UPDATED 11:45 EDT / JANUARY 04 2013

Hackers Exploit Security Lapse to Impersonate Google+

Google, Microsoft and Mozilla have all rushed to update their web browsers after it emerged that cybercriminals were exploiting a security loophole that allowed them to impersonate the Google+ social network.

The BBC reports that hackers exploited security credentials that browsers use to verify individual websites, allowing them to create a malicious website that appeared to be part of Google’s social domain. It happened after a Turkish security firm called TurkTrust – which apparently doesn’t live up to its name – mistakenly issued the credentials to hackers, who then set up the malicious site.

The malicious website seems to have gone unnoticed for about a year and a half until it was discovered by Google over the Christmas period.

“Late on December 24, Chrome detected and blocked an unauthorized digital certificate for the “*.google.com” domain,” wrote Google security engineer Adam Langley on the company’s security blog.

“We investigated immediately and found the certificate was issued by an intermediate certificate authority (CA) linking back to TURKTRUST, a Turkish certificate authority. Intermediate CA certificates carry the full authority of the CA, so anyone who has one can use it to create a certificate for any website they wish to impersonate.”

TurkTrust promptly launched an investigation into the security blip, discovering that in August 2011 it had mistakenly issued the wrong “intermediate certificate” to a client. Rather than providing a ‘low level’ certificate, it accidentally gave out two master keys that guarantee a website’s identity. Normally, such master keys are only given to site owners.

Sophos security expert Chester Wisniewski explained how dangerous the certificates can be in the wrong hands:

“These certificates could be used to impersonate any website to any browser without the end user being alerted that anything is wrong. Still get a padlock, still shows everything as valid.”

“When you trust the padlock in your browser to be an indicator of security, you aren’t just trusting the ~150 CAs trusted by Mozilla, Microsoft and Google.”

Wisniewski explains that the certificates are important because the security of online stores and other websites that handle financial transactions is dependent on how master keys and lower-level security credentials interact with one another.

In response to the discovery, Google, Microsoft and Mozilla quickly issued updates so their browsers no longer trust the certificates. Mozilla went even further, programming its Firefox browser not to recognize any TurkTrust-issued security certificates pending the outcome of its own investigation into the lapse.
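To make the two mechanisms in the story concrete (an intermediate CA certificate being accepted for any hostname it signs, and a browser's public-key pins and distrust list catching it), here is an added example that is not code from the article, from Google, Sophos or TurkTrust. It models certificates as plain records whose issuer-name linkage stands in for signature verification; the key bytes, organisation names and host patterns are constructed sample data, not the real parties' keys or the browsers' real pin sets.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for an X.509 certificate (constructed; no DER, no signatures)."""
    subject: str
    issuer: str
    spki: bytes   # stand-in for the SubjectPublicKeyInfo bytes
    is_ca: bool   # basicConstraints CA flag: True makes this a CA certificate


def spki_sha256(cert: Cert) -> str:
    """Pin value: SHA-256 over the public key, the shape Chrome's static pins use."""
    return hashlib.sha256(cert.spki).hexdigest()


def build_chain(leaf: Cert, intermediates: Dict[str, Cert],
                roots: Dict[str, Cert]) -> Optional[List[Cert]]:
    """Walk issuer links from the leaf up to a trusted self-signed root.
    Returns None if the chain breaks, an issuer is not a CA, or no root is reached."""
    chain, current = [leaf], leaf
    while current.issuer != current.subject:          # stop at a self-signed cert
        nxt = roots.get(current.issuer) or intermediates.get(current.issuer)
        if nxt is None or not nxt.is_ca or len(chain) > 8:
            return None
        chain.append(nxt)
        current = nxt
    return chain if current.subject in roots else None


def evaluate(leaf: Cert, intermediates: Dict[str, Cert], roots: Dict[str, Cert],
             pins: Dict[str, Set[str]], distrusted: Set[str]) -> str:
    """What a pinning-aware browser does with `leaf`.
    `pins` maps a host pattern (exact subject match here, a simplification) to a set of
    SPKI hashes, at least one of which must appear somewhere in the validated chain.
    `distrusted` is the set of SPKI hashes the vendor has pushed out as blocked."""
    chain = build_chain(leaf, intermediates, roots)
    if chain is None:
        return "untrusted-chain"
    if any(spki_sha256(c) in distrusted for c in chain):
        return "distrusted-issuer"
    required = pins.get(leaf.subject)
    if required and not any(spki_sha256(c) in required for c in chain):
        return "pin-violation"
    return "ok"


# Constructed sample PKI. The names are labels for the roles in the story only.
LEGIT_ROOT = Cert("Example Root CA", "Example Root CA", b"key-example-root", True)
LEGIT_INT = Cert("Example Intermediate CA", "Example Root CA", b"key-example-int", True)
LEGIT_LEAF = Cert("*.google.com", "Example Intermediate CA", b"key-google-leaf", False)

TT_ROOT = Cert("TURKTRUST Root", "TURKTRUST Root", b"key-turktrust-root", True)
# The mistake: a client certificate that was issued with the CA flag set.
MISISSUED = Cert("Client Cert", "TURKTRUST Root", b"key-client", True)
CORRECT = Cert("Client Cert", "TURKTRUST Root", b"key-client", False)
ROGUE_LEAF = Cert("*.google.com", "Client Cert", b"key-rogue-leaf", False)

ROOTS = {c.subject: c for c in (LEGIT_ROOT, TT_ROOT)}
INTERMEDIATES = {c.subject: c for c in (LEGIT_INT, MISISSUED)}
PINS = {"*.google.com": {spki_sha256(LEGIT_INT), spki_sha256(LEGIT_ROOT)}}


def demo() -> dict:
    """Run the rogue and legitimate chains through each stage of the story."""
    results = {
        # No pins, no distrust list: the rogue chain reaches a trusted root and passes.
        "rogue_without_pins": evaluate(ROGUE_LEAF, INTERMEDIATES, ROOTS, {}, set()),
        # Pinned host: the chain validates but contains none of the pinned keys.
        "rogue_with_pins": evaluate(ROGUE_LEAF, INTERMEDIATES, ROOTS, PINS, set()),
        "legit_with_pins": evaluate(LEGIT_LEAF, INTERMEDIATES, ROOTS, PINS, set()),
    }
    # The vendor update: push the mis-issued key's hash as explicitly distrusted.
    blocked = {spki_sha256(MISISSUED)}
    results["rogue_after_update"] = evaluate(ROGUE_LEAF, INTERMEDIATES, ROOTS, PINS, blocked)
    results["legit_after_update"] = evaluate(LEGIT_LEAF, INTERMEDIATES, ROOTS, PINS, blocked)
    # Had the client certificate been issued without the CA flag, it could not sign for anyone.
    fixed = {c.subject: c for c in (LEGIT_INT, CORRECT)}
    results["rogue_if_issued_correctly"] = evaluate(ROGUE_LEAF, fixed, ROOTS, {}, set())
    return results


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:28s} {verdict}")
```

The point to take from the run is the first result: with nothing but ordinary chain validation, the rogue certificate is accepted, padlock and all, because every one of the roughly 150 trusted roots can vouch for any hostname. Only a pin set for the host (how Chrome noticed) or an explicit distrust entry (what the browser updates added) turns that into a rejection, and the `is_ca` flag on the client certificate is the single bit whose mis-setting made the whole thing possible.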

Wisniewski remarked in his blog that this latest glitch once again exposes the need for a more efficient web security system:

“It is really time we move on from this 20-year-old, poorly implemented system. It doesn’t need to be perfect to beat what we have.”
