Describe approaches to computer security including access control, identity verification and authentication in order to minimise cyber attacks on a system.

Compare and contrast different types of cryptography including current cryptographic algorithms and their applications.

Apply principles of public key cryptography to achieve secure communication networks by using digital certificates and digital signatures in compliance with industry standards.

About Dotti

This assignment presents a technical report on the Comodo certificate fraud hack as it affects a particular organization. The organization chosen is Dotti, a medium-sized organisation that conducts commercial transactions electronically and employs approximately 100 people. The report assesses the security risks that the certificate hack poses to the organization and proposes a well-justified, feasible and cost-effective solution to maintain the integrity of its network security.

Dotti is an online fashion retail store that conducts its commercial transactions over the internet. The medium-sized organization was founded more than a decade ago, but since its recent acquisition by The Just Group the company has expanded extensively throughout New Zealand and Australia. The company launched its online store in 2012 and plans to conquer the fashion industry of Australia within a span of 10 years (Dotti Online Shop 2018). The company deals in a number of fashion items such as dresses, tops, jackets, bottoms, shoes and other accessories.

Every company, including Dotti, has to use a digital certificate to identify who is initiating a transaction and to associate that identity with a public key. The certificate is then associated with the web service of the private company (here Dotti). The certificate is recognized by the CA, or Certification Authority, which is an amalgamation of trusted parties. These certificates are normally used for public key cryptography. Whenever a customer requests a transaction from the mentioned company, the CA produces a digital certificate after verifying the certificate of the applicant. Anyone can verify the registration of these certificates (of the customers), as the CA maintains the digital certificates in a public register (Comodo certificate hack 2018). Every certificate that is associated with Dotti is valid for a particular period of time.

The news that the Certification Authority (CA) Comodo had been duped by an Iranian hacker caused major concern in the IT community. The community even urged prominent companies like Mozilla and Microsoft to remove Comodo as a trusted root security authenticator (Comodo hack may reshape browser security 2018). According to the Iranian hacker's statement, a site that had a hard-coded password and login name was compromised first, and certificates were randomly generated for prominent websites such as Yahoo, Skype, Live.com and Google to target the attack (LOO 2017). In this way, the Public Key Infrastructure (PKI) and the integrity of the company's digital certification were compromised, which can put the company at serious risk if proper steps are not taken.

The Comodo Certificate Hack and Its Risks

Due to the hack, since 2011, major companies have been attacked without prior notification, which had some serious repercussions. The registration server of the mentioned company (Dotti) can be compromised as a result of the certification hack. The partners currently working for the company can also be compromised, and their passwords and login details can be stolen through the exploit. The exploit can be used to issue different digital certificates, which can be used in several countries if it is not discovered immediately, causing huge damage to the company both financially and in reputation (Independent Iranian Hacker Claims Responsibility 2018). As a website’s legitimacy is validated through SSL certificates, a certificate assures users that they have connected to the actual site. The hack could potentially transfer the company's user traffic to a fake site and cause irreparable damage to its reputation. Moreover, Dotti could also face several lawsuits for failing to discover the vulnerability and revoke it as soon as possible. The basic security of the site will be compromised and users will refuse to perform online commercial transactions on Dotti’s website, which will affect its profit margin as well. Hackers will be able to intercept the sensitive data that passes between the site and the browser, which is normally encrypted (Comodo hacker 2018).

Moreover, the generation of fraudulent certificates can allow the hackers to place attack tools in the server itself that can be used to compromise it later. Even after the issuing of the certificates has been closed, the hackers will still be able to compromise the system internally. The CA infrastructure can be compromised and valuable user information, such as transaction credentials, can be stolen, which can put Dotti at serious risk considering that it is yet to become a large-scale corporation able to compete effectively in Australia with its retail competitors. The hackers can also plant a DDoS tool in the server, which can remain dormant there for around 4 years if it is left undiscovered (How Cybercrime Exploits Digital Certificates 2018). Data breaches will become common for the company, which will result in the loss of its customers. The hackers will be able to carry out other illicit activities such as malware diffusion, sabotage and cyber espionage.

The hackers can use the Comodo certificate hack as a medium to get into the PKI environment. They can use the hack to improve the diffusion of malware in the server of the mentioned company, Dotti. As Comodo is regarded as a trusted entity, the attackers can easily manipulate a company’s website to sign malicious code and reduce the chances of malware detection (Solo Iranian hacker takes credit for Comodo certificate 2018). The attackers can also remotely install a Trojan on the company’s server, disrupting every transaction that happens in the company's database. They can compromise the build server of the mentioned company by signing the malware with other digital certificates, such as Adobe's, along with Comodo's to increase the chances that the code passes validation. They will also have the capability to install an infected ISAPI filter, a password dumper and other malicious code. They can also create new Trojans with the stolen digital signature and enhance them to prevent detection.

Proposed Solution for Dotti

Dotti, being an online fashion retailer, has to go through a number of digital signatures to check which institution issued a certificate and which person signed it. The Comodo certificate hack can result in the loss of identity for customers, with serious implications. The certificate hack could lead to the theft of other digital certificates and valuable information with the help of malicious agents (Parkinson 2014). The associated malicious certificate can fool users into thinking that a site is really Dotti's when it is not and is just a medium for phishing passwords and login IDs.

The proposed solution for Dotti is to appoint a security researcher who will have access to the SSL Blacklist, a collection of digital certificates, like the Comodo ones, that are used for malicious purposes (Zhu, Amann and Heidemann 2016). This list was created by a Swiss organization named abuse.ch and has been part of major investigations into botnets and Trojan viruses. To conduct online commercial transactions securely, checking the SSL Blacklist from time to time is a well-justified and cost-effective solution. Dotti can also create a map of SHA1 fingerprints which are linked to botnet and malware activities. The blacklist will also enable the mentioned company to detect C&C traffic like Shylock and VMZeuS (Specter 2016). Dotti needs to follow the latest news on digital certificate abuse to keep track of internet surveillance and malware distribution. The list will allow Dotti to prevent cyber-attacks and keep its online transactions secure in the future. The security expert, if appointed by the company, will be able to deal reliably with future botnet and malware operations once the database of affected certificates, like the Comodo certificates, matures (Tschofenig and Gondrom 2013).
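The fingerprint map described above can be built and queried as follows. This is an added example, not part of the original report: the CSV column layout (listing date, SHA1, reason), the sample rows and the certificate bytes are all constructed assumptions.

```python
import csv
import hashlib
import io

# Constructed stand-ins for DER-encoded certificates (not real certificates).
LISTED_DER = b"constructed-der-bytes-of-a-listed-certificate"
CLEAN_DER = b"constructed-der-bytes-of-an-unlisted-certificate"


def sha1_fingerprint(der_bytes):
    """SHA-1 fingerprint: hash of the full DER encoding, lowercase hex."""
    return hashlib.sha1(der_bytes).hexdigest()


def normalize(fp):
    """Accept 'AA:BB:..' or 'aabb..' forms; return lowercase hex or None."""
    fp = fp.strip().replace(":", "").replace(" ", "").lower()
    if len(fp) == 40 and all(c in "0123456789abcdef" for c in fp):
        return fp
    return None


def load_blocklist(csv_text):
    """Build the fingerprint -> (listing date, reason) map.

    Comment lines and rows without a valid fingerprint are skipped.
    """
    table = {}
    lines = (ln for ln in io.StringIO(csv_text) if not ln.startswith("#"))
    for row in csv.reader(lines):
        if len(row) < 3:
            continue
        fp = normalize(row[1])
        if fp:
            table[fp] = (row[0].strip(), row[2].strip())
    return table


def check_certificate(der_bytes, table):
    """Return the listing for a certificate, or None if it is not listed."""
    return table.get(sha1_fingerprint(der_bytes))


# Constructed blocklist; the column layout is an assumption of this example.
SAMPLE_CSV = (
    "# Listingdate,SHA1,Listingreason\n"
    f"2018-01-15 10:00:00,{sha1_fingerprint(LISTED_DER).upper()},Shylock C&C\n"
    "2018-01-16 11:30:00,not-a-fingerprint,malformed row\n"
)

if __name__ == "__main__":
    table = load_blocklist(SAMPLE_CSV)
    for name, der in (("listed", LISTED_DER), ("clean", CLEAN_DER)):
        print(name, check_certificate(der, table))
```

On a live connection the DER bytes would come from the TLS peer, for example `ssl.SSLSocket.getpeercert(binary_form=True)` in Python.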

The company needs to update its software regularly to prevent hackers from getting a backdoor into the online transaction server. The risks from the Comodo certificate hack can also be reduced by backing up the website data regularly through both manual and automatic backups. XSS (cross-site scripting) and SQL injection need to be monitored carefully, using parameterized queries, to check for unusual insertion of code in the server of the mentioned company (Weaknesses in SSL certification exposed by Comodo security 2018). Strong passwords are mandatory, and double authentication should be made mandatory for every user of the company’s website. The second password can be created through SMS, hard and soft tokens (Khan et al. 2018). The company needs to appoint a proper security team which will have the ability to treat uploaded files with suspicion and monitor their activity.

Ways to Reduce the Risks

Special software such as a web application firewall can be used by the company to filter hacking attempts and provide an extra layer of protection. To protect its customers, Dotti can remove the autofill option from its website to prevent hackers from stealing sensitive customer information (Preneel 2015).

Dotti can also create its own register of digital certificates, just like Google (which has its own database known as the Certificate Transparency Project), to detect SSL certificates which are wrongfully issued by a CA like Comodo from a certificate authority which is unimpeachable.

Conclusion 

To conclude the report, it can be stated that Dotti needs to properly enforce the proposed solution as soon as possible to prevent any future damage to its reputation. In the technical report, the cyber security issue has been discussed conclusively and the seriousness of the concern has been highlighted with respect to the mentioned company. The report discusses the risks that the company can face due to the Comodo Certificate hack and proposes several solutions that can be implemented to reduce the chances of a security threat from the discussed problem. The company needs to implement proper public key cryptography and impose several authentication steps to prevent the loss of information during an online transaction. As the company has recently started the online fashion retail platform, the solutions need to be implemented immediately so that the company can stay above its competitors in terms of customer information security and data integrity.

To prevent the Comodo Certificate hack from affecting its organizational performance and online transactions, Dotti needs to consider the following recommendations:

  • A risk analysis test needs to be performed and a security audit needs to be scheduled routinely to check the vulnerabilities that the company is facing.
  • To check the current performance of the network and maintain the security goals for the future, the company needs to install an NGFW (next-generation firewall) and appropriate antivirus software (Modi 2016).
  • To stop the attacking system and identify the malicious attackers, an IPS (intrusion prevention system) needs to be used.
  • The software and patches need to be checked to confirm they are up to date, to prevent the latest threats.
  • VPNs (virtual private networks) need to be used to prevent man-in-the-middle attacks.
  • Employees need to be educated about the importance of access controls, authentication and identity verification.
  • Security policies need to be revised and enforced accordingly to provide stronger defences that can respond to HTTP as well as HTTPS attacks.
  • The network of the company needs to be divided into manageable zones, and multifactor authentication needs to be provided for the working teams to manage the mentioned scenario.

References

Comodo certificate hack—it gets worse - bravatek.com. [online] Available at: https://bravatek.com/comodo-certificate-hack-it-gets-worse/

Comodo hack may reshape browser security - CNET. [online] Available at: https://www.cnet.com/news/comodo-hack-may-reshape-browser-security/ [Accessed 2018].

Comodo hacker: I hacked DigiNotar too; other CAs breached .... [online] Available at: https://arstechnica.com/information-technology/2011/09/comodo-hacker-i-hacked-diginotar-too-other-cas-breached/ [Accessed 2018].

Dotti Online Shop | Shop the Latest Womens Clothing, Dresses & Fashion [online]. Available at: https://www.dotti.com.au/ [Accessed 2018]

How Cybercrime Exploits Digital Certificates. [online] Available at: https://resources.infosecinstitute.com/cybercrime-exploits-digital-certificates/ [Accessed 2018].

Independent Iranian Hacker Claims Responsibility for .... [online] Available at: https://www.wired.com/2011/03/comodo-hack/ [Accessed 2018].

Khan, S., Zhang, Z., Zhu, L., Li, M., Safi, K., Gul, Q. and Chen, X., 2018. Accountable and Transparent TLS Certificate Management: An Alternate Public-Key Infrastructure with Verifiable Trusted Parties. Security and Communication Networks, 2018.

LOO, W.S., 2017. Digital certificates: success or failure?.

Modi, S.N., 2016. ROLE OF TRUSTMARK IN ECOMMERCE. International Journal for Innovations in Engineering, Management and Technology, 1(1), pp.35-40.

Parkinson, S.F., EMC Corp, 2014. Certificate crosschecking by multiple certificate authorities. U.S. Patent 8,850,208.

Preneel, B., 2015, May. Cryptography and Information Security in the Post-Snowden Era. In TELERISE@ ICSE (p. 1).

Solo Iranian hacker takes credit for Comodo certificate .... [online] Available at: https://www.computerworld.com/article/2507258/security0/solo-iranian-hacker-takes-credit-for-comodo-certificate-attack.html [Accessed 2018].

Specter, M.A., 2016. The economics of cryptographic trust: understanding certificate authorities (Doctoral dissertation, Massachusetts Institute of Technology).

Tschofenig, H. and Gondrom, T., 2013. Standardizing the Next Generation Public Key Infrastructure. In Proc. of the Workshop on Improving Trust in the Online Market-place.

Weaknesses in SSL certification exposed by Comodo security .... [online] Available at: https://www.infoworld.com/article/2623829/authentication/weaknesses-in-ssl-certification-exposed-by-comodo-security-breach.html [Accessed 2018].

Zhu, L., Amann, J. and Heidemann, J., 2016, March. Measuring the latency and pervasiveness of TLS certificate revocation. In International Conference on Passive and Active Network Measurement (pp. 16-29). Springer, Cham.

Cite This Work

My Assignment Help. (2020). Protecting Dotti From Comodo Certificate Fraud Hack. Retrieved from https://myassignmenthelp.com/free-samples/sit735-network-communications-security/knowledge-and-capabilities.html.