Major shortcomings in IT security are allowing hackers to steal
digital certificates and get around the highest levels of corporate
security.
Security experts have warned that businesses are at serious risk of
compromising their secure e-commerce systems because they do not
understand how to deploy digital certificates.
Digital certificates are essential for e-commerce as they allow
individuals to communicate securely over a trusted network or the
Internet.
The certificate is built on a key pair: a securely stored private
key and a public key. Both are needed to access encrypted
information. However, experts are alarmed that private keys are not
being issued correctly.
Rod Murchison, vice president of product management at network
security firm Ingrian Networks, said he had come across many
companies that had not paid enough attention to strict
infrastructure security requirements.
"We spoke to one financial organisation that had already deployed a
secure extranet and Internet banking service but regularly allowed
staff to inappropriately handle the keys to the Secure Sockets
Layer (SSL) protocol," said Murchison.
One example of lax security was discovered at an international
bank, which employed the London-based ProCheckUp, a company that
has developed tools to determine network security vulnerabilities.
Richard Brain, technical director at ProCheckUp, told CW360 that he
was able to compromise the bank's Bacs (Banks automated clearing
system) system for inter-bank transfers and its Web-based share
dealing service.
The bank, he said, stored private keys on servers connected to the
Internet. "We didn't only find administration certificates," he
added, "we also discovered certificates to authorise money
transfers between its London, Germany and New York subsidiaries."
Brain said that while private keys were nominally
password-protected, the passwords used were either non-existent or
set to "secret". This is, he explained, a clear indication that
little consideration had been given to the importance of such
certificates.
The security model for digital certificates is hierarchical, which
means that a certificate higher up the hierarchy has full access to
all branches below it.
For example, Brain said that obtaining a private key for an
organisation's head office would allow an intruder to access all
subsidiaries.
"People do not realise the importance of certificates," he said
assign that he often found private keys were stored on Internet
servers.
In the case of the international bank, ProCheckUp found an
unprotected Excel spreadsheet on one of its Internet servers
containing passwords for the private certificates it issued.
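A defender's check for the storage lapse described above, private keys sitting on Internet-facing servers with no real passphrase, as an added example that is not from the article or from ProCheckUp. It classifies each PEM private key in a file as encrypted or plaintext from the PEM headers alone (standard library only), which catches the "non-existent password" case; a weak passphrase such as "secret" still needs a key-loading library and a deny-list of known-bad passphrases, which is left out here. The sample PEM content and its base64 bodies are constructed placeholders, not real key material.

```python
import base64
import re

# One PEM block: the label on the BEGIN line, then everything up to the matching END.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)-----END \1-----", re.S)
PRIVATE_LABELS = {"RSA PRIVATE KEY", "EC PRIVATE KEY", "DSA PRIVATE KEY", "PRIVATE KEY",
                  "ENCRYPTED PRIVATE KEY", "OPENSSH PRIVATE KEY"}  # PKCS#1/SEC1/PKCS#8/OpenSSH
OPENSSH_MAGIC = b"openssh-key-v1\x00"

def openssh_encrypted(body):
    """Read the cipher name from an openssh-key-v1 blob; 'none' means stored in the clear."""
    try:
        raw = base64.b64decode("".join(body.split()), validate=True)
    except ValueError:  # binascii.Error is a ValueError
        return None
    if not raw.startswith(OPENSSH_MAGIC):
        return None
    off = len(OPENSSH_MAGIC)
    length = int.from_bytes(raw[off:off + 4], "big")
    return raw[off + 4:off + 4 + length] != b"none"

def classify_pem(text):
    """Return [(label, encrypted)] for each private-key block; None when undecidable."""
    found = []
    for match in PEM_BLOCK.finditer(text):
        label, body = match.group(1), match.group(2)
        if label not in PRIVATE_LABELS:
            continue  # certificates, CSRs and public keys are not the concern here
        if label == "ENCRYPTED PRIVATE KEY":
            encrypted = True  # PKCS#8 wrapped with a password-based cipher
        elif label == "OPENSSH PRIVATE KEY":
            encrypted = openssh_encrypted(body)
        else:  # legacy OpenSSL PEM marks encryption with a Proc-Type header
            encrypted = "Proc-Type: 4,ENCRYPTED" in body
        found.append((label, encrypted))
    return found

def openssh_blob(cipher):
    """Constructed openssh-key-v1 header, only as far as the cipher name field."""
    return base64.b64encode(OPENSSH_MAGIC + len(cipher).to_bytes(4, "big") + cipher).decode()

# Constructed sample file: the base64 bodies are placeholders, not real key material.
SAMPLE = (
    "-----BEGIN RSA PRIVATE KEY-----\nMIIBOgIBAAJBAKplaceholder=\n-----END RSA PRIVATE KEY-----\n"
    "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,00\n\n"
    "U2FsdGVkX1placeholder=\n-----END RSA PRIVATE KEY-----\n"
    "-----BEGIN CERTIFICATE-----\nMIIplaceholder=\n-----END CERTIFICATE-----\n"
    "-----BEGIN OPENSSH PRIVATE KEY-----\n" + openssh_blob(b"none")
    + "\n-----END OPENSSH PRIVATE KEY-----\n"
)
```

Feeding every file under a web server's document root through classify_pem and reporting any entry whose flag is False gives the audit the bank described here was missing.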
There are strong protocols and even legislation in some countries
to strengthen security. FIPS 140-2 is a US federal standard that
specifies how highly sensitive electronic keys should be stored on
hardware devices that handle secure data communications.
It goes as far as to ensure that FIPS 140-2 compliant devices are
impervious to a wide range of electronic and physical attacks, and
even protects against compromise if the devices are stolen.
However, achieving FIPS 140-2 validation is a rigorous and
sometimes lengthy process.