DigiNotar Breach and Fraudulent Certificates Investigation Reveals Incompetence


Last week, we at SiliconANGLE reported on a hack that struck at the root of the certificate authority system that keeps the web safe. A certificate authority, DigiNotar, lost control of its servers, and an attacker became able to forge certificates that appeared to be issued by DigiNotar. This put numerous users in Iran in danger and allowed their SSL/TLS communications with websites to be read. What we initially knew about was that google.com (mostly Google Mail) had been forged; later it was revealed that the forged certificates also covered Facebook, Google, Microsoft, Yahoo!, Tor, Skype, Mossad, CIA, MI6, LogMeIn, Twitter, Mozilla, AOL and WordPress (we can thank Tor for compiling that list).

A security firm hired to look into the breach, Fox-IT, has come back with a lot of disturbing news about DigiNotar’s incompetence and general bad response to the attacks.

Aside from other interesting discoveries, it’s been pretty much confirmed that DigiNotar was compromised for more than a month before it did anything about it, and for an entire second month before it released news of the compromise to the public.

The Fox-IT report shows that the initial breach happened on June 17th and DigiNotar noticed the compromise on the 19th. As far as we’re aware, the first forged certificate for google.com was generated as late as July 10th (all 530 rogue certificates were generated between July 10th and 20th).

According to an article on Sophos by Chester Wisniewski, who went through the Fox-IT document, the total number of forged certificates and how slowly DigiNotar responded reveal only the tip of the iceberg of its security failures:

There are several very disturbing conclusions about security at DigiNotar and the investigation isn’t even complete yet:

  1. All of the certificate servers belonged to one Windows domain, allowing the compromise of one administrator account to control everything.
  2. The administrator password was simple and could be easily brute forced.
  3. Much of the malware and tools used in the attack would have been easily detected by anti-virus, had it been present.
  4. The software on public-facing servers was out of date and unpatched.
  5. They had no centralized or secure logging.
  6. There was no effective separation of critical components.

The attacker was even kind enough to leave behind a bit of a calling card, a message that read in part: “THERE IS NO ANY HARDWARE OR SOFTWARE IN THIS WORLD EXISTS WHICH COULD STOP MY HEAVY ATTACKS MY BRAIN OR MY SKILLS OR MY WILL OR MY EXPERTISE.”

The hack had apparently been directed almost entirely at Iranian targets, but the compromise of the root authority could have been used against anyone in the world. If it weren’t for the enhanced security in Firefox, the breach might not have been discovered as soon as it was.

Looking back, it’s a good thing that DigiNotar’s authority has been all but entirely stripped by everyone that matters on the web, from Microsoft to Google. Its failure in this matter blows an extremely wide hole through the web of trust that makes certificate authorities for SSL/TLS connections work.