusiast could remember seven 3-letter combinations for seven different airports, bringing the letter count from 9 to 21. Again, according to Miller's rules, the more one is an expert on a subject the greater the size of the relevant chunk, whilst the chunk count still remains at seven. In aviation, each airport has two codes: IATA (3 letters) for passenger use and ICAO (4 letters) for pilot use.

Seven airports, at seven letters each, bring the total up to 49 letters representing 7 pieces of data:

Hong Kong - Heathrow - Stansted - Gatwick - Shannon - Dublin - Cork

HKGVHHH - LHREGLL - LGWEGKK - STNEGSS - SNNEINN - DUBEIDW - CRKEICK

But wait, those seven can be chunked into three: London airports, Irish airports and Hong Kong! Again, both the London and Irish groups could be increased to four airports each. The letter count now grows to 63 for just three chunks.

This demonstrates how easy it can be for humans to remember large amounts of data given the right medium. But now try:

208.80.152.201
212.58.241.131
194.71.107.15

That's Wikipedia, the BBC and The Pirate Bay. Even if one did manage to commit the above to memory, ISPs are reluctant to issue static IP addresses due to the limited number of IPv4 addresses, so they may not be in use when one tries them!

Domain Name Resolution

Whether you're accessing a Web site or sending e-mail, your computer uses a DNS server, which manages a massive database that maps domain names to IP addresses, to look up the domain name you're trying to access. The proper term for this process is DNS name resolution, and you would say that the DNS server resolves the domain name to the IP address. For example, when you enter "http://www.howstuffworks.com" in your browser, part of the network connection includes resolving the domain name "howstuffworks.com" into an IP address, like 70.42.251.42, for HowStuffWorks' Web servers.

DNS Poisoning (Spoofing)

A networked computer will have access to a DNS server, either from the local ISP or from the organization that the computer belongs to. Should that massive database mentioned above be compromised by an attacker, the numeric IP addresses corresponding to particular domain names can be altered by the attacker, so that the domain names resolve to an address of the attacker's choosing.

For example, an attacker spoofs the IP address DNS entries for a target website on a given DNS server, replacing them with the IP address of a server he controls. He then creates files on the server he controls with names matching those on the target server. These files could contain malicious content, such as a computer worm or a computer virus. A user whose computer has referenced the poisoned DNS server would be tricked into accepting content coming from a non-authentic server and unknowingly download malicious content.

One of Brazil's largest banks suffered an attack [3] that redirected users to a malicious site that attempted to install malware and steal passwords. In this situation, the users were not aware that they were on a fake site, since the delivered page looked just like the original. These types of attacks are very hard to detect, since the users had actually typed the correct domain name into their browsers.

The now legendary computer virus Stuxnet utilized DNS poisoning to redirect Iranian systems to a site called windowsupdate.com. Once there, a valid security certificate (SSL, see below) verified that the site was genuine, and a false update was downloaded. This update was carrying important aspects of the Stuxnet virus.

DNSSEC is a technology that was developed to protect against such attacks by digitally ‘signing’ data so you can be assured it is valid. However, in order to eliminate the vulnerability from the Internet, it must be deployed at each step in the lookup, from the root zone to the final domain name. This may be the reason for the slow uptake of DNSSEC (discussed later). Signing the root (deploying DNSSEC on the root zone) is a necessary step in this overall process. Importantly, it does not encrypt data. It just attests to the validity of the address of the site you visit.

SSL

Short for Secure Sockets Layer, a protocol developed for transmitting private documents via the Internet. SSL uses a cryptographic system that uses two keys to encrypt data: a public key known to everyone and a private or secret key known only to the recipient of the message. Many Web sites use the protocol to obtain confidential user information, such as credit card numbers. By convention, URLs that require an SSL connection start with https: instead of http. The public key will be part of an SSL Certificate, which itself is used to authenticate a secure web site. In theory, this could be the most robust of the three. However, many of the trusted third parties needed to issue the SSL certs have proven less robust in their security, with many thefts of genuine certs and fraudulent issuance of others.

HTTPS

HTTPS (HTTP over SSL or HTTP Secure) is the use of Secure Sockets Layer (SSL) or Transport Layer Security (TLS) as a sub-layer under regular HTTP application layering. HTTPS encrypts and decrypts user page requests as well as the pages that are returned by the Web server. The use of HTTPS protects against eavesdropping and man-in-the-middle attacks.

Fundamental weaknesses in the design of HTTPS:

In the current setup, browsers and operating systems (e.g. Microsoft's certificate store) place trust by default in a large number of CAs (hundreds), so a failure with one of them creates a risk for all users and all websites. The security of HTTPS equates to the security of the weakest CA. HTTPS should be modernized, to be more resilient against attacks and more user friendly.
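To make the weakest-CA point concrete, and to tie it back to the certificate pinning that caught the *.google.com misuse and to the DNS-misdirection scenario above, here is an added example in Go. It is not code from this essay, from Fox-IT or from any browser vendor. It builds two in-memory root CAs and puts both in a client trust store, then shows three things: a certificate for the site's name issued by the compromised root verifies exactly as well as the genuine one; a certificate issued by that same root for a different name does not verify for the site, which is why an attacker who can only misdirect DNS still needs a CA-issued certificate for the real name; and a public-key pin recorded from the genuine certificate rejects the rogue one. The hostnames and CA names are placeholders, and nothing here touches the network.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// siteHost is a placeholder name for this example; nothing here touches the network.
const siteHost = "www.example.test"
var serialCounter int64 // unique serials for the in-memory CAs

// genKey makes a P-256 key; in-memory key generation failing means a broken environment.
func genKey() *ecdsa.PrivateKey {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return key
}

// sign fills in serial and validity, has signer (the parent's key) sign tmpl for pub,
// and returns the parsed certificate.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	serialCounter++
	tmpl.SerialNumber = big.NewInt(serialCounter)
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER we just produced always parses
	return cert
}

// newRoot creates a self-signed root CA, standing in for one entry of a browser's store.
func newRoot(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := genKey()
	tmpl := &x509.Certificate{Subject: pkix.Name{CommonName: name}, IsCA: true, BasicConstraintsValid: true}
	return sign(tmpl, tmpl, &key.PublicKey, key), key
}

// issueLeaf has the CA sign a server certificate for host.
func issueLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, host string) *x509.Certificate {
	key := genKey()
	tmpl := &x509.Certificate{Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	return sign(tmpl, ca, &key.PublicKey, caKey)
}

// chainValid is the browser's check: does *some* trusted root vouch for leaf under host?
func chainValid(leaf *x509.Certificate, roots *x509.CertPool, host string) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil
}

// spkiPin is the base64 SHA-256 of the SubjectPublicKeyInfo, the usual form of a pin.
func spkiPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// Outcome records each check so the scenario can be asserted on without parsing output.
type Outcome struct {
	GenuineChainOK bool // the site's real certificate verifies
	RogueChainOK   bool // a cert for the same name from a different trusted CA also verifies
	WrongHostOK    bool // a rogue cert for another name does not verify for the site
	GenuinePinOK   bool // the pin set accepts the site's real key
	RoguePinOK     bool // the pin set rejects the rogue key
}

func runScenario() Outcome {
	honestCA, honestKey := newRoot("Honest Root CA (example)")
	rogueCA, rogueKey := newRoot("Compromised Root CA (example)")
	genuine := issueLeaf(honestCA, honestKey, siteHost)
	rogue := issueLeaf(rogueCA, rogueKey, siteHost) // what a breached CA lets an attacker mint
	other := issueLeaf(rogueCA, rogueKey, "attacker.example.test")
	store := x509.NewCertPool() // the client trust store: both roots, as real stores hold hundreds
	store.AddCert(honestCA)
	store.AddCert(rogueCA)
	pins := map[string]bool{spkiPin(genuine): true} // recorded from the site's known-good cert

	return Outcome{
		GenuineChainOK: chainValid(genuine, store, siteHost),
		RogueChainOK:   chainValid(rogue, store, siteHost),
		WrongHostOK:    chainValid(other, store, siteHost),
		GenuinePinOK:   pins[spkiPin(genuine)],
		RoguePinOK:     pins[spkiPin(rogue)],
	}
}

func main() { fmt.Printf("%+v\n", runScenario()) }
```

Path validation answers "is there any trusted root that vouches for this name?", never "is it the root this site actually uses?", which is exactly the property a compromised CA exploits. Pinning answers the second question, at the cost of keeping the pin set current whenever the site legitimately rotates keys; that operational burden is why pinning has stayed limited to browser-shipped lists for a handful of sites rather than becoming a general fix.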

Corporate Governance

Long Live the King

In light of the collapse of Enron and WorldCom in the US and Satyam in India, the US, in a bid to restore confidence in the reliability of financial reporting, passed into law the Sarbanes-Oxley Act. Sarbox, or even Sox as it is known, makes legal some of the principles of Corporate Governance recommended by both the Cadbury Report (UK 1992) and the OECD Reports (1998, 2004).

Corporate Governance (CG) is the system by which large corporations are guided in how they execute their affairs: notably, that they function on both sound and legal principles; that in the event of wrongdoing their corporate officers are accountable to a board of directors; and that the board is independent of the day-to-day running of the corporate entity. Another notable guiding principle is that conflicts of interest between stakeholders be mitigated. Stakeholders include debtors, creditors and shareholders.

There are different models [5] of CG, depending on the particular variety of capitalism in which the model is embedded:

- Anglo-American Model
- European Model
- Indian Model

Anglo American Model

The Anglo-American model of corporate governance emphasizes the interests of shareholders. It relies on a single-tiered Board of Directors that is normally dominated by non-executive directors elected by shareholders. Because of this, it is also known as “the unitary system”. Within this system, many boards include some executives from the company (who are ex officio members of the board). Non-executive directors are expected to outnumber executive directors and hold key posts, including audit and compensation committees.

European model

Some continental European countries, including Germany and the Netherlands, require a two-tiered Board of Directors as a means of improving corporate governance. In the two-tiered board, the Executive Board, made up of company executives, generally runs day-to-day operations, while the supervisory board, made up entirely of non-executive directors who represent shareholders and employees, hires and fires the members of the executive board, determines their compensation, and reviews major business decisions.

Indian model

India's SEBI Committee on Corporate Governance defines corporate governance as the “acceptance by management of the inalienable rights of shareholders as the true owners of the corporation and of their own role as trustees on behalf of the shareholders. It is about commitment to values, about ethical business conduct and about making a distinction between personal & corporate funds in the management of a company.” It has been suggested that the Indian approach is drawn from the Gandhian principle of trusteeship and the Directive Principles of the Indian Constitution, but this conceptualization of corporate objectives is also prevalent in Anglo-American and most other jurisdictions.

Ultimately, CG attempts to place ethics as its rule of thumb, but if the shareholder comes first and the shareholder's first priority is to turn a buck, what then for ethics? This also throws up a contradiction. A corporation, for legal reasons, is considered a person. It, in itself, cannot act ethically. Its corporate officers may act ethically, but their responsibility is primarily for the benefit of the corporation.

Ethics

MSD, a pharmaceutical company based in Rathdrum, Wicklow since 1961, decided to consolidate its business and pulled the plug in Rathdrum even though the state-of-the-art facility was still in profit. 280 people in a small community depending on the facility will lose their jobs.

Money talks

In his article of 1970, The Social Responsibility of Business is to Increase its Profits, Milton Friedman wrote:

“In a free-enterprise, private-property system, a corporate executive is an employee of the owners of the business. He has direct responsibility to his employers. That responsibility is to conduct the business in accordance with their desires, which generally will be to make as much money as possible while conforming to the basic rules of the society, both those embodied in law and those embodied in ethical custom.”

One of the direct results of Sarbox is that the C-suite executives which it set out to hold accountable have decoupled themselves from that responsibility [6]. From an article, More Sarbanes-Oxley Anniversary Thoughts, ten years after Sarbox was passed:

“backed…. by several corporate defense lawyer sources that sub-certifications or “waterfall” certification insulates the C-suite from claims of criminal responsibility for false certification. Basically, if several underlings tell the CFO and CEO the numbers are good, disclosures are good, controls are good”

As Antunovich et al. [7] (Current Trends in Management) attest, the most admired corporations are those with an average return (5 yrs) of 125%, while the least admired are those with an average return of 80%. This admiration was supported by a Business Week survey which ranked good and bad boards. The highest ranked boards were those with the highest financial returns.

Trust in whomever you wish, but the dollar is king.

Regulatory Compliance

DigiNotar was audited annually to the ETSI TS 101 456 standard, which deals with Electronic Signatures and Infrastructures (ESI). In the aftermath of the attack, the security of its systems was found to be severely lacking.

It may have been a move to maximize profits: a random Google search [9] shows the price of ISO 27001 certification at $48,000. Or it may have been an oversight on the part of the DigiNotar board, but either way it was a costly mistake.

It may serve as a warning to others that the cheap way usually ends up the costliest.

Business Continuity & Incident Response

As of 2011, NIST [8] reports that all CAs are under increased threat of attack. This poses a risk to both the CA and the organizations relying on the CA. Therefore both must design and implement a strategy for a likely CA compromise.

DigiNotar serves as an example of the many benefits of having a good Business Continuity strategy in place. As part of the ISO package, ISO 22301 and ISO 27035 deal with Business Continuity Planning (BCP) and Incident Response respectively.

Clause 8 of ISO 22301, which deals with Business Impact Analysis, would assist an organization in identifying key/critical processes and, following that, the threats facing those key processes. The next phase is to conduct risk analysis so as to reduce or mitigate those risks and simultaneously plan for their eventuality.

With such a plan in place, DigiNotar would have identified its PKIoverheid ("PKIgovernment") program, which issued certificates for the Dutch government, as a critical process separate from its other CA business. “Some of the most-used electronic services offered by Dutch governments used certificates from DigiNotar”.

In particular, DigiNotar would have been forced to recognize the vulnerability of not segmenting its network so as to isolate its different servers, which was one of the main factors in its demise.

As a consequence of having a good BCP in place, the need for a good Incident Response (IR) Plan would arise. Another of the main factors in DigiNotar's demise was that it was not aware of which, or how many, fraudulently issued certificates there were. This happened because the attackers had access to all servers, including the server that held the logs detailing which certs had been issued. Other organizations that suffered similar breaches were not as unlucky as DigiNotar: they at least knew which certs to revoke, containing the damage. In DigiNotar's case, the attackers issued themselves certs and then, by means of some sophisticated code discovered on the systems after the attack, deleted those logs.

The stages of an ISO 27035 IR plan are:

1. Prepare to deal with incidents, e.g. prepare an incident management policy and establish a competent team to deal with incidents;

2. Identify and report information security incidents;

3. Assess incidents and make decisions about how they are to be addressed, e.g. patch things up and get back to business quickly, or collect forensic evidence even if it delays resolving the issues;

4. Respond to incidents, i.e. contain them, investigate them and resolve them;

5. Learn the lessons: more than simply identifying the things that might have been done better, this stage involves actually making changes that improve the processes.

At stage three, the importance of retaining log data securely would have arisen, and DigiNotar would have seen the need to implement at least some type of basic Log Management Policy. The need to protect its logs by isolating that server is, reasonably, a possible outcome.
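The log deletion described above, which left DigiNotar unable to say which certificates it had to revoke, is the failure a tamper-evident log is built to expose. As an added example (written for this page, not material from DigiNotar, Fox-IT or the ISO standards), the Go program below keeps an issuance log as a hash chain, records the latest head hash as if it had been forwarded to a system the CA servers cannot write to, and then shows what each check sees when an attacker with control of the log server removes the record of a fraudulent issuance from the middle, and when the attacker instead cuts entries off the end. The chain alone catches the first case but not the second; the off-host copy of the head hash catches both. The records and serials are constructed.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Entry is one record of a certificate issuance log. Hash commits to the record, its
// position and the previous entry's hash, so the entries form a chain.
type Entry struct {
	Seq      int
	Record   string
	PrevHash string
	Hash     string
}

func entryHash(seq int, record, prev string) string {
	sum := sha256.Sum256([]byte(fmt.Sprintf("%d|%s|%s", seq, record, prev)))
	return hex.EncodeToString(sum[:])
}

// appendEntry links a new record to the current head of the chain.
func appendEntry(chain []Entry, record string) []Entry {
	prev := ""
	if n := len(chain); n > 0 {
		prev = chain[n-1].Hash
	}
	seq := len(chain) + 1
	return append(chain, Entry{Seq: seq, Record: record, PrevHash: prev, Hash: entryHash(seq, record, prev)})
}

// verifyChain walks the log and returns the index of the first entry whose sequence
// number, link or hash is inconsistent, or -1 if the chain is intact. Removing or
// editing an entry in the middle breaks the link of the entry that follows it.
func verifyChain(chain []Entry) int {
	prev := ""
	for i, e := range chain {
		if e.Seq != i+1 || e.PrevHash != prev || e.Hash != entryHash(e.Seq, e.Record, prev) {
			return i
		}
		prev = e.Hash
	}
	return -1
}

// Outcome collects what each check sees in the scenario below.
type Outcome struct {
	IntactBreak        int  // -1: the untouched log verifies
	DeletedMiddleBreak int  // index at which deleting an inner entry is noticed
	TruncatedBreak     int  // -1: the chain alone cannot see entries cut from the end
	TruncatedHeadMatch bool // false: the head hash copied off-host at write time can
}

func runScenario() Outcome {
	// Constructed records; the serials and names are placeholders.
	var chain []Entry
	for _, rec := range []string{
		"issued serial=0001 subject=CN=www.example-bank.test",
		"issued serial=0002 subject=CN=*.example.test",
		"revoked serial=0002",
		"issued serial=0003 subject=CN=mail.example.test",
	} {
		chain = appendEntry(chain, rec)
	}
	// Assumed: every new head hash is forwarded to a system the CA servers cannot write to.
	publishedHead := chain[len(chain)-1].Hash

	// An attacker with admin rights on the log server removes the record of the
	// fraudulent issuance (entry 2) and, separately, cuts off the log's tail.
	deleted := append(append([]Entry{}, chain[:1]...), chain[2:]...)
	truncated := chain[:2]

	return Outcome{
		IntactBreak:        verifyChain(chain),
		DeletedMiddleBreak: verifyChain(deleted),
		TruncatedBreak:     verifyChain(truncated),
		TruncatedHeadMatch: truncated[len(truncated)-1].Hash == publishedHead,
	}
}

func main() { fmt.Printf("%+v\n", runScenario()) }
```

The hash chain makes the log self-checking against edits and deletions in the middle, but a truncated chain is still a valid chain, so the defence against an attacker who owns the log server is the copy of the head hash that lives elsewhere. In practice that "elsewhere" is a log forwarder or write-once store on a separately administered system, which is the segmentation the essay says DigiNotar lacked.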

Though DigiNotar was audited annually to ETSI standards (see Regulatory Compliance), this seems to have had more to do with compliance than with any substantive policy or desire to address its business needs.

The advantages of signing up to ISO 27035/22301 are two-fold.

Clauses 4 through 8 of 22301 assist an organization indesigning and implementing a robust BCP. It forces anorganization not only to look at its business risks,but also the risks facing the implementation of theBCP. Clauses 9 & 10 would maintain currency by testing,documenting and improving when necessary.

Commitment to ISO22301 implies an organization isproactive in facing its responsibilities to itsshareholders, stakeholders and customers. It is atestament of their positive security posture and a powerfulPR statement in an industry that has lost allsemblances of trust.

The only reason most CAs are still there is that, at present, there is no alternative.

It is reasonable to assume that had DigiNotar had either or both of ISO 27035 and ISO 22301 in place, it would still be in business today.

That same NIST report [8] makes the following lucid point:

The creation of a new CA or establishment of a relationship with a new external CA after a CA compromise can cause significant delays in issuing new certificates, so it is prudent to establish backup CAs as a precautionary measure.

NIST recommends that any organization should have in place, as part of its IR plan, contingencies for the issuance of SSL certs from a primary alternative as well as a secondary alternative CA. The expectation of CA compromise should be treated as an absolute given. The NIST report outlines a very detailed plan for both CAs and relying parties, addressing their respective needs.

Security Awareness in crisis

A recent report asked whether security awareness was a waste of time. Given the inability of anti-virus to detect what may well be the vast majority of malware in the wild at present, the argument put forward was that awareness is the best possible solution at the moment.

From those in the information security industry we might at least expect to find security awareness at its best. The following examples suggest otherwise.

DigiNotar

DigiNotar suffered a litany of poor security decisions, including:

- All their servers were on the one network
- Not running anti-virus software
- Simple passwords in use (the attacker easily gained administrator rights to their entire network)

Bit9

From Bit9's own site: "The Bit9 Trust-based Security Platform continuously monitors and records all activity on servers and endpoints to detect and stop the advanced persistent threat that evades traditional security defenses."

In February 2013, Bit9 was hacked. The comment, "Due to an operational oversight within Bit9, we failed to install our own product on a handful of computers within our network", must have been deeply embarrassing.

DNSSEC

DNSSEC, which signs DNS records so that a validating resolver can detect poisoned or spoofed responses, is available but is not being used by those we would expect to embrace it.

Brussels, 2 November 2010 – 87% of the world's top-level domains (TLDs) have yet to deploy the Domain Name System Security Extensions (DNSSEC) protocol, according to a new .eu Insights report published today by EURid, the registry for the .eu TLD.

The following was picked up from a blog and is a reply (June 2011) from an ISP that was asked about its adoption of DNSSEC:

“Hello Mark,

We do not have this implemented at this time. We currently do not have plans in the near future. I have noted this request however and if there is enough demand for this service, it will be seriously looked into for implementing DNSSEC. The idea of this service from our research is very good, but we have not seen many of our peers make that conversion over yet. As things change, we could become closer to implementing services like this."

From the UK's The Register article on slow DNSSEC take-up (February 2013):

Banks are very risk-averse. I fully expect a slow uptake there, unless some major DNS event happens……… Secure64 has sort of tried that a few times now, last time they tried to shame the .gov people for not implementing DNSSEC as per mandate. I don't think it is working :)


Pièce de résistance

In psychology experiments [10], a typical sample for testing a hypothesis numbers 30-60. In large surveys a sample of 1000 is used to represent millions. According to an ENISA report [11], a New Zealand bank (BankDirect) accidentally allowed its SSL cert to expire. 300 of its customers were presented with an HTTPS warning before the situation was remedied. The 300, for that moment, were all in a very similar predicament: all were about to visit a very important site, so the same level of attention and priority can be assumed of each. These are exactly the conditions psychology experiments seek, and the precision of this situation is hard to emulate. The result: 299 ignored the warning, proceeded to the site and gave up their very sensitive details. That is 99.67%.

It is difficult not to draw conclusions about the seriousness of the state of security awareness from this case. Had it been a proper experiment, it might have been worthy of a paper.

Microsoft's policy of perpetually bombarding users with banal warnings may have over-cooked proper attempts to inform the user. This is not a Windows bash but a criticism of the policy. It is not unlike those adverts by drinks companies who implore us to buy as much of their product as possible and then slip in that little "Always drink sensibly" inanity at the end, their moral obligation fulfilled.

Among those whom we expect to understand the risks, security awareness programs may have failed to reach their target. For the general user, the New Zealand example may prove that security awareness is in crisis. The following, again from the UK's The Register (April 2013), shows that attacks are still on the rise and that lack of security awareness is a costly oversight:


The survey, out Tuesday, also revealed that 93 per cent of large organisations (those which employ more than 250 workers) had reported breaches in the past year.

The median number of breaches suffered was 113 for a large organization (up from 71 a year ago) and 17 for a small business (up from 11 a year ago).

Both figures suggest that companies which report hacker attacks are doing so more often.

Over three in four (78 per cent) large organisations that responded said they'd been attacked by an unauthorized outsider (up from 73 per cent a year ago) and 63 per cent of small businesses said the same (up from 41 per cent a year ago).

Twelve per cent of respondents said the worst security breaches were partly caused by senior management giving insufficient priority to security.


Cyber crime continuing to undermine trust

Attacks such as DigiNotar and Stuxnet require backing from a state-sized organization and are very target specific. They have degraded trust on the internet to the point where a person could click on the browser bookmark for their banking site to view their account details and, through DNS cache poisoning, be redirected to a bogus site. It is possible for that bogus site to present an SSL cert (stolen or fraudulently issued) for the bank's name, which would leave the customer completely oblivious to the fact that they were giving their very sensitive details to a criminal.

Though possible, the above scenario may not be cost effective for the criminal and is therefore hardly probable. An easier way is to take advantage of situations that users already trust, using what is termed social engineering. "Taking advantage of the notoriety of companies, celebrities and major events is a tactic cyber criminals continue to use because it works," said Christopher Boyd, senior threat researcher at GFI Software.

GFI Software's report for March 2012 documented several spam attacks and malware-laden email campaigns infiltrating users' systems under the guise of communications purporting to be from well-known companies, and promotions for popular products and services. Google, LinkedIn, Skype and the video game Mass Effect 3 were among the brands exploited by cyber criminals in order to attract more victims.

"Criminals know that Internet users are bombarded with countless emails every day, and these scammers prey on our curiosity and our reflex-like tendency to click on links and open emails that look like they're coming from a company we know and trust."

Google served as the hook for two particularly nasty scams uncovered by GFI in March. One SEO poisoning attack told users that "Google systems" had detected malware on their computer and directed them to download a rogue antivirus application. Meanwhile, spammers inundated mailboxes with messages containing fake announcements for "Google Pharmacy", a phony service touted as a "pharmaceutical interface for Google". The body of the email consisted of a single image rather than text in order to circumvent spam filters. Victims who visited the URL contained in the image spam were directed to Pharmacy Express, a site linked to spam attacks since 2004 (see Cybercrime-as-a-Service below).

Users of the popular social networking site LinkedIn received fake invitation reminders redirecting them to a BlackHole exploit kit that infected their machines with Cridex [12], a Trojan that has targeted banks, social networks and CAPTCHA tests. Other cyber criminals targeted Skype users with a spam campaign claiming to offer free Skype credit, but instead directed users to a compromised site hosting malicious Java exploits.

Cybercrime-as-a-Service

Much like legitimate business ventures, the cybercrime-as-a-service industry "employs" people at various levels, including people with corner-office functions around decision-making and oversight, as well as other individuals responsible for infecting machines via phishing attempts, botnets, fake AV and similar efforts commonly associated with the spread of malware. "Employees" who conduct these tasks are then paid by the number of infections they deliver.


Ross Anderson, in his book Security Engineering, identifies 2004 as the year of a significant shift in the malware writer from prideful academic to stealthy gangster. A keen insight from him is that an effective computer virus needs to be delicately balanced somewhere on a scale between too infectious and not infectious enough. A virus that is not infectious enough will die too soon, so its effectiveness will be short lived. A virus that is too infectious will bring too much attention upon itself, efforts to curtail it will be swift, and its effectiveness, too, will be short lived. It is also difficult to write a self-replicating virus that, when released into the wild, will be both useful and go undetected.

Added to this, the gangster does not want just your data any more; he wants your machine. Instead of self-replicating code, the criminal uses manually controlled exploits so that his trojans infect machines with rootkits that do not noticeably affect the host's performance. These rootkits even come with after-sales support, and some will even download the latest patches so that a rival cannot steal the machine. The aim is to create large networks of zombies.

In 2007 the Storm network had enslaved over one million zombie machines and was reported to rival the world's most powerful supercomputers, and the likes of Google, in computing power. These botnets are often rented out for spam campaigns, whether for illicit online pharmacies or for pump-and-dump stock promotions.

Criminality at a Steal

Wanna buy a botnet? [13] It will cost you somewhere in the region of $700. If you just want to hire someone else's botnet for an hour, though, it can cost as little as $2.

Fortinet 2013 Cybercrime Report [14]


Alex Harvey, Fortinet's security strategist, described a number of websites that specialize in the cracking of passwords and usernames. At least one of them can test as many as 300 million candidate passwords in 20 minutes. While some might assume that such a service would be very expensive, the price, according to Harvey, is the pocket-change rate of $17.

Real world attacks on trust

Though attacks and security breaches are widespread, the following are some that exploited our trust:

In 2011, Epsilon, an e-mail marketing company with clients such as Capital One, Best Buy and Marriott Rewards, was the victim of a phishing attack which resulted in the compromise of 60 million customer email addresses (at least one hundred of Epsilon's client databases were affected).

The attackers were then able to perform massive phishing attacks on all those Capital One, Best Buy and Marriott customers, masquerading as the brands on whose behalf Epsilon sent mail. It is a vicious cycle. What can you do? Change your e-mail address periodically.

In March 2011, RSA Security, too, was the victim of a phishing attack on its employees. Information relating to the company's SecurID authentication tokens, of which some 40 million were in use by customers, was stolen.

Subsequently, attacks on Lockheed Martin, L-3 and others occurred. RSA executives claimed that no customers' networks were breached. John Linkous, vice president, chief security and compliance officer of eIQnetworks, Inc., did not believe them: "RSA didn't help the matter by initially being vague about both the attack vector, and (more importantly) the data that was stolen".


To which he added, "……… the abject fear that it drove into every CIO who lost the warm-and-fuzzy feeling that the integrity of his or her enterprise authentication model was intact".

Throughout 2010 VeriSign was the victim of continuous attacks. Security experts widely agreed that the most troubling thing about the VeriSign breach, or breaches, in which hackers gained access to privileged systems and information, was the way the company handled it: poorly. VeriSign remained tight-lipped about the attack, which only came to light through a filing made under a new SEC disclosure requirement in 2011. Very little is known about the VeriSign attacks, due in no small part to VeriSign's reluctance to proffer any information.

The above examples could be seen as attacks on trust itself.

Redesigning the Internet: Anonymity or Accountability?

The Internet and its design philosophy

Primary Goal

The top level goal for the DARPA Internet Architecture [15] was to develop an effective technique for multiplexed utilization of existing interconnected networks. Some elaboration is appropriate to make clear the meaning of that goal.


The components of the Internet were networks, which were to be interconnected to provide some larger service. The original goal was to connect together the original ARPANET with the ARPA packet radio network, in order to give users on the packet radio network access to the large service machines on the ARPANET.

Secondary Goals

The following list summarizes a more detailed set of goals which were established for the Internet architecture.

1. Internet communication must continue despite loss of networks or gateways.
2. The Internet must support multiple types of communications service.
3. The Internet architecture must accommodate a variety of networks.
4. The Internet architecture must permit distributed management of its resources.
5. The Internet architecture must be cost effective.
6. The Internet architecture must permit host attachment with a low level of effort.
7. The resources used in the internet architecture must be accountable.

The above may appear like an amalgam of desirable network features. It is important to understand that these goals are in order of importance, and that an entirely different network architecture would result if the order were changed.

The initial design requirements were from a military point of view. Successful communication (".....must continue despite loss of networks or gateways") in a wartime scenario was the main aim. Security ("...resources...must be accountable") was the lowest priority, which for the time was reasonable; Clark's accountability goal was in fact about accounting for resource usage rather than security in today's sense, but the point stands that it came last. Even in an insightful article on Internet design from 1995 (Fundamental Design Issues for the Future Internet [16]), Scott Shenker argues in his final Discussion that we should gamble on a future where extremely inexpensive bandwidth is the norm (at the time it was expected to stay expensive into the medium term) and that in the near term the internet should be capable of handling multimedia applications. There is no mention of security.

Future Internet Design

The National Science Foundation has a major new long-term initiative called Future Internet Design (FIND). FIND invites the research community to consider what the requirements should be for a global network 15 years from now, and how we could build such a network if we were not constrained by the current Internet. FIND places the new priorities as:

- Security
- Availability & Resilience
- Better Manageability
- Economic Viability
- Suitability for the needs of society
- Longevity
- Support & utilization of tomorrow's computing (applications & networking)

In the present day it is no surprise that security has risen to the top of the list.

Redesigning the Internet: Anonymity or Accountability, by Ira Rubinstein [17]

Rubinstein pits Clark against Lessig in what they term a "tussle" between anonymity and accountability. Rubinstein, writing in 2009, bases his argument on Lessig's discussion from 1999, which appears dated. Clark, on the other hand, offers something more tangible on trust and identity.

Clark's Trust & Identity


- Mechanisms are needed that regulate interactions based on mutual trust
- Permit users to choose with whom they interact
- Reframe the end-to-end argument in terms of trust (where and between whom trust exists) rather than in terms of physical location
- Rely on trusted third parties to manage identity, protect end-users from attack or unwanted content, provide mutual assurances, and so on
- Design for delegation so that the end-user controls the trust decision

Part of any future design should include what made the present model so successful. As the Economist's Technology Editor Tom Standage put it,

"The internet has been a hotbed of innovation because it's 'dumb'. The designers didn't presuppose how the internet would be used and that has made it extremely flexible. But what we are running into now are scaling and security problems, and some people are asking: if we were building the internet from scratch, what would be the ideal clean-slate design?"

Conclusions:

The National Science Foundation's FIND has been tasked with redesigning the Internet. Such an important task should not be left to just one organisation.

It is reasonable to assume that any future internet must be highly tolerant of innovation and business creation. It matters not that this was not foreseen in the original design, because it is the original design that has allowed the internet to become what it is. The need for accountability and security cannot be allowed to stifle earnest growth.


This report does not recommend regulation of Certificate Authorities at present or in any future design of the internet, and cites the Sarbanes-Oxley Act (Sarbox) as an example of where regulation only serves to alter the landscape of that which it intended to regulate. With Sarbox there was an attempt to hold board members of the rank of Chief (the C-suite) responsible for the financial dealings of their corporation, but those officers effectively shifted that responsibility to lower-ranked officials in the organization. Time and energy would be better spent on a solution that is more likely to come to fruition.

Embrace the king

Instead, since corporate entities are driven by the need to maximize profits, this report recommends a solution that is financially driven. As a guide, the robustness of an organization's security posture could be ranked: as an example, there could be Gold, Silver and Bronze standards. An organization's potential for financial gain would be based on how high its standard was. This could be expressed in the number of jurisdictions it is permitted to operate in, or the number of customers it could have on its books. The assessment of this standard would have to be utterly independent and transparent.

Whatever the final solution, the more an organisation can prove how secure it is, the greater the possibility it has to maximize its profits.

Security awareness, and how it is delivered, is in need of an overhaul. Unlike trust, which in the present design of the internet is beyond repair, security awareness, though in crisis, will face the same predicament in a future design as well. Therefore it is imperative that this problem is addressed sooner rather than later.


Sources:

1: Fox-IT report, Operation Black Tulip: http://www.rijksoverheid.nl/bestanden/documenten-en-publicaties/rapporten/2011/09/05/diginotar-public-report-version-1/rapport-fox-it-operation-black-tulip-v1-0.pdf

2: http://www.productiveit.com/productive-it-blog/why-e-commerce-is-essential-for-growth#.UYhCKoJqIy4

3: F5 DNSSEC white paper: http://www.f5.com/pdf/white-papers/dnssec-wp.pdf

4: eCommerce: http://www.productiveit.com/productive-it-blog/why-e-commerce-is-essential-for-growth#.UYhCKoJqIy4

5: Corporate Governance Models Around the World http://theglobaljournals.com/gra/file.php?val=NjEw

6:http://retheauditors.com/2012/08/05/more-sarbanes-oxley-anniversary-thoughts/

7: http://books.google.ie/books?id=K8zJw-CshBYC&pg=SA6-PA14&lpg=SA6-PA14&dq=Antunovich++et+al+125%25&source=bl&ots=IhtavvVerF&sig=aouWmon3efV9vvU0ZIYIB_EoSzk&hl=en&sa=X&ei=_heIUc-1Dof17AbOi4HQBQ&ved=0CEEQ6AEwAg#v=onepage&q=Antunovich%20%20et%20al%20125%25&f=false

8: NIST ITL Bulletin, July 2012: http://csrc.nist.gov/publications/nistbul/july-2012_itl-bulletin.pdf


9:http://www.pivotpointsecurity.com/risky-business/iso-27001-cost-estimate-48000-information-security-confidence-priceless

10: Prof M Keane, UCD

11: ENISA, Operation Black Tulip: http://www.enisa.europa.eu/media/news-items/operation-black-tulip

12: Cridex (Symantec write-up): http://www.symantec.com/security_response/writeup.jsp?docid=2012-012103-0840-99

13: Cybercrime-as-a-Service: http://www.wired.com/threatlevel/2012/11/russian-underground-economy/

14: Fortinet 2013 Cybercrime Report: http://www.fortinet.com/sites/default/files/whitepapers/Cybercrime_Report.pdf

15: Clark, The design philosophy of the DARPA internet protocols: http://groups.csail.mit.edu/ana/Publications/PubPDFs/The%20design%20philosophy%20of%20the%20DARPA%20internet%20protocols.pdf

16: Shenker, Fundamental Design Issues for the Future Internet: http://nms.lcs.mit.edu/6.899/beyondbesteffort.pdf

17: Ira Rubinstein, Redesigning the Internet: Anonymity or Accountability?: http://www.jjay.cuny.edu/centers/cybercrime_studies/Ira_talk.pdf
