Debacle deepens for hacked SSL certificates issuer

Report indicates widespread compromise of DigiNotar's infrastructure and questions industry's response to breaches

The attack on DigiNotar, an issuer of SSL certificates, appears more serious than originally thought. A report by the company hired to analyze the breach raised its estimate of the number of fraudulently created certificates and found substantial security weaknesses in DigiNotar's infrastructure.

The report by Dutch security firm Fox-IT (PDF) found that at least 531 certificates had been fraudulently created by an intruder in DigiNotar's systems, up from last week's estimate of more than 270. The attacker gained administrative rights on the firm's domain controller, which governed all of DigiNotar's certificate infrastructure; the report called this a significant network weakness.

"All CA [certificate authority] servers were members of one Windows domain, which made it possible to access them all using one obtained user/password combination," the report stated. "The password was not very strong and could easily be brute-forced."

More than 300,000 unique IP addresses -- almost entirely from Iran -- checked the status of a fraudulent certificate issued for Google's domain. When a browser encounters a certificate, it can query the issuing CA's online revocation service (OCSP) to confirm the certificate has not been revoked, so DigiNotar's responder logs record which clients were presented with the rogue certificate. That nearly all of these checks came from Iran suggests that the nation's government may have been involved in the attack. The Dutch government is currently investigating that possibility.
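The figure above comes from analyzing OCSP responder logs: every client that asked DigiNotar whether the rogue certificate was still valid left its IP address behind. The following script is an added example, not code from the Fox-IT report or from DigiNotar, showing how a CA or incident responder would mine such logs for a serial number that is suddenly being checked by an unusual number of clients from one place. The log format, the serial numbers, the client addresses (taken from the RFC 5737 documentation ranges) and the prefix-to-origin table are all constructed for illustration; a real responder logs differently and a real analysis would use a GeoIP database.

```python
"""Flag certificate serials whose OCSP status checks are concentrated in one origin.

Added example (not from the Fox-IT report). Log format, serials, addresses and the
origin table below are constructed for illustration.
"""
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample lines in a hypothetical OCSP responder log format:
# "<timestamp> <client-ip> ocsp serial=<hex serial of the certificate being checked>"
# The serial 0A1B2C3D4E5F plays the role of a rogue certificate; 1F3A9C is an
# ordinary one. One client (.12) checks twice and one line is deliberately malformed.
SAMPLE_LOG = """\
2011-08-04T10:12:01Z 203.0.113.10 ocsp serial=0A1B2C3D4E5F
2011-08-04T10:12:03Z 203.0.113.11 ocsp serial=0A1B2C3D4E5F
2011-08-04T10:12:05Z 203.0.113.12 ocsp serial=0A1B2C3D4E5F
2011-08-04T10:12:06Z 203.0.113.12 ocsp serial=0A1B2C3D4E5F
2011-08-04T10:12:09Z 203.0.113.77 ocsp serial=0A1B2C3D4E5F
2011-08-04T10:13:00Z 198.51.100.8 ocsp serial=0A1B2C3D4E5F
2011-08-04T10:14:00Z 198.51.100.9 ocsp serial=1F3A9C
2011-08-04T10:14:02Z 192.0.2.4 ocsp serial=1F3A9C
this line is malformed and must be skipped by the parser
"""

# Assumed prefix-to-origin table standing in for a GeoIP lookup (constructed).
ORIGIN_BY_PREFIX = {
    ipaddress.ip_network("203.0.113.0/24"): "IR",
    ipaddress.ip_network("198.51.100.0/24"): "NL",
    ipaddress.ip_network("192.0.2.0/24"): "US",
}

LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) ocsp serial=(?P<serial>[0-9A-Fa-f]+)$"
)


def parse_ocsp_log(text):
    """Return (client_ip, serial) tuples; lines that do not match the format are skipped."""
    records = []
    for line in text.splitlines():
        match = LOG_LINE.match(line.strip())
        if match:
            records.append((match.group("ip"), match.group("serial").upper()))
    return records


def origin_of(ip):
    """Map a client address to an origin label via the assumed prefix table."""
    addr = ipaddress.ip_address(ip)
    for net, label in ORIGIN_BY_PREFIX.items():
        if addr in net:
            return label
    return "??"


def unique_clients_by_serial(records):
    """Group distinct client addresses by the serial they asked about."""
    clients = defaultdict(set)
    for ip, serial in records:
        clients[serial].add(ip)
    return clients


def flag_anomalous_serials(records, min_clients=5, max_share=0.75):
    """Return serials checked by at least min_clients distinct clients where a single
    origin accounts for more than max_share of them, with the supporting numbers."""
    flagged = {}
    for serial, ips in unique_clients_by_serial(records).items():
        if len(ips) < min_clients:
            continue
        origins = Counter(origin_of(ip) for ip in ips)
        label, count = origins.most_common(1)[0]
        share = count / len(ips)
        if share > max_share:
            flagged[serial] = {
                "unique_clients": len(ips),
                "dominant_origin": label,
                "share": round(share, 3),
            }
    return flagged


if __name__ == "__main__":
    for serial, info in flag_anomalous_serials(parse_ocsp_log(SAMPLE_LOG)).items():
        print(f"serial {serial}: {info['unique_clients']} distinct clients, "
              f"{info['share']:.0%} from {info['dominant_origin']}")
```

Thresholds are deliberately low so the constructed sample trips them; in production the baseline would be the responder's normal per-serial client count, and duplicate checks from the same address are collapsed first so that a single misbehaving client cannot inflate the count.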

The breach of DigiNotar and its aftermath have led security experts to question whether the SSL certificate infrastructure -- the certificate authorities that issue, and the clients that verify, the certificates used to secure online communications and transactions -- can respond to major security events. Major browser makers, including Google and Microsoft, have issued patches that distrust all certificates issued by DigiNotar. Yet the impact of the breach goes beyond browsers: fraudulent certificates were also issued for Microsoft's Windows Update mechanism and for Google's Android domain.

Add to that the uncertainty still surrounding the breach, and the industry will feel its effects for months, if not longer.

"With some 500 authorities out there globally, it's hard to believe DigiNotar is the only compromised CA out there," Roel Schouwenberg, senior researcher for security firm Kaspersky, said in a blog post. "DigiNotar will quite likely go out of business. This should serve as a very strong message for CAs to go public with any breach."

On Monday, the hacker who claimed responsibility for breaching certificate authority Comodo posted an online statement taking credit for the DigiNotar hack. While the timing -- a statement coming long after the attack and coinciding with the release of the Fox-IT report -- suggested mere braggadocio, details found by the security firm corroborated the hacker's claim. Specifically, a custom script intended to exfiltrate certificates also contained a message taunting DigiNotar.

"In the text, the hacker left his fingerprint: Janam Fadaye Rahbar," the report stated. "The same text was found in the Comodo hack in March of this year."

The Dutch government has taken over operations of the certificate authority, which is a subsidiary of security firm VASCO, after declaring the company's authentication infrastructure untrusted.

This story, "Debacle deepens for hacked SSL certificates issuer," was originally published at InfoWorld.com.