Security Error Leaves Users Vulnerable

Thales: 29 May, 2012 (Technical Article)
Thales comments on error at Yahoo! that opened a security hole by leaking private keys
Last week Yahoo! released its Axis extension for Chrome but accidentally leaked a private key allowing anyone to digitally sign malicious extensions as if they came from Yahoo! itself.

Richard Moulds, VP Product Strategy at Thales e-Security, comments on the revelation:

“The issue is that Yahoo! launched a new standalone browser called Axis for mobile devices that also acts as an extension for Firefox, Chrome, Safari and Internet Explorer. The good news is that they use code signing to allow customers to validate the integrity and authenticity of the code that Yahoo publishes – in practice, this means that the browser (like IE) can validate the software plug-in before it allows the plug-in to run.

“In this case, the plug-in for the Chrome browser included the private signing key (a PGP key) when normally it would only include the public key in the form of the signing certificate. Consequently, anyone can misuse the private key and publish their own plug-ins, sign them with the Yahoo public key and the browser (Chrome, in this case) would not be able to tell the difference – for example, an attacker could write a browser plug-in that captured passwords, cookies or web history and it would look (and work) just like a trusted Yahoo plug-in. Fake plug-ins could also be used to carry malware that would have effect outside the browser or even bring the host computer to a standstill.

“There is no suggestion that the private key was stolen – it seems to have just been pure human error. Needless to say, this is a great example of where a hardware security module (HSM) would have helped. An HSM would have ensured that copies of the private key simply wouldn’t have been available to humans and therefore there would be much less risk of humans doing something silly – i.e. it reduces the risk of human error, not just the threat of attacks.

“An HSM could have been used to enforce even greater controls since it could have been used to enact “dual controls” or shared responsibility policies where more than one person would be required to actually sign the code – a final check and balance before the code is published – again reducing the risk of human error (as well as human misuse).

“Remember that this is not an APT attack (like RSA or DigiNotar). This is a security error that left the door open for that sort of attack – however, if the loophole was exploited it wouldn’t qualify as an APT since it wouldn’t be ‘targeted’ – in this case it would potentially apply to every instance of a Chrome browser. One of the downsides of auto-update processes is that if a new plug-in is published and it contains an error, it could be propagated to a large number of computers very quickly since they all run out and get the new software as soon as it is published.”
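The packaging mistake described above (the secret half of the signing key copied into the shipped bundle) is the kind of thing a release pipeline can catch mechanically. The following is an added example, not code from Yahoo!, Thales or ProSecurityZone: a pre-publish gate that scans a zip-based bundle (a Chrome .crx wraps a zip; here a toy bundle is constructed in memory with placeholder, non-functional key text) for armored private-key headers and blocks the release if any are found.

```python
import io
import re
import zipfile

# Armored headers that mark private key material (PGP and PEM). Public keys and
# certificates use different headers and are legitimately part of a signed bundle.
PRIVATE_KEY_MARKERS = re.compile(
    rb"-----BEGIN (PGP PRIVATE KEY BLOCK|"
    rb"(RSA |DSA |EC |ENCRYPTED |OPENSSH )?PRIVATE KEY)-----"
)

def find_private_keys(bundle: bytes) -> list[str]:
    """Return 'member: marker' for every zip member that embeds a private key header."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(bundle)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info.filename)
            for m in PRIVATE_KEY_MARKERS.finditer(data):
                findings.append(f"{info.filename}: {m.group(0).decode()}")
    return findings

def build_sample_bundle(include_private_key: bool) -> bytes:
    """Construct a toy extension bundle (constructed sample data, placeholder key text)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("manifest.json", '{"name": "example-extension", "version": "1.0"}')
        # The public key belongs in the bundle so the browser can verify the signature.
        zf.writestr("keys/signing.pub.asc",
                    "-----BEGIN PGP PUBLIC KEY BLOCK-----\nmQENBF...placeholder...\n"
                    "-----END PGP PUBLIC KEY BLOCK-----\n")
        if include_private_key:
            # The packaging error: the private half copied in next to the public key.
            zf.writestr("keys/signing.asc",
                        "-----BEGIN PGP PRIVATE KEY BLOCK-----\nlQOYBF...placeholder...\n"
                        "-----END PGP PRIVATE KEY BLOCK-----\n")
    return buf.getvalue()

def release_gate(bundle: bytes) -> bool:
    """True if the bundle may be published, False if it must be blocked."""
    return not find_private_keys(bundle)

if __name__ == "__main__":
    for leaked in (False, True):
        bundle = build_sample_bundle(leaked)
        print("publish" if release_gate(bundle) else "BLOCK", find_private_keys(bundle))
```

A check like this complements, rather than replaces, keeping the key in an HSM: if the private key never exists as a file, there is nothing for the scanner to find in the first place.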
© 2012 ProSecurityZone.com