DigiNotar is a trusted authority. That means that they can issue certificates that allow websites offering secure, encrypted communications to prove that they are who they say they are. When you browse to your bank, your email provider or any other "secure" site, in the background these certificates are exchanged before encrypted communications can begin.

Your web browser contains a list of "root" authorities whose certificates are trusted by default.

If a web site presents a valid certificate and your browser is configured to trust the signing authority encrypted communications can begin, transparently to the end user. A valid certificate is one that matches the name of the site that is using it, that has an expiry date that has not yet been exceeded and critically is signed by a trusted authority. It is this last step that is normally difficult for those with malicious intent to overcome. DigiNotar's security was compromised and a large number of fraudulent certificates were issued for services such as Google mail and Windows update.

The implications of this breach are serious. If an attacker can set up a proxy server, between you and your "secure" destination, the malicious proxy can pose as the real secure site. It can present the right credentials and the attacker can decrypt and read all your content, before passing it on, transparently, to the real final destination, a classic man-in-the-middle attack.

In a normal situation where you are browsing the internet you can connect directly from your computer to your secure destination, you are not at a great deal of risk. If however all my traffic must pass through a proxy, either at my Internet Service Provider or at state level, which is the case in some more restrictive nations then the risk increases. The proxy can make use of fraudulent certificates and act as a man-in-the-middle. There is also a risk on public networks such as Wi-Fi hotspots, where again the hot-spot provider will often use a proxy. Alternatively, an attacker could infect your system with malware that configures your computer to pass all traffic through a proxy of the attacker's choice, wherever you are located.

For this to be effective the attacker would need to be able to install code on your system to make these changes. At least one of the fraudulent certificates allows "code signing" meaning it can be used to certify that a program is from a valid publisher so this possibility certainly exists in theory and the booming cybercrime economy is proof positive that the means to deliver code to infect PCs are abundant.

The breach at DigiNotar is significant for a number of reasons. As a CA, DigiNotar's entire business was built on a foundation of trust; they had a duty to ensure that the security and integrity of their systems was second-to-none. Certificates of this kind are used to secure the most sensitive of communications and allow online entities to assure their identities when dealing with customers. To say that these events and the earlier associated breach at Comodo have undermined trust in secure web transactions would certainly not be overstating the matter.

The failures were numerous:

• The first breaches were detected on the 19th July and yet hacker activity had been ongoing since June 17th. No public statement about fraudulent certificates was made until the press release of August 30th

• The fraudulent google.com certificate was generated on July 10th and was actively used in Iran until August 29th when it was finally revoked.

• According to the report by Fox-IT many basic failures in securing processes and infrastructure were apparent, single AD domains, weak passwords, no anti-malware installed, lack of effective separation of critical networks and outdated or unpatched software on public-facing web servers.

Trust in all certificates issued by DigiNotar was revoked by most major browser and operating system manufacturers and the consequences for DigiNotar as a company were fatal, within two weeks, they were declared bankrupt at an estimated cost to the parent company of $3.3 to $4.8 million (US), excluding costs that may be incurred as a result of any claims that may arise.

The industry and other Certificate Authorities will need to ask some difficult questions now.

When a relatively small group of organisations is trusted with assuring the identity of the rest of the web then an incident of this nature seriously undermines both public and professional confidence in the viability of the current system.

We should be promoting and enforcing regulatory standards for an industry of this level of importance. In much the same way that organisations who handle credit cards are required to conform to PCI standards; CAs should also conform to an audited minimum level of security. This would have eliminated many (hopefully all) of the failures listed above. By the same token there need to be standards set around rapid and effective disclosure in the event of a breach.

Looking to the future, I imagine we will move away from the model where a single client trusts a single CA and move more towards the model used by the backward compatible Convergence (http://convergence.io/details.html) which can be configured to require a consensus of trust from multiple "notaries" before a certificate is considered valid.

Consumerisation is much bigger than just enterprises having to manage their employees bringing their own devices into the network and it is not an issue that only surfaced in the last 12 months. At its core, consumerisation describes how innovation in information technology now emerges primarily in the home and how it is adopted (some would say invades) the world of work. The reasons for this shift can be accurately characterised in four words; expectation, visibility, utility and flexibility.

The internet is of course a regular part of everyday life now, everyone from six to sixty conducts a varying proportion of their life online. Large-scale, free-of-charge web mail services such as Excite (the original) Hotmail and Yahoo are almost 20 years old now; the same can be said of instant messaging. The social network has been with us in one form or another since the launch of AOL in 1989. The Application Service Provider (ASP) boom dates back to the dot com era, and computing hardware has been shrinking in size from day one.

The graduates of today and even of the past several years have grown up in an inter-connected world and their lives have evolved to fill all available space within that world. To expect a new hire to work without access to Web 2.0 is now no different than expecting them to work without access to more basic means of communication like telephones and simple email. In fact most of us could more easily function without the latter two than without the internet.

It's all about Visibility, Utility and Flexibility. The capabilities on offer, their attractiveness and scalability have been historically limited by cost. Whether that is the cost of the handset, the tablet or the bandwidth it has always been a barrier. This meant that the buying power to really make use of and importantly to control the use of these technologies, resided squarely with the enterprise.

 Recent technological innovations haven't just shifted the playing field; they have changed the game entirely. Data costs both for broadband and for 3G access have tumbled, unlimited use packages are now the norm. The advent of the iPhone turned device selection into a consumer driven choice and the success of Android has amplified that. The success of iPad has meant that the laptop is being relegated to the status of the desktop. Cloud services like Twitter, Facebook,  Google Apps, Amazon Web Services, Apple's new iCloud have pushed the collaboration  and communication platforms outside the corporate perimeter and into the hands of the user.

We increasingly expect our work environment to be available on-demand and visible from wherever we are, whatever the hardware we choose to use; in fact this is one of the key defining characteristics of Cloud. File sharing services, virtual server availability, social networks, blogs, wikis, instant messaging public hotspots, low cost mobile internet, high-performance hardware, collaboration environments all mean that external is the new internal. It is entirely possible, with a combination of these consumer services to be able to sit in your head office, never once connect to the corporate network and still have all you need and more to do your job effectively.

So when I access my corporate email from my 3G tablet using a web interface and use a public file sharing service to synchronise my files, when my laptop is left chained to my desk and my work life is mobile, when I use public social networks for professional networking and never connect to the VPN; did the enterprise just go blind?

A true consumerisation strategy needs to establish a means of managing any device that connects to corporate assets over public networks such as 3G. To rely on them periodically connecting to the enterprise network is no longer sufficient. It needs to be able to remotely differentiate the corporate from the personal content on user-owned devices in order not to overstep its bounds and it needs to recognise that consumerisation is about so much more than the device your employees chose to use. Access to information and services both internally and externally needs to be re-examined in the face of this crumbling perimeter.

First and foremost enterprises should acknowledge the reality that is already upon them and redesign outdated polices, practices and most critically, update training. As was pointed out in a study by the Economist Intelligence Unit, that was sponsored by Trend Micro back in 2009 "Much education, training and organisational experimentation is needed to ensure that greater technology freedom does not sap productivity or cause damage to the company. The sooner that firms begin to tackle this, the sooner the benefits of technology democracy will start to flow.

Online banking in the US still tends to rely on simple user name and password combinations. This is called "single factor authentication", based purely on "something you know" in this case, your password. In the rare cases where a confirmation number is required, this is often sent to the customer's email account, which is also easy for a criminal to compromise.

In Europe, two-factor authentication has been common for years - Germany and France were using two-factor authentication even in the days before the internet, for BTX and Minitel banking respectively. Two-factor authentication involves a user name and password, the "something you know"; as well as an additional piece of information, often based on "something you have". A third method is based on "something that you are", the biometric factor. Obviously rolling out biometrics in a financial institution is atypical because you need to make sure that every customer has access to some kind of biometric reader. So we're relying more on things like tokens and one-time passwords. This relies on methods such as a Transaction Authentication Number (TAN), a sheet of one-time use numbers sent regularly to each customer. Some banks will use a mobile TAN sent by SMS to the customer's mobile phone, some banks will send hardware tokens to all customers, which generate random codes and some offer card reading devices which require a PIN and then generate a confirmation code.  In most instances these codes are required whenever a customer is moving money around or making a payment.

Multifactor authentication is perceived by many as being the panacea, the thing that will resolves all the issues. The problem is that we're not authenticating the right thing. When using two-factor, or even a hundred factor authentication, the person demonstrates that they are who they say they are; by receiving an SMS, by using a password from a sheet of paper or some other means.  But it doesn't go any way towards ensuring the validity of any single transaction. We sit in front of our computers; we open a browser and connect to our banking website. We enter our user name, certain digits from our password and then our one-time code, and at that point we establish a secure tunnel between the client and the financial institution to carry out transactions in a privileged environment. 

Criminal malware has already developed to the point where it can sit inside the browser of the infected computer and intervene with any transactions that we make, even if it's in a secure tunnel. You may be telling your browser to tell your bank to transfer £500 to pay your bills, and you have to rely that your browser is going to relay that information intact to the bank. Of course, if a criminal controls the browser, he can modify that transaction and change it from £500 to £5,000, and designate the recipient to be a money-mule of his choice. When the bank sends the reply, the first person to see the reply is the criminal in the browser and again he can modify it so you see only what you expect. This is called a Man-in-the-browser attack. The majority of current banking malware is not engineered to overcome user authentication tokens, *yet*. Critically though some is such as Bebloh:  http://countermeasures.trendmicro.eu/sophisticated-banking-trojan-human-consequences.

As criminals begin to adopt this technology more widely then banks will have to update their risk assessment results and may have to reconsider their investments. 

Technology which successfully defends against this threat does exist but its commercial deployment is unfortunately not widespread. Banks have been over the last few years, completing their roll-out of multi-factor authentication technologies. For the most part these technologies have been aimed at authenticating the user, ensuring that they are an authorised account holder by proving ownership of the token and knowledge of the password. A minority of banks have taken this further and issued all their holders with a chip and PIN card reader aimed not only at authenticating the user but at verifying each individual transaction. Systems of transaction verification ensure that man-in-the-browser attacks cannot succeed. If any critical details relating to the payment (such as amount or beneficiary) are modified by a third party, then the verification code, generated by the chip & PIN device is longer valid and the transaction will fail. Simple user authentication systems do not have the same logical relationship to the transaction in question and as such cannot act as an effective digital signature, as they cannot certify the integrity of the information being transmitted.

No current malware is capable of overcoming transaction verification technology properly implemented, and any stolen account details from a customer of a bank using such a system would also be worthless to criminals as they could not initiate any new transactions without the reader. 

The message to CIOs and security officers of financial institutions is clear: Implement transaction verification technology in order to protect against fraud, instead of relying on simple user authentication, however numerous the factors. Banking and financial transactions in general, are increasingly mobile, increasingly moving to the cloud and criminal ingenuity is relentless in its pursuit of the money. Man-in-the-browser attacks and even banking malware for smartphones are already established realities, an effective layered defence, including mobile device protection, browser lockdown technologies, whitelisting, anti-malware and effective authentication and verification all have their place.