Dark Reading is part of the Informa Tech Division of Informa PLC


Attacks/Breaches

11/7/2011
04:09 PM

Certificate Authority Uncovers Old Breach

Yet another CA is hacked, suspends issuing certificates -- and there likely will be more

Remember the Netherlands-based certificate authority DigiNotar that was hacked and then went out of business? Well, now the largest CA in the Netherlands, KPN/Getronics, also has been breached and, for now, has suspended issuing digital certificates.

KPN announced this week that it has suspended issuing certificates after discovering that a PKI-related Web server had been breached: a distributed denial-of-service (DDoS) tool was found on the server and apparently had been sitting there for at least four years.

The company said existing certificates remain valid, but that it is having the potential breach investigated and has halted certificate issuance as a precaution. "Although there is no evidence that the production of certificates is compromised, it cannot be completely excluded that this did happen," according to a Google translation of the statement. "Therefore, KPN Corporate Market (formerly Getronics) has decided to temporarily discontinue the application for and issuance of new certificates, pending further investigation. This is to ensure that the procedure by which certificates are issued is safe and reliable. KPN has replaced the web servers."

Interestingly, KPN recently said it had picked up some of DigiNotar's old customers after that firm went out of business. DigiNotar filed for bankruptcy, and its parent company, VASCO, exited the CA business altogether.

Meanwhile, last week Malaysia-based CA reseller DigiCert Sdn. Bhd. (unrelated to the US-based DigiCert Inc.) revoked some of its own digital certificates for security reasons, including certificates issued with weak 512-bit RSA keys, and Mozilla and Microsoft began blocking them.

With the string of CA breaches, and the Duqu malware's use of a driver signed with a stolen certificate, it's a bad time to be a CA. Dave Marcus, director of security research and communications for McAfee, says the string of CAs getting attacked has major implications. "This is turning into a big deal," he says. "[Attackers] are going after CAs as an industry."

Marcus says this new trend in attacks goes after an entire trust model. "It's not just the website aspect. It's part of the OS ... and the signing of drivers and files. People don't realize what a big deal this potentially is."

And there will be more, security experts predict.

"One of the questions that should also be answered is how a DDoS tool went undetected for four years. However, as companies are ramping up internal security I fully expect to see more 'old breaches' like this one uncovered," Roel Schouwenberg, senior antivirus researcher for Kaspersky Lab, said in a blog post on Friday.

"What's particularly interesting about KPN's statement is that it could be interpreted as them saying already issued certificates will remain valid (no matter what). KPN is a much bigger certificate authority than DigiNotar. Possibly, people could be going into this with the idea of KPN being too big to fail."

A compromised CA, with attackers issuing phony digital certificates from it, isn't something organizations can easily defend against, either. "It's not an 'update your DAT' issue or 'make sure your firewall is configured a certain way' issue," McAfee's Marcus says. "So much of the remediation lies outside the hands of the end user and the security company."

It also poses potential problems for application whitelisting, he says. "Driver-signing is a big portion of that," Marcus says. What if a whitelisted software driver is actually signed with a rogue certificate? he asks. "There are big questions that have to be asked here."
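One thing that does lie in an organization's own hands is explicit distrust: when a CA is compromised, browser and OS vendors publish the fingerprints of the affected certificates and refuse any chain containing them, and the same check can be applied locally to TLS chains or driver-signing chains. The following is an added example written for this article, not code from KPN, McAfee, Kaspersky or any vendor quoted above. It uses only the Python standard library, because a SHA-256 fingerprint needs no X.509 parsing; the PEM blocks it runs on are constructed placeholders (base64 of arbitrary bytes, not real certificates) so that it runs offline.

```python
"""Explicit distrust of certificates by SHA-256 fingerprint.

Added example, not code from the article or from any CA or vendor it quotes.
A distrust list of fingerprints is how vendors pulled DigiNotar-style rogue
certificates; an operator can apply the same idea to any chain it sees.
"""
import base64
import hashlib
import re
from typing import Iterable, List, Optional

_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----",
    re.DOTALL,
)


def pem_to_der_blocks(pem_text: str) -> List[bytes]:
    """Split a PEM bundle into the DER bytes of each certificate it contains."""
    blocks = []
    for match in _PEM_BLOCK.finditer(pem_text):
        body = re.sub(r"\s+", "", match.group(1))
        blocks.append(base64.b64decode(body, validate=True))
    return blocks


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint in the colon-separated upper-case form that
    `openssl x509 -noout -fingerprint -sha256` prints."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fp: str) -> str:
    """Accept fingerprints pasted with or without colons, in any case."""
    return fp.replace(":", "").replace(" ", "").upper()


def first_distrusted(chain_pem: str, distrusted: Iterable[str]) -> Optional[int]:
    """Return the 0-based position of the first certificate in the chain whose
    fingerprint is on the distrust list, or None if the chain is clean.

    Every certificate in the chain is checked, not just the leaf: a rogue
    intermediate or a pulled root is exactly what a compromised CA produces.
    """
    blocklist = {normalize(fp) for fp in distrusted}
    for index, der in enumerate(pem_to_der_blocks(chain_pem)):
        if normalize(fingerprint(der)) in blocklist:
            return index
    return None


# Constructed sample data: NOT real certificates, just base64 of arbitrary
# bytes wrapped in PEM armor so the fingerprint logic has input to run on.
LEAF_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(b"constructed leaf certificate bytes").decode()
    + "\n-----END CERTIFICATE-----\n"
)
ROGUE_CA_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(b"constructed rogue intermediate CA bytes").decode()
    + "\n-----END CERTIFICATE-----\n"
)
CHAIN_PEM = LEAF_PEM + ROGUE_CA_PEM

# The distrust list an operator maintains, normally seeded from fingerprints a
# vendor published when it pulled a CA. Here it is seeded from the constructed
# rogue intermediate above (an assumption of this example).
DISTRUSTED = {fingerprint(pem_to_der_blocks(ROGUE_CA_PEM)[0])}


def demo() -> dict:
    """Run the check over the constructed chain and return the verdicts."""
    return {
        "chain_hit": first_distrusted(CHAIN_PEM, DISTRUSTED),
        "leaf_only_hit": first_distrusted(LEAF_PEM, DISTRUSTED),
        "lowercase_nocolon_hit": first_distrusted(
            CHAIN_PEM, {normalize(fp).lower() for fp in DISTRUSTED}
        ),
    }


if __name__ == "__main__":
    print(demo())
```

The caveat Schouwenberg's point raises applies here too: a fingerprint list only catches the certificates somebody already knows about. If a CA was in a position to issue certificates nobody has enumerated, the only safe move is to put the CA's own root or intermediate on the list, which rejects everything it signed, including the "still valid" certificates. Fingerprints for a real certificate on disk come from `openssl x509 -in ca.pem -noout -fingerprint -sha256`.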


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
