PKI: Not as secure as you think

Major shortcomings in IT security are allowing hackers to steal digital certificates and get around the highest levels of...

Major shortcomings in IT security are allowing hackers to steal digital certificates and get around the highest levels of corporate security.

Security experts have warned that businesses are at serious risk of compromising their secure e-commerce systems because they do not understand how to deploy digital certificates.

Digital certificates are essential for e-commerce as they allow individuals to communicate securely over a trusted network or the Internet.

The certificate is formed from a securely stored private part or key and a public key. Both are needed to access encrypted information. However, experts are alarmed that private keys are not being issued correctly.

Rod Murchison, vice president of product management at network security firm Ingrian Networks, said he had come across many companies that had not paid enough attention to strict infrastructure security requirements.

"We spoke to one financial organisation that had already deployed a secure extranet and Internet banking service but regularly allowed staff to inappropriately handle the keys to the Secure Sockets Layer (SSL) protocol," said Murchison.

One example of lax security was discovered at an international bank, which employed the London-based ProCheckUp, a company that has developed tools to determine network security vulnerabilities.

Richard Brain, technical director at ProCheckUp, told CW360 that he was able to compromise the bank's Bacs (Banks automated clearing system) system for inter-bank transfers and its Web-based share dealing service.

The bank, he said, stored private keys on servers connected to the Internet. "We didn't only find administration certificates," he added, "we also discovered certificates to authorise money transfers between its London, Germany and New York subsidiaries."

Brain said that while private keys were nominally password-protected, the passwords used were either non-existent or set to "secret". This is he explained, a clear indication that little consideration had been given to the importance of such certificates.

The security model for digital certificates is hierarchical, which means that a certificate higher up the hierarchy has full access to all branches below it.

For example, Brain said that obtaining a private key for an organisation's head office would allow an intruder to access all subsidiaries.

"People do not realise the importance of certificates," he said assign that he often found private keys were stored on Internet servers.

In the case of the international bank, ProCheckUp found an unprotected Excel spreadsheet on one of its Internet servers containing passwords for the private certificates it issued.

There are strong protocols and even legislation in some countries to strengthen security. FIPS 140-2 is a US federal standard that specifies how highly sensitive electronic keys should be stored on hardware devices that handle secure data communications.

It goes as far as to ensure that FIPS 140-2 compliant devices are impervious to a wide range of electronic and physical attacks, and even protects against compromise if the devices are stolen. However, achieving FIPS 140-2 validation is a rigorous and sometimes lengthy process.

Read more on Antivirus, firewall and IDS products