Tuesday, August 30, 2011

DigiNotar Says Its CA Infrastructure Was Compromised

Via Threatpost.com -

VASCO, the parent company of DigiNotar, says that the fraudulent certificate for Google's domains that the certificate authority issued was just one of many such bogus certificates it handed out in recent months, and blamed the growing scandal on an attack on its CA infrastructure.

In a statement responding to stories detailing the use of the fraudulent--but valid--wildcard certificate DigiNotar issued to an unknown third party for Google domains, VASCO officials said that the company became aware of the attack on its CA infrastructure on July 19, which is nine days after the Google certificate was issued. DigiNotar has stopped issuing certificates for the time being while it tries to figure out what happened.

"On July 19th 2011, DigiNotar detected an intrusion into its Certificate Authority (CA) infrastructure, which resulted in the fraudulent issuance of public key certificate requests for a number of domains, including Google.com. Once it detected the intrusion, DigiNotar has acted in accordance with all relevant rules and procedures," the statement says.

"At that time, an external security audit concluded that all fraudulently issued certificates were revoked. Recently, it was discovered that at least one fraudulent certificate had not been revoked at the time. After being notified by Dutch government organization Govcert, DigiNotar took immediate action and revoked the fraudulent certificate."


Dark Reading: Digital Certificate Authority Hacked, Dozens Of Phony Digital Certificates Issued

But security experts say the problem is that if the fake certificates were used for man-in-the-middle attacks, the damage may already have been done. "This press release only has made me more worried about how much this may be just the tip of the iceberg," says Roel Schouwenberg, senior antivirus researcher for Kaspersky Lab. "The google.com cert was only revoked yesterday afternoon EST."

Schouwenberg says DigiNotar's statement raises more questions. "The conducted audit does not inspire any confidence. How did they miss the Google cert? How did they miss the website hacks pointed out by F-Secure?" he says, referring to a F-Secure Mikko Hypponen's post today showing what appears to be evidence of Iranian hackers having broken into DigiNotar's servers, and one page by alleged Turkish hackers back in 2009.

Hyponnen weighed in on DigiNotar's statement as well. "It raises more questions than answers. Diginotar indeed was hacked, on the 19th of July, 2011. The attackers were able to generate several fraudulent certificates, including possibly also EVSSL certificates. But while Diginotar revoked the other rogue certificates, they missed the one issued to Google. Didn't Diginotar think it's a tad weird that Google would suddenly renew their SSL certificate, and decide to do it with a mid-sized Dutch CA, of all places?" Hypponen, chief research officer of F-Secure blogged. "And when Diginotar was auditing their systems after the breach, how on earth did they miss the Iranian defacement discussed above?"


Another problem is that revocation isn't a sure thing. The rogue certs could be used for one-off, targeted attacks, and therefore would be tough to pinpoint, experts say.

"Additionally, there are ways to bypass revocation notices. So currently, we're depending on browser updates to fully protect us," Kaspersky's Schouwenberg says. "The average turnaround time is rather suboptimal. Let's hope Apple will be faster than with the Comodo case."

He says it also appears that not all of the CAs have been revoked, either: A separate DigiNotar CA handles the EV-SSL certs, and Chrome currently appears to be still accepting that CA, he says.

No comments:

Post a Comment