DigiNotar, the Dutch Certificate Authority (CA) that suffered a massive security breach, resulting in nearly 300,000 Iranians being compromised, has filed for bankruptcy. The voluntary petition was granted on Tuesday by a court in The Netherlands.
DigiNotar filed for bankruptcy on Monday, less than 24-hours later the petition was approved. In a statement, DigiNotar’s parent company, Vasco, distanced itself from the security breach, promising to cooperate with the Dutch government during the bankruptcy proceedings.
“Although we are saddened by this action and the circumstances that necessitated it,” said T. Kendall Hunt, VASCO’s Chairman and CEO.
“…we plan to cooperate with the Trustee and the Judge to the fullest extent reasonably practicable to bring the affairs of DigiNotar to an appropriate conclusion for its employees and customers. We also plan to cooperate with the Dutch government in its investigation of the person or persons responsible for the attack on DigiNotar. ”
In total, 531 fraudulent certificates were issued during the DigiNotar breach, including certificates for Google, Microsoft, MI6, the CIA, TOR, Mossad, Skype, Twitter, Facebook, Thawte, VeriSign, and Comodo. A security report compiled by Fox-IT, who is investigating the breach, outlined several instances of lackluster security on DigiNotar’s network, and noted that some 300,000 Iranians were exposed in the incident.
“We found that the hackers were active for a longer period of time. They used both known hacker tools as well as software and scripts developed specifically for this task,” the report noted.
“The network has been severely breached. All CA servers were members of one Windows domain, which made it possible to access them all using one obtained user/password combination. The password was not very strong ([email protected]) and could easily be brute-forced. The software installed on the public web servers was outdated and not patched. No antivirus protection was present on the investigated servers...”
Despite the breach of trust, Vasco says they will return to CA business in the future. “We want to emphasize that the bankruptcy filing by DigiNotar, which was primarily a certificate authority, does not involve Vasco’s core two-factor authentication business,” said Jan Valcke, Vasco’s COO.
“While we do not plan to re-enter the certificate authority business in the near future, we expect that we will be able to integrate the PKI/identity verification technology acquired from DigiNotar into our core authentication platform.”
It is unknown if said PKI/identity verification technology was also compromised during the breach, though it is assumed that it wasn’t by many following the situation. After the breach made headlines, Microsoft, Mozilla, and Google revoked DigiNotar’s trusted status, pulling their root certificates from all of their products.
“The CA business is all about selling trust. After all, a CA is supposed to be a trusted third party. Let's hope all the remaining ones get the right message: it's not about not getting caught being hacked,” commented Swa Frantzen, of Section 66 – a security services firm in Belgium.
On the contrary, it's about doing the right thing once you have been hacked. Let's hope it leads to more transparency and public scrutiny of the CAs we trust explicitly or implicitly though the choice of some of our vendors.”