
GlobalSign Says No New Certificates, Pending Investigation

Move follows GlobalSign breach by Comodo hacker. Microsoft treats all DigiNotar certificates as untrusted, but downplays a related Windows malware threat.

After boasts by the Comodo hacker that he'd compromised GlobalSign, the certificate authority (CA) on Tuesday announced that it would temporarily cease issuing any new certificates.

"GlobalSign takes this claim very seriously and is currently investigating," according to a statement released by the company, which is the fifth-largest CA. "As a responsible CA, we have decided to temporarily cease issuance of all Certificates until the investigation is complete. We will post updates as frequently as possible."

Security experts praised the company's move. "It's possible the accusations are simply from an anonymous raving lunatic. Yet they could be true, and rather than put the greater Internet community at risk, GlobalSign is forgoing some revenue out of an abundance of caution," said Chester Wisniewski, a senior security advisor at Sophos Canada, in a blog post.

GlobalSign's actions were triggered by boasts posted to Pastebin on Monday by "Comodohacker," saying that he'd exploited not only Dutch certificate authority DigiNotar, but also four more certificate authorities, including GlobalSign.

On Tuesday, another post from Comodohacker noted that his attack against the StartCom Certification Authority, based in Israel, had been blocked by the company, even though he'd gained access to a hardware security module (HSM). "I already connected to their HSM, got access to their HSM, sent my request, but lucky Eddy (CEO) was sitting behind HSM and was doing manual verification."

Commenting on the matter in a post to Twitter, StartCom's COO and CTO, Eddy Nigg, said, "Security should always be designed on the assumption that a breach will occur."

Security at DigiNotar, which was bought by Chicago-based Vasco in 2010, apparently wasn't as robust. According to a report from Fox-IT, which was commissioned by the Dutch government to investigate the exploit of DigiNotar, the first known-bad certificate, for Google.com, was created by attackers on July 10, 2011. Between July 19 and July 29, DigiNotar began discovering bad certificates during routine security operations, and blocking them.

But the attack didn't come to light until August 27, when a user in Iran reported on a Google forum that his Google Chrome browser said that something was wrong with his Google certificate. All told, at least 531 bad certificates were issued.

Comodohacker said the attack against DigiNotar was payback for the Srebrenica massacre. He also suggested that he wasn't operating under the auspices of Iranian authorities. "I'm single person, do not AGAIN try to make an ARMY out of me in Iran. If someone in Iran used certs I have generated, I'm not one who should explain," he said.

The DigiNotar hack has already had wide-ranging repercussions for the 9 million Dutch citizens (in a country with a population of 17 million) who use DigiD, a government website for accessing services such as paying taxes. According to news reports, the country's lawyers have been forced to switch to fax and mail to handle many activities that were supported by an intranet. The Netherlands has also indefinitely extended the country's tax deadline.

According to the Fox-IT audit, the hacker or hackers who compromised DigiNotar knew what they were doing. "They used known hacker tools as well as software and scripts developed specifically for this task. Some of the software gives an amateurish impression, while some scripts, on the other hand, are very advanced. In at least one script, fingerprints from the hacker are left on purpose, which were also found in the Comodo breach investigation of March, 2011. Parts of the log files, which would reveal more about the creation of the signatures, have been deleted."

In the wake of the exploit of DigiNotar, on Tuesday, Microsoft released a security advisory announcing that it was treating all DigiNotar certificates as untrusted. It also downplayed reports that fake digital certificates, for example for Windows Update, could be used to install malicious software on targeted PCs.
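Microsoft's response amounts to a distrust list that is consulted before any signature is checked. The Go snippet below is an added illustration, not code from the article, Microsoft or any CA: it builds a constructed chain rooted at a CA whose organization name is "DigiNotar" and shows a verifier that refuses any chain naming a distrusted issuer, whatever its signatures say. The `makeCert` and `chainTrusted` helpers, the keys and the organization names are all assumptions made for the example.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// distrustedCAs holds issuer organization names a verifier refuses outright,
// mirroring the move of DigiNotar roots into the untrusted store.
var distrustedCAs = map[string]bool{"DigiNotar": true}

// makeCert builds a certificate for org; parent == nil yields a self-signed CA (keys and names are constructed for this example only).
func makeCert(org string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{Organization: []string{org}},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
	}
	if parent == nil {
		parent, parentKey = tmpl, key // self-signed root
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// chainTrusted rejects a chain if any certificate in it names a distrusted issuer, regardless of whether the signatures would otherwise validate.
func chainTrusted(chain []*x509.Certificate) error {
	for _, c := range chain {
		for _, org := range c.Issuer.Organization {
			if distrustedCAs[org] {
				return fmt.Errorf("certificate issued by distrusted CA %q", org)
			}
		}
	}
	return nil
}
```

In a real deployment this check sits on top of normal path validation, not in place of it.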

But Comodohacker suggested otherwise. "I'm able to issue windows update, Microsoft's statement about Windows Update and that I can't issue such update is totally false!" he said. "I already reversed ENTIRE windows update protocol, how it reads XMLs via SSL which includes URL, KB no, SHA-1 hash of file for each update, how it verifies that downloaded file is signed using WinVerifyTrust API."
