
The Foundation of Internet Trust May Be Crumbling – DigiNotar Certificate Authority Breached

Google recently reported the possibility of a Man-In-The-Middle (MITM) attack using fraudulent SSL certificates issued by DigiNotar. The attack affected people logging into Google’s popular email services from Iran, and Google has responded by rejecting all the Certificate Authorities operated by DigiNotar. We now know that Google is not the only possible target of these bogus DigiNotar-issued certificates. Rather, DigiNotar’s certificate signing services, meant to create a foundation of trust, had been used maliciously to create many fraudulent SSL certificates. Given DigiNotar’s critical role as a certificate authority, how could this have happened? What does it mean for the perceived “trust” we’ve become accustomed to in our daily usage of the internet? Given the attackers’ success with DigiNotar, the Comodo incident back in March, and the use of digitally signed malware, this appears to be a growing trend. How can we stop this from happening again, and what can you as an internet-savvy user do to protect yourself?

The breach of DigiNotar BV has been confirmed through an Interim Report released by Fox IT on the fifth of September, as well as by a flurry of online activity by major Internet browsers. In the report titled “Operation Black Tulip”, Fox IT mentions previous penetration test results from an audit company DigiNotar BV regularly utilized stating “A number of servers were compromised. The hackers have obtained administrative rights to the outside webservers, the CA Server “Relaties-CA” and also to “Public-CA”. Traces of the hacker activity started on June 17th and ended on July 22nd.” According to the report, a total of 531 fraudulent certificates were issued by the attackers.

The report goes on to mention some other key dates and pieces of information:

  • 128 rogue certificates digitally signed by DigiNotar detected on July 19th, revoked immediately.
  • 129 rogue certificates digitally signed by DigiNotar detected on July 20th, revoked on the 21st.
  • No Date Given – DigiNotar implements detection mechanism for invalid serial numbers through OCSP.
  • July 29th, a *.google.com certificate that had not previously been detected was discovered, revoked immediately.
  • August 30th, Fox IT called in to investigate the incident, and provide mitigation strategies going forward.

According to all reports, the first public mention of this serious breach was not by DigiNotar BV, but rather by a user in Iran who was presented with a certificate warning when trying to access https://mail.google.com. His suspicion, along with that of other users, drew the attention of Google, which offered the first mitigation strategy and took action against DigiNotar BV by revoking all certificates signed by the CA. Several browser companies immediately followed suit, including Microsoft and Mozilla. Apple has remained tight-lipped on the issue, most likely because a bug in the Safari browser will not allow the DigiNotar certificates to be properly revoked.

Right now Google Chrome, IE and Mozilla Firefox have updated their Certificate Revocation Lists (CRLs) to blacklist the DigiNotar-signed certificates. Claims by ‘ComodoHacker’ to have access to four additional CAs have prompted GlobalSign to stop issuing certificates until they can verify that their infrastructure is secure. And lastly, the Dutch government has stepped in to take over DigiNotar’s operations, after Fox IT’s report stated that the official Dutch government CA, PKIoverheid, also run by DigiNotar, may also have been compromised.
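What “rejecting all certificates from a CA” means mechanically for a relying party is shown in the added Go program below (it is not code from the original post or from any browser vendor): a constructed rogue root issues a leaf for mail.example.com, and the identical leaf is accepted while that root sits in the client’s trust store and rejected once the store is rebuilt without it, while other roots stay trusted. All names and keys are constructed for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCert returns a self-signed root when parent is nil, otherwise a server leaf for cn signed by parent.
func newCert(cn string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true}
	if parent == nil { // root: the kind of certificate a browser trust store holds
		tmpl.IsCA, tmpl.KeyUsage = true, tmpl.KeyUsage|x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	} else { // leaf: what a server presents in the TLS handshake
		tmpl.DNSNames, tmpl.ExtKeyUsage = []string{cn}, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// Demo: a constructed rogue root issues a leaf for mail.example.com; the unchanged leaf
// passes while that root is trusted and fails once the store is rebuilt without it.
func Demo() (beforeDistrust, afterDistrust bool) {
	rogueCA, rogueKey := newCert("Constructed Rogue CA", nil, nil)
	legitCA, _ := newCert("Constructed Legitimate CA", nil, nil)
	leaf, _ := newCert("mail.example.com", rogueCA, rogueKey)
	opts := x509.VerifyOptions{DNSName: "mail.example.com", Roots: x509.NewCertPool()}
	opts.Roots.AddCert(legitCA)
	opts.Roots.AddCert(rogueCA) // the store still trusts the rogue root
	_, err := leaf.Verify(opts)
	beforeDistrust = err == nil
	opts.Roots = x509.NewCertPool() // distrust: rebuild with every root except the rogue one
	opts.Roots.AddCert(legitCA)
	_, err = leaf.Verify(opts)
	afterDistrust = err == nil
	return
}

func main() {
	b, a := Demo()
	fmt.Printf("accepted with rogue root: %v; after distrust: %v\n", b, a) // true; false
}
```

Note that nothing about the leaf or the server changed between the two checks; the only thing that moved was the client’s root store, which is why a browser update was the effective remedy.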

Still, while the investigation remains ongoing, there are many questions that need answers.

  • Why did DigiNotar BV not notify the proper authorities regarding this breach nearly a month ago?
  • If DigiNotar had notified browser makers immediately, would the follow on invasions of privacy in Iran have happened?
  • How on earth were their most valued and critical assets so readily available to the outside, and unpatched and outdated?
  • What requirements, policies, standards, and governance do Certificate Authorities need to adhere to in order to remain a trusted CA? For that matter, is there any governance?
  • SSL is the only real technology at this time meant to provide true data integrity and protection to its users on the Internet. What happens when we cannot count on the CAs to provide prompt and proper notification, so that we may remain protected? The fact remains that SSL relies on an imperfect trust relationship between Certificate Authorities. Moxie Marlinspike’s presentation from Black Hat 2011, SSL And The Future of Authenticity, details a more distributed alternative.

Okay, so now that you understand the scope of the problem and how bad this is, what can you do to protect yourself?

  • Make sure your browser is up to date
  • Utilize browsers that are taking the necessary steps to protect their users
  • Remain vigilant when browsing secured websites; if you suspect something is amiss, notify the site’s abuse or security department immediately with as many details as you can document

This and similar past events covered by Cyber Squared, where fraudulent certificate signing was involved, make one wonder if the foundation of Internet trust we have become accustomed to can be trusted in itself. Although scary, I hope that this serves as a wake-up call that CAs are targets for sophisticated cyber threats, and that there is currently a lack of policies, standards, and governance that the certificate authorities must adhere to in order to maintain their “trusted” status.


More Stories By Adam Vincent

Adam is an internationally renowned information security expert and is currently the CEO and a founder at Cyber Squared Inc. He possesses over a decade of experience in programming, network security, penetration testing, cryptography design & cryptanalysis, identity and access control, and a detailed expertise in information security. The culmination of this knowledge has led to the company’s creation of ThreatConnect™, the first-of-its-kind threat intelligence platform. He currently serves as an advisor to multiple security-focused organizations and has provided consultation to numerous businesses ranging from start-ups to governments, Fortune 500 organizations, and top financial institutions. Adam holds an MS in computer science with graduate certifications in computer security and information assurance from George Washington University. Vincent lives in Arlington, VA with his wife, two children, and dog.
