Friday, September 09, 2011

Man in the MailBox Mitigation Strategy

The information security think tank GodaiGroup recently released a report on a new form of typosquatting they call Doppelganger Domains. A Doppelganger Domain is a domain spelled identically to a legitimate fully qualified domain name (FQDN) but missing the dot between host/subdomain and domain, registered to be used for malicious purposes.

Over a 6-month period they used a passive email attack to obtain 120,000 legitimate e-mails containing a total of 20 gigabytes of data from Fortune 500 companies. The data includes trade secrets, invoices, usernames and passwords.

They also describe a potential active email attack using a Man-In-The-MailBox (MITMB) method.
Source: GodaiGroup

The mitigation strategy suggested for these potential threats includes purchasing and registering the doppelganger domains yourself, blocking doppelganger domains in your DNS records, and communicating this attack vector to your internal users, customers and business partners.
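To make the definition above and two of the suggested mitigations concrete, here is an added example (my own code, not from the GodaiGroup report). It derives the doppelganger domains for an inventory of legitimate sub-domains, checks mail log lines for senders or recipients using one of them, and emits BIND response-policy-zone records that sink those names on resolvers you control. The domain names and the Postfix-style log lines are constructed placeholders; the generator goes slightly beyond the report's definition by dropping any single internal dot (not just the first one) for names with more than one sub-domain label.

```python
import re

# Constructed example data: the organisation's own sub-domains used for mail.
# Replace with your real inventory.
LEGIT_SUBDOMAINS = ["us.example.com", "uk.example.com", "mail.corp.example.com"]

# Constructed Postfix-style log lines (not real logs). Lines 2 and 3 involve a
# doppelganger of a legitimate sub-domain.
SAMPLE_LOG = """\
Sep  9 10:01:02 mx postfix/smtp[1201]: 1A2B3C: to=<alice@us.example.com>, relay=mx.us.example.com, status=sent
Sep  9 10:01:05 mx postfix/smtp[1201]: 1A2B3D: to=<bob@usexample.com>, relay=mail.usexample.com, status=sent
Sep  9 10:02:11 mx postfix/smtpd[1305]: 1A2B3E: from=<carol@ukexample.com>, size=20481, nrcpt=1
Sep  9 10:03:40 mx postfix/smtp[1201]: 1A2B3F: to=<dave@partner.example.org>, relay=mx.example.org, status=sent
"""

# Matches the to=<...> / from=<...> fields and splits local part from domain.
ADDR_RE = re.compile(r"\b(?:to|from)=<([^<>@]+)@([^<>]+)>")


def doppelganger_domains(fqdns):
    """Return every doppelganger of the given FQDNs.

    The report's definition drops the dot between host/sub-domain and domain
    ('us.example.com' -> 'usexample.com'). For deeper names this generalises
    to every single internal dot except the one before the TLD, so
    'mail.corp.example.com' yields 'mailcorp.example.com' and
    'mail.corpexample.com'.
    """
    result = set()
    for fqdn in fqdns:
        labels = fqdn.lower().strip(".").split(".")
        # Dropping the dot before the TLD would change the TLD, not the domain.
        for i in range(len(labels) - 2):
            merged = labels[:i] + [labels[i] + labels[i + 1]] + labels[i + 2:]
            result.add(".".join(merged))
    return result


def flag_log_lines(log_text, doppelgangers):
    """Return (line_no, address, domain) for every sender or recipient whose
    domain is a known doppelganger."""
    hits = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        for local, domain in ADDR_RE.findall(line):
            domain = domain.lower()
            if domain in doppelgangers:
                hits.append((line_no, f"{local}@{domain}", domain))
    return hits


def rpz_records(doppelgangers):
    """BIND response-policy-zone records (relative to the RPZ origin) that
    answer NXDOMAIN for each doppelganger and any host under it. This only
    protects resolvers you control; registering the names is the stronger control."""
    lines = []
    for domain in sorted(doppelgangers):
        lines.append(f"{domain} CNAME .")
        lines.append(f"*.{domain} CNAME .")
    return lines


if __name__ == "__main__":
    dopp = doppelganger_domains(LEGIT_SUBDOMAINS)
    for hit in flag_log_lines(SAMPLE_LOG, dopp):
        print("suspicious mail:", hit)
    print("\n".join(rpz_records(dopp)))
```

Running the script flags the outbound message to bob@usexample.com and the inbound message from carol@ukexample.com, and prints the RPZ lines for the four generated doppelgangers. In practice you would feed the generated list to the mail gateway's sender/recipient policy as well as to DNS, and run the log check on a schedule so that a typo that slipped through is noticed rather than silently delivered.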

The man in the mailbox attack succeeds because the attacker is able to place himself as a middle man in a mail transaction. What I really miss from this report is a focus on information security key concepts such as confidentiality, integrity, availability, authenticity and non-repudiation. The mitigation strategy should incorporate technical protection mechanisms such as cryptography, either on a user-to-user or a server-to-server level. As we have seen lately from the DigiNotar hack, PKI/SSL is not a perfect solution, but including the CIA triad in our strategy would complicate the attack.

Are there other mitigation strategies? Did I forget anything?

Thursday, September 08, 2011

Trust, Security and Capitalism

DigiNotar is a Dutch certificate authority. It is, by default, trusted in most common web browsers. After the recent disclosure of the DigiNotar hack, should we question the link between the PKI chain of trust and capitalism?

Who are the real victims of this blunder? We! The consumers! The end-users! The ignorant user, installing a publicly and commonly known web browser. The user does not know, understand or comprehend what SSL or PKI is, means or does in the background. There is an implicit trust from the end-user in the browser and its use of the underlying PKI and chain of trust. The security of the chain of trust relies on certificate authorities issuing valid certificates in a proper manner. If there is a security breach at one CA, the entire chain of trust is undermined, as we have seen in the DigiNotar hack.

The malware found on the infected servers would have been detected by common anti-virus software. The servers were outdated and unpatched, with no anti-virus and no secure central logging. It seems DigiNotar forgot to secure themselves.

The incident became publicly known on August 29th, when rumors began spreading that Iranian ISPs were using fraudulently issued Google certificates to monitor Iranian Internet users. In the aftermath, it has become known that DigiNotar detected a batch of 128 rogue certificates on July 19th and revoked them. On July 20th and July 27th, an additional 129 and 75 rogue certificates were discovered. The final conclusion is that they do not know how many certificates were issued. On September 1st the DigiNotar certificates were set to 'revoked' in OCSP.

When the incident was discovered on July 19th, why did 6 weeks pass before the general public was informed? The general public, the end-users, are the entities which have placed their trust in DigiNotar as a CA.

The incident doesn't seem to have helped the VASCO Data Security International, Inc. stock. As many of the actors in the global PKI chain of trust are private and commercial companies, can we question the trust when these companies are driven by capitalism?