Could DigiNotar Hack Lead to a Cyberattack on You?

Hackers colluding with the Iranian government to spy on democratic activists may have made it easier for cybercrooks to spy on you, a security expert told

The Dutch government over the weekend seized control of DigiNotar -- which sells "SSL" security certificates that act as a handshake guaranteeing online transactions -- saying certificates it had issued were forged and could no longer be relied on. The hack targeted Iranian activists, but you might be a victim too, warned Ira Victor, director of the digital forensics practice with Data Clone Labs and a member of the High Technology Crime Investigation Association (HTCIA)

"Millions of websites use SSL to protect their user's information -- that's why the SSL digital certificates are such a tempting target for cybercriminals," Victor told

The forgeries were used almost exclusively in Iran for political reasons, mainly to spy on Iranian citizens, according to a recent review by IT firm Fox-IT and experts at security firm Kaspersky Labs. But individuals worldwide might end up in the crosshairs anyway, Victor warned.

"The [hacker] appears to be politically motivated, but that doesn't prevent him from cashing in on SSL certificates for his own profit, directly, or indirectly, and to use those funds for his political goals," he said, noting that "just about every digital asset is for sale in the digital black market."

More On This...

Experts say most major Internet communications companies had already used the phony forms; fake Google certificates had been used by 300,000 IP addresses, for example, as well as Skype, Microsoft, Facebook and more.

SSL digital certificates govern the basic security of all Internet transactions: Log onto a web browser or an email account and you'll often end up sending data that relies on one. With access to that certificate, a cybercrook could snoop the bits and bytes of what should be a secure transaction.

It's called a "man in the middle" assault -- and it's anything but common, scoffed Anup Ghosh, chief scientist with security company Invincea.

"Most hackers never resort to this," he told "If I want to capture your email, your online transactions, I don't need to forge a certificate. I can just compromise your machine."

Use of a certificate would require massive rerouting of Internet traffic, Ghosh said -- the sort of thing you'd do to snoop on Iran, not the average citizen.

"The only way for you to employ a forged certificate is if you can reroute my request to your server. You'd have to hack infrastructure," he said.

That hasn't stopped Microsoft from issuing updates to the Internet Explorer web browser on Windows 7 and Windows Vista, which you can install by running Windows Update. Late Tuesday the company issued an emergency patch for Windows XP as well. Google and Mozilla, maker of the Firefox browser, have also issued updates to their software.

Apple has made no official statements about plans to issue a patch for the Safari browser. Victor warns not to wait.

"For Apple, iPhone and iPad users, download the Opera browser. They'll be faster to issue a fix for this than Safari. And it's free," he told

DigiNotar, a subsidiary of Chicago-based Vasco Inc., acknowledged it had been hacked on Aug. 30 only after Google stated that fake certificates for Google sites were circulating in Iran. Google marked the company's certificates as dubious, and other web browser makers followed suit.

The hack underscores the increasing importance of what had been an obscure part of computing: digital certificates, which enable nearly all secure transactions online and are a crucial tent pole propping up not just Internet transactions but much of modern business.

"Digital certificates were created by the guys at Netscape. It was never envisioned to scale up for payroll data … we're pushing the envelope of what these things can do," Victor advised.

"Businesses that are relying on these certificates -- which is just about everybody today -- need to be better prepared," he told -- one thing he and Gosh can agree upon.

The underpinnings of web security that we take for granted … the people that provide those services are just as susceptible as anyone else, Gosh said.

"Like planning for a hurricane, you can't wait until the water comes rushing in," Victor said.