DigiNotar Goes Bankrupt After Hack

twoheadedboy writes "DigiNotar, the Dutch certificate authority which was recently at the centre of a significant hacking case, has been declared bankrupt. The CA discovered it was compromised on 19 July, leading to 531 rogue certificates being issued. It was only in August that the attacks became public knowledge. Now the company has gone bankrupt, parent firm VASCO said today. VASCO admitted the financial losses associated with the demise of DigiNotar would be 'significant.' It all goes to show how quickly a data breach can bring down a company." Adds reader Orome1: "This is unsurprising, since a report issued by security audit firm Fox-IT, who has been hired to investigate the now notorious DigiNotar breach, revealed that things were far worse than we were led to believe."

Misplaced paranoia.

[the_raptor]

My favourite part of the article:

We have strong indications that the CA-servers, although physically very securely placed in a tempest proof environment, were accessible over the network from the management LAN.

TEMPEST http://en.wikipedia.org/wiki/TEMPEST is a method where you intercept EM radiation from a computer and use that to reconstruct some information about what that computer is doing. For example the US government could supposedly read CRT monitors from a fair distance away.

However, worrying about TEMPEST protection when you not only have those system connected to systems that are connected directly to the net, but use a single management username and password combo for your entire network is just insane. Even if the system wasn't connected to the Internet the freaking janitor could have placed a key-logger and had access to the entire system.

It is far cheaper to bribe one employee then spend millions setting up a modern TEMPEST system. I guess even the Dutch practice security theatre.