DigiNotar security incident goes from bad to worseby Steve Ragan - Sep 7 2011, 01:43
Dutch Certificate Authority (CA) DigiNotar has watched the situation surrounding the breach to their network go from bad to worse, as new reports estimate 300,000 Iranians were possibly compromised due problematic security within the company.
A security report compiled by Fox-IT, who is investigating the breach, outlined several instances of lackluster security on DigiNotar’s network, and noted that some 300,000 Iranians were exposed in the incident. Version 1 of the report can be read here.
In total, 531 fraudulent certificates were issued during the DigiNotar breach, including certificates for Google, Microsoft, MI6, the CIA, TOR, Mossad, Skype, Twitter, Facebook, Thawte, VeriSign, and Comodo.
“We found that the hackers were active for a longer period of time. They used both known hacker tools as well as software and scripts developed specifically for this task. Some of the software gives an amateurish impression, while some scripts, on the other hand, are very advanced. In at least one script, fingerprints from the hacker are left on purpose, which were also found in the Comodo breach investigation of March 2011,” the Fox-IT report stated.
The hacker who claimed responsibility for the Comodo breach earlier this year, known as ComodoHacker, confirmed over the holiday weekend that he was responsible for the DigiNotar attack as well. He did that by leaving his calling card on the servers, as well as claiming the attack in a public notice on Pastebin.
“I told all that I can do it again, I told all in interviews that I still have accesses in Comodo resellers, I told all I have access to most of CAs, you see that words now,” the hacker stated.
“I thought if I issue certs from Dutch Gov. CA, they'll lose a lot of money…But I remembered something and I hacked DigiNotar without more thinking in anniversary of that mistake. When Dutch government, exchanged 8000 Muslim for 30 Dutch soldiers and Animal Serbian soldiers killed 8000 Muslims in same day, Dutch government have to pay for it, nothing is changed, just 16 years has been passed.”
Based on previous bits of information offered as proof, in addition to the details discovered on the compromised servers, it would appear that DigiNotar was part of a larger scheme by the Iranian hacker.
The problems discovered on DigiNotar’s network are likely why ComodoHacker had little resistance when it came to the breach.
“The successful hack implies that the current network setup and / or procedures at DigiNotar are not sufficiently secure to prevent this kind of attack. The most critical servers contain malicious software that can normally be detected by anti-virus software. The separation of critical components was not functioning or was not in place. We have strong indications that the CA-servers, although physically very securely placed in a tempest proof environment, were accessible over the network from the management LAN,” the security report from Fox-IT noted.
“The network has been severely breached. All CA servers were members of one Windows domain, which made it possible to access them all using one obtained user/password combination. The password was not very strong (Pr0d@dm1n) and could easily be brute-forced. The software installed on the public web servers was outdated and not patched. No antivirus protection was present on the investigated servers. An intrusion prevention system is operational. It is not clear at the moment why it didn’t block some of the outside web server attacks. No secure central network logging is in place.”
Vasco, the authentication vendor who purchased DigiNotar recently, was quick to distance their products from the poor security at the CA.
“The integration of DigiNotar technology into VASCO’s products was planned for 2012. This means that all VASCO products in the market today are 100% DigiNotar-free. Your authentication project is safe with VASCO,” the company said in a statement.
In addition, the statement said that VASCO does not expect that the DigiNotar security incident will have a significant impact on the company’s future revenue or business plans.
Fox-IT said that the list of IP addresses will be handed over to Google so that they can inform users on the level of exposure caused by the breach.
“Google can inform their users that during this period their e-mail might have been intercepted. Not only the e-mail itself but also a login cookie could have been intercepted. Using this cookie the hacker is able to log in directly to the Gmail mailbox of the victim and also read the stored e-mails. Besides that, he is able to log in all other services Google offers to users like stored location information from Latitude or documents in GoogleDocs,” the report noted.
“Once the hacker is able to receive his targets’ e-mail he is also able to reset passwords of others services like Facebook and Twitter using the lost password button. The login cookie stays valid for a longer period. It would be wise for all users in Iran to at least logout and login but even better change passwords.”