Certification Authority Issues Alert on Fraudulent SSL Certificates

March 24, 2011 - PRLog -- Recently, Comodo Group, Inc., one of the leading certification authorities warned against nine fraudulent Secure Sockets Layer (SSL) certificates issued by a Registration Authority. The registration authority reportedly suffered a security breach incident, which led to the disclosure of a user account. The compromised user account was used by the attacker to create new authentication credentials, placing and receiving order for certifications. The fraudulent certificates affect login.live.com, mail.google.com, google.com, login.yahoo.com (3 fraudulent certificates), login.skype.com, addons.mozilla.org and global trustee.

Cybercriminals could use sophisticated techniques to lure users to visit websites using fraudulent certificates. As the sites appear legitimate to the users, they may enter the authentication details on the website, which could be extracted by the attackers. The fraudulent certificates could also be used to trick users to download files containing malware on their computer systems. The malware could be designed to extract confidential personal or business information. Attackers could use the fake certificates to spoof content or launch phishing attacks. Cyber education is crucial to combat growing security threats. Training sessions, seminars, online degree and e-learning programs could help in enlightening employees on Internet security issues and improve the IT security practices in organizations.

Computer forensics experts are investigating the case and the registration authority has been suspended pending investigation. The fraudulent certificates have been revoked. The certification authority has reported to the respective government authorities, browser vendors and domain owners regarding the issue of fraudulent SSL certificates.

Security breaches could be prevented by evaluating the IT infrastructure at frequent intervals through IT professionals qualified in penetration testing, security audit, masters of security science to identify and mitigate security flaws.

United States Computer Emergency Readiness Team (US-CERT) has also cautioned users against the fraudulent certificates Major browser vendors have updated their browsers to identify and block the fraudulent certificates. Mozilla has updated Firefox 3.5, 3.6 and 4.0 to block these certificates. Microsoft has released updates for Windows to address the issue. Internet users must install and regularly update anti-virus software in their computer systems. Regular adherence to security advisories and updates from developers would also help in preventing malicious attacks. Distance learning and online university degree programs could enable IT professionals to update their skill sets to combat the growing IT security threats.  IT administrators must keep track of the software updates and patch releases to secure the organizational networks and computer systems from intrusions and unauthorized access.

Contact Press

EC-Council
Website:  http://www.eccouncil.org
Email:  iclass@eccouncil.org
Tel:  505-341-3228

EC-Council University is based in Albuquerque, New Mexico and offers Master of Security Science (MSS) degree to students from various backgrounds such as graduates, IT Professionals, and military students amongst several others. The MSS is offered as a 100% online degree program and allows EC-Council University to reach students from not only the United States, but from all around the world.

EC-Council is a member-based organization that certifies individuals in cybersecurity and e-commerce skills. It is the owner and developer of 16 security certifications, including Certified Ethical Hacker (CEH), Computer Hacking Forensics Investigator (CHFI) and EC-Council Certified Security Analyst (ECSA)/License Penetration Tester (LPT). Its certificate programs are offered in over 60 countries around the world.

EC-Council has trained over 80,000 individuals and certified more than 30,000 members, through more than 450 training partners globally. These certifications are recognized worldwide and have received endorsements from various government agencies including the U.S. federal government via the Montgomery GI Bill, Department of Defense via DoD 8570.01-M, National Security Agency (NSA) and the Committee on National Security Systems (CNSS). EC-Council also operates the global series of Hacker Halted security conferences.

# # #

iClass is EC- Council's online training delivery platform. Students can attend live, or recorded training sessions for courses such as Certified Ethical Hacker (CEH), Certified Security Analyst (ECSA) or Computer Hacking Forensic Investigator (CHFI).