Security Firm Updates Key Leak

Wednesday, July 11, 2012 @ 03:07 PM gHale

Network security firm Cyberoam updated all its Deep Packet Inspection (DPI) devices after a decrypted version of the company’s universal private key leaked.

The hotfix went out after someone anonymously posted an apparent master private key for all of Woburn, MA-based Cyberoam’s devices on the Tor blog Sunday.

In the blog entry, the network described a security vulnerability in Cyberoam’s devices. The post, penned by Runa Sandvik, a security researcher and developer with the network, described how Cyberoam’s DPI services were insecure and could allow third-party access.

The clash began after a Tor user in Jordan was denied access to the company’s site. Tor’s researchers said another Cyberoam device was intercepting the user’s Internet connection, which in turn was triggering a fake certificate from the company. Further research by Tor revealed all Cyberoam devices shared the same CA certificate, which made it possible for anyone to intercept traffic passing through any of the company’s devices using any of the company’s devices.

Cyberoam responded with a blog post of its own, saying that while all of its devices used the same specialized CA certificate, the company’s Unified Threat Management (UTM) tool doesn’t store HTTPS Deep Scan Inspection data since processing occurs in real time. This, according to the firm, quashed any possibility of “data interception between any two Cyberoam appliances.”

Cyberoam went on to clarify that its devices disallow the export of private keys for SSL-bridging technology and that its devices are not a “mass surveillance device” but a “network malware protection device.”

After the update, each Cyberoam product will have a new, unique key generated.

While claiming in its blog post that it understands the “critical nature” of the issue at hand, Cyberoam still feels Tor is singling it out and that there are other companies that also use a universal CA for their devices. These companies, much like Cyberoam before its update, only put their devices at risk “when providing a HTTPS deep scan.”

This is just the latest warning related to insecure PKI (public key infrastructure) implementations. Earlier security compromises plagued Comodo and forced Dutch certificate authority DigiNotar out of business. In March last year, attacks on Comodo, Inc. compromised the SSL certificates of sites like Google, Yahoo and Skype, while in August the now-defunct Dutch CA DigiNotar issued a bogus certificate for Google.
