Slashdot Mirror

← Back to Stories (view on slashdot.org)

(Possible) Diginotar Hacker Comes Forward

Posted by timothy on from the have-in-my-hand-a-list-of-names dept.

arglebargle_xiv writes "At the risk of burning people out on the topic of PKI fail, someone claiming to be the Diginotar hacker has come forward to claim responsibility: It's the ComodoGate hacker. He also claims to 0wn four more 'high-profile' CAs, and still has the ability to issue new rogue certificates, presumably from other CAs that he 0wns." Whether this claim turns out to be truthful or not, what led to the breach in the first place? Reader Dr La points to an interim report commissioned by the Dutch government (PDF), according to which "a) No antivirus software was present on Diginotar's servers; b) 'the most critical servers' had malicious software infections; c) The software installed on the public web servers was outdated and not patched; and d) all servers were accessible by one user/password combination, which was 'not very strong and could easily be brute-forced.'"

3 of 215 comments (clear)

  1. Honest question: by Haedrian · · Score: 5, Insightful

    How DOES one become a trusted CA? Shouldn't there at least be some sort of procedure to check that they can be trusted?

  2. 'Claiming' to be the hacker? by plover · · Score: 5, Insightful

    Hell, if he really hacked it, he'd have signed the message with DigiNotar's key. He's the only person in this whole debaucle I'd trust to actually have a clue as to how to really use their certificates.

    --
    John
  3. From the report... by MtHuurne · · Score: 5, Informative

    First, here is the actual PDF instead of some web-based PDF viewer surrounded by dubious ads.

    The most damning statement from the report (in my opinion) didn't make the summary: "The separation of critical components was not functioning or was not in place. We have strong indications that the CA-servers, although physically very securely placed in a tempest proof environment, were accessible over the network from the management LAN."

    I have worked at company that generated encryption keys and they did so on a PC in a locked rack in a locked room with no network connection; such an approach would have prevented this attack.

    This fragment from the timeline is also interesting:

    19-Jun-2011 Incident detected by DigiNotar by daily audit procedure
    02-Jul-2011 First attempt creating a rogue certificate
    10-Jul-2011 The first succeeded rogue certificate (*.Google.com)

    So an incident was detected three weeks before the first rogue cert was issued.