Wednesday, August 31, 2011

Dutch Site Claims Mozilla, Yahoo, Wordpress, Tor Project All Targets in Diginotar Certificate Theft

Via -

There are more signs that a July compromise of Diginotar, a certificate authority based in the Netherlands, may have been driven by political motives. A Dutch Web site reported on Wednesday that digital certificates belonging to Mozilla, Yahoo, Wordpress and The Tor Project were among dozens reported stolen from Diginotar.

The story, based on information from a confidential source, fills in details about which other firms were among "dozens" that Diginotar and its parent company Vasco have admitted were victims of the break in. It also adds weight to speculation that the hack may have had links to the Iranian regime and may have had, as its goal, the surveillance and identification of political activists and bloggers within the country.

Vasco, Yahoo and The Tor Project didn't immediately respond to requests for comment from Threatpost.

The forged certificates could be used most easily in man-in-the-middle attacks, allowing attackers to carry out very sophisticated spear-phishing attacks using Web sites that would appear to be legitimate, said Chris Nutt, a principal consultant at Mandiant Inc. of Alexandria, Virginia.
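The defence that limits the damage from a rogue certificate is the relying party's policy, not the CA. Two checks that browsers applied after this incident are distrusting the compromised issuer outright and, for high-value hosts, pinning the expected public key so that a certificate from any other CA, rogue or not, is rejected. The following Python is an added example written for this post, not code from Diginotar, Mandiant or any browser vendor; the certificate fields, issuer names and key bytes are constructed placeholders, and the real chain validation (signatures, validity periods, name constraints) is assumed to have already happened before this policy layer runs.

```python
import base64
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Cert:
    """One certificate in a presented chain, reduced to the fields this policy check needs."""
    subject: str
    issuer: str
    spki_der: bytes  # DER-encoded SubjectPublicKeyInfo; constructed placeholder bytes below


def spki_pin(cert: Cert) -> str:
    """Pin = base64(SHA-256(SubjectPublicKeyInfo)), the format later standardised by HPKP."""
    return base64.b64encode(hashlib.sha256(cert.spki_der).digest()).decode("ascii")


# Constructed sample data (placeholder names, not copied from any real certificate).
DISTRUSTED_ISSUERS: Set[str] = {"CN=DigiNotar Root CA (placeholder)"}

LEGIT_ROOT = Cert("CN=Example Root CA", "CN=Example Root CA", b"example-root-spki-constructed")
LEGIT_LEAF = Cert("CN=mail.example.com", "CN=Example Root CA", b"mail-example-com-spki-constructed")
LEGIT_CHAIN: List[Cert] = [LEGIT_LEAF, LEGIT_ROOT]

# Rogue chain 1: issued by the compromised CA (caught by the distrust list).
ROGUE_CA_ROOT = Cert("CN=DigiNotar Root CA (placeholder)", "CN=DigiNotar Root CA (placeholder)",
                     b"compromised-root-spki-constructed")
ROGUE_CA_CHAIN: List[Cert] = [
    Cert("CN=mail.example.com", "CN=DigiNotar Root CA (placeholder)", b"attacker-key-1-constructed"),
    ROGUE_CA_ROOT,
]

# Rogue chain 2: mis-issued by a CA that is still trusted (caught only by the pin).
OTHER_ROOT = Cert("CN=Other Trusted CA", "CN=Other Trusted CA", b"other-root-spki-constructed")
ROGUE_PIN_CHAIN: List[Cert] = [
    Cert("CN=mail.example.com", "CN=Other Trusted CA", b"attacker-key-2-constructed"),
    OTHER_ROOT,
]

# Host with no pin at all: the policy layer can only fall back on CA trust.
UNPINNED_CHAIN: List[Cert] = [
    Cert("CN=blog.example.com", "CN=Other Trusted CA", b"blog-example-com-spki-constructed"),
    OTHER_ROOT,
]

# Pin both the leaf key and the root key, so a legitimate re-issue under the same root still passes.
PINNED_HOSTS: Dict[str, Set[str]] = {
    "mail.example.com": {spki_pin(LEGIT_LEAF), spki_pin(LEGIT_ROOT)},
}


def evaluate_chain(host: str, chain: List[Cert],
                   pins: Dict[str, Set[str]] = PINNED_HOSTS,
                   distrusted: Set[str] = DISTRUSTED_ISSUERS) -> Tuple[bool, str]:
    """Apply distrust and pinning policy to an already signature-validated chain.

    Returns (accepted, reason). The leaf is chain[0]; subject matching is exact CN
    for brevity (real clients match SANs and wildcards).
    """
    if not chain:
        return False, "empty chain"
    if chain[0].subject != f"CN={host}":
        return False, "leaf subject does not match host"

    # Rule 1: any certificate issued by, or naming, a distrusted CA fails, whatever else holds.
    for cert in chain:
        if cert.issuer in distrusted or cert.subject in distrusted:
            return False, f"chain touches distrusted CA: {cert.issuer}"

    # Rule 2: for pinned hosts, at least one key in the chain must match a known pin.
    expected = pins.get(host)
    if expected is not None:
        if any(spki_pin(cert) in expected for cert in chain):
            return True, "pin matched"
        return False, "no certificate in chain matches the pinned keys for this host"

    # No pin: the policy layer has nothing more to say; trust rests on the CA alone.
    return True, "no pin for host; accepted on CA trust alone"


if __name__ == "__main__":
    for label, host, chain in [
        ("legitimate", "mail.example.com", LEGIT_CHAIN),
        ("rogue, distrusted CA", "mail.example.com", ROGUE_CA_CHAIN),
        ("rogue, trusted CA", "mail.example.com", ROGUE_PIN_CHAIN),
        ("unpinned host", "blog.example.com", UNPINNED_CHAIN),
    ]:
        print(f"{label:22s} -> {evaluate_chain(host, chain)}")
```

The third case is the one worth noticing: a blocklist of the 250-odd rogue certificates, or of Diginotar as an issuer, does nothing against a certificate mis-issued by any other trusted CA, whereas a pin on the site's key rejects it regardless of who signed it. The fourth case shows the cost of pinning: it only protects hosts someone has taken the trouble to pin.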

"We align certificate authority hacks with attacking organizations who are encountering security at target organizations that they wish to work around," he told Threatpost. "These are the same types of people who would be interested in breaching a company like RSA."

In the case of Diginotar, there have been suggestions from the very first that the hack may have been directed by Iran. For one thing, the first reports about man in the middle attacks using forged Google certificates originated in Iran. A subsequent review of Diginotar's Web site found a page that was defaced with the name of an Iranian hacking group.

Attribution for the hack will probably never be determined. However, Nutt said that attacks of this caliber - involving a multi-stage attack against sophisticated organizations - are often perpetrated by nation states. "This is consistent with other nation-state sponsored attacks," he said.


Writing on Securelist, the blog of Kaspersky Lab's research group, Kaspersky Lab Expert Roel Schouwenberg said that statements from the company about the extent of the breach don't add up. Among other things, Diginotar claims that the breach was limited to a "few dozen" rogue certificates, while Google has blocked more than 250 of them. The company, Schouwenberg adds, may not actually know how many rogue certificates were generated, either because no logs exist or because they were deleted after the attack was complete.

Assuming that the Diginotar attack has links to Iran's government, it could be an effort by supporters of the regime to monitor political dissidents within the country using compromised Web browsers, blogging software (Wordpress), by snooping on Web mail sessions (Yahoo and Google) or unravelling efforts to mask a user's identity using Tor and other anonymity services.


Nutt said the Diginotar hack, combined with those on RSA and the certificate authority Comodo, is bound to prompt some soul searching among security professionals, governments and Internet governance groups.

"This is a serious trend. You're talking about attacking the foundational security mechanisms of the Internet. Two factor authentication and certificates are used everywhere, so this really shakes the confidence of the security mechanisms we have in place today," he said.
