China Could Be Exploiting Internet Security Process to Steal Data, Cyber Experts Warn

/in


To access data from unsuspecting users, the Chinese Communist Party (CCP) could be exploiting a universal authentication process that’s thought to be secure, but in reality may not be, cybersecurity experts have warned.

While encryption remains the preferred method to secure digital data and protect computers, in some cases, the very digital certificates used for authentication on the internet are allowing the Chinese regime to infiltrate various computer networks and wreak havoc, they said.

Bodies around the world, known as “certificate authorities” (CA), issue digital certificates that verify a digital entity’s identity on the internet.

A digital certificate can be compared to a passport or a driver’s license, according to Andrew Jenkinson, CEO of cybersecurity firm Cybersec Innovation Partners (CIP) and author of the book “Stuxnet to Sunburst: 20 Years of Digital Exploitation and Cyberwarfare.”

“Without it, the person or device they are using cannot be according to industry standards, and vital data encryption could be bypassed, leaving what was assumed to be encrypted in plain text form,” Jenkinson told The Epoch Times.

Through cryptography, digital certificates are used to encrypt internal and external communications that prevent a hacker, for example, from intercepting and stealing data. But invalid or “rogue certificates” can manipulate the entire encryption process, and as a result, “millions of users have been given a false sense of security,” Jenkinson said.

Layers of False Trust

Michael Duren, executive vice president of cybersecurity firm Global Cyber Risk LLC, said that digital certificates are typically issued by trusted CAs, and equal levels of trust are then passed on to intermediate providers. However, there are opportunities for a communist entity, a bad actor, or another untrustworthy entity to issue certificates to other “nefarious folks” that would appear to be trustworthy but aren’t, he said.

“When a certificate is issued from a trusted entity, it’s going to be trusted,” Duren said. “But what the issuer could actually be doing is passing that trust down to someone that shouldn’t be trusted.”

Duren said he…

Source…