The extent of the breach at Dutch certificate authority DigiNotar has broadened this week after an audit report analyzing DigiNotar's servers, released by the Dutch government, showed major security lapses in the firm's various CA servers.
The report, prepared by IT security firm Fox-IT, found the DigiNotar network had been severely breached, compromising more than two dozen CA servers. The extent of the damage increased substantially, with evidence of CA servers that issued hundreds of signed rogue certificates against 20 different domains.
Some experts said the seriousness of the breach shines a light on the problems that plague the certificate system. Chester Wisniewski, a senior security advisor at UK-based security vendor Sophos LLC, said enterprise CISOs need to understand how their organization uses SSL certificates and come up with a contingency plan if the certificate provider is breached. In addition to SSL use in browsers to verify the authenticity of a website, many enterprises use digital certificates to authenticate users for SSL VPNs and email servers.
"Organizations need to understand what they should do if their SSL VPN would break for their users or if their e-commerce system would falter with their customers," Wisniewski said. "Ask yourself: Is there an alternative plan?"
Organizations can obtain certificates from multiple certificate authorities to have a back-up plan for website validation if a CA is breached, he said. Alternatives to the current system are being tested, but until Google, Microsoft and Mozilla begin to support alternative authenticity validation systems, the system is unlikely to change. The Fox-IT report has prompted those browser makers to blacklist DigiNotar certificates.
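The contingency question Wisniewski raises can be answered mechanically: inventory every TLS-protected service, note which CA issued its certificate, and check which services stop validating once a root is pulled from the trust store, which is exactly what the browser vendors' untrusted-root updates do on the client side. The Go program below is an added example for this article, not code from the article, Sophos or any CA. It builds two placeholder CAs and three placeholder services (the names "Example CA A (constructed)", "Example CA B (constructed)", vpn.example.test, mail.example.test and shop.example.test are all made up), then reports what breaks when one CA is distrusted; the service that was issued by the second CA keeps working, which is the back-up plan the text describes.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// certKey pairs a certificate with its private key. Every CA and host below is constructed for this example.
type certKey struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// check aborts on fixture-setup errors; these can only mean a broken environment.
func check(err error) {
	if err != nil {
		panic(err)
	}
}

// makeCert generates a fresh P-256 key for tmpl and has signer sign it (self-signed when signer is nil).
func makeCert(tmpl *x509.Certificate, signer *certKey) *certKey {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	if signer == nil {
		signer = &certKey{tmpl, key} // self-signed: the template is its own parent
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer.cert, &key.PublicKey, signer.key)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return &certKey{cert, key}
}

// newCA builds a self-signed CA certificate, valid for one day, under the given (placeholder) name.
func newCA(name string) *certKey {
	return makeCert(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}, nil)
}

// newServerCert has ca sign a TLS server (leaf) certificate for host.
func newServerCert(ca *certKey, host string, serial int64) *certKey {
	return makeCert(&x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: host},
		DNSNames: []string{host}, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
	}, ca)
}

// Service is one TLS-protected system in the organization's certificate inventory.
type Service struct {
	Name, Host string
	Cert       *x509.Certificate // certificate currently deployed on Host
}

// Impact returns the services whose certificates no longer validate once the CA whose subject CN
// equals distrusted is dropped from the trust store, i.e. what an updated client will see.
func Impact(services []Service, trusted []*x509.Certificate, distrusted string) []string {
	roots := x509.NewCertPool()
	for _, ca := range trusted {
		if ca.Subject.CommonName != distrusted {
			roots.AddCert(ca)
		}
	}
	var broken []string
	for _, svc := range services {
		opts := x509.VerifyOptions{DNSName: svc.Host, Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
		if _, err := svc.Cert.Verify(opts); err != nil {
			broken = append(broken, svc.Name)
		}
	}
	return broken
}

// Scenario builds the constructed inventory (VPN and mail from CA A, web shop from CA B) and reports what breaks.
func Scenario(distrusted string) []string {
	caA := newCA("Example CA A (constructed)")
	caB := newCA("Example CA B (constructed)")
	services := []Service{
		{"SSL VPN", "vpn.example.test", newServerCert(caA, "vpn.example.test", 100).cert},
		{"Mail server", "mail.example.test", newServerCert(caA, "mail.example.test", 101).cert},
		{"Web shop", "shop.example.test", newServerCert(caB, "shop.example.test", 102).cert},
	}
	return Impact(services, []*x509.Certificate{caA.cert, caB.cert}, distrusted)
}

func main() {
	// prints: broken by distrusting CA A: [SSL VPN Mail server]
	fmt.Println("broken by distrusting CA A:", Scenario("Example CA A (constructed)"))
}
```

In a real inventory the `Service` entries would be loaded from the certificates actually deployed on each host and `trusted` from the operating-system or browser trust store, so that the same `Impact` check can be re-run each time a vendor publishes a root-distrust update; a service that only appears in the output when both of its CAs are removed is one that already has the back-up the article recommends.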
Microsoft updated its security advisory Tuesday, pushing out an automatic update to all supported versions of Windows, revoking the trust in DigiNotar root certificates. The company said it made the move to protect users of Internet Explorer from man-in-the-middle attacks. Rogue digital certificates also enable attackers to spoof content and perform phishing attacks.
"We've deemed all DigiNotar certificates to be untrustworthy and have moved them to the Untrusted Certificate Store," wrote Dave Forstrom, director of Microsoft Trustworthy Computing, in the Microsoft Security Response Center blog. "We recognize this issue as an industry problem, and we have been actively collaborating with certificate authorities, governments and software vendors to help protect our mutual customers."
Microsoft is waiting a week before rolling out the automatic update to users in the Netherlands. Mozilla and Google have taken similar steps to block the rogue digital certificates.
"This is not a temporary suspension, it is a complete removal from our trusted root program," wrote Jonathan Nightingale, director of Firefox engineering, in the Mozilla Security blog. "Complete revocation of trust is a decision we treat with careful consideration, and employ as a last resort."
Nightingale said the trusted root was removed completely because the scope of the breach remains unknown. In addition, DigiNotar revoked fraudulent certificates without notifying Mozilla.
In an update issued Sept. 3, Google said it is rejecting all Certificate Authorities operated by DigiNotar. "We encourage DigiNotar to provide a complete analysis of the situation," wrote Heather Adkins, Google's information security manager.
The Fox-IT report, which was released by the Dutch government, found serious problems with DigiNotar's network.
"All CA servers were members of one Windows domain, which made it possible to access them all using one obtained user/password combination," according to the DigiNotar breach report, which was made available on the Dutch government website Rijksoverheid. "The password was not very strong and could easily be brute-forced."
In addition, the audit investigation found outdated software installed on the DigiNotar public Web servers. No antivirus protection was present on the investigated servers, Fox-IT said.
Traces of hacker activity, believed to have emanated from Iran, began June 19 and lasted until July 22. The attackers issued hundreds of rogue certificates, including SSL certificates for Google, Skype, Mozilla add-ons, Microsoft Update and others.
DigiNotar revoked the certificates and has added security measures on infrastructure, system monitoring and Online Certificate Status Protocol (OCSP) validation to identify the use of rogue certificates and prevent further attacks.
The security measures may have been too late. The report suggests the attackers used the stolen Google SSL certificate to snoop on users of Gmail in Iran. Log data analysis found 300,000 unique IP requests to Google.com, with 99% originating from Iran, according to the report.
In a statement, VASCO Data Security International Inc., which owns DigiNotar, said it would fully cooperate with authorities and welcomed a full review of its systems by the Dutch government. As part of its proposal, VASCO invites the Dutch government to send staff to work together to jointly assess and remedy the problem.