Slashdot Mirror


(Possible) Diginotar Hacker Comes Forward

arglebargle_xiv writes "At the risk of burning people out on the topic of PKI fail, someone claiming to be the Diginotar hacker has come forward to claim responsibility: It's the ComodoGate hacker. He also claims to 0wn four more 'high-profile' CAs, and still has the ability to issue new rogue certificates, presumably from other CAs that he 0wns." Whether this claim turns out to be truthful or not, what led to the breach in the first place? Reader Dr La points to an interim report commissioned by the Dutch government (PDF), according to which "a) No antivirus software was present on Diginotar's servers; b) 'the most critical servers' had malicious software infections; c) The software installed on the public web servers was outdated and not patched; and d) all servers were accessible by one user/password combination, which was 'not very strong and could easily be brute-forced.'"

9 of 215 comments

  1. Fear the mighty script kiddy by jellomizer · · Score: 3, Insightful

    We need to stop giving these "Hackers" such press. Oh, they broke into an insecure system. They must be real Computer Geniuses. There should be far more press about the state of the hacked sites' security, and less on the actual hackers. The hackers are just some dumb kids who did some quick searching around and got some silly tools. The real story is that such organizations have such poor security.

    --
    If something is so important that you feel the need to post it on the internet... It probably isn't that important.
  2. Honest question: by Haedrian · · Score: 5, Insightful

    How DOES one become a trusted CA? Shouldn't there at least be some sort of procedure to check that they can be trusted?

    1. Re:Honest question: by tetromino · · Score: 4, Informative

      Well, here are the requirements for a CA's certificate to be included in Mozilla products. In particular, they require an independent audit of the CA's policies and internal operations. Presumably other browser vendors follow similar procedures.

    2. Re:Honest question: by bill_mcgonigle · · Score: 3, Interesting

      And Mozilla gave these jokers a pass while raking CACert across the coals.

      That distinction is very instructive as to the real motivations of the PKI industry.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
  3. Re:Weakest link by drolli · · Score: 3, Insightful

    A good security system is not as weak as the weakest link.

  4. 'Claiming' to be the hacker? by plover · · Score: 5, Insightful

    Hell, if he really hacked it, he'd have signed the message with DigiNotar's key. He's the only person in this whole debacle I'd trust to actually have a clue as to how to really use their certificates.

    --
    John
  5. Re:Weakest link by arglebargle_xiv · · Score: 4, Funny

    And crap like this is why I don't understand why my browser has to go apeshit over self singed cirts.

    The browser is acting as a food critic. Everyone knows cirts should be cooked rare, not singed. That just spoils the flavour.

  6. From the report... by MtHuurne · · Score: 5, Informative

    First, here is the actual PDF instead of some web-based PDF viewer surrounded by dubious ads.

    The most damning statement from the report (in my opinion) didn't make the summary: "The separation of critical components was not functioning or was not in place. We have strong indications that the CA-servers, although physically very securely placed in a tempest proof environment, were accessible over the network from the management LAN."

    I have worked at a company that generated encryption keys, and they did so on a PC in a locked rack in a locked room with no network connection; such an approach would have prevented this attack.

    This fragment from the timeline is also interesting:

    19-Jun-2011 Incident detected by DigiNotar by daily audit procedure
    02-Jul-2011 First attempt creating a rogue certificate
    10-Jul-2011 The first succeeded rogue certificate (*.Google.com)

    So an incident was detected three weeks before the first rogue cert was issued.

  7. The difference between CACert and DigiNotar by frehe · · Score: 4, Interesting

    I love this comment from Mozilla's Nelson Bolyard in that thread:

    I have no opinion about the worthiness of the particular CA being proposed in this bug. I don't know who it is yet. But my question would be:

    Does webtrust "attest" to this CA?

    I think that should be one of the criteria. PKI is about TRUST. All root CAs that are trusted for (say) SSL service are trusted EQUALLY for that service. If we let a single CA into mozilla's list of trusted CAs, and they do something that betrays the public's trust, then there is a VERY REAL RISK that the public will lose ALL FAITH in the "security" (the lock icon) in mozilla and its derivatives.

    We don't want that to happen. If that happens, mozilla's PKI becomes nothing more than a joke. If you want to see mozilla's PKI continue to be taken seriously, you will oppose allowing unattested CAs into mozilla's list of trusted root CAs.
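Both tetromino's point about the inclusion audit and Bolyard's point that every trusted root is trusted equally rest on the same mechanical fact, shown here as an added example (not code from the thread or from any of the posters): a leaf certificate for any name validates as long as its issuing root is in the trust store, and stops validating the moment that root is removed, which is exactly what browser vendors did to DigiNotar. The CA and host names below are constructed placeholders, and the script assumes only the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added example: any trusted root can issue for any name; distrust is the fix.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_root NAME OUTPREFIX: constructed self-signed root CA (toy, 1-day validity)
make_root() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$2.key" -out "$2.pem" -subj "/CN=$1" >/dev/null 2>&1
}

# Two unrelated roots: one stands in for a compromised CA, one for an honest CA.
make_root "Example Compromised Root CA" "$WORK/bad_root"
make_root "Example Honest Root CA"      "$WORK/other_root"

# The compromised root issues a leaf for a hypothetical name it never vetted.
openssl req -newkey rsa:2048 -nodes -keyout "$WORK/leaf.key" \
  -out "$WORK/leaf.csr" -subj "/CN=rogue.example.test" >/dev/null 2>&1
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/bad_root.pem" \
  -CAkey "$WORK/bad_root.key" -CAcreateserial -days 1 \
  -out "$WORK/leaf.pem" >/dev/null 2>&1

# verify_leaf TRUSTSTORE: prints OK if the rogue leaf chains to the store, else FAIL
verify_leaf() {
  if openssl verify -CAfile "$1" "$WORK/leaf.pem" >/dev/null 2>&1; then
    echo OK
  else
    echo FAIL
  fi
}

# Trust store still containing the compromised root: the rogue cert is accepted.
trusted_result=$(verify_leaf "$WORK/bad_root.pem")
# Trust store with the compromised root removed (only the honest root): rejected.
distrusted_result=$(verify_leaf "$WORK/other_root.pem")

echo "root trusted:   $trusted_result"
echo "root distrusted: $distrusted_result"
```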