Describe approaches to computer security including access control, identity verification and authentication in order to minimise cyber attacks on a system.

Discipline knowledge and capabilities

Communication.

Compare and contrast different types of cryptography including current cryptographic algorithms and their applications.

Discipline knowledge and capabilities

Critical thinking

Problem solving

Apply principles of public key cryptography to achieve secure communication networks by using digital certificates and digital signatures in compliance with industry standards.

It is 2011. News has just broken of the Comodo Certificate Authority Fraud Hack. You are working for one of the following three organisations:

  • Small to medium enterprise (employing up to 100 people), which conducts electronic commercial transactions.
  • A contractor responsible for maintaining the networks of a series of small business clients who receive payment from government for the services they offer. Your clients receive confidential information from government sources and are legally obliged to ensure its privacy.
  • A reseller of certificates from a certificate authority.

This assessment allows you to demonstrate your ability to apply approaches to computer security including access control, identity verification and authentication in order to minimize cyberattacks on a system. You will need to investigate and choose the appropriate security protocol, procedures and tools at your disposal to guard your system against

You will be assessed on your ability to collect security information based on the real world scenario described below, analyse the gathered information and propose feasible solutions with appropriate justification.

Comodo Certificate Fraud Attack

Information and communication technology has shown its ability to change the way organisations work, the way government delivers its services, and the way scientific research is undertaken to benefit society. In a constantly evolving world, the capacity to react quickly to new opportunities and challenges is critical to the future economic and social success of the world. The rapid development of Information and Communication Technologies (ICT) is compelling organisations to adopt more thorough development plans in order to reform their operations, their service delivery channels, and the way they cooperate with other parties. With the Comodo certificate fraud attack having just occurred, this report, written from the viewpoint of an IT administrator in a small to medium organisation, discusses the various security risks and the security measures that mitigate those risks (Dr. Khouri, 2013).

Comodo is a web security company that provides services and solutions aimed at building online trust; SSL certificates, code signing certificates and email security certificates are a few of the products Comodo offers. On 23 March 2011 the company found that it had suffered a cyber attack that resulted in a compromise of its network. The intrusion was discovered 8 days after the hack. The attacker, who went by the name ComodoHacker, published details of the attack through a Pastebin account. Several registration authority (RA) servers were compromised, and the attackers used their access to create fraudulent certificates signed with Comodo's root signing key.

Comodo admitted that a few other affiliates were compromised in the same attacks, although in those cases no keys were issued. The SQL injection attack on ComodoBR exploited vulnerabilities in the company's web interfaces that allowed the attackers to run database commands against the organisation's backend server. The attackers posted two data files that appeared to contain data related to certificate signing requests, email addresses, user IDs and password details for a few employees.

This attack allowed the hackers to register fraudulent certificates for high-traffic sites including Google Mail, www.google.com, login.yahoo.com, login.skype.com, addons.mozilla.com and Microsoft's login.live.com. These fake certificates could have allowed the hackers to mount man-in-the-middle attacks while presenting valid digital certificates vouching for the legitimacy of the sites they were spoofing (Goodin, D., 2011).

The hacker achieved this by first compromising a site that contained a hard-coded user ID and password, then creating certificates for several well-known websites including Google, Live.com, Skype and Yahoo. The designers of Public Key Infrastructure (PKI) acknowledged from the outset that fraudulently issued certificates were an unavoidable reality, and designed revocation for exactly this case. When the fraudulent activity was noticed, the main vendors revoked the certificates and issued security updates carrying the revocation (Grimes, 2011).

According to ComodoHacker, they obtained full access to the RA's network and analysed the DLL (TrustDll.dll) that handled the signing of certificate requests. The DLL was written in C#, and its code was uploaded to the hackers' Pastebin account. A username and password were hard-coded in the DLL, which gave the hackers access to the APIs used for signing certificates. The hackers then created their own Certificate Signing Requests (CSRs), signed them using the signing APIs they had reached, and in this way managed to forge fraudulent certificates from the CA (Mandalia, 2012).
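The chain described above (an RA credential hard-coded in TrustDll.dll, then arbitrary CSRs signed through the signing API) fails at a single point: the signing API trusted whoever held the RA credential. As an added example, not code from the essay, from Comodo or from the RA, the Python below sketches a policy gate in front of a CA signing API that treats the RA credential as only one input: each requested name must be inside the RA's allowed scope, a list of high-value names (the ones named in the incident) is blocked for reseller RAs, a separate domain-validation service must attest to each name, and every decision is written to an audit trail that the CA itself can review. The RA identifier, domain list, keys and the HMAC-based attestation are constructed for illustration.

```python
import hashlib
import hmac

# Names from the incident described above: a CA can keep such high-value names on a list
# that no reseller RA is permitted to request, whatever credential it presents.
HIGH_VALUE_NAMES = {
    "www.google.com", "mail.google.com", "login.yahoo.com",
    "login.skype.com", "addons.mozilla.com", "login.live.com",
}

# Constructed per-RA policy: the name space each reseller RA may request certificates for.
RA_POLICY = {
    "ra-reseller-01": {"allowed_suffixes": ("example-smb.com",)},
}

# Constructed key of a separate domain-validation (DV) service. The gate accepts a name
# only with this service's attestation, so the RA credential by itself proves nothing
# about control of the domain.
DV_SERVICE_KEY = b"constructed-dv-service-key"


def dv_attest(name):
    """Attestation the DV service issues after validating control of `name` (toy HMAC)."""
    return hmac.new(DV_SERVICE_KEY, name.encode(), hashlib.sha256).hexdigest()


def name_in_scope(name, suffixes):
    return any(name == s or name.endswith("." + s) for s in suffixes)


def evaluate_request(req, audit):
    """Decide whether a CSR may be signed.

    req = {"ra_id": str, "names": [str], "attestations": {name: dv_attest(name)}}
    Returns (allowed, reason) and appends the decision to `audit`.
    """
    names = req["names"]
    policy = RA_POLICY.get(req["ra_id"])
    allowed, reason = True, "ok"
    if policy is None:
        allowed, reason = False, "unknown RA"
    else:
        for name in names:
            if name in HIGH_VALUE_NAMES:
                allowed, reason = False, "high-value name %s blocked for resellers" % name
                break
            if not name_in_scope(name, policy["allowed_suffixes"]):
                allowed, reason = False, "%s outside RA scope" % name
                break
            given = req.get("attestations", {}).get(name, "")
            if not hmac.compare_digest(dv_attest(name), given):
                allowed, reason = False, "no valid domain-validation attestation for %s" % name
                break
    # Every decision, allowed or denied, goes to the CA's own audit trail, so a burst of
    # requests for high-value names from one RA is visible to the CA and not only to the RA.
    audit.append({"ra_id": req["ra_id"], "names": list(names), "allowed": allowed, "reason": reason})
    return allowed, reason


def denied_burst(audit, ra_id, threshold):
    """Flag an RA whose count of denied requests in the trail reaches `threshold`."""
    denied = sum(1 for rec in audit if rec["ra_id"] == ra_id and not rec["allowed"])
    return denied >= threshold


if __name__ == "__main__":
    trail = []
    legitimate = {"ra_id": "ra-reseller-01", "names": ["shop.example-smb.com"],
                  "attestations": {"shop.example-smb.com": dv_attest("shop.example-smb.com")}}
    stolen_credential = {"ra_id": "ra-reseller-01", "names": ["login.live.com"]}
    print(evaluate_request(legitimate, trail))
    print(evaluate_request(stolen_credential, trail))
    print(trail)
```

The design choice worth noting is that the RA credential authenticates the caller but authorises nothing on its own: scope, a high-value block list and a second party's attestation of domain control all have to agree before the signing key is used, and the denial is recorded where the RA cannot erase it.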

Security Issue behind the Hack

Establishing a secure connection on the web is only possible through the use of certificates, which bind an entity to its public key. These certificates must be issued by one of the Certificate Authorities (CAs), and every CA has similar privileges. The security of the web therefore depends heavily on trust in the certificate authorities. While trusted CAs take exceptional measures to protect their private keys, compromise and misuse still happen, with bad results (Jayaraman, B. & Li, H., 2018).

SSL certificates are used to authenticate secure websites, so that users can be sure they are connecting to the website they expect. The fraudulent certificates are particularly disturbing, as they can divert Internet users to the wrong websites, possibly with malicious intent, and undermine trust in the Certificate Authorities (CAs) (Whitney, L., 2011).

Certificate Transparency is an initiative started by Google to detect any kind of CA misbehaviour and to deter a CA from issuing false certificates by making the certificate management process transparent. A public log, implemented as a Merkle hash tree, serves as the proof. Each domain registers its CA-issued certificate with this log server. The server then returns a Signed Certificate Timestamp (SCT) to the domain, and the domain can present this SCT to a client during TLS connection setup as evidence of logging. This procedure is not immune to attacks when the CA itself is compromised by an external party (Khan, S. & Zhang, Z., 2018).
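The mechanism described above, as an added example in Python (not code from the essay, from Google's Certificate Transparency project or from any real log): a minimal log built as an RFC 6962 Merkle hash tree that returns an SCT on submission, produces inclusion proofs that a client or auditor can verify against the tree root, and a domain-owner monitor that lists entries for its domain issued by a CA it did not expect. The log key, the entries and the issuer names are constructed, and the SCT is authenticated with an HMAC in place of a real log's public-key signature.

```python
import hashlib
import hmac
import json

LOG_KEY = b"constructed-ct-log-key"  # a real log signs SCTs with an asymmetric key


def leaf_hash(data):
    return hashlib.sha256(b"\x00" + data).digest()          # RFC 6962 leaf prefix


def node_hash(left, right):
    return hashlib.sha256(b"\x01" + left + right).digest()  # RFC 6962 node prefix


def _split(n):
    return 1 << ((n - 1).bit_length() - 1)  # largest power of two strictly less than n


def merkle_root(leaves):
    if not leaves:
        return hashlib.sha256(b"").digest()
    if len(leaves) == 1:
        return leaf_hash(leaves[0])
    k = _split(len(leaves))
    return node_hash(merkle_root(leaves[:k]), merkle_root(leaves[k:]))


def inclusion_proof(leaves, m):
    """Audit path for leaf m (RFC 6962 PATH), from the leaf's sibling up to the root."""
    if len(leaves) == 1:
        return []
    k = _split(len(leaves))
    if m < k:
        return inclusion_proof(leaves[:k], m) + [merkle_root(leaves[k:])]
    return inclusion_proof(leaves[k:], m - k) + [merkle_root(leaves[:k])]


def verify_inclusion(data, index, tree_size, proof, root):
    """Recompute the root from a leaf and its audit path (RFC 9162, section 2.1.3.2)."""
    if index >= tree_size:
        return False
    fn, sn, r = index, tree_size - 1, leaf_hash(data)
    for p in proof:
        if sn == 0:
            return False
        if fn & 1 or fn == sn:
            r = node_hash(p, r)
            if not fn & 1:
                while fn and not fn & 1:
                    fn >>= 1
                    sn >>= 1
        else:
            r = node_hash(r, p)
        fn >>= 1
        sn >>= 1
    return sn == 0 and r == root


def entry_bytes(entry):
    return json.dumps(entry, sort_keys=True).encode()


class CTLog:
    """Append-only log: accepts a certificate entry, returns an SCT, serves proofs."""

    def __init__(self):
        self.entries = []

    def submit(self, entry, timestamp):
        self.entries.append(entry_bytes(entry))
        body = ("%d:" % timestamp).encode() + leaf_hash(self.entries[-1])
        return {"timestamp": timestamp, "leaf": self.entries[-1],
                "signature": hmac.new(LOG_KEY, body, hashlib.sha256).hexdigest()}

    def root(self):
        return merkle_root(self.entries)

    def proof(self, index):
        return inclusion_proof(self.entries, index)


def verify_sct(sct):
    """Client-side check of the log's promise before trusting the SCT at TLS setup."""
    body = ("%d:" % sct["timestamp"]).encode() + leaf_hash(sct["leaf"])
    expected = hmac.new(LOG_KEY, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(sct["signature"], expected)


def unexpected_issuances(log, domain, expected_issuers):
    """Domain-owner monitor: entries naming `domain` but not issued by an expected CA."""
    hits = []
    for raw in log.entries:
        e = json.loads(raw)
        in_domain = e["subject"] == domain or e["subject"].endswith("." + domain)
        if in_domain and e["issuer"] not in expected_issuers:
            hits.append(e)
    return hits


if __name__ == "__main__":
    log = CTLog()
    sct = log.submit({"subject": "mail.google.com", "issuer": "Comodo (constructed entry)", "serial": 1}, 1300000000)
    print(verify_sct(sct), verify_inclusion(sct["leaf"], 0, 1, log.proof(0), log.root()))
```

Two things the code makes concrete that the paragraph does not: the SCT is only a promise to log, so a relying party still needs the inclusion proof later, and the log helps the victim domain only if someone monitors it, which is the role of the last function.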

Comodo client certificates enable organisations to implement strong authentication by installing a digital certificate on a client's PC, which is then used to verify the client each time they sign in to their account. Each certificate relies on a proven and secure Public Key Infrastructure (PKI) to prove a user's identity to a remote PC or server. Each certificate can be used to authenticate only one specific client, because the client's system holds the unique private key that is required to complete the authentication procedure. These client certificates are used as a second authentication factor alongside credentials such as a login ID and password.

A PKI-enabled client certificate assures an enterprise that the person signing in to a protected service is one of its clients, by validating not just their user ID and password but their certificate too. This kind of solution can only be delivered by a Certification Authority such as Comodo, because only a Certification Authority has the experience and skill to manage the full life cycle of these digital certificates, including issuance and revocation.

PKI is the key technology that can meet the rapidly growing need for online security and trust, so that people can connect with confidence and securely share data online in the future. Unlike other technologies and trust models, PKI provides a single platform that can deliver the economies of scale needed for future growth, guarantees trust between parties on first contact, and protects the confidentiality and integrity of information in transit. PKI uses both public-key and symmetric-key cryptography: public-key cryptography is used to exchange a secret key between two parties, and that shared secret key is then used to encrypt the subsequent messages. There are three main reasons why PKI is considered the best technology for online security and trust:

  1. Massive scalability – PKI has provided a stable platform for the growth of Web-scale e-commerce, and offers the economies of scale required to meet the growing demand for a safe online experience driven by mobile, cloud and social technologies.
  2. Validation – The PKI trust model provides a deterministic method for making assertions about the a) security, b) integrity and c) identity of a connection.
  3. Strong encryption – PKI enables the use of encryption to guarantee the confidentiality and integrity of private information when it is transmitted over the public Internet (Symantec Corporation, 2014).

Securing the Organisation from Being Hacked

(FutureSoft Solutions Pvt. Ltd., 2017).

An Extended Validation SSL certificate, usually known as an EV SSL certificate, helps clients gain trust in the organisation's website. It gives the site a green address bar displaying our organisation's name and details, so clients can see how well the site is protected. This has been shown to improve client confidence in continuing with their transactions through the site, which helps the site owner increase the rate of sales conversion. Because of the thorough analysis and validation performed by the CA, an EV SSL certificate installed on a site displays the following trust elements: the organisation's name, alongside the green bar and green lock icon.

This sort of SSL certificate is highly effective in raising the trust level of a website. It serves as an affirmation of the business's reliability, making it the best choice for building better client relationships based on confidence, safety and security (Kate, A., 2017).

Conclusions

The Internet will not become more secure at any point in the near future. The proliferation of website malware, HTTP hijacking and other attacks has increased the need for pervasive SSL/TLS certification, vulnerability scanning, malware detection and other trust services. PKI is the main technology that can meet the rapidly growing need for SSL certificates and trust services. The future of trust depends on PKI, and the future of PKI depends on us. The security breach of 2011 demonstrated that not all CAs are created equal, and that we need to raise the bar and do the right thing to guarantee the long-term sustainability of the PKI ecosystem. This means that every single CA must commit to making security its main priority, and that this must start from the top with strong governance, better policies, diligent design and better implementation processes.

By working together as an industry to do the right thing, enforcing rigorous security practices, maintaining an agile infrastructure, and adopting stronger Web browser security standards, we can ensure that people have the confidence they need to connect online in the future. Browser developers have made great strides in improving browser security, but they also need to be more careful about CA root inclusion, implement "hard-fail" online revocation checking, and support new versions of SSL/TLS to mitigate the risks posed by BEAST or any new threat. Website operators can protect their clients and reinforce consumer trust in the PKI ecosystem by implementing Always On SSL and choosing Extended Validation certificates. Lastly, consumers can protect themselves by using current Web browsers and looking for trust indicators to confirm that the sites they visit use HTTPS on every page and that their SSL certificates were issued by a trustworthy CA.
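The "hard-fail" revocation checking recommended above, and the revocation that the PKI designers built in (see the Grimes paragraph earlier), as an added example in Python that is not code from the essay or from any browser. The point it demonstrates: a fraudulently issued certificate signed with the real CA key passes the issuer, signature, validity and name checks, so only the revocation lookup rejects it, and when the revocation source is unreachable only hard-fail mode rejects it. The CA key, serial numbers, dates and the HMAC standing in for the CA's signature are all constructed.

```python
import hashlib
import hmac
from datetime import date

CA_SIGNING_KEY = b"constructed-ca-root-key"   # stands in for the CA's private signing key
TRUSTED_ISSUERS = {"Constructed Root CA"}
TODAY = date(2011, 3, 25)                      # a couple of days after the March 2011 disclosure
_FIELDS = ("serial", "subject", "issuer", "not_before", "not_after")


def _tbs(cert):
    """The 'to be signed' portion: every field except the signature."""
    return "|".join(str(cert[k]) for k in _FIELDS).encode()


def sign_certificate(cert):
    return dict(cert, signature=hmac.new(CA_SIGNING_KEY, _tbs(cert), hashlib.sha256).hexdigest())


def signature_valid(cert):
    expected = hmac.new(CA_SIGNING_KEY, _tbs(cert), hashlib.sha256).hexdigest()
    return hmac.compare_digest(cert["signature"], expected)


def make_cert(serial, subject, year_from, year_to):
    return sign_certificate({"serial": serial, "subject": subject, "issuer": "Constructed Root CA",
                             "not_before": date(year_from, 3, 15), "not_after": date(year_to, 3, 15)})


# Constructed sample certificates. Both carry a genuine signature from the CA key,
# exactly as the certificates issued through the compromised RA did.
LEGITIMATE_CERT = make_cert(1, "shop.example-smb.com", 2010, 2012)
FRAUDULENT_CERT = make_cert(1001, "login.live.com", 2011, 2012)   # misissued, later revoked
CRL = {1001}                                                       # serials the CA has revoked


class RevocationUnavailable(Exception):
    """The CRL or OCSP responder could not be reached."""


def crl_online():
    return CRL


def crl_offline():
    raise RevocationUnavailable("revocation source unreachable")


def validate(cert, hostname, fetch_revoked, hard_fail, today=TODAY):
    """Returns (accepted, reason). fetch_revoked() returns revoked serials or raises."""
    if cert["issuer"] not in TRUSTED_ISSUERS:
        return False, "issuer not trusted"
    if not signature_valid(cert):
        return False, "bad signature"
    if not (cert["not_before"] <= today <= cert["not_after"]):
        return False, "outside validity period"
    if cert["subject"] != hostname:
        return False, "name mismatch"
    try:
        revoked = fetch_revoked()
    except RevocationUnavailable:
        if hard_fail:
            return False, "revocation status unavailable (hard-fail)"
        # Soft-fail is the risky path: an attacker who can block the CRL/OCSP
        # lookup gets the forged certificate accepted.
        return True, "accepted without revocation check (soft-fail)"
    if cert["serial"] in revoked:
        return False, "certificate revoked"
    return True, "ok"


if __name__ == "__main__":
    for hard in (True, False):
        print("hard_fail=%s, CRL reachable:  " % hard, validate(FRAUDULENT_CERT, "login.live.com", crl_online, hard))
        print("hard_fail=%s, CRL unreachable:" % hard, validate(FRAUDULENT_CERT, "login.live.com", crl_offline, hard))
```

Running the demo shows the four outcomes side by side: with the revocation source reachable both modes reject the forged certificate, and with it unreachable only hard-fail does, which is why the essay's recommendation matters for a man-in-the-middle attacker who is already positioned to drop the revocation lookup.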

References

Gaigole, M. S. & Kalyankar, M. A. (2015). The Study of Network Security with Its Penetrating Attacks and Possible Security Mechanisms. International Journal of Computer Science and Mobile Computing, Vol. 4, Issue 5, May 2015, pp. 728-735. [Online]. Available at: https://www.ijcsmc.com/docs/papers/May2015/V4I5201599a46.pdf (Accessed: 26th Aug 2018)

Dr. Khouri, A., M. (2013). The Role of Digital Certificates in Contemporary Government Systems: the Case of UAE Identity Authority. International Journal of Computer Science, Engineering and Information Technology Research. [Online] (Accessed: 26th Aug 2018)

Goodin, D. (2011). New hack on Comodo reseller exposes private data. [Online]. Available at: https://www.theregister.co.uk/2011/05/24/comodo_reseller_hacked/ (Accessed: 26th Aug 2018)

Grimes, R., A. (2011). The real security issue behind the Comodo hack. [Online]. Available at: https://www.csoonline.com/article/2623707/hacking/the-real-security-issue-behind-the-comodo-hack.html (Accessed: 26th Aug 2018)

Mandalia, R. (2012). Security breach in CA Networks - Comodo, Diginotar, Globalsign. [Online]. Available at: https://blog.isc2.org/isc2_blog/2012/04/test.html (Accessed: 26th Aug 2018)

Jayaraman, B. & Li, H. (2018). Decentralized Certificate Authorities. [Online]. Available at: https://oblivc.org/docs/dca.pdf (Accessed: 26th Aug 2018)

Whitney, L. (2011). Comodohacker returns in DigiNotar incident. [Online]. Available at: https://www.cnet.com/news/comodohacker-returns-in-diginotar-incident/ (Accessed: 26th Aug 2018)

Khan, S. & Zhang, Z. (2018). Accountable and Transparent TLS Certificate Management: An Alternate Public-Key Infrastructure with Verifiable Trusted Parties. Security and Communication Networks Volume 2018, Article ID 8527010, 16 pages. [Online]. Available at: https://www.hindawi.com/journals/scn/2018/8527010/ (Accessed: 26th Aug 2018)

Comodo Custom Client Certificates. [Online]. Available at: https://www.instantssl.com/ssl-certificate-products/ssl-resources/Comodo_Custom_Client_Certificates.pdf (Accessed: 26th Aug 2018)

Securing the Future of Trust on the Internet. Symantec Corporation 2014. [Online]. Available at: https://www.symantec.com/content/en/us/enterprise/white_papers/b-securing-the-future-of-trust-on-the-internet_WP.en-us.pdf (Accessed: 26th Aug 2018)

Public Key Infrastructure: Build Trusted Identity and Enable Authorized Access. FutureSoft Solutions Pvt. Ltd. 2017. [Online]. Available at: https://fspl.co.in/digitization/pki/ (Accessed: 26th Aug 2018)

Kate, A. (2017). All you need to know about Extended Validation (EV) SSL Certificates. [Online]. Available at: https://medium.com/ssl-dragon/https-medium-com-ssl-dragon-all-you-need-to-know-about-extended-validation-ev-ssl-certificates-deefa5ae3af5 (Accessed: 26th Aug 2018)

Cite This Work


My Assignment Help. (2021). Approaches To Computer Security And Cryptography: Lessons From The Comodo Certificate Fraud Attack Essay.. Retrieved from https://myassignmenthelp.com/free-samples/sit735-network-communications-security/security-and-communication-networks.html.

