Attacks/Breaches
9/6/2011
06:44 PM

Comodo Hacker Takes Credit For Massive DigiNotar Hack

Even as the number of rogue digital certificates skyrockets to more than 500 -- with some spoofing major domains -- overall impact so far has mostly been minimal outside of Iran, experts say

The fallout from the recent breach of certificate authority (CA) DigiNotar continues at a rapid pace as more details about the scope of the attack come to light: More than 500 rogue digital certificates were created for such high-profile domains as cia.gov, microsoft.com, Microsoft's windowsupdate.com, and mozilla.org, as well as one posing as VeriSign Root CA. In addition, more than 300,000 IP addresses, mostly in Iran, have been compromised.

The plot further thickened today when the hacker who breached certificate authority Comodo earlier this year claimed that he was also behind the DigiNotar attack and had hacked four more CAs, including GlobalSign and StartCom: "I told all that I can do it again, I told all in interviews that I still have accesses in Comodo resellers, I told all I have access to most of CAs," wrote the hacker, who goes by the alias "ComodoHacker" and claims to be Iranian. He indicated that the attacks were carried out in retaliation for the massacre of thousands of Muslims in the town of Srebrenica during the Bosnian War, on its 16-year anniversary.

He says he has 300 code-signing certs, including code-signing privileges with Google's certificate. "I'm able to issue windows update, Microsoft's statement about Windows Update and that I can't issue such update is totally false! I already reversed ENTIRE windows update protocol" he wrote today.

GlobalSign as of today has temporarily suspended the issuance of digital certificates until it can investigate ComodoHacker's claims. "We saw the Pastebin message. We are currently investigating and take this very seriously," says Steve Wait, chief marketing officer at GlobalSign.

And Microsoft today moved all DigiNotar certs to its "untrusted certificate store" -- not just the initial offending ones that Microsoft and other browser makers revoked last week -- and yesterday said that no Microsoft users were at risk of phony Windows Updates from attackers using the rogue windowsupdate.com certificate. "The Windows Update service uses multiple means of checking that the content distributed is legitimate and uncompromised," blogged Dave Forstrom, director of Microsoft's Trustworthy Computing program.

But what does the breach of the Dutch CA DigiNotar really mean for most U.S. businesses and individuals?

Aside from providing a stark example of just how broken the CA system really is, not much, some security experts say. An official preliminary audit report by Fox-IT on the DigiNotar hack, as well as a report by Trend Micro, indicate that the attackers appear to have been after intercepting communications in Iran.

"The impact on the rest of the world is pretty small," says Ivan Ristic, director of engineering at Qualys and an SSL expert. The worst-case scenario is that Iranian citizens who oppose their government have had their encrypted Gmail correspondence intercepted and read, he says. "Their lives could be ruined," Ristic says of the Iranian dissidents who might have had their SSL communications hijacked.

"But there's been virtually no impact outside Iran" thus far, he says. And this type of attack typically doesn't have much shelf life, anyway, he says. "Hijacking of a CA is not a reliable [method in the long run] because it's easy to detect," he says. "This was the first big case. In the future, people will be more vigilant and able to detect these things more quickly. Then the usefulness of this attack is going to decrease."

According to the Fox-IT report, the evidence points to targeting Iranians. "Fingerprints" also were left behind that are linked to the ComodoHacker, according to the report. "They used both known hacker tools as well as software and scripts developed specifically for this task. Some of the software gives an amateurish impression, while some scripts, on the other hand, are very advanced. In at least one script, fingerprints from the hacker are left on purpose, which were also found in the Comodo breach investigation of March 2011," Fox-IT said in its report.

"The list of domains and the fact that 99 percent of the users are in Iran suggest that the objective of the hackers is to intercept private communications in Iran," the report says.

Trend Micro also has posted evidence of what it says demonstrates that the attack was targeting Iranians. "We found that Internet users in more than 40 different networks of ISPs and universities in Iran were met with rogue SSL certificates issued by DigiNotar. Even worse, we found evidence that some Iranians who used software designed to circumvent traffic censorship and snooping were not protected against the massive man-in-the-middle attack," blogged Feike Hacquebord, senior threat researcher for Trend Micro.

Even so, there's real potential for collateral damage when phony certs are floating around, experts say.

Jeff Hudson, CEO at Venafi, says enterprises must "wake up" because a forged certificate can compromise an entire network: "Get out of denial. Understand that this is a huge issue of business continuity," he says. "And don't think you won't be compromised, because you will."

He recommends taking a close look at certificate-protected servers and apps. "All enterprises need to look at their highest-value assets -- servers and applications where sensitive and regulated data flows, and that are protected by certificates," Hudson says. "Plans must be in place to recover anytime the trust provider is compromised."
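As an added example that is not part of the original article (all hosts, CA names and log lines are constructed), the following Python script shows the defensive side of two points made above: Ristic's observation that a hijacked CA is easy to detect, and Hudson's advice to inventory the certificates guarding high-value assets. It keeps a per-host baseline of the expected issuer, treats every DigiNotar-issued certificate as distrusted (as Microsoft did by moving all DigiNotar certs to its untrusted store), and flags any observed certificate that deviates. The log format and the `EXPECTED_ISSUER` baseline are assumptions for illustration, not any vendor's format.

```python
"""Spot rogue certificates by comparing observed issuers against a baseline.

Added example; all hosts, CA names and log lines below are constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Hypothetical baseline: the CA expected to issue each high-value host's
# certificate. An enterprise would build this from its own inventory.
EXPECTED_ISSUER: Dict[str, str] = {
    "mail.example.com": "Example Corp Issuing CA",
    "update.example.com": "Example Corp Issuing CA",
    "intranet.example.com": "Example Corp Issuing CA",
}

# CAs no longer trusted at all, in the spirit of moving every DigiNotar
# certificate to an untrusted store. Matched case-insensitively as a
# substring of the issuer name so that every DigiNotar sub-CA is caught.
DISTRUSTED_CA_MARKERS: Tuple[str, ...] = ("DigiNotar",)

# Constructed sample of what a TLS-inspecting proxy or sensor might log.
# The fifth line is deliberately malformed to exercise the parser's
# rejection path.
OBSERVED_LOG = """\
2011-09-06T10:00:00Z host=mail.example.com issuer="Example Corp Issuing CA" fp=AA:11
2011-09-06T10:01:00Z host=mail.example.com issuer="DigiNotar Public CA 2025" fp=BB:22
2011-09-06T10:02:00Z host=update.example.com issuer="Some Other Trusted CA" fp=CC:33
2011-09-06T10:03:00Z host=intranet.example.com issuer="Example Corp Issuing CA" fp=DD:44
garbage line without the expected fields
2011-09-06T10:04:00Z host=blog.example.com issuer="Some Other Trusted CA" fp=EE:55
"""

LINE_RE = re.compile(r'^(\S+) host=(\S+) issuer="([^"]+)" fp=(\S+)$')


@dataclass(frozen=True)
class Observation:
    timestamp: str
    host: str
    issuer: str
    fingerprint: str


@dataclass(frozen=True)
class Alert:
    kind: str      # "distrusted-issuer" or "issuer-mismatch"
    host: str
    issuer: str    # the issuer actually observed
    expected: str  # baseline issuer, or "" if the host has no baseline


def parse_log(text: str) -> Tuple[List[Observation], List[str]]:
    """Parse observation lines; return (observations, rejected_lines).

    Rejected lines are returned rather than dropped, so a sensor that starts
    emitting an unexpected format cannot silently blind the check.
    """
    observations: List[Observation] = []
    rejected: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        match = LINE_RE.match(line)
        if match:
            observations.append(Observation(*match.groups()))
        else:
            rejected.append(line)
    return observations, rejected


def is_distrusted(issuer: str) -> bool:
    """True if the issuer name contains any distrusted-CA marker."""
    name = issuer.lower()
    return any(marker.lower() in name for marker in DISTRUSTED_CA_MARKERS)


def evaluate(observations: List[Observation],
             expected: Dict[str, str] = EXPECTED_ISSUER) -> List[Alert]:
    """Raise one alert per observation that is distrusted or off-baseline.

    A distrusted issuer is reported as such even when it also mismatches the
    baseline; hosts without a baseline entry are only checked for distrust.
    """
    alerts: List[Alert] = []
    for obs in observations:
        baseline = expected.get(obs.host, "")
        if is_distrusted(obs.issuer):
            alerts.append(Alert("distrusted-issuer", obs.host, obs.issuer, baseline))
        elif baseline and obs.issuer != baseline:
            alerts.append(Alert("issuer-mismatch", obs.host, obs.issuer, baseline))
    return alerts


if __name__ == "__main__":
    observed, bad = parse_log(OBSERVED_LOG)
    for alert in evaluate(observed):
        print(f"{alert.kind}: {alert.host} issued by {alert.issuer!r} "
              f"(expected {alert.expected!r})")
    print(f"{len(bad)} unparseable line(s) rejected")
```

Run against the constructed log, the script raises two alerts: mail.example.com presenting a DigiNotar-issued certificate (distrusted outright, regardless of baseline) and update.example.com presenting a certificate from a CA other than the one in the inventory. The blog host has no baseline entry and so is checked only against the distrust list, which is the trade-off of a baseline approach: it protects exactly the assets you have bothered to inventory, which is Hudson's point.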

But Roel Schouwenberg, senior researcher at Kaspersky Lab, says the breach at DigiNotar will place cybersecurity and cyberwarfare "on the political agenda" in a way Stuxnet did not. "Stuxnet had a huge impact. However, there didn’t seem to be a sense of urgency to put cyberwar and cybersecurity on most of the political agendas," he said in a blog post today.

Schouwenberg maintains that the attack was most likely the work of a government body. "Any kind of hints found in the registered certificates could well be decoys," he said.

He also predicted that DigiNotar would be driven out of business, mainly due to its failure to disclose the breach. "With some 500 authorities out there globally, it's hard to believe Diginotar is the only compromised CA out there. Diginotar will quite likely go out of business. This should serve as a very strong message for CAs to go public with any breach," he said.

Meanwhile, the Dutch government is investigating criminal and civil responsibilities for the hack, and DigiNotar could be accused of negligence. And according to a report today in The New York Times, the Dutch government is also looking at whether personal information of Dutch citizens was exposed in the wake of the breach.


Kelly Jackson Higgins is Senior Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, ...
