Terminology

One way to think of risks is the possibility for a problem to arise. Essentially, risk is the potential for realization of an unwanted negative consequence, but they are not problems in and of themselves. According to SANS,

“Thinking about risks as ‘potential problems’ sets the stage for the manager or analysis team to make decisions to avoid such problems. If a risk has become a problem, it is too late for mitigation. Action is warranted right away for problems. If risk management has been successful, that action has been planned, rehearsed and budgeted.”

It’s common to see the terms threat, attack and vulnerability being interchanged and used incorrectly. Basic definitions of these concepts are provided below, as defined in Gregory’s CISSP Guide to Security Essentials:

• Threat – the expressed potential for the occurrence of a harmful event such as an attack
• Attack – an action taken against a target with the intention of doing harm
• Vulnerability – a weakness that makes targets susceptible to an attack

Countermeasures

Security controls are also referred to as technical or administrative safeguards, or countermeasures. The goal of countermeasures are to counteract, or minimize loss of unavailability as a result of threats acting on their associated vulnerability. The GAO describes this as,

“The control environment sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure. Control environment factors include the integrity, ethical values, and competence of the entity’s people; management’s philosophy and operating style; and the way management assigns authority and organizes and develops its people.”

There are four basic types of countermeasures:

• Preventative – These work by keeping something from happening in the first place. Examples of this include: security awareness training, firewall, anti-virus, security guard and IPS.
• Reactive – Reactive countermeasures come into effect only after an event has already occurred.
• Detective – Examples of detective counter measures include: system monitoring, IDS, anti-virus, motion detectors and IPS.
• Administrative – These controls are the process of developing and ensuring compliance with policy and procedures. These use policy to protect an asset.

Risk/Threats/Vulnerabilities Formula

We’ve all seen the information security risk analysis formula, which suggests that:

Risks = Threats X Vulnerabilities X Impact

Certain versions of this formula might substitute ‘consequence’ for ‘impact’ though the concept is essentially the same. Some security practitioners argue that this equation does not make sense mathematically, nor is it applicable to the practice of infosec. Instead, it has its roots in decision theory, particularly in expected utility/value theory.

The expected utility or value of an action may be thought of as a weighted average. It can be determined by defining a set of mutually exclusive and jointly exhaustive possible outcomes from a particular course of action, then multiplying the probability of each possible outcome by its utility. The formula is clear and mathematically rigorous.

By contrast, the ‘Risks = Threats X Vulnerabilities X Impact’ formula referred to above is unclear and mathematically incoherent. It is impossible to include these concepts into a mathematical formula. One simple question is: what are the units of measurement for threats and vulnerabilities? Or, what is the range of possible values for vulnerabilities?

In addition, the ‘Risks = Threats X Vulnerabilities X Impact’ formula fails to take into account all of the possible outcomes of a particular action. It focuses solely on security threats, and can only calculate for a single security threat at a time.

Perhaps the formula is not meant to be used as a mathematical formula, but rather as an informal way of stating that security risks is a function of threats, vulnerabilities and potential impact or consequence. In that case, the formula could use a revision for clarity’s sake.

Summary

This article takes a closer look at infosec risks, threats, attacks, vulnerabilities and countermeasures/security controls. It differentiates between the concepts and provides industry-standard definitions for each. The article also explores four basic categories of countermeasures/security controls: preventative, reactive, detective and administrative. Finally, the article examines the ‘Risks = Threats X Vulnerabilities X Impact’ formula from a critical perspective.

CIPP Exam Preparation

In preparation for the Certified Foundation Examination (Foundations), a privacy professional should be comfortable with topics related to this post, including:

• Information Security threats and vulnerabilities (II.A.d.)

It’s important to ensure that website privacy policies correctly address specific legal issues and technical implications of the company. There are numerous types of privacy policies out there, some of which apply to online data; others apply to data collected by financial institutions; others that deal with the collection of information from children under the age of 13; and other policies that apply to individuals protected under foreign laws. There is no ‘one size fits all’ approach to developing a sound privacy policy.

Enterprise Privacy Programs

Developing and maintaining enterprise-wide privacy programs require top-down cooperation and collaboration of the different individuals in an enterprise.

According to United States privacy legislation, all companies involved in obtaining, maintaining, using and/or disclosing personal information about consumers ought to adopt a privacy policy. Privacy policies are documents in which companies state their information practices. Such documents keep organizations accountable to a set of formal privacy policies. Companies may be the subject of an FTC action or a lawsuit if their privacy practices do not accurately reflect those stated in their privacy policy.

Standardization of enterprise privacy programs is becoming more and more of an issue in recent years. Even though the primary objective of enterprise privacy policies is for internal use, standardization of such policies brings numerous advantages:

• Technical parts of regulations could be encoded into a standardized language
• Enterprises with heterogeneous repositories of personal data could develop consistent enforcement tools to ensure compliance with internal privacy practices

Components of a Privacy Policy

There are three main categories of information in a privacy policy:

1. 1. Policy Identification Details

This section defines the policy name, version and description.

1. 2. P3P-Based Components

This defines policy attributes that would apply if the policy is exported to a P3P format. Such attributes would include: policy URLs, organization information, PII access and dispute resolution procedures.

1. 3. Policy Statements and Related Elements: Groups, Purposes and PII Types

Policy statements define the individuals able to access certain types of information, for certain pre-defined purposes.

Another way to classify the components of a privacy policy is outlined below.

• Notice – Companies should provide consumers with clear, conspicuous notice that accurately describe their information practices.
• Consumer Choice – Companies should provide consumers with the opportunity to decide (in the form of opting-out) if it may disclose personal information to unaffiliated third parties.
• Access and Correction – Companies should provide consumers with the opportunity to access and correct personal information collected about the consumer.
• Security – Companies must adopt reasonable security measures in order to protect the privacy of personal information. Possible security measures include: administrative security, physical security and technical security.
• Enforcement – Companies should have systems through which they can enforce the privacy policy. This may be managed by the company, or an independent third party to ensure compliance. Examples include BBBOnLine and TRUSTe.

Consumer’s Point of View

From a consumer’s point of view, just because a website has a privacy policy doesn’t necessarily guarantee the security of the personal information. No privacy policy can definitely ensure the security of your information, or bind a company to those specific practices; however, there are certain policies that are better than others. A privacy policy should provide the consumer with a sense of transparency regarding the company.

Some important things that a consumer should consider when looking for good privacy policy include:

• What personal information is being collected?
• How will your personal information be used?
• How will your personal information be stored?
• Are there security measures protecting your personal information?
• How long will your personal information be kept by the company?
• Will your personal information be shared with others?
• How can you contact the company?

Summary

This article takes a look at the importance of an enterprise privacy policies and privacy programs. While policies alone cannot prevent data breaches or misuse of personal information, they are a good step in ensuring transparency and privacy-friendly practices. A privacy policy should contain the following key components: notice; consumer choice; access and correction; security; and enforcement. The article also lists some considerations consumers should take when assessing the reliability of a company’s privacy policy.

CIPP Exam Preparation

In preparation for the Certified Information Privacy Professional/Information Technology (CIPP/IT) exam, a privacy professional should be comfortable with topics related to this post, including:

• Personally Identifiable Information (PII) (I.A.a.)
• Consumer privacy concerns (II.A.a.)
• Organizational privacy practices (II.A.b.)
• Prominent notice and opt-in consent (II.B.b.)
• Privacy mechanisms – privacy by policy (III.A.)

The ISO standards work to facilitate trade; provide a basis for development, production and assessment of products; and to safeguard consumers who use products and services. The ISO produces standards for a wide range of industrial and commercial subjects. This article explores two ISO standards that are especially relevant to privacy professionals.

ISO 27000 Series & ISMS

The ISO 27000 standards series refers to information security matters. Since October 2005, the ISO has published six of these standards:

• ISO 27001: this is a model for creating information security management systems (ISMS).
• ISO 27002: this is a code of practices governing information security.
• ISO 27003: this focuses on the PDCA (plan-do-check-act) problem solving method for ISMS. It has been proposed, but not yet published.
• ISO 27004: this standard guides the development and assessment of ISMS, in alignment with the ISO 27002.
• ISO 27005: this soon to be published standard discusses information security risk management.
• ISO 27006: this regulates the accreditation of organizations that certify and register ISMS.

The ISO 27000 series is closely linked to other standards, including:

• ISO 17021: this standard discusses the requirements for auditing and certifying management systems of various types. It is closely related to the ISO 27006.
• ISO 13335: this discusses the management of information and communications technology security.  It is closely linked to the ISO 27005.
• ISO 24760: when it is published, this standard will offer a framework for identity management. It is most related to the ISO 27002.

Together, the ISO 27000 series of standards are used to plan, implement, certify and operate an ISMS. An ISMS, or information security management system, is a term unique to the ISO 27000 series. The term refers to a systematic approach for managing an organization’s sensitive information. An ISMS includes people, processes and information systems. Developing an ISMS ensures the following:

• The organization’s information assets are listed and secured.
• Information security risks are managed and mitigated.
• The organization’s security policies are implemented.
• The organization is regularly assessed to ensure adherence to security measures.

Information security involves three main components: confidentiality, integrity and availability. Confidentiality refers to the level to which information is accessible to authorized individuals only. Integrity refers to the level of accuracy and completion of information. Integrity of information also ensures that it is not modified without knowledge and authorization. Availability or accessibility of information to authorized individuals is also necessary for information security.

ISO 27001

The ISO 27001, formally referred to as “Information Technology – Security Techniques – Information Security Management Systems – Requirements,” was published in October 2005. It replaces the former BS7799-2 standard. The previous standard was created in 1995 by the BSI (British Standards Institute), which helped to ensure that information security measures were effective. The BS7799-2 standard was developed as a technology-neutral and vendor-neutral system. This standard was taken as a Code of Practice, rather than as specific standards.

The standard outlines the specific requirements involved in establishing, implementing, monitoring, reviewing and improving a management system. It does not discuss information security-specific requirements, but offers a framework for management systems in various types of organizations, from commercial enterprises, to public service agencies and non-profit groups. The ISO 27001 uses the OECD principles which govern security of information and other network systems.

The ISO 27001 standard demands that an organization’s management carry out the following:

1. Examine information security risks, paying attention especially to threats, vulnerabilities and impacts.
2. Develop and implement a complete set of information security controls and other protocols for dealing with risk.
3. Commit to an overarching management process to ensure that the information security controls adapt and grow with the organization.

The ISO 27001 involves a number of PDCA cycles. The PDCA cycle is a statistical process for problem solving. It is applied within improvement programs to ensure that action is effective. The cycle involves:

1. PLAN: identify the problems that are being faced. Brainstorm solutions to these problems.
2. DO: test problem-solving actions on a limited, experimental scale first. This will ensure that disruptions to regular operations are kept at a minimum.
3. CHECK: determine if the experimental actions are achieving a desired result. Monitor the quality of output continually to ensure that new problems are identified immediately.
4. ACT: once experimental actions are deemed effective, the changes should be implemented on a larger scale. This may mean that the new actions are integrated into daily routines and/or expanded to involve other individuals or departments in the organization.

In order for an organization to be certified compliant with the ISO 27001, it must go through the following process. Initially, the organization must decide to start the certification process. During this stage, management must commit to the project and delegate responsibilities. Management would then develop and publish an organizational policy regarding the standards certification.

The organization then undertakes a scoping process, in which specific parts of the organization are covered by the ISMS. This determines which locations, assets or technologies will be included in the certification.

After the scoping process, the organization must carry out a risk assessment to identify strengths and means of addressing weaknesses, in terms of risk exposure. As a result, the organization produces a document outlining the method for managing risks. The procedures and policies are then implemented throughout the organization. Auditors from certification or registration bodies then carry out the verification of compliance.

ISO 27002

The ISO 27002, formally referred to as “Information Technology – Security Techniques – Code of Practice for Information Security Management,” was published in 2005. The standard is based on the UK standard, BS7799. The ISO 27002 and ISO 27001 are meant to be used together.

The objective of the ISO 27002 standard is to establish requirements and basic principles for implementing or changing an ISMS within an organization. The contents of this standard address the requirements of a risk assessment. It represents more of an advisory document, rather than a standard or formal specification. As such, any organization that adopts the ISO 27002 must identify their own information security risks and create appropriate controls, using the document as a framework.

The standard outlines thirty-nine control objectives that specify functional requirements. These control objectives form a basis for an organization to create principles for its own information security policies. The main sections or categories under which the control objectives fall are as follows:

1. Risk management
2. Policy
3. Organization
4. Asset management
5. Human resources security
6. Physical and environmental security
7. Communications and operations management
8. Access control
9. Software development
10. Incident management
11. Business continuity
12. Compliance

While the ISO 27003 offers some guidance for implementation, a number of critiques regarding the ISO 27002 standard have surfaced since its publication. A few potential areas for revision include:

• The standard does not adequately address risk assessment. It ought to suggest more risk assessment activities.
• The standard does not clearly define what an organization’s security policy should be.
• The standard should assist organizations in ensuring business continuity, for instance facilitating recovery or planning to cope with incidents that may arise.
• The standard should be more in depth in terms of its section on IT auditing. It may want to cover the value of auditing and improvement.

Increasing Certification

There are a number of reasons for increasing certification to ISO 27000 series standards. Two important causes are the increase of threats to information and the increase of regulatory and statutory requirements for information protection. Over the past decade, formal ISMS are seen as necessities for organizational best practices.

According to international reports, ISO 27001 certifications have steadily been increasing by approximately one thousand organizations per year. Concurrently, global information security threats are becoming more and more visible. These threats target any organization or individual who relies on the use of electronic information. At the same time, personal data may also be at risk of natural disasters, external attack, internal corruption or theft. This has led to increasing demand for compliance from suppliers, business partners and consumers.

Summary

This article introduces the ISO 27001 and the ISO 27002 standards. It discusses the ISO 27000 series of standards, which regulate information systems management from a privacy perspective. The ISO 27001 aims to help organizations to improve their ISMS (information security management system) by providing a model for design and implementation. The ISO 27002 lists some guidelines for managing the life cycle of information security within an organization. It is comprised of a number of control objectives. The article finally discusses the important role of ISO standards in an organizational ISMS context.

Foundations Exam Preparation

In preparation for the Certification Foundation exam, a privacy professional should be comfortable with topics related to this post, including:

• Business risk management (I.C.a.)
• Information security standards (II.A.d.)
• Information security management (II.C.a.)

The E-Government Acts of 2002 involved a large number of new regulations to implement and control the use of electronic technologies by the U.S. Government. Title III of this Act, called the Federal Information Security Management Act required all Government agencies to develop extensive information security programs.

What is the Importance of FISMA?

The Federal Information Security and Management Act deals with Information Security, which is one of the Fair Information Practice Principles. Proper protection of data does not only include the acceptable use and disclosure of the data by the agency, but also the measures taken to prevent abuse of information by other parties and to protect the status and availability of the data.

FISMA incorporates the three main components of information security:

• Confidentiality– involves implementing the necessary restrictions and authorizations to limit access to sensitive data.
• Integrity– involves ensuring information is authentic and preventing improper modification or destruction
• Availability– involves the ability to readily access information and the timeliness of the information

What Does a FISMA Compliant Information Security Program Entail?

• Periodic risk assessments must be conducted evaluating any potential harm caused by unauthorized access, use, disclosure or destruction of the data including an assessment of the magnitude of harm
• Risk assessments are used to develop policies which are cost effective and reduce any security threats. These policies must also protect data at all stages of the life cycle
• The efficacy of policies, procedures and security controls must be tested at least annually, with higher risk systems requiring more frequent evaluations.
• An agency must implement a way to detect, report and respond to security violations
• An agency must develop a continuity of operations plan to return function as quickly as possible in the event of a security incident of disruption.

What is Security Certification and Accreditation?

Security Certification and Accreditation is the official process taken to authorize the operation of an information system by an agency of the U.S. Government. By accrediting an information system, the agency accepts full responsibility for the system and will be held accountable for any negative impacts or problems that may arise.

The four phases of the Security Certification and Accreditation process:

1. Initiation Phase– ensures all parties are on the same page regarding the information system, its contents and controls before the system is evaluated. In this phase, the information security system is prepared and the security plan is analyzed and updated for review.
2. Security Certification Phase– evaluates security controls to make sure they are functioning correctly, that the system is operating as it should and that the information is adequately protected. In this phase, all security controls are tested documentation is created with the results.
3. Security Accreditation Phase– the information gathered during the previous phase is used to determine if the operation of the information system presents an acceptable security risk. In this stage, the authorizing official determines whether or not an information system may become operational, and proper documentation is filed if the system is ready to become accredited.
4. Continuous Monitoring Phase – ensures ongoing enforcement by requiring ongoing configuration and management control, monitoring of security controls and the filing of status reports and documents.

Reaccreditation occurs periodically and after significant changes in the system or environment. The Security Certification and Accreditation process is used to evaluate an individual information system and its security. It is similar to but distinct from Privacy Impact Assessments which are used to evaluate privacy protections with regard to changes in a records system. PIA and C&A evaluations for particular information systems may overlap in coverage. However, PIA are also used to evaluate privacy concerns involved with using matching programs, sharing information between agencies or when transferring data to electronic form. C&A evaluations are less frequent and more extensive and evaluate individual security systems and their related policies.

Enforcement of FISMA

Monitoring of FISMA compliance is built into the regulation through mandatory reports due to the Director of the Office of Management and Budget, and several House of Representative and Senate Committees. The report must include:

• The information resources used by the agency
• The information technologies used by the agency
• The program performance
• Financial management information including annual budgets, and accounting to determine cost effectiveness
• Record of any significant vulnerabilities in the policies, procedures or security systems.

In 2008, OMB Memorandum 08-09, added new reporting guidelines that required each agency to report:

• The number of each type of privacy review used by the agency during the previous fiscal year
• Any new policies, guidance or advice provided by the agency official in charge of privacy in the past fiscal year
• The number of written privacy complaints received in the past fiscal year
• The number of privacy issues referred to another agency with the relevant jurisdiction in the past fiscal year

Each agency must also create a performance plan in consultation with the Director of the Office of Management and Budget regarding the time period and resources needed including budget, staffing and training to implement or continue to implement, secure FISMA compliant information security systems.

FISMA also requires annual independent evaluations of the information security programs and procedures. The evaluation is conducted by the Inspector General of the agency, if one is appointed. It one is not appointed, the head of the agency must hire an external party to evaluate the system. A report the evaluation must be submitted to the Director of the Office of Management and Budget who then summarizes the findings in the Director’s Report to Congress.

Summary:

The Federal Information Security Management Act protects privacy by requiring extensive evaluations and monitoring of Government information systems to ensure data is adequately protected and operating at an acceptable level of risk.

CIPP/G Candidate Preparation

In preparation for the Certified Information Privacy Professional Government exam, a privacy professional should be comfortable with topics related to this post including:

• Federal Information Security Management Act (I.C.f.i-iii.)
• The E-Government Act of 2002 including Privacy Impact Assessments (I.C.c.i.-ii.)

The scheduled drug raid was a joint operation with MI5, MI6, the US Drug Enforcement Agency and organized by the Serious Organized Crime Agency.  SOCA received £416 million in funding for 2006 (about $625 million), but did not release how much of that budget went for the covert operation.  An internal source claimed to The Times – London that the aborted operation cost over £100m ($150M). The agent responsible for the loss, referred to only as ‘T’, lost her purse somewhere between the airline terminal, the immigrations checkpoint and a bus from El Dorado airport in Bogota, Columbia.  She was heading to her new office at the British Embassy.

A Soca spokeswoman said: “Soca has introduced its own clearly defined data handling and security policies. During the year to March 2009 — the first year we have been required to report any breaches — there wasn’t a single breach of personal or sensitive data by Soca staff.”

The agencies took the first steps by defining data handling policies and measuring/reporting against them.  An inquiry and formal investigation into the event occurred, and remedies put in place appear to be working.  The obvious question – why was encryption not used for this sort of situation?

The secure computer on a USB key was developed for just this sort of cloak and dagger thing. There are encryption routines built into every commercial operating system available today.  Dozens of security vendors sell encryption software, ranging from Full Disk Encryption, to mobile device encryption, to file level and storage encryption.  The US National Security Agency helped Microsoft with Windows Vista. They designed a security enhanced version of Linux.  The British Intelligence folks have their hands in a few secured systems as well.

Encryption ought to be just another wicket in the engrained security processes of an intelligence operation.  In fact, encryption ought to be a requirement for every organization that processes private or mission critical information.  Security product provider Checkpoint points out the dire situtation best in a February 2009 UK survey: “…less than 50% of the UK public and private sector organisations use any form of data encryption.”

As a privacy professional, knowledge of information security and its ramifications to privacy are paramount to successful data protection.  Personally Identifiable Information, Private Health Records, Personal Financial Information – it’s all only as confidential as the protections surrounding it.  If the security provisions do not guarantee the data are available and the integrity’s intact, there could be more than fines or company reputation at stake.

No merchant data or cardholder Social Security numbers, unencrypted personal identification numbers (PIN), addresses or telephone numbers were involved in the breach. Nor were any of Heartland’s check management systems; Canadian, payroll, campus solutions or micropayments operations; Give Something Back Network; or the recently acquired Network Services and Chockstone processing platforms.

Heartland reportedly determined the source of the breach last week as a piece of malicious software.

Heartland Payment Systems is a member of the Payment Card Industry’s (PCI) small group of payment processors. Any business that handles credit card data, from an end merchant through processors and the issuers themselves, are part of the PCI. Established by a consortium of Visa, Mastercard, American Express and others, PCI is one of the largest commercial groups creating a minimum security requirement for their members. The Data Security Standard (DSS) calls out far more specific protection requirements across it’s members than anyone outside of the Federal/military, and apply those protections for each phase of a credit card’s processing. The final list of 12 rules includes items such as encryption, firewalls, intrusion detection, log management, and authentication/authorization. The PCI DSS’ final implementation date was over two years ago, in 2007 after a two year extension. Each member had to pass an audit by a qualified assessor, and if a member was not in compliance, they were typically given a set amount of time to come into compliance.

One thing that does stand out is Heartland’s insistence that no Social Security numbers, unencrypted PINs, or addresses/telephone numbers were disclosed. These are specific requirements of the DSS – it interests me whether the lack of disclosures occurred because the data were not collected, or if the data were simply encrypted. As mentioned earlier, encryption is one of the PCI DSS requirements. Encryption may eventually be broken, although by using the latest algorithms the information is typically expected useless by the time it is finally disclosed. The European Union requires limiting the collection and storage of data to the minimum absolutely required. This prevents accidental disclosure, such as the inmates medical records loss in the UK. Within the CIPP reference guide, good privacy policy in the US should follow this sort of minimalistic attitude.

In the next iteration of the PCI provisions, aptly named the Payment Application DSS, all programs that handle credit card information must have application layer protections embedded in the system by 2010. This should take care of many threats due to network data pilfering, but will have considerably less effect on illegitimate software running on a bank’s systems. Hopefully it will result in lower business postage charges.

Sergeant Haytham Khalil obtained records for an acquaintance embroiled in a custody dispute. He was charged with a misdemeanor of “accessing a computer and as a result exceeding his authority by obtaining information belonging to a department and agency of the United States.” Sentencing, scheduled for April 14th, could result in a $100,000 fine and one year of supervised probation.

Sergeant Khalil used another officer’s account credentials who did have appropriate access privileges. The fellow officer left the credentials available for any of his co-workers to access the National Crime Information Center database when he wasn’t around. Obviously, there was a violation of the researched individual’s privacy.

The biggest problem with this scenario isn’t the Sergeant,although his actions were well outside of the code of conduct by reviewing the records. No, the biggest problem is the fellow officer’s equivalent of taping his password to the monitor, and the expectation of the co-workers within the department that the sharing of credentials should be normal operating procedure.  This type of user name/password sharing essentially amounts to a Role Based Access Control (RBAC):  every user that needs access to the system uses the same information.  Any time a system utilizes RBAC, administrators lose a great deal of accountability. Was it officer A or B, or the guy who we promoted six months ago, or fired a year ago? Hopefully you see the problem.

By assigning specific rights to individual users, and limiting the overlap and assignment of those rights (resulting in essentially two person controls), the system may not be gamed. Individual users are then responsible for their actions. There is no finger pointing, reviewing the video tapes, etc. Policy should then dictate disciplinary action or even dismissal for sharing credentials. One step further is some sort of biometric access control, which should be easier for the end user’s compliance. Further still RFID badges, where you may either log in or leave the building. These measures don’t completely eliminate a user’s logging in, then letting someone else sit at the controls, but it certainly increases the complexity.

The talk, titled “MD5 considered harmful today: creating a rogue CA certificate”, centers on creating a new PKI certificate for a well known, trusted server.  Browsers contain a default list of who constitute a trusted server and each company defines their own processes for who makes the list (Mozilla, Microsoft, Apple, Opera).  The German researchers created an appropriately named rogue CA, consisting of a certificate attested to by one of the default trust authorities included by Mozilla in the FireFox browser.   There are plenty of details available on the hack itself.  

The question that stands out in my mind: of the 30,000 sites tested, why were there 9,000 still using an outdated cryptography?  Stands to reason that most of these trust providers have had more than adequate time to migrate to a stronger method (13 years – literally).  And at the very least, a revocation/renewal path for users after the 2004 demonstrations.  There are plenty of weak rationale: People are on slow computer connections to download so much information, The computers don’t have enough processing power to make the crypto computations, It’ll slow down the user’s experience, We need consistency with our servers.

Bogus.  There are expiration dates on certificates for a reason.  Use them.  Certificate Revocation Lists exist.  Check them.  There are key lengths and cipher versions associated with connections.  Skip the known vulnerable version.

There’s a sliver of “Why did Microsoft, Mozilla, Apple and the rest allow these certificates into their browsers?”  Politics and money perhaps.  Some of it comes down to ignorance.  If a user asks their Internet Service Provider for a secured HTTPS website, they don’t know the difference and just know they see the browser lock once everything’s done.  The pressure will come as it always does with a high profile exposure.  Do you think it will take another 10 years?

Btw, If you really want amusement, check the root chains loaded by default, especially if you’re on a little older computer.  The attached screen shot shows the buttons to press for IE7 on Vista (Internet Options->Content->Certificates->Trusted Root/Intermediate).  It’s absolutely amazing what Microsoft used to put in there – now there are only a couple that make me scratch my head…  Can you imagine how much information is at risk because of poor choices?  What if it’s your bank, or medical doctor or email provider?