When DigiNotar, the Dutch certificate authority (CA) company which is a wholly-owned subsidiary of VASCO Data Security International, Inc., announced on the 30th of August that it had been breached "which resulted in the fraudulent issuance of public key certificate requests for a number of domains," the general feeling in the IT security community was one of, "Oh, oh, here we go again."
Last March, you may remember, the Italian partners (registration authorities) of the certificate authority company Comodo (namely GlobalTrust.it and InstantSSL.it) were hacked and nine Secure Sockets Layer (SSL) encryption certificates fraudulently issued for Google, Microsoft, Skype, and Yahoo, among others. SSL encryption certificates are meant, to quote from VeriSign, the first company to issue SSL's in 1995, to help "... assure customers that they are safe from search to browse to buy and sign-in. When customers see the VeriSign Trust(tm) Seal, they know they can trust the link, trust the site, and trust the transaction."
The attack on DigiNotar was detected on the 19th of July the company said in its press release, and it also reported that it had revoked the fraudulent certificates that were issued. Its press release did not say how many certificates had been issued, however, only that one involved Google. However, one certificate was apparently overlooked during the detection process and that one only came to light when the Dutch government informed DigiNotar. But not to worry, government sites were not at risk of being compromised, DigiNotar claimed.
Fingers were pointed at the government of Iran as being the source of the attack, since it looked like the fake Google certificate was being used to spy on Iranian Gmail accounts.
The press release tried to sound upbeat, with VASCO stating that it "... expects the impact of the breach of DigiNotar’s SSL and EVSSL [Extended Validation SSL] business to be minimal." A Dutch IT security company - Fox-IT BV - was hired to conduct an investigation into the incident, which came to be called internally, "Operation Black Tulip."
However, almost immediately after the public announcement of the breach, it became clear that the attack on DigiNotar might be worse than what the company was letting on. A story appearing in ComputerWorld soon after DigiNotar's announcement indicated that the fraudulent Google certificate was issued on July 10, over a week before DigiNotar said it had first detected the breach. In addition, a DigiNotar spokesperson admitted to ComputerWorld that "several dozen" certificates had been faked, not just a small number as it previously implied.
By the 3rd of September, it was becoming clear that the IT security situation caused by the breach was indeed becoming dire for some. For on that day, reported the AP, the Dutch government announced that because of the breach, "it could not guarantee the security of its own Web sites." In addition, the government said it was taking over DigiNotar's operations, a move the company did not fight against.
The AP story (at the New York Times) quoted the Dutch Interior Minister Piet Hein Donner as saying that visitors to Dutch government web sites could not be sure that "that he is on the site where he wanted to be."
Press speculation continued that the hack attack was the work of the Iranian government.
Then on the 4th of September, the news turned even more ominous. A story in ComputerWorld said that the "several dozen" faked certificates actually numbered more than 500 and included ones for "intelligence services like the CIA, the U.K.'s MI6 and Israel's Mossad." This news caused Google, Microsoft, Mozilla, etc. to move to "untrust" any and all certificates that had been issued by DigiNotar. News also surfaced, said ComputerWorld, that DigiNotar may have been compromised as early as May 2009.
For all intents and purposes, DigiNotar's CA operation was now out of business. So much for VASCO's claim of the breach having little material impact on DigiNotar's business.
On the 5th of September, DigiNotar released an interim report by Fox-IT on its investigation into the Operation Black Tulip attack. The report (PDF) is not pretty reading (an overview of the report can be found in this ComputerWorld article). Traces of the attack could be found as early as the 17th of June, it stated, meaning that it had gone undetected for more than a month. Further, a total of 531 fraudulent certificates were issued for 344 domain names. In addition, it appeared that some 300,000 Gmail accounts - mostly in Iran - had been compromised.
Moreover, DigiNotar's IT security was woefully deficient for its trusted role as a CA. The report said:
"The most critical servers contain malicious software that can normally be detected by anti-virus software. The separation of critical components was not functioning or was not in place. We have strong indications that the CA-servers, although physically very securely placed in a tempest proof environment, were accessible over the network from the management LAN."
"The network has been severely breached. All CA servers were members of one Windows domain, which made it possible to access them all using one obtained user/password combination. The password was not very strong and could easily be brute-forced."
"The software installed on the public web servers was outdated and not patched."
"No antivirus protection was present on the investigated servers."
"An intrusion prevention system is operational. It is not clear at the moment why it didn't block some of the outside web server attacks. No secure central network logging is in place."
The Fox-IT report declined, for obvious reasons, to describe exactly how the attack successfully penetrated DigiNotar.
The news that 300,000 Iranian email accounts had been compromised reinforced the idea that the attack was government-sponsored, and primarily aimed at spying on Iranian dissidents.
On the 6th of September, the AP ran a story that reported Dutch prosecutors were investigating DigiNotar for possible criminal negligence because it was slow to disclose the breach. A New York Times article on the same day reported that the Dutch data protection agency, OPTA, had asked DigiNotar to investigate whether Dutch taxpayer information had been compromised.
A very interesting Wall Street Journal story on the 7th of September talked about how the Dutch government was telling its 17 million citizens basically to return to the use of pen and paper when dealing with the government until the situation could be fully resolved!
Also on the 6th of September, word was filtering out that the Iranian "Comodo hacker" was claiming responsibility for the DigiNotar hack as well. According to this story in PCWorld, the hacker - who says he is 21 - attacked DigiNotar "... in order to punish the Dutch government for the actions of its soldiers in Srebrenica, where 8,000 Muslims were killed by Serbian forces in 1995 during the Bosnian War."
The hacker also said that he succeeded in penetrating GlobalSign - another CA - and three others. A ComputerWorld story said that GlobalSign was going to investigate the claim and for now, stop issuing SSL certificates.
Yesterday, a ComputerWorld story said that the hacker is now threatening to unleash attacks against US, European and Israeli web sites. He also is threatening to publish a "how to" guide on hacking CA's or other high value targets for others in the hacking community. And a ComputerWorld story today reports the hacker claiming that he can exploit Windows Update, although Microsoft says that it’s not possible.
At the very least, the attacks against Comodo and now DigiNotar and possibly GlobalSign and several others demonstrates that at least some CA authorities are not nearly as secure as was generally believed.
In fact, Mozilla, the Register reported yesterday, has told the 54 CA's with root certificates in its Network Security Services to check for intrusions or compromises and make sure their IT security is solid, and report back to it by the 16th of September. While it isn't making any direct threats to those that don't do what it asks, Mozilla has said it will "take whatever steps are necessary to keep our users safe."
While Mozilla's actions are not yet being publicly followed by Google, Microsoft, etc., I suspect behind the scenes they are exerting their own pressure on CA's to tighten up their security. I wouldn't be surprised to see lawsuits filed against DigiNotar in the near future, either.
The attack also shows what can happen when the trust in the Internet is severely undercut as has happened in the Netherlands.
I'll post updated information on this story as it emerges, especially on the situation in the Netherlands.
Update: 21 September 2011
As one reader has already noted, yesterday DigiNotar announced that it had filed for voluntary bankruptcy, which a Dutch court has approved. Dutch regulators last week ruled that the company had to revoke all of its certificates and could not issue any more. That action effectively sealed the company's fate.
It's parent company, VASCO, put out a press release that in part said:
"Although we are saddened by this action and the circumstances that necessitated it, we would like to remind our customers and investors that the incident at DigiNotar has no impact on VASCO's core authentication technology. The technological infrastructures of VASCO and DigiNotar remain completely separated, meaning that there is no risk for infection of VASCO’s strong authentication business. In addition, we plan to cooperate with the Trustee and the Judge to the fullest extent reasonably practicable to bring the affairs of DigiNotar to an appropriate conclusion for its employees and customers. We also plan to cooperate with the Dutch government in its investigation of the person or persons responsible for the attack on DigiNotar. "
The company also said that it didn't know what the impact would be on its financials:
"We are working to quantify the damages caused by the hacker’s intrusion into DigiNotar’s system and will provide an estimate of the range of losses as soon as possible... We expect to report the results of the DigiNotar operations, the losses related to the impairment of intangible assets specifically associated with DigiNotar and the estimated costs associated with the closure of DigiNotar either as a discontinued operation in our future financial statements or we will provide proforma information to identify the impact of DigiNotar on our consolidated results. While the losses associated with DigiNotar are expected to be significant, we do not expect, given the manner in which the acquisition of DigiNotar was structured, that the value of all of the intangible assets acquired will be fully impaired."
So much for VASCO's prediction a few weeks ago that the DigiNotar hack attack would have a minimal impact. Now the company is obviously in major damage limitation mode.
In other related news, GlobalSign decided, after an internal investigation, that it was safe for the company to reissue certificates last week. And as can be expected in a situation like this, spammers are trying to exploit the hack attack by "... telling bank business customers that their SSL certificates had expired."
Robert N. Charette is a Contributing Editor to IEEE Spectrum and an acknowledged international authority on information technology and systems risk management. A self-described “risk ecologist,” he is interested in the intersections of business, political, technological, and societal risks. Charette is an award-winning author of multiple books and numerous articles on the subjects of risk management, project and program management, innovation, and entrepreneurship. A Life Senior Member of the IEEE, Charette was a recipient of the IEEE Computer Society’s Golden Core Award in 2008.