DHS Notifies Web Users About Fake Sites

The Homeland Security Department now is warning Americans about fake websites that steal personal information, in the wake of a data breach at a site authentication service that reportedly ground Dutch e-government services to a halt last week.

Google, Apple, Microsoft and DigiD, a website that allows the Dutch to file taxes and conduct other governmental transactions, all have moved to block certificates from DigiNotar, an American-owned firm located in the Netherlands.

The company has acknowledged that in July intruders believed to be from Iran stole data that DigiD and DigiNotar's other customers depend on to verify that website visitors have arrived at a credible website. Pilfered digital certificates facilitate man-in-the-middle attacks in which cyberspies and identity thieves authenticate bogus sites to dupe visitors who think they are at a legit site into entering their personal information.

The DHS-led U.S. Computer Emergency Readiness Team issued an incident report Friday afternoon that said the fraudulent DigiNotar certificates "could be used by an attacker to masquerade as legitimate sites."

The notice details steps being taken by browser makers Mozilla, Microsoft, Google and Apple to address the problem. Most measures require Internet users and system administrators to apply updates. Adobe has yet to release an update but plans to offer one that will remove the certificates. For now, "Adobe has released a blog entry containing a work-around for Adobe Reader and Acrobat 9, and Adobe Reader and Acrobat X," the US-CERT notice states.

"The results and repercussions of the Dutch investigation [into the hack] could shape the future of online commerce and government sites, and the regulation that covers them, as more and more government administrations switch from paper to online," the European edition of the Wall Street Journal remarked recently.

The paper quoted a spokesman for Neelie Kroes, the European Union's digital agenda commissioner, as saying the Dutch case "is a huge deal" and the hack "illustrates the risks and the challenges of e-government and online commerce, and the European Commission is working on a coherent European response to meet these challenges."

Last week, Dutch Justice Minister Piet Hein Donner "advised citizens worried about the security of their communications with the government to return to pen and paper," the Journal reported.

The U.S. government has contracted with VeriSign, an established Web authentication firm, to help agencies install an add-on that verifies their Web addresses are the real deal. But only 23 percent of federal sites have incorporated the mandatory security measure, U.S. officials said recently.
