It seems that fall is near. It’s a rainy day here but nonetheless, a wonderful day.
We wanted to notify our customers and viewers of a security risk that is currently out there on the internet. We normally allow security providers, such as Microsoft, McAfee or Symantec, to make these announcements, but due to the nature of this risk, and the fact that it is actively being used by malicious users, we thought it necessary to let you know directly.
48 hours ago it was announced that there were active attacks being pursued online using fraudulent digital certificates that were issued by DigiNotar. DigiNotar is a certificate authority which provides customers with digital certificates. These fraudulent certificates affect all users of the internet, regardless of the operating system in use.
According to the information we have, the following certificates are known to be fraudulent:
- DigiNotar Root CA
- DigiNotar Root CA G2
- DigiNotar PKIoverheid CA Overheid
- DigiNotar PKIoverheid CA Organisatie – G2
- DigiNotar PKIoverheid CA Overheid en Bedrijven
What is a Digital Certificate?
A digital certificate, or just certificate for short, is a data file that is used to encrypt information. For example, when you connect to a bank web site, you might be connecting over SSL (Secure Sockets Layer), and your information, such as your bank account number or password, is encrypted using a digital certificate. This keeps attackers from stealing information while it is being transmitted over the internet, because they cannot decrypt it without being the actual bank server.
What is a Digital Certificate Authority?
A Digital Certificate Authority, also known as just a Certificate Authority or CA, is a digital certificate provider that generates digital certificates and hands them out to customers. Your bank will receive a digital certificate by purchasing one from a Digital Certificate Authority. In order for digital certificates to function, the bank needs a “private key”, used to decrypt information, a “public key”, used to encrypt information, and an available Digital Certificate Authority to authenticate its certificates. When you access the bank web site, the web site tells your computer that it has a certificate. Your computer must then contact the Digital Certificate Authority in order to receive encryption information (the “public key”) so it can talk to the bank web site. The Digital Certificate Authority ensures that no one is able to hijack a digital certificate.
Steps to Protect
Users of Windows, including Windows XP, Windows Vista, Windows 7, Windows Server 2003 and Windows Server 2008 (including both R2 and non-R2 releases), as well as users of Macintosh and Linux/Unix are affected.
In order for users to protect themselves from these fraudulent digital certificates, the following steps are necessary:
Windows XP
- Open Internet Explorer
- Visit the following web site: http://update.microsoft.com.
- Click the “Express” button when the option is made available.
- Follow the prompts to complete the installation of any new Microsoft updates
Windows Vista/Windows 7
- Click Start > Control Panel
- Click System and Security
- Click Windows Update
- Choose Check for Updates on the left
- Click the ‘Install Updates’ button.
(If the ‘Install Updates’ button isn’t available, then you may already have this update installed)
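Windows users who want to confirm that the update took effect can check where the DigiNotar CA certificates listed above sit in the certificate stores. The following is an added example, not part of the original notice; it assumes PowerShell 2.0 or later (Vista/7) and writes the “Organisatie – G2” name with an ASCII hyphen, which is how certificate subjects are normally encoded. After the update, these CAs should appear only under Disallowed (Untrusted Certificates), never under Root or AuthRoot.

```powershell
# Added example, not part of the original advisory. Reports every DigiNotar CA
# certificate named in the notice and the store it lives in. "Root" and
# "AuthRoot" are trusted-root stores; "Disallowed" is the Untrusted store the
# Microsoft update moves these CAs into.
$digiNotarNames = @(
    'DigiNotar Root CA',
    'DigiNotar Root CA G2',
    'DigiNotar PKIoverheid CA Overheid',
    'DigiNotar PKIoverheid CA Organisatie - G2',   # ASCII hyphen assumed
    'DigiNotar PKIoverheid CA Overheid en Bedrijven'
)
$stores = @(
    'Cert:\LocalMachine\Root', 'Cert:\LocalMachine\AuthRoot', 'Cert:\LocalMachine\Disallowed',
    'Cert:\CurrentUser\Root',  'Cert:\CurrentUser\Disallowed'
)

$found = foreach ($store in $stores) {
    foreach ($cert in (Get-ChildItem -Path $store -ErrorAction SilentlyContinue)) {
        foreach ($name in $digiNotarNames) {
            # Subject looks like "CN=DigiNotar Root CA, O=DigiNotar, C=NL"
            if ($cert.Subject -like "*CN=$name*") {
                New-Object PSObject -Property @{
                    Store      = $store
                    Subject    = $cert.Subject
                    Thumbprint = $cert.Thumbprint
                    NotAfter   = $cert.NotAfter
                }
                break   # one report per certificate
            }
        }
    }
}

$found | Format-Table Store, Subject, Thumbprint -AutoSize

# Any hit outside a Disallowed store means the CA is still trusted on this machine.
$stillTrusted = @($found | Where-Object { $_.Store -notlike '*\Disallowed' })
if ($stillTrusted.Count -gt 0) {
    Write-Warning "DigiNotar CA certificates are still trusted here; install the Windows update described above."
} else {
    Write-Host "No DigiNotar CA found in a trusted store."
}
```

Run it from an elevated PowerShell prompt so the LocalMachine stores are readable.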
Macintosh/Linux/Unix
Check for any new System updates for your respective operating systems.
Macintosh users can contact Apple product support for more information on how to protect against these attack vectors.
---
Depending on the type of device you have, smartphones and MP3 players (iPod, iPhone, Android, PalmOS, BlackBerry) may also be affected. Users of these devices should contact the manufacturer’s technical support to ensure these devices are protected.
Microsoft has announced that Windows Mobile 6.x, Windows Phone 7 and Windows Phone 7.5 (Mango) devices are already protected and not affected by this risk.