"GlobalSign takes this claim very seriously and is currently investigating," according to a statement released by the company, which is the fifth-largest CA. "As a responsible CA, we have decided to temporarily cease issuance of all Certificates until the investigation is complete. We will post updates as frequently as possible."
Security experts praised the company's move. "It's possible the accusations are simply from an anonymous raving lunatic. Yet they could be true, and rather than put the greater Internet community at risk, GlobalSign is forgoing some revenue out of an abundance of caution," said Chester Wisniewski, a senior security advisor at Sophos Canada, in a blog post.
GlobalSign's actions were triggered by boasts posted to Pastebin on Monday by "Comodohacker," saying that he'd exploited not only Dutch certificate authority DigiNotar, but also four more certificate authorities, including GlobalSign.
On Tuesday, another post from Comodohacker noted that his attack against the StartCom Certification Authority, based in Israel, had been blocked by the company, even though he'd gained access to a hardware security module (HSM). "I already connected to their HSM, got access to their HSM, sent my request, but lucky Eddy (CEO) was sitting behind HSM and was doing manual verification."
Commenting on the matter in a post to Twitter, StartCom's COO and CTO, Eddy Nigg, said, "Security should always be designed on the assumption that a breach will occur."
Security at DigiNotar, which was bought by Chicago-based Vasco in 2010, apparently wasn't as robust. According to a report from Fox-IT--which was commissioned by the Dutch government to investigate the exploit of DigiNotar--the first known-bad certificate, for Google.com, was created by attackers on July 10, 2011. Between July 19 and July 29, DigiNotar began discovering bad certificates during routine security operations, and blocking them.
But the attack didn't come to light until August 27, when a user in Iran reported on a Google forum that his Google Chrome browser said that something was wrong with his Google certificate. All told, at least 531 bad certificates were issued.
Comodohacker said the attack against DigiNotar was payback for the Srebrenica massacre. He also suggested that he wasn't operating under the auspices of Iranian authorities. "I'm single person, do not AGAIN try to make an ARMY out of me in Iran. If someone in Iran used certs I have generated, I'm not one who should explain," he said.
The DigiNotar hack has already had wide-ranging repercussions for the 9 million Dutch citizens--in a country with a population of 17 million--that use DigiD, a government website for accessing services, such as paying taxes. According to news reports, the country's lawyers have been forced to switch to fax and mail, to handle many activities that were supported by an intranet. The Netherlands has also indefinitely extended the country's tax deadline.
According to the Fox-IT audit, the hacker or hackers who compromised DigiNotar knew what they were doing. "They used known hacker tools as well as software and scripts developed specifically for this task. Some of the software gives an amateurish impression, while some scripts, on the other hand, are very advanced. In at least one script, fingerprints from the hacker are left on purpose, which were also found in the Comodo breach investigation of March, 2011. Parts of the log files, which would reveal more about the creation of the signatures, have been deleted."
In the wake of the exploit of DigiNotar, on Tuesday, Microsoft released a security advisory announcing that it was treating all DigiNotar certificates as untrusted. It also downplayed reports that fake digital certificates, for example for Windows Update, could be used to install malicious software on targeted PCs.
But Comodohacker suggested otherwise. "I'm able to issue windows update, Microsoft's statement about Windows Update and that I can't issue such update is totally false!" he said. "I already reversed ENTIRE windows update protocol, how it reads XMLs via SSL which includes URL, KB no, SHA-1 hash of file for each update, how it verifies that downloaded file is signed using WinVerifyTrust API."
See the latest IT solutions at Interop New York. Learn to leverage business technology innovations--including cloud, virtualization, security, mobility, and data center advances--that cut costs, increase productivity, and drive business value. Save 25% on Flex and Conference Passes or get a Free Expo Pass with code CPFHNY25. It happens in New York City, Oct. 3-7, 2011. Register now.