Year of the Hacker (Cont'd)
Tennessee Cyber Harassment and Cal Data Breach Update
SSL Certificate Provider DigiNotar Hacked, CIA Among Victims
DigiNotar, a Dutch SSL certificate authority, has belatedly revealed that in July hackers caused over 500 fraudulent certificates to be issued, including certificates for Facebook, Skype, Mozilla, Microsoft, Yahoo, Android, Twitter and domains owned by the CIA, Israel’s Mossad and the UK’s MI6. An audit has revealed that DigiNotar lacked basic security safeguards such as strong passwords, anti-virus protection and up-to-date software patches, which has some calling into question the standards applied at other certificate authorities. Mozilla has called for other authorities to conduct a security audit and confirm they are secure by September 16th. Symantec has confirmed that its SSL certificate authorities VeriSign, Thawte, GeoTrust and RapidSSL are secure.
Kaspersky Lab’s Roel Schouwenberg said that the attack will have greater consequences than the Stuxnet worm that disrupted Iran’s nuclear program. As MSNBC’s Matt Liebowitz notes, the attack “blew a hurricane-strength breeze at the fragile house of cards built by certificate authorities” and in doing so “fractured the implicit trust Web users have when logging on to a site.”
An Iranian known as Comodohacker claimed responsibility for the hack, which he said was in retaliation for the Dutch involvement in the July 1995 Srebrenica massacre, in which Bosnian Serb forces killed over 8,000 Bosnian Muslims in a “safe area” protected by Dutch U.N. peacekeepers. The massacre was the worst atrocity on European soil since World War II. Reports by the U.N. and the Dutch government have faulted the Dutch peacekeepers’ response.
Since California enacted the nation’s first data breach law, 45 other states have enacted similar measures. Governor Brown recently signed an update to the law that draws from some of those state laws by requiring specific content in the notice provided. This includes:
- The name and contact information of the reporting person or business;
- A list of the types of personal information that were or are reasonably believed to have been the subject of a breach;
- The date of the breach and the date of the notice, if that information is possible to determine at the time the notice is provided;
- Whether notification was delayed as a result of a law enforcement investigation, if that information is possible to determine at the time the notice is provided;
- A general description of the breach incident, if that information is possible to determine at the time the notice is provided; and
- The toll-free telephone numbers and addresses of the major credit reporting agencies if the breach exposed a social security number or a driver’s license or California identification card number.
New Tennessee Law Addresses Posting Offensive Images
Tennessee has amended its harassment law to prohibit the posting or transmission of images that the defendant “knows, or reasonably should know, would frighten, intimidate or cause emotional distress.” The new law is a First Amendment landmine (as the photo of the Tennessee Titans falling inches short of a Super Bowl win suggests) and has triggered a belated constitutional review by the state’s Attorney General and threats of a lawsuit from the ACLU.
More Info: Kim Zetter, CIA, Mossad, Also Targeted in Massive DigiNotar Cert Breach, Wired; Elinor Mills, Mozilla gets tough after digital certificates hack, CNET; Matt Liebowitz, Cracked digital certificates endanger ‘web of trust’, MSNBC; Wikipedia, Srebrenica Massacre; Post A Picture That ‘Causes Emotional Distress’ And You Could Face Jailtime In Tennessee, TechDirt