DigiNotar Certificate Authority Breach Crashes e-Government in the Netherlands
POSTED BY: ROBERT CHARETTE / FRI, SEPTEMBER 09, 2011
When DigiNotar, the Dutch certificate authority (CA) company which is a wholly-owned subsidiary of VASCO Data Security International, Inc., announced on the 30th of August that it had been breached "which resulted in the fraudulent issuance of public key certificate requests for a number of domains," the general feeling in the IT security community was one of, "Oh, oh, here we go again."
Last March, you may remember, the Italian partners (registration authorities) of the certificate authority company Comodo (namely GlobalTrust.it and InstantSSL.it) were hacked and nine Secure Sockets Layer (SSL) encryption certificates fraudulently issued for Google, Microsoft, Skype, and Yahoo, among others. SSL encryption certificates are meant, to quote from VeriSign, the first company to issue SSL's in 1995, to help "... assure customers that they are safe from search to browse to buy and sign-in. When customers see the VeriSign Trust(tm) Seal, they know they can trust the link, trust the site, and trust the transaction."
The attack on DigiNotar was detected on the 19th of July the company said in its press release, and it also reported that it had revoked the fraudulent certificates that were issued. Its press release did not say how many certificates had been issued, however, only that one involved Google. However, one certificate was apparently overlooked during the detection process and that one only came to light when the Dutch government informed DigiNotar. But not to worry, government sites were not at risk of being compromised, DigiNotar claimed.
Fingers were pointed at the government of Iran as being the source of the attack, since it looked like the fake Google certificate was being used to spy on Iranian Gmail accounts.
The press release tried to sound upbeat, with VASCO stating that it "... expects the impact of the breach of DigiNotar's SSL and EVSSL [Extended Validation SSL] business to be minimal." A Dutch IT security company - Fox-IT BV - was hired to conduct an investigation into the incident, which came to be called internally, "Operation Black Tulip."
However, almost immediately after the public announcement of the breach, it became clear that the attack on DigiNotar might be worse than what the company was letting on. A story appearing in ComputerWorld soon after DigiNotar's announcement indicated that the fraudulent Google certificate was issued on July 10, over a week before DigiNotar said it had first detected the breach. In addition, a DigiNotar spokesperson admitted to ComputerWorld that "several dozen" certificates had been faked, not just a small number as it previously implied.
By the 3rd of September, it was becoming clear that the IT security situation caused by the breach was indeed becoming dire for some. For on that day, reported the AP, the Dutch government announced that because of the breach, "it could not guarantee the security of its own Web sites." In addition, the government said it was taking over DigiNotar's operations, a move the company did not fight against.
The AP story (at the New York Times) quoted the Dutch Interior Minister Piet Hein Donner as saying that visitors to Dutch government web sites could not be sure that "that he is on the site where he wanted to be."
Press speculation continued that the hack attack was the work of the Iranian government.
Then on the 4th of September, the news turned even more ominous. A story in ComputerWorld said that the "several dozen" faked certificates actually numbered more than 500 and included ones for "intelligence services like the CIA, the U.K.'s MI6 and Israel's Mossad." This news caused Google, Microsoft, Mozilla, etc. to move to "untrust" any and all certificates that had been issued by DigiNotar. News also surfaced, said ComputerWorld, that DigiNotar may have been compromised as early as May 2009.
For all intents and purposes, DigiNotar's CA operation was now out of business. So much for VASCO's claim of the breach having little material impact on DigiNotar's business.
On the 5th of September, DigiNotar released an interim report by Fox-IT on its investigation into the Operation Black Tulip attack. The report (PDF) is not pretty reading (an overview of the report can be found in this ComputerWorld article). Traces of the attack could be found as early as the 17th of June, it stated, meaning that it had gone undetected for more than a month. Further, a total of 531 fraudulent certificates were issued for 344 domain names. In addition, it appeared that some 300,000 Gmail accounts - mostly in Iran - had been compromised.
Moreover, DigiNotar's IT security was woefully deficient for its trusted role as a CA. The report said:
"The most critical servers contain malicious software that can normally be detected by anti-virus software. The separation of critical components was not functioning or was not in place. We have strong indications that the CA-servers, although physically very securely placed in a tempest proof environment, were accessible over the network from the management LAN."
"The network has been severely breached. All CA servers were members of one Windows domain, which made it possible to access them all using one obtained user/password combination. The password was not very strong and could easily be brute-forced."
"The software installed on the public web servers was outdated and not patched."
"No antivirus protection was present on the investigated servers."
"An intrusion prevention system is operational. It is not clear at the moment why it didn't block some of the outside web server attacks. No secure central network logging is in place."
The Fox-IT report declined, for obvious reasons, to describe exactly how the attack successfully penetrated DigiNotar.
The news that 300,000 Iranian email accounts had been compromised reinforced the idea that the attack was government-sponsored, and primarily aimed at spying on Iranian dissidents.
On the 6th of September, the AP ran a story that reported Dutch prosecutors were investigating DigiNotar for possible criminal negligence because it was slow to disclose the breach. A New York Times article on the same day reported that the Dutch data protection agency, OPTA, had asked DigiNotar to investigate whether Dutch taxpayer information had been compromised.
A very interesting Wall Street Journal story on the 7th of September talked about how the Dutch government was telling its 17 million citizens basically to return to the use of pen and paper when dealing with the government until the situation could be fully resolved!
Also on the 6th of September, word was filtering out that the Iranian "Comodo hacker" was claiming responsibility for the DigiNotar hack as well. According to this story in PCWorld, the hacker - who says he is 21 - attacked DigiNotar "... in order to punish the Dutch government for the actions of its soldiers in Srebrenica, where 8,000 Muslims were killed by Serbian forces in 1995 during the Bosnian War."
The hacker also said that he succeeded in penetrating GlobalSign - another CA - and three others. A ComputerWorld story said that GlobalSign was going to investigate the claim and for now, stop issuing SSL certificates.
Yesterday, a ComputerWorld story said that the hacker is now threatening to unleash attacks against US, European and Israeli web sites. He also is threatening to publish a "how to" guide on hacking CA's or other high value targets for others in the hacking community. And a ComputerWorld story today reports the hacker claiming that he can exploit Windows Update, although Microsoft says that it's not possible.
At the very least, the attacks against Comodo and now DigiNotar and possibly GlobalSign and several others demonstrates that at least some CA authorities are not nearly as secure as was generally believed.
In fact, Mozilla, the Register reported yesterday, has told the 54 CA's with root certificates in its Network Security Services to check for intrusions or compromises and make sure their IT security is solid, and report back to it by the 16th of September. While it isn't making any direct threats to those that don't do what it asks, Mozilla has said it will "take whatever steps are necessary to keep our users safe."
While Mozilla's actions are yet being publicly followed by Google, Microsoft, etc., I suspect behind the scenes they are exerting their own pressure on CA's to tighten up their security. I wouldn't be surprised to see lawsuits filed against DigiNotar in the near future, either.
The attack also shows what can happen when the trust in the Internet is severely undercut as has happened in the Netherlands.
I'll post updated information on this story as it emerges, especially on the situation in the Netherlands.
Fun stuff to read, tell and watch:
Now FREE to watch all 91 minutes: "Defamation," from Israeli filmmaker Yoav Shamir. LINK: http://tinyurl.com/3rvhdvc
Some of His Best Friends Are Jewish: The Saga of a Holocaust Revisionist By Nathaniel Popper. Link: http://tinyurl.com/3v6m88c
...an Israeli lawyer has filed a class-action lawsuit against former President Jimmy Carter, seeking $5 million in damages because his book "Palestine: Peace Not Apartheid" allegedly defamed Israel. Link: http://tinyurl.com/3pltqg2
"...when you have laws against questioning the Holocaust narrative, you are screaming at the other person to stop thinking!!!" ---Mike Santomauro. *Anthony Lawson's Holocaust Video "were the Germans so stupid"... Link: http://tinyurl.com/44nsrco
An anti-Semite condemns people for being Jews, I am not an anti-Semite.--Mike Santomauro. Link: http://tinyurl.com/42z9p8o
Start reading DEBATING THE HOLOCAUST in under a minute: http://tinyurl.com/3f8h874
Call anytime: 917-974-6367
Messages in this topic (1)