Tuesday, September 6, 2011

Audit of hacked Certificate Authority reveals poor security

Recently, the Dutch Certificate Authority (CA) DigiNotar was hacked, bringing with it a huge scandal once it was proven that the attackers had successfully created fake Google SSL certificates.

It began with a fake Google certificate that someone had used to impersonate Google. SSL certificates are used to verify ownership of a domain, but they are also used to encrypt the data sent between the client and the certificate holder. The fake certificate caused some stir within the IT community and raised the question of whether or not to trust CAs, since this is the second CA to have been hacked in the past year. The false certificate was traced back to DigiNotar and was discussed on the web and in news stories, but DigiNotar only admitted that they had suffered a security breach a couple of days after this was revealed.

DigiNotar stated that the attack happened on July 19th and that all the affected certificates had been withdrawn. But clearly their own audit of the breach had not been thorough enough, since the faked Google certificate appeared anyway. Later, more certificates were found in the wild, and it quickly emerged that more serious certificates had been compromised, including ones for the CIA, MI6 and Mossad. All major browsers have stated that they will issue an update blocking all of DigiNotar's certificates.

With the scandal that hit the CA, the Dutch government chose to commission an external audit of the breach to determine how this could have happened. The security auditors Fox-IT, who were hired to examine the compromised servers, revealed that the level of security within DigiNotar's systems had been ridiculously low and pointed out insecurities such as:

  1. A single administrator account on a Windows machine owned all the certificates.
  2. The administrator account was protected by a weak password that was easily brute-forced.
  3. The tools used by the hacker would have been detected by anti-virus, had it been present.
  4. The software running on the server was outdated and unpatched.

Those are some of the problems listed by Fox-IT, and they really show DigiNotar's lack of responsibility and common sense. A Certificate Authority provides a security service that is used to verify that a website is what it claims to be, to encrypt credit card information during payments, to encrypt the data sent between citizens and public institutions, and much more. I only ask: how can such an insecure system be allowed to govern the certificates? One would expect such companies to at least know common practices for guarding data you don't want compromised.

As of now, almost 99% of the queries for the false certificates have originated from Iran, which makes the Iranian government the prime suspect in this attack. Iran was also one of the suspects when Comodo (a South-American CA) was hacked earlier this year.
