Misplaced Pages

DarkHotel

Article snapshot taken from Wikipedia with creative commons attribution-sharealike license. Give it a read and then ask your questions in the chat. We can research this topic together.

DarkHotel (or Darkhotel ) is a targeted spear-phishing spyware and malware -spreading campaign that appears to be selectively attacking business hotel visitors through the hotel's in-house WiFi network. It is characterized by Kaspersky Lab as an advanced persistent threat .

#269730

48-557: The attacks are specifically targeted at senior company executives, using forged digital certificates , generated by factoring the underlying weak public keys of real certificates, to convince victims that prompted software downloads are valid. Uploading malicious code to hotel servers, attackers are able to target specific users who are guests at luxury hotels primarily in Asia and the United States . Zetter (2014) explains that

96-428: A certificate authority (CA), usually a company that charges customers a fee to issue certificates for them. By contrast, in a web of trust scheme, individuals sign each other's keys directly, in a format that performs a similar function to a public key certificate. In case of key compromise, a certificate may need to be revoked . The most common format for public key certificates is defined by X.509 . Because X.509

144-455: A cryptographically authenticated statement of revocation. For distributing revocation information to clients, timeliness of the discovery of revocation (and hence the window for an attacker to exploit a compromised certificate) trades off against resource usage in querying revocation statuses and privacy concerns. If revocation information is unavailable (either due to accident or an attack), clients must decide whether to fail-hard and treat

192-410: A public key certificate , also known as a digital certificate or identity certificate , is an electronic document used to prove the validity of a public key . The certificate includes the public key and information about it, information about the identity of its owner (called the subject), and the digital signature of an entity that has verified the certificate's contents (called the issuer). If

240-554: A wildcard certificate . Once the certification path validation is successful, the client can establish an encrypted connection with the server. Internet-facing servers, such as public web servers , must obtain their certificates from a trusted, public certificate authority (CA). Client certificates authenticate the client connecting to a TLS service, for instance to provide access control. Because most services provide access to individuals, rather than devices, most client certificates contain an email address or personal name rather than

288-442: A certificate as if it is revoked (and so degrade availability ) or to fail-soft and treat it as unrevoked (and allow attackers to sidestep revocation). Due to the cost of revocation checks and the availability impact from potentially-unreliable remote services, Web browsers limit the revocation checks they will perform, and will fail-soft where they do. Certificate revocation lists are too bandwidth-costly for routine use, and

336-401: A certificate is not "flat" but contains these fields nested in various structures within the certificate. This is an example of a decoded SSL/TLS certificate retrieved from SSL.com's website. The issuer's common name (CN) is shown as SSL.com EV SSL Intermediate CA RSA R3 , identifying this as an Extended Validation (EV) certificate. Validated information about the website's owner (SSL Corp)

384-550: A domain and its subdomains). Such certificates are commonly called Subject Alternative Name (SAN) certificates or Unified Communications Certificates (UCC) . These certificates contain the Subject Alternative Name field, though many CAs also put them into the Subject Common Name field for backward compatibility. If some of the hostnames contain an asterisk (*), a certificate may also be called

432-457: A hostname. In addition, the certificate authority that issues the client certificate is usually the service provider to which client connects because it is the provider that needs to perform authentication. Some service providers even offer free SSL certificates as part of their packages. While most web browsers support client certificates, the most common form of authentication on the Internet

480-510: A label as a "partial wildcard" according to early specifications However, use of "partial-wildcard" certs is not recommended. As of 2011, partial wildcard support is optional, and is explicitly disallowed in SubjectAltName headers that are required for multi-name certificates. All major browsers have deliberately removed support for partial-wildcard certificates; they will result in a "SSL_ERROR_BAD_CERT_DOMAIN" error. Similarly, it

528-427: A network. These computer terminals were clients of the time-sharing mainframe computer . In one classification, client computers and devices are either thick clients , thin clients , or diskless nodes . A thick client , also known as a rich client or fat client , is a client that performs the bulk of any data processing operations itself, and does not necessarily rely on the server . The personal computer

SECTION 10

#1732802198270

576-483: A public certificate. During web browsing, this public certificate is served to any web browser that connects to the web site and proves to the web browser that the provider believes it has issued a certificate to the owner of the web site. As an example, when a user connects to https://www.example.com/ with their browser, if the browser does not give any certificate warning message, then the user can be theoretically sure that interacting with https://www.example.com/

624-439: A qualified trust service provider and signature creation device) are given the same power as a physical signature. In the X.509 trust model, a certificate authority (CA) is responsible for signing certificates. These certificates act as an introduction between two parties, which means that a CA acts as a trusted third party. A CA processes requests from people or organizations requesting certificates (called subscribers), verifies

672-432: A relatively small community, like a business, and are distributed by other mechanisms like Windows Group Policy . Certificate authorities are also responsible for maintaining up-to-date revocation information about certificates they have issued, indicating whether certificates are still valid. They provide this information through Online Certificate Status Protocol (OCSP) and/or Certificate Revocation Lists (CRLs). Some of

720-472: A self-signed certificate, called a root certificate , trust anchor , or trust root . A certificate authority self-signs a root certificate to be able to sign other certificates. An intermediate certificate has a similar purpose to the root certificate – its only use is to sign other certificates. However, an intermediate certificate is not self-signed. A root certificate or another intermediate certificate needs to sign it. An end-entity or leaf certificate

768-500: A signature that can be verified by its own public key. Self-signed certificates have their own limited uses. They have full trust value when the issuer and the sole user are the same entity. For example, the Encrypting File System on Microsoft Windows issues a self-signed certificate on behalf of the encrypting user and uses it to transparently decrypt data on the fly. The digital certificate chain of trust starts with

816-433: A single certificate for all main domains and subdomains and reduce cost. Because the wildcard only covers one level of subdomains (the asterisk doesn't match full stops), these domains would not be valid for the certificates: Note possible exceptions by CAs, for example wildcard-plus cert by DigiCert contains an automatic "Plus" property for the naked domain example.com . Only a single level of subdomain matching

864-484: A top-level domain is not allowed. Too general and should not be allowed. International domain names encoded in ASCII (A-label) are labels that are ASCII-encoded and begin with xn-- . URLs with international labels cannot contain wildcards. These are some of the most common fields in certificates. Most certificates contain a number of fields not listed here. Note that in terms of a certificate's X.509 representation,

912-410: A variety of clients, which vary on the chat protocol being used. Multiplayer video games or online video games may run as a client on each computer. The term "client" may also be applied to computers or devices that run the client software or users that use the client software. A client is part of a client–server model , which is still used today. Clients and servers may be computer programs run on

960-403: Is a common example of a fat client, because of its relatively large set of features and capabilities and its light reliance upon a server. For example, a computer running an art program (such as Krita or Sketchup ) that ultimately shares the result of its work on a network is a thick client. A computer that runs almost entirely as a standalone machine save to send or receive files via a network

1008-480: Is a username and password pair. Client certificates are more common in virtual private networks (VPN) and Remote Desktop Services , where they authenticate devices. In accordance with the S/MIME protocol, email certificates can both establish the message integrity and encrypt messages. To establish encrypted email communication, the communicating parties must have their digital certificates in advance. Each must send

SECTION 20

#1732802198270

1056-548: Is any certificate that cannot sign other certificates. For instance, TLS/SSL server and client certificates, email certificates, code signing certificates, and qualified certificates are all end-entity certificates. Subject Alternative Name (SAN) certificates are an extension to X.509 that allows various values to be associated with a security certificate using a subjectAltName field. These values are called Subject Alternative Names (SANs). Names include: RFC   2818 (May 2000) specifies Subject Alternative Names as

1104-406: Is by a standard called a workstation . A thin client is a minimal sort of client. Thin clients use the resources of the host computer. A thin client generally only presents processed data provided by an application server , which performs the bulk of any required data processing. A device using web application (such as Office Web Apps ) is a thin client. A diskless node is a mixture of

1152-417: Is called a Wildcard certificate. Through the use of * , a single certificate may be used for multiple sub-domains . It is commonly used for transport layer security in computer networking . For example, a single wildcard certificate for https://*.example.com will secure all these subdomains on the https://*.example.com domain: Instead of getting separate certificates for subdomains, you can use

1200-408: Is equivalent to interacting with the entity in contact with the email address listed in the public registrar under "example.com", even though that email address may not be displayed anywhere on the web site. No other surety of any kind is implied. Further, the relationship between the purchaser of the certificate, the operator of the web site, and the generator of the web site content may be tenuous and

1248-436: Is indicated with a set of trust bits in a root certificate storage system. A certificate may be revoked before it expires, which signals that it is no longer valid. Without revocation, an attacker would be able to exploit such a compromised or misissued certificate until expiry. Hence, revocation is an important part of a public key infrastructure . Revocation is performed by the issuing certificate authority , which produces

1296-590: Is located in the Subject field. The X509v3 Subject Alternative Name field contains a list of domain names covered by the certificate. The X509v3 Extended Key Usage and X509v3 Key Usage fields show all appropriate uses. In the European Union, (advanced) electronic signatures on legal documents are commonly performed using digital signatures with accompanying identity certificates. However, only qualified electronic signatures (which require using

1344-458: Is not guaranteed. At best, the certificate guarantees uniqueness of the web site, provided that the web site itself has not been compromised (hacked) or the certificate issuing process subverted. Client (computing) Client is a computer that gets information from another computer called server in the context of client–server model of computer networks . The server is often (but not always) on another computer system, in which case

1392-586: Is part of the open source Firefox web browser, so it is broadly used outside Firefox. For instance, while there is no common Linux Root Program, many Linux distributions, like Debian, include a package that periodically copies the contents of the Firefox trust list, which is then used by applications. Root programs generally provide a set of valid purposes with the certificates they include. For instance, some CAs may be considered trusted for issuing TLS server certificates, but not for code signing certificates. This

1440-572: Is particularly important in HTTPS, where a web site operator generally wants to get a certificate that is trusted by nearly all potential visitors to their web site. The policies and processes a provider uses to decide which certificate authorities their software should trust are called root programs. The most influential root programs are: Browsers other than Firefox generally use the operating system's facilities to decide which certificate authorities are trusted. So, for instance, Chrome on Windows trusts

1488-674: Is supported in accordance with RFC   2818 . It is not possible to get a wildcard for an Extended Validation Certificate . A workaround could be to add every virtual host name in the Subject Alternative Name (SAN) extension, the major problem being that the certificate needs to be reissued whenever a new virtual server is added. (See Transport Layer Security § Support for name-based virtual servers for more information.) Wildcards can be added as domains in multi-domain certificates or Unified Communications Certificates (UCC). In addition, wildcards themselves can have subjectAltName extensions, including other wildcards. For example,

DarkHotel - Misplaced Pages Continue

1536-406: Is typical for standard libraries in programming languages to not support "partial-wildcard" certificates. For example, any "partial-wildcard" certificate will not work with the latest versions of both Python and Go. Thus, Do not allow a label that consists entirely of just a wildcard unless it is the left-most label A cert with multiple wildcards in a name is not allowed. A cert with * plus

1584-400: Is typically a computer or other device, though TLS certificates may identify organizations or individuals in addition to their core role in identifying devices. TLS, sometimes called by its older name Secure Sockets Layer (SSL), is notable for being a part of HTTPS , a protocol for securely browsing the web . In a typical public-key infrastructure (PKI) scheme, the certificate issuer is

1632-527: Is very general, the format is further constrained by profiles defined for certain use cases, such as Public Key Infrastructure (X.509) as defined in RFC   5280 . The Transport Layer Security (TLS) protocol – as well as its outdated predecessor, the Secure Sockets Layer (SSL) protocol – ensures that the communication between a client computer and a server is secure. The protocol requires

1680-531: The Online Certificate Status Protocol presents connection latency and privacy issues. Other schemes have been proposed but have not yet been successfully deployed to enable fail-hard checking. The most common use of certificates is for HTTPS -based web sites. A web browser validates that an HTTPS web server is authentic, so that the user can feel secure that his/her interaction with the web site has no eavesdroppers and that

1728-637: The certificate authorities included in the Microsoft Root Program, while on macOS or iOS, Chrome trusts the certificate authorities in the Apple Root Program. Edge and Safari use their respective operating system trust stores as well, but each is only available on a single OS. Firefox uses the Mozilla Root Program trust store on all platforms. The Mozilla Root Program is operated publicly, and its certificate list

1776-496: The client accesses the service by way of a network. A client is a computer or a program that, as part of its operation, relies on sending a request to another program or a computer hardware or software that accesses a service made available by a server (which may or may not be located on another computer). For example, web browsers are clients that connect to web servers and retrieve web pages for display. Email clients retrieve email from mail servers . Online chat uses

1824-488: The device examining the certificate trusts the issuer and finds the signature to be a valid signature of that issuer, then it can use the included public key to communicate securely with the certificate's subject. In email encryption , code signing , and e-signature systems, a certificate's subject is typically a person or organization. However, in Transport Layer Security (TLS) a certificate's subject

1872-566: The group, dubbed DarkHotel or Tapaoux, has also been actively infecting users through spear-phishing and Peer-to-Peer networks since 2007 and using those attacks to load key logging and reverse engineering tools onto infected endpoints. Targets are aimed primarily at executives in investments and development, government agencies, defense industries, electronic manufacturers and energy policy makers. Many victims have been located in Korea , China , Russia and Japan . Once attackers are in

1920-449: The information, and potentially signs an end-entity certificate based on that information. To perform this role effectively, a CA needs to have one or more broadly trusted root certificates or intermediate certificates and the corresponding private keys. CAs may achieve this broad trust by having their root certificates included in popular software, or by obtaining a cross-signature from another CA delegating trust. Other CAs are trusted within

1968-414: The larger certificate authorities in the market include IdenTrust , DigiCert , and Sectigo . Some major software contain a list of certificate authorities that are trusted by default. This makes it easier for end-users to validate certificates, and easier for people or organizations that request certificates to know which certificate authorities can issue a certificate that will be broadly trusted. This

DarkHotel - Misplaced Pages Continue

2016-422: The other one digitally signed email and opt to import the sender's certificate. Some publicly trusted certificate authorities provide email certificates, but more commonly S/MIME is used when communicating within a given organization, and that organization runs its own CA, which is trusted by participants in that email system. A self-signed certificate is a certificate with a subject that matches its issuer, and

2064-661: The preferred method of adding DNS names to certificates, deprecating the previous method of putting DNS names in the commonName field. Google Chrome version 58 (March 2017) removed support for checking the commonName field at all, instead only looking at the SANs. As shown in the picture of Wikimedia's section on the right, the SAN field can contain wildcards. Not all vendors support or endorse mixing wildcards into SAN certificates. A public key certificate which uses an asterisk * (the wildcard ) in its domain name fragment

2112-505: The same machine and connect via inter-process communication techniques. Combined with Internet sockets , programs may connect to a service operating on a possibly remote system through the Internet protocol suite . Servers wait for potential clients to initiate connections that they may accept. The term was first applied to devices that were not capable of running their own stand-alone programs, but could interact with remote computers via

2160-493: The server to present a digital certificate, proving that it is the intended destination. The connecting client conducts certification path validation , ensuring that: The Subject field of the certificate must identify the primary hostname of the server as the Common Name . The hostname must be publicly accessible, not using private addresses or reserved domains . A certificate may be valid for multiple hostnames (e.g.,

2208-567: The victim's computer(s), sensitive information such as passwords and intellectual property are quickly stolen before attackers erase their tools in hopes of not getting caught in order to keep the high level victims from resetting all of the passwords for their accounts. In July 2017 Bitdefender published new research about Inexsmar, another version of the DarkHotel malware, which was used to target political figures instead of business targets. Digital certificate In cryptography ,

2256-404: The web site is who it claims to be. This security is important for electronic commerce . In practice, a web site operator obtains a certificate by applying to a certificate authority with a certificate signing request . The certificate request is an electronic document that contains the web site name, company information and the public key. The certificate provider signs the request, thus producing

2304-539: The wildcard certificate *.wikipedia.org has *.m.wikimedia.org as a Subject Alternative Name. Thus it secures www.wikipedia.org as well as the completely different website name meta.m.wikimedia.org . RFC   6125 argues against wildcard certificates on security grounds, in particular "partial wildcards". The wildcard applies only to one level of the domain name. *.example.com matches sub1.example.com but not example.com and not sub2.sub1.domain.com The wildcard may appear anywhere inside

#269730