See the Fox-IT preliminary report for the conditions which enabled the DigiNotar Certificate Authority (CA) to be breached. The breach enabled attackers to issue digital certificates of their own. Note that the role of a CA is to give people and systems grounds to trust that a destination is who it claims to be, that software was produced by the party claiming authorship, or that a message comes from its stated sender. Because the attackers could issue certificates under DigiNotar's authority, certificates chaining to that CA could no longer be trusted. Successful authentication does not confer trust.
Note that this example underscores the need to be able to revoke certificates and to remove CAs from the set of trusted authorities. You cannot rely on an operating system or web browser vendor to do this maintenance for you (although you should expect them to provide a mechanism for it).
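The distinction between authentication and trust, as an added example that is not from the page or the Fox-IT report: it builds a constructed root CA and a leaf certificate (the names are assumptions), shows that the leaf's issuer signature verifies regardless of the trust store, and that chain validation fails only once the CA is removed from the trusted roots.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// newCert issues a certificate for name; with parent == nil it is a self-signed root CA. Errors panic: demo setup only.
func newCert(name string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: name}, // constructed name
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  parent == nil,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// Scenario returns (issuer signature verifies, chain valid with CA trusted, chain valid with CA removed).
func Scenario() (sigOK, trustedBefore, trustedAfter bool) {
	ca, caKey := newCert("Constructed Example Root CA", nil, nil)
	leaf, _ := newCert("www.example.test", ca, caKey)
	trusted := x509.NewCertPool()
	trusted.AddCert(ca) // the CA is still listed among the trusted authorities
	_, errBefore := leaf.Verify(x509.VerifyOptions{Roots: trusted})
	_, errAfter := leaf.Verify(x509.VerifyOptions{Roots: x509.NewCertPool()}) // CA removed
	// the issuer signature verifies in both cases; only the trust store decides trust
	return leaf.CheckSignatureFrom(ca) == nil, errBefore == nil, errAfter == nil
}
```

Removing the CA from the trust store is what turns a cryptographically valid certificate into an untrusted one; the signature check alone never changes.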
Conditions which enabled the breach:
The successful hack implies that the current network setup and/or procedures at DigiNotar are not sufficiently secure to prevent this kind of attack.
The most critical servers contain malicious software that can normally be detected by anti-virus software. The separation of critical components was not functioning or was not in place. We have strong indications that the CA-servers, although physically very securely placed in a tempest proof environment, were accessible over the network from the management LAN.
The network has been severely breached. All CA servers were members of one Windows domain, which made it possible to access them all using one obtained user/password combination. The password was not very strong and could easily be brute-forced.
The software installed on the public web servers was outdated and not patched.
No antivirus protection was present on the investigated servers.
An intrusion prevention system is operational. It is not clear at the moment why it didn’t block some of the outside web server attacks. No secure central network logging is in place.