German Researchers Spoof Certificate Authorities
Germany-based researchers found a way to spoof certificates, even those protected with PKI-based domain validation, according to The Register.
With nothing more than a laptop, the group was able to steal credentials and eavesdrop on certificate authorities. “We evaluated the attack against a number of CAs and we set up a live (automated) demo against one CA,” said Dr. Haya Shulman, head of the cyber security, analytics and defenses division at the Fraunhofer Institute for Secure Information Technology.
“Essentially, many CAs that support domain validation can be attacked. We demonstrated an attack which redirects the CA to an attacker machine via DNS cache poisoning,” Shulman said.
“But, other techniques can be applied, such as BGP prefix hijack. Indeed, such attacks are common and only recently MyEtherWallet users were attacked via BGP prefix hijack that was then exploited for DNS cache poisoning. Essentially this means that such attacks are happening and an important security mechanism such as the web PKI should be protected against such practical attacks.”
Researchers will present their findings, which name the affected Certificate Authorities (CAs), at the ACM’s Conference on Computer and Communications Security in Toronto on October 15-19, 2018. The goal of sharing the research is not only to guard against the specific attack they found but to harden the PKI against off-path attackers and to make it secure against man-in-the-middle (MitM) attackers.
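The weak point in the attack described above is that domain validation trusts a single DNS answer. The following added example (not from the researchers' paper or from any CA's code) models that decision next to a CA-side check that compares answers from several resolvers; the resolver names, addresses, tokens and the agreement rule are all constructed assumptions.

```python
from collections import Counter

# All names, addresses and tokens below are constructed for illustration.
LEGIT_IP = "192.0.2.10"    # the domain owner's web server
ROGUE_IP = "203.0.113.66"  # a host the domain owner does not control

# What each of the CA's resolvers currently has cached for the domain.
VANTAGE_CACHES = {
    "resolver-a": {"shop.example": ROGUE_IP},  # poisoned cache entry
    "resolver-b": {"shop.example": LEGIT_IP},
    "resolver-c": {"shop.example": LEGIT_IP},
}

# Challenge token each host serves at the validation URL.
TOKENS_SERVED = {LEGIT_IP: "owner-token", ROGUE_IP: "rogue-token"}


def resolve(vantage, name):
    """Return the A record this vantage point would hand to the CA."""
    return VANTAGE_CACHES[vantage].get(name)


def fetch_token(ip):
    """Stand-in for the HTTP fetch of the challenge file from `ip`."""
    return TOKENS_SERVED.get(ip)


def validate_single(name, expected_token, vantage="resolver-a"):
    """Classic DV: trust whatever one resolver returns."""
    ip = resolve(vantage, name)
    return ip is not None and fetch_token(ip) == expected_token


def validate_multi(name, expected_token, quorum=None):
    """Resolve from every vantage point; proceed only if enough agree."""
    answers = [resolve(v, name) for v in VANTAGE_CACHES]
    counts = Counter(a for a in answers if a is not None)
    if not counts:
        return False
    ip, votes = counts.most_common(1)[0]
    needed = quorum or len(answers)  # default: all vantage points must agree
    if votes < needed:
        return False  # disagreement between resolvers: refuse to issue
    return fetch_token(ip) == expected_token


if __name__ == "__main__":
    print("single resolver, rogue request:", validate_single("shop.example", "rogue-token"))
    print("unanimous check, rogue request:", validate_multi("shop.example", "rogue-token"))
    print("quorum of 2, owner request:    ", validate_multi("shop.example", "owner-token", quorum=2))
```

The unanimous rule fails closed on any disagreement, while a quorum still lets the real owner validate when one cache is poisoned. Either rule only helps while the vantage points resolve independently; it does not cover a routing-level redirect, such as the BGP prefix hijack mentioned above, that affects all of them.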
“While this attack is relatively complex to pull off, it demonstrates a fundamental problem with Domain Validated (DV) certificates. DV-issued certificates offer the lowest level of identity validation, sacrificing solid identity proof in exchange for speed and automation,” said Justin Hansen, security architect at Venafi.
“The impact of this attack can be quite serious because if an attacker can successfully poison DNS for any domains owned by a targeted organization, they will be able to get a certificate for that organization, and everyone on the internet will trust it. The attacker can then do a whole range of malicious things with that domain.”
Because these types of compromises can occur, Hansen said that organizations should explore higher assurance certificates such as Organization Validation (OV) and Extended Validation (EV).
“As we also argue in the paper, certificate authorities that support Domain Validation (DV) control more than 95% of the certificates market,” Shulman said.
“The reason is that the process is faster, cheaper and easier (it is mostly automated). The OV and EV certificates take long to issue, are cumbersome and more expensive (which is why most domains do not use them). It also would not completely mitigate the security issue. Essentially we recommend deploying DV.”