The Tech Herald

After a massive security breach - DigiNotar files for bankruptcy

by Steve Ragan - Sep 20 2011, 16:55

DigiNotar, the Dutch Certificate Authority (CA) that suffered a massive security breach, resulting in nearly 300,000 Iranians being compromised, has filed for bankruptcy. The voluntary petition was granted on Tuesday by a court in The Netherlands.

DigiNotar filed for bankruptcy on Monday, less than 24-hours later the petition was approved. In a statement, DigiNotar’s parent company, Vasco, distanced itself from the security breach, promising to cooperate with the Dutch government during the bankruptcy proceedings.

“Although we are saddened by this action and the circumstances that necessitated it,” said T. Kendall Hunt, VASCO’s Chairman and CEO.

“…we plan to cooperate with the Trustee and the Judge to the fullest extent reasonably practicable to bring the affairs of DigiNotar to an appropriate conclusion for its employees and customers. We also plan to cooperate with the Dutch government in its investigation of the person or persons responsible for the attack on DigiNotar. ”

In total, 531 fraudulent certificates were issued during the DigiNotar breach, including certificates for Google, Microsoft, MI6, the CIA, TOR, Mossad, Skype, Twitter, Facebook, Thawte, VeriSign, and Comodo. A security report compiled by Fox-IT, who is investigating the breach, outlined several instances of lackluster security on DigiNotar’s network, and noted that some 300,000 Iranians were exposed in the incident.

“We found that the hackers were active for a longer period of time. They used both known hacker tools as well as software and scripts developed specifically for this task,” the report noted.

“The network has been severely breached. All CA servers were members of one Windows domain, which made it possible to access them all using one obtained user/password combination. The password was not very strong (Pr0d@dm1n) and could easily be brute-forced. The software installed on the public web servers was outdated and not patched. No antivirus protection was present on the investigated servers...”

Despite the breach of trust, Vasco says they will return to CA business in the future. “We want to emphasize that the bankruptcy filing by DigiNotar, which was primarily a certificate authority, does not involve Vasco’s core two-factor authentication business,” said Jan Valcke, Vasco’s COO.

“While we do not plan to re-enter the certificate authority business in the near future, we expect that we will be able to integrate the PKI/identity verification technology acquired from DigiNotar into our core authentication platform.”

It is unknown if said PKI/identity verification technology was also compromised during the breach, though it is assumed that it wasn’t by many following the situation. After the breach made headlines, Microsoft, Mozilla, and Google revoked DigiNotar’s trusted status, pulling their root certificates from all of their products.

“The CA business is all about selling trust. After all, a CA is supposed to be a trusted third party. Let's hope all the remaining ones get the right message: it's not about not getting caught being hacked,” commented Swa Frantzen, of Section 66 – a security services firm in Belgium.

On the contrary, it's about doing the right thing once you have been hacked. Let's hope it leads to more transparency and public scrutiny of the CAs we trust explicitly or implicitly though the choice of some of our vendors.”

Around the Web

Comment on this Story

comments powered by Disqus

From Autosaur.com

300 Miles From One Gallon And No, That’s Not A Typo

Imagine you’re in a bar and a guy walks up and asks if you’d be interested in buying a car t...

2015 Nissan Pathfinder Prices and Specs

Nissan has announced pricing and specs for the 2015 Nissan Pathfinder. The SUV, which is on ...

Miami ePrix Circuit Revealed

The FIA Formula E Championship has revealed the layout for the Miami ePrix circuit. Formula ...

Two DeLoreans And A Replica Jaguar C Type On Scottish Classic Car Run

The Kirkintilloch & District Classic Vehicle Club’s annual run to Glencoe in Scotland is...

NBA All-Star LeBron James Teams with Kia

NBA All-Star LeBron James has signed a deal with Kia to be the company’s first luxury ambass...