DigiNotar breach due to disastrous security - Update
The "Black Tulip" report into the compromise of DigiNotar says that all of the certificate authority's systems sat in a single Windows domain. The interim report, published by the Dutch government, was written by Fox-IT BV. It reveals how the attackers obtained domain administrator rights, which gave them access to every CA server. The password for the administrator account was described as "not very strong and could easily be brute forced".
The attackers' software arsenal included purpose-written tools for requesting certificates. One script, written in a scripting language used only for developing PKI software, had the CA generate signatures for previously requested certificates. The attackers also used common hacker tools such as Cain & Abel, a well-known password-cracking toolkit that most anti-virus software detects; however, the investigators found no anti-virus software on the investigated servers, all of which contained malicious software.
The architecture of the DigiNotar network was also found to be at fault. Critical components of the network were not effectively separated: although the servers were "physically very secure in a tempest proof environment", the investigators believe they were reachable over the network from the management LAN. The software on DigiNotar's public web servers was out of date and unpatched, giving the attackers their first foothold in the network; an intrusion prevention system was in operation, but it was unclear "why it didn't block some of the outside web server attacks".
The software and scripts used were a mix of advanced and amateurish, the Fox-IT report says, and appeared to include deliberate fingerprints from the hackers which were also found during the investigation into the Comodo breach in March 2011. The report confirms that 531 rogue certificates were issued by the attacker, but because some log files were deleted after the attack, it cannot rule out that further rogue certificates were issued.
Although the attackers had control of the DigiNotar servers, including the PKIoverheid and Qualified CA servers, analysis of the log files suggests that those two CAs were not tampered with or misused. Two certificate serial numbers found on the servers, however, cannot be associated with trusted certificates, and because of that the investigators "cannot rule out the possibility that these relate to rogue certificates".
Monitoring of OCSP traffic for the bogus *.google.com certificate confirmed that the attack was centred on Iran, with 99% of the requests coming from Iranian networks. A separate analysis by TrendMicro noted that over 40 different networks belonging to ISPs or universities in Iran were subject to the man-in-the-middle attack. It is unlikely that an attack on that scale could take place without some government assistance.
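The two checks described above, reconciling serial numbers against the CA's own issuance records and working out where OCSP requests for a given serial come from, can be done over an OCSP responder's logs. The following is an added example, not code from Fox-IT, DigiNotar or The H: the log lines, serial numbers, the issuance records and the network-to-country table are all constructed for illustration, and the log format (client IP, timestamp, requested serial) is an assumption; a real responder sees the serial inside a DER-encoded OCSP request and would need to decode it before logging. A serial that clients ask about but that the issuance database does not account for is exactly the "cannot be associated with trusted certificates" case; the per-country share for a serial is how the 99%-from-Iran figure for the *.google.com certificate is reached.

```python
"""Reconcile OCSP request logs against a CA's issuance records (added example).

All data below is constructed; the log format is an assumption.
"""
import ipaddress
from collections import Counter

# Constructed OCSP responder log, one request per line:
# "<client-ip> <unix-timestamp> <certificate-serial-hex>"
OCSP_LOG = """\
192.0.2.10 1314951000 1a2b3c4d5e6f
192.0.2.11 1314951005 1a2b3c4d5e6f
192.0.2.12 1314951010 1a2b3c4d5e6f
198.51.100.7 1314951020 1a2b3c4d5e6f
192.0.2.13 1314951030 000000abcdef
203.0.113.4 1314951040 000000abcdef
192.0.2.14 1314951050 0badc0ffee00
"""

# Constructed issuance records: serials the CA's own database accounts for.
ISSUED_SERIALS = {"000000abcdef", "000000abcd00"}

# Constructed network-to-country table standing in for a GeoIP database
# (these are documentation ranges, not real Iranian/Dutch/US allocations).
PREFIX_COUNTRY = {
    "192.0.2.0/24": "IR",
    "198.51.100.0/24": "NL",
    "203.0.113.0/24": "US",
}


def parse_ocsp_log(text):
    """Parse log lines into records; serials are normalised to lower-case hex."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ip, ts, serial = line.split()
        records.append({
            "ip": ipaddress.ip_address(ip),
            "ts": int(ts),
            "serial": serial.lower(),
        })
    return records


def unaccounted_serials(records, issued):
    """Serials clients asked about that the issuance records do not contain.

    These are the candidates for rogue certificates: a relying party is
    validating a certificate the CA has no record of issuing.
    """
    return {r["serial"] for r in records} - {s.lower() for s in issued}


def country_of(ip, table):
    """Map a client address to a country using the prefix table."""
    for prefix, country in table.items():
        if ip in ipaddress.ip_network(prefix):
            return country
    return "??"


def country_share(records, serial, table):
    """Fraction of OCSP requests for `serial` attributable to each country."""
    counts = Counter(
        country_of(r["ip"], table)
        for r in records
        if r["serial"] == serial.lower()
    )
    total = sum(counts.values())
    return {cc: n / total for cc, n in counts.items()} if total else {}


if __name__ == "__main__":
    recs = parse_ocsp_log(OCSP_LOG)
    for s in sorted(unaccounted_serials(recs, ISSUED_SERIALS)):
        print(s, country_share(recs, s, PREFIX_COUNTRY))
```

Run as-is, it flags the two serials the constructed issuance records do not cover and shows that three quarters of the requests for the first of them come from the "IR" range. The check depends on the issuance database and the responder logs being intact; as the report notes, deleted log files mean the absence of a serial from this reconciliation is not proof that no further rogue certificates exist.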
Update: The alleged Comodo and DigiNotar hacker has published a new message to his Pastebin account. In it, the hacker claims to have access to four other "high profile CAs"; he specifically mentions GlobalSign by name. He also claims responsibility for the June attack on the Israeli StartSSL Certificate Authority.
- Dutch government takes control of DigiNotar CA, a report by The H
- DigiNotar attackers got over 500 certificates, a report by The H
- Attackers behind CA hack also targeted Tor, a report by The H