
The Foundation of Internet Trust May Be Crumbling – DigiNotar Certificate Authority Breached

Google recently reported the possibility of a Man-In-The-Middle (MITM) attack using fraudulent SSL certificates issued by DigiNotar. The attack affected people logging into Google’s popular email services from Iran, and Google has responded by rejecting all the Certificate Authorities operated by DigiNotar. We now know that Google is not the only possible target of these bogus DigiNotar-issued certificates. Rather, DigiNotar’s certificate signing services, used to create a foundation of trust, had been used maliciously to create many fraudulent SSL certificates. Given DigiNotar’s critical role as a certificate authority, how could this have happened? What does it mean for the perceived “trust” we’ve become accustomed to in our daily usage of the internet? Given the attackers’ success with DigiNotar, the Comodo incident back in March, and the use of digitally signed malware, this appears to be a growing trend. How can we stop this from happening again, and what can you as an internet-savvy user do to protect yourself?

The breach of DigiNotar BV has been confirmed through an Interim Report released by Fox IT on the fifth of September, as well as by a flurry of online activity by major Internet browsers. In the report titled “Operation Black Tulip”, Fox IT mentions previous penetration test results from an audit company that DigiNotar BV regularly used, stating “A number of servers were compromised. The hackers have obtained administrative rights to the outside webservers, the CA Server “Relaties-CA” and also to “Public-CA”. Traces of the hacker activity started on June 17th and ended on July 22nd.” According to the report, a total of 531 fraudulent certificates were issued by the attackers.

The report goes on to mention some other key dates and pieces of information:

  • 128 rogue certificates digitally signed by DigiNotar were detected on July 19th and revoked immediately.
  • 129 rogue certificates digitally signed by DigiNotar were detected on July 20th and revoked on the 21st.
  • No date given: DigiNotar implements a detection mechanism for invalid serial numbers through OCSP, flagging status requests for serials the CA has no record of issuing.
  • July 29th: a *.google.com certificate was discovered that had not previously been detected; it was revoked immediately.
  • August 30th: Fox IT was called in to investigate the incident and provide mitigation strategies going forward.
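The OCSP-based detection mentioned above works because every client that validates a certificate asks the issuing CA’s responder about that certificate’s serial number, so a serial the CA never issued shows up in the responder’s logs as soon as the rogue certificate is used. The following Go program is an added illustration written for this post, not DigiNotar’s or Fox IT’s code; the log format (`timestamp serial=<hex> client=<addr>`), the sample log lines, the serial numbers and the client addresses are all constructed for the example.

```go
package main

import (
	"fmt"
	"math/big"
	"sort"
	"strings"
)

// ocspLog is a constructed sample of OCSP request log lines in a hypothetical
// "timestamp serial=<hex> client=<addr>" format (addresses from RFC 5737 test
// ranges). It is not a real CA log.
const ocspLog = `2011-07-29T10:12:03Z serial=0x1a2b3c client=192.0.2.10
2011-07-29T10:12:07Z serial=0x7f00aa client=198.51.100.23
2011-07-29T10:12:09Z serial=0x1A2B3D client=192.0.2.11
2011-07-29T10:12:15Z serial=0x7f00aa client=198.51.100.24
2011-07-29T10:12:20Z serial=0x7F00AB client=203.0.113.5
malformed line without a serial field`

// Finding records one serial number that clients asked about but the CA never
// issued, together with how often and from where it was seen.
type Finding struct {
	Serial  string // canonical lowercase hex, no 0x prefix
	Hits    int
	Clients []string
}

// normalizeSerial parses a serial in any form big.Int accepts with base 0
// ("0x1A2B", "6699", ...) and returns canonical lowercase hex, so the same
// certificate cannot slip past the check by being written differently.
func normalizeSerial(s string) (string, bool) {
	n, ok := new(big.Int).SetString(s, 0)
	if !ok || n.Sign() < 0 {
		return "", false
	}
	return n.Text(16), true
}

// IssuedSet builds the lookup table from the CA's issuance records
// (constructed sample serials in main below).
func IssuedSet(serials []string) map[string]bool {
	issued := make(map[string]bool, len(serials))
	for _, s := range serials {
		if canon, ok := normalizeSerial(s); ok {
			issued[canon] = true
		}
	}
	return issued
}

// DetectUnknownSerials scans OCSP request lines and returns every serial that
// is absent from the issuance database, keyed by canonical serial. A
// certificate the CA has no record of, yet which clients are actively
// validating, is a strong indicator of fraudulent issuance.
func DetectUnknownSerials(log string, issued map[string]bool) map[string]*Finding {
	findings := make(map[string]*Finding)
	for _, line := range strings.Split(log, "\n") {
		var serial, client string
		for _, field := range strings.Fields(line) {
			switch {
			case strings.HasPrefix(field, "serial="):
				serial = strings.TrimPrefix(field, "serial=")
			case strings.HasPrefix(field, "client="):
				client = strings.TrimPrefix(field, "client=")
			}
		}
		canon, ok := normalizeSerial(serial)
		if !ok || issued[canon] {
			continue // malformed line, or a legitimately issued certificate
		}
		f := findings[canon]
		if f == nil {
			f = &Finding{Serial: canon}
			findings[canon] = f
		}
		f.Hits++
		f.Clients = append(f.Clients, client)
	}
	return findings
}

func main() {
	// Constructed issuance database: the only serials this CA ever signed.
	issued := IssuedSet([]string{"0x1a2b3c", "0x1A2B3D", "0x1a2b3e"})
	findings := DetectUnknownSerials(ocspLog, issued)
	keys := make([]string, 0, len(findings))
	for k := range findings {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	for _, k := range keys {
		f := findings[k]
		fmt.Printf("ALERT unknown serial %s: %d request(s) from %v\n", f.Serial, f.Hits, f.Clients)
	}
}
```

Run as-is it reports two unknown serials (`7f00aa` queried twice, `7f00ab` once) and stays silent about the three issued ones. The serial normalization matters in practice: a responder that compares raw strings would treat `0x1A2B3D` and `0x1a2b3d` as different certificates and could miss, or double-count, a rogue one.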

According to all reports, the first public mention of this serious breach was not by DigiNotar BV, but rather by a user in Iran who was presented with a certificate warning when trying to access https://mail.google.com. His suspicion, along with that of other users, drew the attention of Google, which offered the first mitigation strategy and took action against DigiNotar BV by revoking all certificates signed by the CA. Several browser companies immediately followed suit, including Microsoft and Mozilla. Apple has remained tight-lipped on the issue, most likely because a bug in the Safari browser will not allow the DigiNotar certificates to be properly revoked.

Right now Google Chrome, IE and Mozilla Firefox have updated their Certificate Revocation Lists (CRLs) to blacklist the DigiNotar-signed certificates. Claims by ‘ComodoHacker’ to have access to four additional CAs have prompted GlobalSign to stop issuing certificates until it can verify that its infrastructure is secure. And lastly, the Dutch government has stepped in to take over DigiNotar’s operations, after Fox IT’s report stated that the official Dutch government CA, PKIoverheid, also run by DigiNotar, may also have been compromised.

Still, while the investigation remains ongoing, there are many questions that need answers.

  • Why did DigiNotar BV not notify the proper authorities regarding this breach nearly a month ago?
  • If DigiNotar had notified browser makers immediately, would the follow-on invasions of privacy in Iran have happened?
  • How on earth were their most valued and critical assets so readily available to the outside, and unpatched and outdated?
  • What requirements, policies, standards, and governance do Certificate Authorities need to adhere to in order to remain a trusted CA? For that matter, is there any governance?
  • SSL is the only real technology at this time meant to provide true data integrity and protection to its users on the Internet. What happens when we cannot count on the CAs to provide prompt and proper notification, so that we may remain protected? The fact remains that SSL relies on an imperfect trust relationship between Certificate Authorities. Moxie Marlinspike’s presentation from Black Hat 2011, SSL And The Future of Authenticity, details a more distributed alternative.

Okay, so now that you understand the scope of the problem and how bad this is, what can you do to protect yourself?

  • Make sure your browser is up to date
  • Utilize browsers that are taking the necessary steps to protect their users
  • Remain vigilant when browsing secured websites; if you suspect something is amiss, notify the site’s abuse or security department immediately with as many details as you can document

This and similar past events covered by Cyber Squared where fraudulent certificate signing was involved make one wonder whether the foundation of Internet trust we have become accustomed to can itself be trusted. Although scary, I hope that this serves as a wake-up call that CAs are targets for sophisticated cyber threats, and that there is currently a lack of policies, standards, and governance that certificate authorities must adhere to in order to maintain their “trusted” status.


More Stories By Adam Vincent

Adam is an internationally renowned information security expert and is currently the CEO and a founder at Cyber Squared Inc. He possesses over a decade of experience in programming, network security, penetration testing, cryptography design & cryptanalysis, identity and access control, and a detailed expertise in information security. The culmination of this knowledge has led to the company’s creation of ThreatConnect™, the first-of-its-kind threat intelligence platform. He currently serves as an advisor to multiple security-focused organizations and has provided consultation to numerous businesses ranging from start-ups to governments, Fortune 500 organizations, and top financial institutions. Adam holds an MS in computer science with graduate certifications in computer security and information assurance from George Washington University. Vincent lives in Arlington, VA with his wife, two children, and dog.
