Wednesday, September 7, 2011

DigiNotar Hack: Critical infrastructure protection was inadequate

The critical infrastructure at the compromised CA DigiNotar was insufficiently protected. This is evident from the interim report (PDF) by the security firm Fox-IT. According to the report, the CA servers were housed in a secure environment but were reachable via the management LAN. As a result, the attacker was probably able to work his way from the outside in to the CA servers. The servers were protected by a weak password that could easily be cracked by brute force.

According to the report, all CA servers were members of a single Windows domain, so once the attacker had captured a set of credentials he could access every server. On critical servers the investigators discovered malware that ordinary anti-virus software would easily have detected; no such software was installed on those systems, however. In addition, the software on the publicly accessible web servers was outdated, the report says.

On the compromised systems the investigators also found, alongside common tools such as the password cracker Cain & Abel, tools and scripts specially tailored to this target. The script the hacker apparently used to sign the rogue certificates calls a special API that is used only in the context of CAs. In this script the attacker left his mark in English with the words: "I know that you shocked my skills there is no hardware or software in the world that can stop my onslaught.."

The "claim of responsibility" is signed with the Persian words "Janam Fadaye Rahbar", which translate as "I sacrifice myself for the great leader". The same words appear in the manifesto of the hacker already suspected of the Comodo break-in. Whether it is the same person, or a group of hackers using the same sentence, is unclear.

The interim report confirms the figure of 531 certificates issued by the attacker. However, it cannot be ruled out that further certificates were issued during the incident, because log files were deleted after the break-in. For the same reason, according to the report, the rogue Google certificate was not revoked after the first analysis of the compromise: DigiNotar simply did not know it existed.

The attacker also had access to the CA server for PKIoverheid, which is used by the Dutch government. Here, however, the log files are complete, which according to Fox-IT's experts suggests that this server was neither misused nor tampered with. Two previously unknown certificate serial numbers were found here, but the experts consider it possible that these were created temporarily by the CA software or are the result of a bug.

Analysis of the log files of the OCSP responder, to which browsers send a request when visiting a page whose certificate was signed by DigiNotar, showed that apparently only one rogue Google.com certificate was abused on a large scale for interception. There were around 300,000 requests (unique IPs) for it, of which more than 99 percent came from Iran.

Trend Micro also registered a sharp increase in OCSP requests to DigiNotar from Iran. Of particular concern is the fact that, according to Trend Micro, the requests came from over 40 different ISPs and universities. An interception operation on that scale is hardly feasible without government assistance.
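The kind of OCSP log analysis described in the two preceding paragraphs (unique client IPs per requested serial, the country they come from, how many distinct networks are involved) and the check behind the "unknown serial numbers" mentioned earlier (a serial that appears in OCSP requests but is absent from the CA's issuance records) as an added Python example. This is not code from the Fox-IT report, DigiNotar or Trend Micro: the log line format, the serial numbers, the client addresses and the IP-to-origin table are all constructed for illustration, and a real analysis would substitute the responder's actual log format and GeoIP/AS data.

```python
"""Aggregate OCSP responder logs per requested certificate serial.

Added example; not code from the Fox-IT report, DigiNotar or Trend Micro.
The log line format, serial numbers, client addresses and the IP-to-origin
table are constructed. A real run would use the responder's own log format
and GeoIP / WHOIS data for the origin lookup.
"""
import re
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Assumed (constructed) log format: "<timestamp> <client_ip> serial=<hex> status=<s>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<ip>\S+)\s+serial=(?P<serial>[0-9A-Fa-f]+)\s+status=(?P<status>\w+)$"
)

# Constructed origin table over RFC 5737 documentation ranges; the country and
# network labels are hypothetical stand-ins for GeoIP / AS data.
ORIGIN_TABLE = [
    (ip_network("192.0.2.0/25"), ("IR", "isp-a")),
    (ip_network("192.0.2.128/25"), ("IR", "university-b")),
    (ip_network("198.51.100.0/24"), ("IR", "isp-c")),
    (ip_network("203.0.113.0/24"), ("NL", "isp-d")),
]

# Constructed sample log. Serial 0AF1 is queried by many clients concentrated in
# one country across several networks; 0B02 is a normal certificate. One line is
# deliberately malformed and must be skipped.
SAMPLE_LOG = """\
2011-07-28T09:12:01Z 192.0.2.10 serial=0AF1 status=good
2011-07-28T09:12:02Z 192.0.2.10 serial=0AF1 status=good
2011-07-28T09:13:10Z 192.0.2.200 serial=0af1 status=good
2011-07-28T09:14:33Z 198.51.100.5 serial=0AF1 status=good
2011-07-28T09:15:07Z 198.51.100.77 serial=0AF1 status=good
2011-07-28T09:16:49Z 203.0.113.8 serial=0AF1 status=good
2011-07-28T09:20:00Z 203.0.113.20 serial=0B02 status=good
2011-07-28T09:21:00Z 203.0.113.21 serial=0B02 status=good
this line is garbage and must be skipped
2011-07-28T09:22:00Z 203.0.113.22 serial=0B02 status=good
"""

# Constructed stand-in for the CA's issuance database: 0AF1 was never issued.
ISSUED_SERIALS = {"0B02"}


def parse_line(line):
    """Return (client_ip, serial, status), or None for unparseable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        ip = ip_address(m["ip"])
    except ValueError:  # regex accepted a token that is not an IP address
        return None
    return ip, m["serial"].upper(), m["status"]


def lookup_origin(ip):
    """Map a client address to (country, network) via the constructed table."""
    for net, origin in ORIGIN_TABLE:
        if ip in net:
            return origin
    return ("??", "unknown")


def summarize(log_text):
    """Per serial: number of unique clients, a Counter of their countries and
    the set of distinct networks they came from (counted over unique IPs, so
    repeated checks from one browser do not inflate the figures)."""
    clients = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, serial, _status = parsed
        clients[serial].add(ip)
    summary = {}
    for serial, ips in clients.items():
        countries, networks = Counter(), set()
        for ip in ips:
            country, network = lookup_origin(ip)
            countries[country] += 1
            networks.add(network)
        summary[serial] = {"unique_clients": len(ips),
                           "countries": countries, "networks": networks}
    return summary


def top_country_share(entry):
    """(country, fraction) for the country supplying most unique clients."""
    (country, n), = entry["countries"].most_common(1)
    return country, n / entry["unique_clients"]


def unknown_serials(summary, issued):
    """Serials seen in OCSP requests that the CA has no record of issuing."""
    return sorted(s for s in summary if s not in issued)


def flag_suspicious(summary, min_clients=5, min_share=0.75, min_networks=3):
    """Triage heuristic: many unique clients, concentrated in one country but
    spread over several networks. A popular domestic site shows the same
    shape, so hits must be checked against the issuance records."""
    flagged = []
    for serial, entry in summary.items():
        country, share = top_country_share(entry)
        if (entry["unique_clients"] >= min_clients and share >= min_share
                and len(entry["networks"]) >= min_networks):
            flagged.append((serial, country, round(share, 2), len(entry["networks"])))
    return sorted(flagged)


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for serial, entry in sorted(s.items()):
        country, share = top_country_share(entry)
        print(f"{serial}: {entry['unique_clients']} unique clients, "
              f"{share:.0%} from {country}, {len(entry['networks'])} networks")
    print("heuristic hits:", flag_suspicious(s))
    print("not in issuance records:", unknown_serials(s, ISSUED_SERIALS))
```

Two caveats apply to any figure derived this way. OCSP logs record only those clients that actually performed a revocation check (browsers with OCSP disabled, or that failed soft on a blocked responder, leave no trace), so the client count is a lower bound on how many users were intercepted. And the origin-skew heuristic alone does not prove abuse; the decisive signal in the text is the comparison against what the CA knows it issued, which is why deleted logs on the issuing side matter so much.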

[Update] The alleged Comodo and DigiNotar hacker has released a second manifesto. In it he claims to have access to four further certificate authorities and to be able to issue any certificate at any time. The only one he names explicitly, however, is GlobalSign. He also says he was the hacker who broke into the servers of the Israeli certificate issuer StartCom in June.
