April 19, 2024

Hacking in Netherlands Points to Weak Spot in Web Security

BERLIN — In the Netherlands, the daily rhythm of a smooth-running European society was disrupted after a computer hacker stole a series of files that guaranteed the legitimacy of major government Web sites and, in the process, exploited a weakness in the global Internet.

Consumers last week were advised to avoid online transactions with Dutch retailers, and, for a time, online banking. Passport applicants and those wishing to submit income tax returns scrambled to fire up dormant fax machines or lined up at local post offices.

In the placid capital city, The Hague, government computer administrators checked thousands of computer servers to determine the extent of the damage caused by the anonymous hacker, who in Web postings claims to be an Iranian saboteur motivated by geopolitical gain.

“This is the Dutch equivalent of Hurricane Irene,” said Calum MacLeod, the director in Europe for Venafi, a U.S. company whose software helps companies like Cisco manage the class of digital files called security certificates targeted by the hacker in the Netherlands.

Mr. MacLeod said the attack on the Dutch government’s preferred provider of security certificates, DigiNotar, a company in Beverwijk, near Amsterdam, exposed the fragility of the global system of digital authentication that undergirds the Internet.

“What happened at DigiNotar appears to be the result of poor internal controls and a determined hacker,” Mr. MacLeod, who lives in Eindhoven, the Netherlands, said. “But as this kind of event becomes commonplace, the whole Internet could be undermined.”

In the case of DigiNotar, which is owned by a company in Illinois, Vasco Data Security International, the hacker masqueraded as the legitimate owner of a range of Web addresses, not just of Dutch government sites but also of global companies like Google and Yahoo.

Remotely, apparently from a computer address in Russia, he compelled DigiNotar to generate digital seals of approval for those Web sites, so-called security certificates, that could be displayed in the address lines of Web browsers as vouchers of the sites’ authenticity.

The phony sites were then used in Iran to spy on as many as 300,000 people, according to a report by a security firm, Fox-IT, that was hired by the Dutch government. Google also detected the phony certificates circulating in Iran and advised its users last week to change their passwords and be alert for unfamiliar Web addresses.

But DigiNotar is just one of an estimated 650 companies and government entities that control the flow of digital security certificates. The proliferation of issuers has amplified the risks of hacking break-ins, an expert said.

“The levels of internal security controls used by issuers varies enormously, and therein lies the problem,” said Peter Eckersley, a director at the Electronic Frontier Foundation, a digital civil liberties group in San Francisco that has studied the sector. “I suspect that it will be technologically challenging over the next few years to fix these problems.”

In 2010, the Electronic Frontier Foundation studied the security certificates residing on public Web servers to compile the first comprehensive inventory of certificate issuers, called the SSL Observatory. The name refers to Secure Sockets Layer, the protocol that certificates use to guarantee the legitimacy of Web sites and addresses.

Currently, there are 1,500 certificate issuers, Mr. Eckersley said. The biggest are U.S. companies: VeriSign, a unit of Symantec in Mountain View, California; GoDaddy, based in Scottsdale, Arizona; Atlanta-based Equifax; and Comodo, a company in Jersey City, New Jersey. But the list also includes governments, like Tunisia and the United Arab Emirates, which used its vouching authority to help plant spyware in BlackBerrys during the recent Arab Spring uprising.

“If I were the chief security officer at a major company, I should be aware that there are about 50 countries where this technology could be used to eavesdrop on my employees,” Mr. Eckersley said.

Article source: http://www.nytimes.com/2011/09/13/technology/hacking-in-netherlands-points-to-weak-spot-in-web-security.html?partner=rss&emc=rss