GlobalSign Web Server Hacked, But Not CA

← Back to Stories (view on slashdot.org)

GlobalSign Web Server Hacked, But Not CA

Posted by timothy on Saturday September 10, 2011 @09:43AM from the goes-the-story-thus-far dept.

Trailrunner7 writes "GlobalSign has found evidence that its main Web server was compromised recently, but has not discovered any indications that its certificate authority infrastructure was hacked, contrary to claims by the attacker responsible for the DigiNotar CA hack."

35 comments

Min score:

Reason:

Sort:

Correction: by Anonymous Coward · 2011-09-10 09:55 · Score: 1

by the _self claimed_ attacker _supposedly_ responsible for the DigiNotar CA hack**
1. Re:Correction: by Anonymous Coward · 2011-09-10 10:15 · Score: 0
  
  by the _self claimed_ attacker _supposedly_ responsible for the DigiNotar CA hack**
  who signed microsofts calc.exe with a google code signing certifcate issued by diginotar (revoked by now) http://pastebin.com/jhz20PqJ
2. Re:Correction: by Anonymous Coward · 2011-09-10 19:52 · Score: 0
  
  But he didn't sign anything with GlobalSign's certificate yet.
Hint: Not GlobalSign by sudonim2 · 2011-09-10 10:07 · Score: 2

Guess who I'm more inclined to believe: an anonymous supossed hacker or a certificate CA?
1. Re:Hint: Not GlobalSign by Baloroth · 2011-09-10 10:13 · Score: 1
  
  Well, since the hacker only seems to have claimed (according to TFA) that he got access to their webserver, how about both?
  
  --
  "None can love freedom heartily, but good men; the rest love not freedom, but license." --John Milton
2. Re:Hint: Not GlobalSign by Anonymous Coward · 2011-09-10 10:15 · Score: 0
  
  I supposed if the Comodohacker has the goods, he won't hesitate to expose GlobalSign if they are lying.
3. Re:Hint: Not GlobalSign by shutdown+-p+now · 2011-09-10 10:37 · Score: 1
  
  If his intent is to cause damage by spreading panic, then it's quite reasonable for him to wait for some time - let folk scramble to fix the problem with DigiNotar first, then he can drop the next bomb on them.
Hoooraaaaay! by roman_mir · 2011-09-10 10:14 · Score: 0

So nothing to see here, right? Move right alone. This is double plus excellent news, just wonderful. You all should have a glass of milk with cookies.
Why am I not believing a word anybody who is in any sort of power and wants to stay in power says anymore I wonder? They may even be telling the truth, it doesn't matter.

--
You can't handle the truth.
1. Re:Hoooraaaaay! by roman_mir · 2011-09-10 10:17 · Score: 0, Troll
  
  Move right along of-course, though it may be alone too. As always, the inner-grammar nazi strikes too late. And it's not a very strict nazi, he doesn't really bother with correct punctuation much. It's a half nazi half old jew from Odessa - aaaaah, what are you going to do?
  
  --
  You can't handle the truth.
2. Re:Hoooraaaaay! by cffrost · 2011-09-11 21:31 · Score: 1
  
  - aaaaah, what are you going to do?
  Burn more karma, apparently.
  
  --
  Thank you, Edward Snowden.
  
  "Arguments from authority are worthless." —Carl Sagan
3. Re:Hoooraaaaay! by roman_mir · 2011-09-11 22:16 · Score: 1
  
  Well, that's pretty stupid moderation.
  
  --
  You can't handle the truth.
Both have good reasons to lie by nzac · 2011-09-10 10:17 · Score: 3, Interesting

The hacker who wants some credibility.
The company who might get their certificates revoked.
Seriously how hard would you look for the security breach that would destroy the entire company (it appears to be their only product). You can go back later and say you found the breach.
There is far too much money at stake to trust the company.
I'm sorry for disrespecting the Bing! by Anonymous Coward · 2011-09-10 10:26 · Score: 0

Honest!
They found a compromise... by mysidia · 2011-09-10 10:34 · Score: 3, Informative

The CA/PKI might not have been invaded yet A compromise of a website can lead to an intruder gaining further access, however.
Suffice to say... access to a webserver is a foothold that an intruder can attempt to leverage to gain further access. Depending on how robust the further lines of defenses are, and if any security mistakes were made (such as webservers allowed through firewalls to some internal hosts or credentials the intruder can capture that can lead to access to systems closer to back office or CA functions).
Even a compromise that doesn't result in immediate PKI access may lead to that, through additional successive breaches, and successive social engineering... also known as "Advanced Persistent Threat" (to use the latest lingo for referring to the situation)
1. Re:They found a compromise... by Anonymous Coward · 2011-09-10 11:34 · Score: 1
  
  Ummm... Your assuming the website is connected, logically or physically, to their CA infrastructure. Fundamentally what you're saying is true, but so is "someone broke a car in their parking lot so they may be able to issue their own certs." You're making assumptions about their web infrastructure, what was broken into, and what "break into" means.
2. Re:They found a compromise... by Lennie · 2011-09-10 12:02 · Score: 1
  
  Just an example, it can be used to get the cookies/login-information from all the customers.
  
  --
  New things are always on the horizon
3. Re:They found a compromise... by devincook · 2011-09-10 12:11 · Score: 1
  
  Well, another thing they could potentially do is replace the public root certs hosted on the web site with their own... Then anyone who goes looking for that CA's root cert on the site will get the malicious one, opening them up to MITM attacks. Secure key distribution can be difficult.
4. Re:They found a compromise... by mysidia · 2011-09-10 12:59 · Score: 1
  
  It's reasonable to assume the website is logically connected. CAs generally execute their transactions through the website. Especially for domain validated certs, usually the process of issuing a certificate is entirely automatic -- the customer logs in through the website, requests a certificate either by filling out a form or sending in a CSR. If they fill in a form and the CA generates their private key, the person who compromised the website might be able to steal the customer's private key, when the customer downloads it using the website.
  Anyways, some kind of validation e-mail goes out to the domain's administrative contacts for a domain-validated cert. The last step is the customer clicks on a link in the e-mail, which contains a link to guess what? A page on the CA's website.
  So someone who gained illicit access to the website is potentially in a position to snoop on all that traffic, and possibly generate 'false' traffic of that nature some time in the future. Web designers who do some scripting often aren't well versed in software security design -- there's a good chance that scripts on the website have access to backend databases -- possibly sufficient access to create a false customer record or falsify a "domain verification".
  Ummm... Your assuming the website is connected, logically or physically, to their CA infrastructure. Fundamentally what you're saying is true, but so is "someone broke a car in their parking lot so they may be able to issue their own certs."
  If someone broke into a car in the parking lot, there might be a chance they could lie in wait for the PKI admin who owns the car to get in, so they can put a gun to their head, and force them to login using the perp's Wifi-enabled laptop, grab the private keys and divulge the passphrase to unlock them.
5. Re:They found a compromise... by Dewin · 2011-09-10 13:14 · Score: 2
  
  It's reasonable to assume the website is logically connected. CAs generally execute their transactions through the website. Especially for domain validated certs, usually the process of issuing a certificate is entirely automatic -- the customer logs in through the website, requests a certificate either by filling out a form or sending in a CSR. If they fill in a form and the CA generates their private key, the person who compromised the website might be able to steal the customer's private key, when the customer downloads it using the website.
  
  It's been awhile, but I do not believe there is any point in the CSR process where the CA ever gets a copy of your private key.
  
  --
  Of course nobody reads the FAQ! If people read the FAQ, the Questions wouldn't be so Frequently Asked.
6. Re:They found a compromise... by Anonymous Coward · 2011-09-10 13:41 · Score: 0
  
  Some CAs will offer to generate a key pair for you, so you don't have to create a CSR - they send you a private key and a certificate. It is not how x509 is supposed to work, but....
7. Re:They found a compromise... by _Shad0w_ · 2011-09-10 19:49 · Score: 1
  
  If I had to guess I'd say the front end probably places the incoming CSRs somewhere the actual CA infrastructure can get them - possibly a common database in a DMZ - but there'd never any direct communication between the two, they always go via the passive intermediary.
  
  --
  Yeah, I had a sig once; I got bored of it.
8. Re:They found a compromise... by Anonymous Coward · 2011-09-10 20:25 · Score: 0
  
  If they ask for it, it's either a fraud or they've been compromised more then George Michaels butt on a Saturday.
Realistically by Pop69 · 2011-09-10 10:56 · Score: 2

They should be assuming their CA is compromised and acting accordingly.

Any other way of looking at it is stupidity of the highest order
1. Re:Realistically by Anonymous Coward · 2011-09-10 12:40 · Score: 0
  
  Exactly.
  Say you run a server.
  Now you got some very suspicious stuff going on, including somebody openly claiming he hacked your server.
  So you check everything for a breach, but you find nothing.
  Would you still trust your server for even one second?
  I have been re-installing my whole system, making everything new, keys, passwords, configurations, auditing everyone again who gets access in any case, adding additional security checks, etc, just out of some suspicious activity in some logs.
  But of course their whole business depends on them appearing "trustworthy". So they think that when they say there was a breach, they would lose their reputation.
  What they don't realize: By saying "We found nothing." instead of "We can guarantee that there is nothing.", they already lost their trust.
  It's too late guys.
  On the other hand, I think that hacker better shows some proof of him accessing the system. Because one single statement having the power to wreck a whole company just is deeply wrong, man.
  I don't believe either "side". (Actually I don't "believe" at all. I observe, I create theories, and I test if they have useful predictions. Because if there is a "real reality", any scientist knows that we can never know it for sure.)
Not CA by andresambrois · 2011-09-10 10:58 · Score: 2

..., But Not CA
For some reason my mind actually read that as "..., But No Cigar". Good Job.
1. Re:Not CA by Taty'sEyes · 2011-09-10 12:49 · Score: 1
  
  ..., But Not CA
  For some reason my mind actually read that as "..., But No Cigar". Good Job.
  I read it as, "..., but not California". SMILE
  
  --
  We show geeks how to get their dream girl at EyesOfOdessa.com
What Style! What Panache! by Anonymous Coward · 2011-09-10 11:06 · Score: 1

Well then. He certainly sounds like an arrogant prick.
Or simple copy all newly issued certificates? by Anonymous Coward · 2011-09-10 14:15 · Score: 0

Do that for a year, and you have a copy of all certificates issued by globalsign, no need to hack anything. Unless of course certificate submission doesn't go through their www server.
1. Re:Or simple copy all newly issued certificates? by tepples · 2011-09-10 14:58 · Score: 1
  
  You can get a copy of the server's public key and the certificates that verify it by just connecting to the server's public IP address on port 443.
2. Re:Or simple copy all newly issued certificates? by blowdart · 2011-09-10 15:08 · Score: 1
  
  And that's meaningless. When you submit a certificate signing request to a CA you are sending the public key of the certificate you want validated. The CA performs their checks, then signs that public key and sends it back to you, where you pair it with your private key that has never left your possession and you have a full certificate.
  So copying the certificates wouldn't be a problem, heck that part of the certificate is viewable to any browser.
3. Re:Or simple copy all newly issued certificates? by TheRaven64 · 2011-09-10 22:19 · Score: 1
  
  Or you could just go to the web sites in question and they will just give you the public keys without needing any hacking!
  More importantly, if you have compromised the web server, then you can upload your own CSR for any of their customers' domains and get a signed certificate back...
  
  --
  I am TheRaven on Soylent News
[citation needed] Re:They found a compromise... by rtfa-troll · 2011-09-10 20:50 · Score: 1

Some CAs will offer to generate a key pair for you, so you don't have to create a CSR - they send you a private key and a certificate. It is not how x509 is supposed to work, but....
Interesting; but without a specific list of what you mean by "some CAs" not very useful. Does anyone have a list?

--
=~ s,(.*),<sarcasm>$1</sarcasm>,g if any_point_you_wish();
1. Re:[citation needed] Re:They found a compromise... by raynet · 2011-09-10 21:06 · Score: 1
  
  Startssl does this and I recall seeing that feature on couple other CAs too, makes things easier for the random customer as they can just purchase the certificate without hassle with their own IT department. Not that good idea for security though.
  
  --
  - Raynet --> .
Oh, they did their own audit by Legion303 · 2011-09-11 01:57 · Score: 1

I mean, it's not like they stand to lose their entire business if they were compromised or anything. I'm sure they can be trusted.