Monday, September 5, 2011

Operation Black Tulip Report: DigiNotar Certificate Authority Breach

http://www.rijksoverheid.nl/ministeries/bzk/documenten-en-publicaties/rapporten/2011/09/05/diginotar-public-report-version-1.html

Background

The company DigiNotar B.V. provides digital certificate services; it hosts a number of Certificate Authorities (CA‟s). Certificates issued include default SSL certificates, Qualified Certificates and „PKIoverheid‟ (Government accredited) certificates.

On the evening of Monday August 29th it became public knowledge that a rogue *.google.com certificate was presented to a number of Internet users in Iran. This false certificate had been issued by DigiNotar B.V. and was revoked1 that same evening.

On the morning of the following Tuesday, Fox-IT was contacted and asked to investigate the breach and report its findings before the end of the week.

Fox-IT assembled a team and started the investigation immediately. The investigation team includes forensic IT experts, cybercrime investigators, malware analysts and a security expert with PKI experience. The team was headed by CEO J.R. Prins directly.

It was communicated and understood from the outset, that Fox-IT wouldn't be able to complete an in- depth investigation of the incident within this limited timeframe. This is due to the complexity of the PKI environment and the uncommon nature of the breach.

Rather, due to the urgency of this matter, Fox-IT agreed to prepare an interim report at the end of the week with its preliminary findings, which would be published.


-------------------------------------------------------------------------------------

Diginotar Investigation:
Visualisation of OCSP requests for the rogue *.google.com certificate by Fox-IT
http://www.youtube.com/watch?v=wZsWoSxxwVY

-------------------------------------------------------------------------------------

Here are a couple of statements in the report that catch my eye:

  • Page 8 - "On August 4th the number of request rose quickly until the certificate was revoked on August 29th at 19:09. Around 300.000 unique requesting IPs to google.com have been identified. Of these IPs >99% originated from Iran."
  • Page 9 - "In at least one script, fingerprints from the hacker are left on purpose, which were also found in the Comodo breach investigation of March 2011."
  • Page 9 - "The list of domains and the fact that 99% of the users are in Iran suggest that the objective of the hackers is to intercept private communications in Iran.
  • Page 9 - "The most critical servers contain malicious software that can normally be detected by anti-virus software."
  • Page 9 - " The software installed on the public web servers was outdated and not patched. No antivirus protection was present on the investigated servers."    

No comments:

Post a Comment