DigiNotar Goes Bankrupt After Hack
twoheadedboy writes "DigiNotar, the Dutch certificate authority which was recently at the centre of a significant hacking case, has been declared bankrupt. The CA discovered it was compromised on 19 July, leading to 531 rogue certificates being issued. It was only in August that the attacks became public knowledge. Now the company has gone bankrupt, parent firm VASCO said today. VASCO admitted the financial losses associated with the demise of DigiNotar would be 'significant.' It all goes to show how quickly a data breach can bring down a company."
Adds reader Orome1: "This is unsurprising, since a report issued by security audit firm Fox-IT, who has been hired to investigate the now notorious DigiNotar breach, revealed that things were far worse than we were led to believe."
Businesses have a strong profit motive. The people who run businesses are greedy. They will sacrifice everything, including security related expenses in order to boost profits in some way.
I think this is simply obvious.
How do you go bankrupt before any charges have been laid, fines levied, etc.? Sounds like the parent company ditching them before they can be held liable.
So, if certs cannot be trusted, and this brings to the surface the whole concept of "trust", what are we to do? What should we use?
Not that it repairs the fuckup, or that anyone else will learn from it, but at least the incompetent got what was coming to them, just this once.
Their only asset, their presence in the browsers' trusted CA lists, has been eliminated. Without that asset, they don't have a product. A company without a product goes bankrupt eventually.
Mostly because they caught the intrusion (which was at a 3rd party rather than directly part of Comodo) and reported it immediately as well as putting in place measures to try and prevent it from happening again.
DigiNotar didn't notice that they'd been hacked for months and didn't tell anyone for months more and even then they didn't know how badly they'd been hacked or exactly which certs may have been issued to whom.
"It all goes to show how quickly a data breach can bring down a company."
Well, yes, particularly if what you are selling is security and trust. A CA has two jobs - generate a random private/public key pair, and make sure it is only used to sign legitimate certificates.
The first one anyone can do in two minutes, including the time to download GPG.
Most companies would be damaged by a data breach, but are unlikely to go under so quickly. It's that their only valuable asset - trust - was destroyed.
With the major browsers having kicked its CA cert out of the trusted list, the CA could, by definition and in practice, generate no profit...
What else do you expect, huh? Of course it could only get closed!
Lesson learned: if you are a CA, under no circumstances should you allow any breaches to become public.
My favourite part of the article:
We have strong indications that the CA-servers, although physically very securely placed in a tempest proof environment, were accessible over the network from the management LAN.
TEMPEST http://en.wikipedia.org/wiki/TEMPEST is a method where you intercept EM radiation from a computer and use that to reconstruct some information about what that computer is doing. For example the US government could supposedly read CRT monitors from a fair distance away.
However, worrying about TEMPEST protection when you not only have those systems connected to systems that are connected directly to the net, but use a single management username and password combo for your entire network is just insane. Even if the system wasn't connected to the Internet the freaking janitor could have placed a key-logger and had access to the entire system.
It is far cheaper to bribe one employee than to spend millions setting up a modern TEMPEST system. I guess even the Dutch practice security theatre.
========
CINC, 4th Penguin Legion
Amusing that they comment about weak passwords being used on a Windows domain...
Once you have the ability to crack the passwords, i.e. the hashes, it doesn't matter how strong or weak they are since you can simply use the hashes without cracking them.
The primary reason for kicking Diginotar out of the trusted CA lists was that Diginotar had tried to cover up the breach. This destroyed the trust in their ability to handle security issues reliably and in a trustworthy manner. If anything, the loss of Diginotar's standing and the inevitable bankruptcy that followed are a warning to other companies to be professional about security breaches. The hacking of Diginotar was detected without help from Diginotar, and the fallout from future CA hacks can and will be detected the same way. Any CA trying to cover up a breach will go down the same path as Diginotar.
This. The issue is not the breach at all; that kind of stuff happens.
What should never ever happen is a certification authority, who lives on trust, trying to cover the shit up.
That, and Comodo's core infrastructure (e.g. the stuff that actually does the signing) wasn't compromised.
The attacker used the compromised third party to issue certificates through the normal channels made available by Comodo to resellers, so it was possible to determine exactly what certificates were issued erroneously.
At least that was my understanding of what happened, based on information I read several months ago.
This is what happens when you pay IT like shit and/or hire under-skilled workers. This is very common, because there is no respect for IT. People ask what I do for a living, and they hear anything about a computer, and they think they are capable of doing the same. No other profession is downplayed as much as server administration.
Worse: according to the second linked article DigiNotar knew about the attacks already on 19 July. That's when they started revoking numerous certificates. Yet they did not notify the public. Also it seems they did not take extra countermeasures, and the measures in place were far from what's considered "good practice" for highly secure sites.
DigiNotar got what it deserved.
However, the real problem stays: There are hundreds of CAs out there, which are trusted by default by your browser. You probably never heard about most of them. They operate in different countries - you cannot sue them easily from your country. All of them can (technically) also issue certs for all Web sites (even for Web sites that have an existing cert from somebody else).
The whole CA system is broken. I would rather like to trust only CAs that have earned the trust. E.g. CAs that have been validated by my bank for online payments (but not for my email).
Because of the way the intrusion was handled, responsible people had to remove DigiNotar from their certificates entirely, rather than just a few suspect certificates. Therefore, they were bankrupt in effect long before they were bankrupt in fact.
It's important to note that DigiNotar did not "go" bankrupt in the way that most people seem to interpret this. They were not sued into oblivion or otherwise in financial trouble. The Dutch government mandated that DigiNotar stop issuing certificates and revoke all existing ones. This essentially means the Dutch corporate entity which is DigiNotar is not able to do business. Rather than cleaning up their act to have the government restriction lifted and trying to repair their damaged reputation DigiNotar decided to declare bankruptcy.
Having done business in NL for 30 years myself I bet that DigiNotar management has already incorporated a new company which will be selling the same/similar products to the very same Dutch government that kept DigiNotar alive.
Some say Convergence is the answer. I haven't been able to make it work, personally, so it's probably not ready for prime-time. Also, I don't like the name.
Belief is the currency of delusion.
Any CA trying to cover up a breach will go down the same path as Diginotar.
What makes you so certain that a CA who publicly acknowledged a breach would not also immediately die in a meltdown? There is no evidence that honesty in a similar situation would save a CA.
If Digital Signature Trust Co.* were to publicly announce "We discovered just this morning that we have been breached, and while we can't give complete details because of the ongoing investigation, we found the hackers forged Google certificates," the public reaction would be almost identical to that of DigiNotar. If I were a customer, the chances would be high that I'd be shopping elsewhere for new certs to replace the ones that I could no longer trust. If I weren't a customer, there are obviously more reputable places to buy a cert. The incident itself is enough to cause me to lose trust, and that's really the only thing they're able to sell. I predict they'd go bankrupt as well, it might just take a few months longer.
Perhaps hiding the breach for the extra months was a strategy to give the executive rats time to flee the sinking ship. If so, we can only hope their behavior catches up to their personal reputations.
* As far as I know Digital Signature Trust Co. is a healthy and secure firm, and is rightly trusted by companies and browsers worldwide. I am using their name only as an example because I like the way it sounds.
John
We have strong indications that the CA-servers, although physically very securely placed in a tempest proof environment, were accessible over the network from the management LAN.
It is at once hilarious and depressing that there are tech and security managers who take steps to shield equipment from electromagnetic detection and then leave that equipment open to remote access. Wrap your computer in tinfoil and then stick your password on the screen.
Then who can you trust?
on the internet? ... nobody.
Then it ain't time for a government bailout but for the government finally issuing some "hang-em-at-their-balls" laws for CEOs that try to hush up security breaches. The current ones are a weak joke, the fines aren't even remotely anywhere near the damage if it gets leaked somehow. And last time I checked, the fines should be a multiple of the damage of the leakage, or the formula "benefit vs. risk*fine" falls flat on its face and hushing up is the sensible thing to do.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Fundamental misunderstanding of the trust relation. If you're the customer who buys a certificate from a CA, then your trust isn't based on them not getting hacked. Instead it's based on their ability to provide a certificate that will not cause browsers to warn of an untrusted certificate. There's no reason for you to shop elsewhere, even if you don't trust them to be a good CA, unless you expect that their root certificate will become untrusted. Of course there's a relation, but it's not immediate. The users trust that the browser or OS makers choose only trustworthy CAs for inclusion in the trusted CA list. The browser and OS makers have now shown that they don't take security breach cover-ups lightly, by kicking out Diginotar's root certificate and even banning Diginotar certificates that have been signed by other root CAs. Cases in which a CA has been more cooperative have not resulted in quite as damning trust-withdrawal. If a CA can convince browser makers that it will better itself, then all is well from a business perspective. Being deceptive on the other hand...
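The trust relation described above, as an added example that is not code from the thread or from any CA named in it: a Go program that mints two unrelated roots, has each sign a server certificate for the same hostname, and checks those certificates the way a browser would, against its own root list. The CA names and the hostname are constructed for the example. Pulling one root from the list is all the browser vendors had to do: the certificate's signature stays valid, it simply no longer chains to anything the relying party accepts, while any other root still on the list can vouch for the same name.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

const hostname = "www.example.com" // constructed for this example, not from the thread
var serial int64                    // serial-number counter for the certificates minted below

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// sign fills in serial and validity, has parent (tmpl itself for a root) sign tmpl, and parses the result.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	serial++
	tmpl.SerialNumber = big.NewInt(serial)
	tmpl.NotBefore = time.Now().Add(-time.Hour)
	tmpl.NotAfter = time.Now().Add(24 * time.Hour)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// newRoot is the "generate a key pair" half of a CA's job: a self-signed CA certificate.
func newRoot(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		Subject:               pkix.Name{CommonName: name},
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	cert, err := sign(tmpl, tmpl, &key.PublicKey, key)
	return cert, key, err
}

// issueLeaf is the "sign only legitimate certificates" half. X.509 itself lets
// any root sign for any name; only the relying party's trust list limits that.
func issueLeaf(root *x509.Certificate, rootKey *ecdsa.PrivateKey, host string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		Subject:     pkix.Name{CommonName: host},
		DNSNames:    []string{host},
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return sign(tmpl, root, &key.PublicKey, rootKey)
}

// verifyAgainst plays the browser: accept leaf for host only if it chains to a root in pool.
func verifyAgainst(leaf *x509.Certificate, pool *x509.CertPool, host string) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err
}

// isUnknownAuthority reports whether err is the "issuer is not in my trust list" failure.
func isUnknownAuthority(err error) bool {
	var ua x509.UnknownAuthorityError
	return errors.As(err, &ua)
}

// Scenario mints two unrelated roots plus a leaf for the same host from each, then checks
// leaf A with A trusted, leaf A after A has been pulled, and leaf B with B trusted.
func Scenario() (trustedA, distrustedA, trustedB error) {
	rootA, keyA, err := newRoot("Example CA A")
	check(err)
	rootB, keyB, err := newRoot("Example CA B")
	check(err)
	leafA, err := issueLeaf(rootA, keyA, hostname)
	check(err)
	leafB, err := issueLeaf(rootB, keyB, hostname)
	check(err)
	both := x509.NewCertPool()
	both.AddCert(rootA)
	both.AddCert(rootB)
	onlyB := x509.NewCertPool() // the browser's list after A's root has been removed
	onlyB.AddCert(rootB)
	return verifyAgainst(leafA, both, hostname), verifyAgainst(leafA, onlyB, hostname), verifyAgainst(leafB, onlyB, hostname)
}

func main() {
	a, a2, b := Scenario()
	fmt.Println("A trusted:", a, "| A pulled:", a2, isUnknownAuthority(a2), "| B trusted:", b)
}
```

The first and third checks pass and the second fails with an unknown-authority error, even though leaf A's signature is as valid as it was before. That is the asymmetry the thread keeps circling: a CA's product is its line in everyone else's root list, and the list owners decide, per root, whether the line stays.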
It all goes to show how quickly a data breach can bring down a company.
Especially if you're a company whose sole raison d'etre is to promise everyone you won't have a data breach!
A taco stand probably needs to worry far less.
Not really. It does cost more than NO security but not much more. Example, how much does it cost you to have a decent password instead of Password1?
Yes and yes. But that isn't the core of the problem. Greedy people can have the best security. They don't want criminals to take their money.
In some cases you are probably correct. In other cases the company/person will increase the security to keep the assets out of the hands of the criminals.
In my experience, the problem with security is Pavlovian. ...
If you do something insecure, once, and nothing bad happens
Particularly if it was just a little bit easier to skip the security. Such as typing in a 5 character dictionary word rather than a 16 character password. It doesn't take much to be "easier".
And as long as nothing bad is happening, people will "learn" that they're "secure" and what they are doing is "right" and anyone who is advocating real security just doesn't understand the situation. That's Pavlovian. The reward is the slightly easier administration.
If management does not understand real security, there aren't many ways to get them to change. They already KNOW they're doing it "right".
Hence all the recent cracks.
I'm just amazed that you were able to get that concept through their heads. I've been in similar situations where "let us not make this too difficult" trumps real security every time.
How much does a decent password cost? Nothing.
How much does NOT using that same password everywhere cost? Nothing.
Yet we constantly see cracks where the crappy password was used on multiple, critical systems.
Having done business in NL for 30 years myself I bet that DigiNotar management has already incorporated a new company which will be selling the same/similar products to the very same Dutch government that kept DigiNotar alive.
As this cartoon has already pointed out ("Don't worry folks, we'll be back in three months under a new name").
would be 'significant.'
I think they are filing for bankruptcy while they still have money in their pockets to avoid lawsuits, as opposed to having gone bankrupt. I believe "gone bankrupt" means they are broke and giving up.
Having to work for a living is the root of all evil.
I have said so many times that we are not strict enough on punishment for the cyber crimes that affect companies; this should serve as a perfect example of why certain individuals that bring down a company through their hacking ventures should face proper penalties.
No, it would not. Look at the Comodo breach in March.
New things are always on the horizon
can fix. Also amazing how complex CA authority has become. The concept is fairly simple, but the niceties of the trust bits have become so arcane that Mozilla is having to fix erroneous understandings of the bits in their own code, without breaking legacy. Then the people working on security code have highly resistant personalities and so all kinds of nonsense gets frozen in for years. They sort of have to be that way, to keep their code gov't certified... what a mess. Crowd-sourced verification of self-signed certs is starting to sound better & better.
The practical results of the way the code works, at least at Mozilla, were mystified complaints about the fake revoked DigiNotar certs put in Mozilla to block real fake certs! That is not a model for the future. They are working on it, but it's glacial.
Monopoly €1000 certs, that's not a biz model you can fix. Someday I will understand Slashdot editing.
I still would not put Comodo at the front of a list of companies I'd trust to securely manage my certificates. There are other CAs out there that have not been hacked.
As a business, Comodo is different from DigiNotar because they sell other products in addition to serving as a CA. If I were a repeat security appliance customer, I would probably continue to buy upgrades from them, but only because it's easier and cheaper than replacing a ton of infrastructure equipment. As a new customer, I would be very hesitant to start with their product line, at least today. I might consider their IDP systems because they're proven to work to notify someone of a security event, or maybe their auditing systems because they were able to record some of the tracks of the hacker, but overall I would be looking at several companies. Maybe in three years I'll have forgotten it happened, but today I wouldn't.
Comodo is surviving the event much longer than DigiNotar, but I don't think that's because of their open notification policy. I think it's because of customer inertia. They may be able to use that to survive the damage to their reputation, but if they were purely a CA, as DigiNotar was, they'd probably be gone, too.
Which cost money to implement.
Which requires that either the person volunteer his personal phone for that or that the company issue him a company phone that supports that.
Again, which costs money.
It's not that the users aren't smart. It's that management and the people setting up the systems do not understand security.
On most modern systems, it costs nothing to go from crap security (allowing 5 character dictionary words as a password) to better security (16 character passwords with some complexity).
The problem is that it is always easier to go with the worse security. No matter how easy you make the better security.
And every day you don't get cracked (or know that you were) is reinforcement of the bad security practices.
which was carried out by the hacker-soldiers of the government of Iran for the purposes of identifying the 300,000 Iranians that radical fundamentalist theocracy wants to muzzle. In other words, state sponsored terrorism.
Running with Linux for over 20 years!
First off, I can easily remember my passwords. Even the ones that are more than 16 characters long.
Secondly, if you cannot, what's wrong with writing them down and keeping them in your wallet?
No. The point was that it will ALWAYS be easier for the user to ignore the security (if that is an option).
Even if "easier" is as minor as having a 16 character password instead of a 5 character dictionary word.
As others here have noted, once you introduce "easier" you end up with situations where the janitor has keys to the secure area because it is "easier" that way than to take the garbage out yourself.
Or, more currently, when the CA was cracked because there was one password (easily cracked) used on multiple servers.
Yes, having one easily cracked password on multiple servers is EASIER than having multiple, complex passwords.
But it is also insecure. As was demonstrated.
I would disagree. Comodo is safe as long as everyone and their dog resells their products. Even more so since these people don't disclose whose SSL they are reselling.
For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
Yeah, that was the most interesting thing I took from it too.
I wonder where their newfound interest in computer security came from...
Getting hacked wasn't their problem. Keeping quiet about it for more than a month until it was found out by someone else was the problem. If you can't trust the CA, then they are gone. The end. The whole point of these CAs is that they are TRUSTED to sign things properly. If the major browser vendors remove that trust, then there is no reason for their clients to buy or renew their certificates with them; they may as well sign their own for free.