Comodo Hacker Takes Credit For Massive DigiNotar Hack

Even as the number of rogue digital certificates skyrockets to more than 500 -- with some spoofing major domains -- overall impact so far has mostly been minimal outside of Iran, experts say

The fallout from the recent breach of certificate authority (CA) DigiNotar continues at a rapid pace as more details about the scope of the attack come to light: More than 500 rogue digital certificates were created for such high-profile domains as cia.gov, microsoft.com, Microsoft's windowsupdate.com, and mozilla.org, as well as one posing as VeriSign Root CA. In addition, more than 300,000 IP addresses, mostly in Iran, have been compromised.

The plot further thickened today when the hacker who breached certificate authority Comodo earlier this year claimed he was also behind the DigiNotar attack, and has hacked four more CAs, including GlobalSign and StartCom: "I told all that I can do it again, I told all in interviews that I still have accesses in Comodo resellers, I told all I have access to most of CAs," wrote the hacker, who goes by the alias "ComodoHacker" and claims to be Iranian. He indicated that the attacks were in retaliation for the 16-year anniversary of a massacre of thousands of Muslims during the Bosnian War in the town of Srebrenica.

He says he has 300 code-signing certs, including code-signing privileges with Google's certificate. "I'm able to issue windows update, Microsoft's statement about Windows Update and that I can't issue such update is totally false! I already reversed ENTIRE windows update protocol" he wrote today.

GlobalSign as of today has temporarily suspended the issuance of digital certificates until it can investigate ComodoHacker's claims. "We saw the Pastebin message. We are currently investigating and take this very seriously," says Steve Wait, chief marketing officer at GlobalSign.

And Microsoft today moved all DigiNotar certs to its "untrusted certificate store" -- not just the initial offending ones that Microsoft and other browser makers revoked last week -- and yesterday said that no Microsoft users were at risk of phony Windows Updates from attackers using the rogue windowsupdate.com certificate. "The Windows Update service uses multiple means of checking that the content distributed is legitimate and uncompromised," blogged Dave Forstrom, director of Microsoft's Trustworthy Computing program.

But what does the breach of the Dutch CA DigiNotar really mean for most U.S. businesses and individuals?

Aside from providing a stark example of just how broken the CA system really is, not much, some security experts say. An official preliminary audit report by Fox-IT on the DigiNotar hack, as well as a report by Trend Micro, show that the attackers appear to have been intercepting communications in Iran.

"The impact on the rest of the world is pretty small," says Ivan Ristic, director of engineering at Qualys and an SSL expert. The worst-case scenario is that Iranian citizens who oppose their government have had their encrypted Gmail correspondence intercepted and read, he says. "Their lives could be ruined," Ristic says of the Iranian dissidents who might have had their SSL communications hijacked.

"But there's been virtually no impact outside Iran" thus far, he says. And this type of attack typically doesn't have much shelf life, anyway, he says. "Hijacking of a CA is not a reliable [method in the long run] because it's easy to detect," he says. "This was the first big case. In the future, people will be more vigilant and able to detect these things more quickly. Then the usefulness of this attack is going to decrease."

According to the Fox-IT report, the evidence points to targeting Iranians. "Fingerprints" also were left behind that are linked to the ComodoHacker, according to the report. "They used both known hacker tools as well as software and scripts developed specifically for this task. Some of the software gives an amateurish impression, while some scripts, on the other hand, are very advanced. In at least one script, fingerprints from the hacker are left on purpose, which were also found in the Comodo breach investigation of March 2011," Fox-IT said in its report.

"The list of domains and the fact that 99 percent of the users are in Iran suggest that the objective of the hackers is to intercept private communications in Iran," the report says.

Trend Micro also has posted evidence of what it says demonstrates that the attack was targeting Iranians. "We found that Internet users in more than 40 different networks of ISPs and universities in Iran were met with rogue SSL certificates issued by DigiNotar. Even worse, we found evidence that some Iranians who used software designed to circumvent traffic censorship and snooping were not protected against the massive man-in-the-middle attack," blogged Feike Hacquebord, senior threat researcher for Trend Micro.

Even so, there's real potential for collateral damage when phony certs are floating around, experts say.

Jeff Hudson, CEO at Venafi, says enterprises must "wake up" because a forged certificate can compromise an entire network: "Get out of denial. Understand that this is a huge issue of business continuity," he says. "And don't think you won't be compromised, because you will."

He recommends taking a close look at certificate-protected servers and apps. "All enterprises need to look at their highest-value assets -- servers and applications where sensitive and regulated data flows, and that are protected by certificates," Hudson says. "Plans must be in place to recover anytime the trust provider is compromised."
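Ristic's point that a hijacked CA is "easy to detect" and Hudson's advice to inventory certificate-protected assets both come down to the same routine check: does the certificate a server presents come from the CA you expect, and is that CA still trusted? The following is an added example, not code from the article or any vendor quoted in it; it works on the dictionary that Python's `ssl.SSLSocket.getpeercert()` returns, and the pin list and the sample DigiNotar-issued certificate are constructed for illustration.

```python
"""Audit a server certificate's issuer against a distrust list and per-host pins (added example,
not the article's code). Input is the dict ssl.SSLSocket.getpeercert() returns; samples are constructed."""

# CA organisations this enterprise distrusts outright (DigiNotar, per the article).
DISTRUSTED_ISSUER_ORGS = {"DigiNotar"}
# Hypothetical pins: which CA organisation is expected to issue each host's cert.
PINNED_ISSUER_ORGS = {"www.example-bank.test": "Example Trusted CA Inc"}

def rdn_value(name, key):
    """First value of attribute `key` in a getpeercert()-style name tuple, else None."""
    for rdn in name:
        for attr, value in rdn:
            if attr == key:
                return value
    return None

def cert_names(cert):
    """Subject CN plus DNS SANs: the names the certificate claims to cover."""
    names = {v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"}
    cn = rdn_value(cert.get("subject", ()), "commonName")
    if cn:
        names.add(cn)
    return names

def name_matches(hostname, pattern):
    """Exact match, or a single-label wildcard such as *.example.test."""
    if pattern.startswith("*."):
        labels = hostname.split(".")
        return len(labels) > 1 and labels[1:] == pattern[2:].split(".")
    return hostname == pattern

def audit_cert(hostname, cert):
    """Return findings for the cert presented by `hostname`; an empty list means clean."""
    findings = []
    issuer_org = rdn_value(cert.get("issuer", ()), "organizationName")
    if issuer_org in DISTRUSTED_ISSUER_ORGS:
        findings.append(f"issuer {issuer_org!r} is on the distrust list")
    pinned = PINNED_ISSUER_ORGS.get(hostname)
    if pinned is not None and issuer_org != pinned:
        findings.append(f"issuer {issuer_org!r} differs from pinned {pinned!r}")
    if not any(name_matches(hostname, n) for n in cert_names(cert)):
        findings.append(f"certificate does not cover {hostname!r}")
    return findings

# Constructed sample: a cert for cia.gov chained to DigiNotar, as the article describes.
ROGUE_CERT = {
    "subject": ((("commonName", "cia.gov"),),),
    "issuer": ((("organizationName", "DigiNotar"),), (("commonName", "DigiNotar Example CA"),)),
    "subjectAltName": (("DNS", "cia.gov"), ("DNS", "www.cia.gov")),
}
```

For a live check, pass `ctx.wrap_socket(sock, server_hostname=host).getpeercert()` as `cert`; a non-empty result is the kind of signal that makes a rogue CA-issued certificate stand out in an inventory sweep.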

But Roel Schouwenberg, senior researcher at Kaspersky Lab, says the breach at DigiNotar will place cybersecurity and cyberwarfare "on the political agenda" in a way Stuxnet did not. "Stuxnet had a huge impact. However, there didn’t seem to be a sense of urgency to put cyberwar and cybersecurity on most of the political agendas," he said in a blog post today.

Schouwenberg maintains that the attack was most likely the work of a government body. "Any kind of hints found in the registered certificates could well be decoys," he said.

He also predicted that DigiNotar would be driven out of business, mainly due to its failure to disclose the breach. "With some 500 authorities out there globally, it's hard to believe DigiNotar is the only compromised CA out there. DigiNotar will quite likely go out of business. This should serve as a very strong message for CAs to go public with any breach," he said.

Meanwhile, the Dutch government is investigating criminal and civil responsibilities for the hack, and DigiNotar could be accused of negligence. And according to a report today in The New York Times, the Dutch government is also looking at whether personal information of Dutch citizens was exposed in the wake of the breach.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...