DigiNotar stated that the attack happened on July 19th and that all the affected certificates had been withdrawn. Clearly their own audit of the security breach had not been thorough enough, since the fake Google certificate suddenly appeared anyway. Later, more certificates were found in the wild, and it quickly became clear that more serious certificates had been compromised, including ones for the CIA, MI6 and Mossad. All major browsers have stated that they will issue an update blocking all of DigiNotar's certificates.
With the scandal that hit the CA, the Dutch government chose to commission an external audit of the breach to determine how this could have happened. The security auditors Fox-IT, who were hired to examine the compromised servers, revealed that the level of security within DigiNotar's systems had been ridiculously low and pointed out insecurities such as:
- A single administrator account on a Windows machine owned all the certificates.
- The administrator account was protected by a weak password that was easily brute-forced.
- The tools used by the hacker would have been detected by anti-virus, had it been present.
- The software running on the server was outdated and unpatched.
Those are some of the problems listed by Fox-IT, and they really show DigiNotar's lack of responsibility and common sense. A Certificate Authority provides a security service that is used to verify that a website is what it claims to be, to encrypt credit card information in payments, to encrypt the data sent between citizens and public institutions, and much more. I only ask: how can such an insecure system be allowed to govern the certificates? One would expect such companies to at least know the common practices for guarding data you don't want to be compromised.
As of now, almost 99% of the queries for the false certificates have originated from Iran, which makes the Iranian government the prime suspect in this attack. Iran was also one of the suspects when Comodo (a South-American CA) was hacked earlier this year.
Oh wow, that's crazy.