Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

How StartCom Foiled Comodohacker: 4 Lessons

Comodohacker claims to have exploited six certificate authorities including DigiNotar--yet he failed to break into at least one. Here's how StartCom's approach to security worked.

Strategic Security Survey: Global Threat, LocalPain
Strategic Security Survey: Global Threat, Local Pain
(click image for larger view and for full slideshow)
Based on the boasts of "Comodohacker," he's compromised six certificate authorities (CAs) this year, including Comodo in March and DigiNotar in July. He's also claimed to have exploited at least four more, including GlobalSign.

But the Comodohacker also said that he was unable to hack into StartCom Certification Authority, despite managing to access its network and a hardware security module (HSM). "I already connected to their HSM, got access to their HSM, sent my request, but lucky Eddy . . . was sitting behind HSM and was doing manual verification," according to a Comodohacker post.

In other words, StartCom successfully defended itself, while--at least by ComodoHacker's count--a half-dozen similar businesses got hacked.

Asked about what exactly tripped up Comodohacker, Eddy Nigg--founder, COO, and CTO of StartCom--said via email that he didn't want to reveal too much. "That's the way he experienced it, [but] from the technical point of view it's obviously a bit different. But I don't want to spoil it and provide unnecessary information, as you might understand."

Technical details aside, what can other businesses learn from StartCom's approach to security? Here are four lessons:

1. Assess Your Business Partners. The attack against Comodo succeeded not in a frontal assault, but by exploiting its reseller business partners. In other words, a business decision by Comodo had security repercussions. "They obviously took an undue risk by letting so-called registration authorities (RA) turned resellers issue certificates directly without any further verification. This is what turned it into a successful attack, by misusing a third party and not Comodo itself," said Nigg. "At StartCom, we made a conscious decision not to implement such a model."

2. In Trust Model, Be Forthright. Why is Comodo still in business, while DigiNotar is not? The issue isn't necessarily that DigiNotar's attacker managed to issue 531 bad certificates, including for Google, Microsoft, as well as the CIA and MI6. Rather, it's that the entire public key infrastructure model is based on trust, and DigiNotar failed to respect that, because its management team didn't warn anyone until weeks after the breach was discovered. "What went wrong [technically] with DigiNotar I really can't say, but the fact that they tried to cover it up was the biggest failure of all," said Nigg. "This is a breach of trust without proportions."

3. Think Like An Attacker. Expect to be hacked. "We anticipated and planned for a possible breaches and attacks in various forms. It's naive to assume that the servers, infrastructure, and networks are secure--one must plan for the event that the front layers are breached, monitor it, detect, and react," said Nigg. Ensure that the plan covers not only policies and procedures, but also program implementation and ongoing operations. And when you get attacked, learn from the experience to make the defenses stronger.

4. Watch Infrastructure Closely. Keep a close eye on infrastructure. "For example, we NEVER leave the CA unattended. We control all critical servers physically and logically all the time. We can shut them down within less than a minute if necessary. We monitor all networks in real time, all the time," said Nigg. "This isn't something you can teach in a few minutes, it's an attitude, a way of life."

See the latest IT solutions at Interop New York. Learn to leverage business technology innovations--including cloud, virtualization, security, mobility, and data center advances--that cut costs, increase productivity, and drive business value. Save 25% on Flex and Conference Passes or get a Free Expo Pass with code CPFHNY25. It happens in New York City, Oct. 3-7, 2011. Register now.

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
7 Tips for Infosec Pros Considering A Lateral Career Move
Kelly Sheridan, Staff Editor, Dark Reading,  1/21/2020
For Mismanaged SOCs, The Price Is Not Right
Kelly Sheridan, Staff Editor, Dark Reading,  1/22/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment:   It's a PEN test of our cloud security.
Current Issue
IT 2020: A Look Ahead
Are you ready for the critical changes that will occur in 2020? We've compiled editor insights from the best of our network (Dark Reading, Data Center Knowledge, InformationWeek, ITPro Today and Network Computing) to deliver to you a look at the trends, technologies, and threats that are emerging in the coming year. Download it today!
Flash Poll
How Enterprises are Attacking the Cybersecurity Problem
How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-5226
PUBLISHED: 2020-01-24
Cross-site scripting in SimpleSAMLphp before version 1.18.4. The www/erroreport.php script allows error reports to be submitted and sent to the system administrator. Starting with SimpleSAMLphp 1.18.0, a new SimpleSAML\Utils\EMail class was introduced to handle sending emails, implemented as a wrapp...
CVE-2019-1517
PUBLISHED: 2020-01-24
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2019. Notes: none.
CVE-2019-1518
PUBLISHED: 2020-01-24
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2019. Notes: none.
CVE-2019-1519
PUBLISHED: 2020-01-24
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2019. Notes: none.
CVE-2019-1520
PUBLISHED: 2020-01-24
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2019. Notes: none.