
DigiNotar Goes Bankrupt After Hack

twoheadedboy writes "DigiNotar, the Dutch certificate authority which was recently at the centre of a significant hacking case, has been declared bankrupt. The CA discovered it was compromised on 19 July, leading to 531 rogue certificates being issued. It was only in August that the attacks became public knowledge. Now the company has gone bankrupt, parent firm VASCO said today. VASCO admitted the financial losses associated with the demise of DigiNotar would be 'significant.' It all goes to show how quickly a data breach can bring down a company." Adds reader Orome1: "This is unsurprising, since a report issued by security audit firm Fox-IT, who has been hired to investigate the now notorious DigiNotar breach, revealed that things were far worse than we were led to believe."

  1. Security is expensive by erroneus · · Score: 3, Insightful

    Businesses have a strong profit motive. The people who run businesses are greedy. They will sacrifice everything, including security related expenses in order to boost profits in some way.

    I think this is simply obvious.

    1. Re:Security is expensive by ge7 · · Score: 1

      You can't secure everything. Not in the real world and not on the internet either. There's always a way to go around security, both in the real world and on the internet. Laws exist so that people don't do something just because they can.

    2. Re:Security is expensive by Cryacin · · Score: 2

      Yes, but you can perform due diligence. If you're a bank offering secure storage, one would expect a safe that not just anyone can access. This is like putting a giant 6ft steel door on your safe, but having the entry code as 1-2-3-4-5, and known by all staff members - including the janitor.

      --
      Science advances one funeral at a time- Max Planck
    3. Re:Security is expensive by neokushan · · Score: 2

      This may be true, but DigiNotar wasn't the victim of some elite cyberhacker genius; the attacks used against them were relatively simple and, most importantly, preventable. Frankly, considering how they handled the situation and how much other forms of security rely on these certificates not being compromised, they deserve to go out of business. Let this be a lesson to all of the CAs out there: your security is of paramount importance.

      --
      +1 IDisagreeSoHeMustBeATrollOrAnAstroturferOrAShill
    4. Re:Security is expensive by Bert64 · · Score: 1

      And with the numbers on the keypad 1-5 being shiny clean, while the remaining numbers are dirty due to never being used...

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    5. Re:Security is expensive by Amouth · · Score: 1

      including the janitor.

      but how else is he going to empty the trash?

      Sorry, I had this argument with my boss a few months ago, about locking up records and bookkeeping stuff. They wanted the GM and me to have the keys, and someone suggested giving one to the janitor so he could empty the trash. The fact that I had to explain how bad an idea that is just kills me.

      --
      '...if only "Jumping to a Conclusion" was an event in the Olympics.'
    6. Re:Security is expensive by betterunixthanunix · · Score: 1

      Then why bother with CAs? Why not just use the law to handle these sorts of things?

      --
      Palm trees and 8
    7. Re:Security is expensive by Stepnsteph · · Score: 1

      I agree with Neokushan. In reading about just how bad this attack hit DigiNotar, I'm of the opinion that they fully deserved to go bankrupt. They don't need to ever be in business again.

      It's a security company, and they were running no anti-virus solution, had a simple LAN with a single username & simple password, and they didn't keep their web servers up to date. Nobody in their right mind would do that to a company, but for a firm that worked in the security field? CA, no less. That's dangerously negligent.

      I'm going to guess that there are a lot of IT people here, and that their heads are close to exploding from the stupidity involved at DigiNotar.

      How this could happen I could only guess. No sys admin would ever let this fly. This almost had to be policy from the top, deliberately blocking any money being spent to secure their system.

      Somewhere a sys admin is on the floor laughing, both from having been driven insane at the company, and at the relief of their new found freedom.

    8. Re:Security is expensive by plover · · Score: 1

      Businesses have a strong profit motive. The people who run businesses are greedy.

      In the case of this security firm, (yes, they were a security firm because selling certificates is participating in the security business,) insecurity has proven to be the ultimate risk to not only profits, but to their investments as well.

      I only hope that the employees of other security firms will email copies of news articles like these to their management and investors. "If you don't take security seriously and fund it appropriately, you will go bankrupt."

      --
      John
    9. Re:Security is expensive by plover · · Score: 1

      Then why bother with CAs? Why not just use the law to handle these sorts of things?

      911 operator: How may I assist you?
      Me: I need to do some banking over the internet right away, and I don't trust the CAs to securely issue certificates.
      911: Sir, all banks use certificates. Just type https:/// and trust your bank.
      Me: Can't I just use http:/// and if a bad guy steals my account, you catch him, right?
      911: Sir, there aren't enough police to catch every on-line bank hacker if nobody bothered to protect their communications. I also have real emergencies to deal with now, so you'll have to hang up.

      --
      John
    10. Re:Security is expensive by erroneus · · Score: 1

      As with the case of the financial crisis, taking large risk is nothing that business is concerned about these days. Shareholders are only interested in short-term gains and micro-second investments and transactions. "Long term goals" has been removed from the dictionary. The SEC has long since had regulations in place to prevent excessive risk-taking... and once those regulations had been pulled back, increased risk taking occurred which led to the crash we all witnessed and have been feeling all this time.

      So while we, as "engineering types" seek to reduce and even remove risk, the "money types" see risk as "leverage" to increase their profits.

    11. Re:Security is expensive by Opportunist · · Score: 2

      You'd be surprised, you're not alone. Yes, even convenience trumps security in a company.

      I have seen the "janitor gets access" quite a few times. Even in high security areas. As soon as it would inconvenience a decision maker, security goes out the window.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    12. Re:Security is expensive by xelah · · Score: 1

      Just as important, security is invisible. People who run businesses don't understand things they can't see, and certainly don't understand spending money on it.

      Or, possibly, only understand spending money on it. We spent a lot of money on that TEMPEST protected room....doesn't that mean security is dealt with and we can stop worrying about it? It doesn't cost a lot of money to use a better password.

    13. Re:Security is expensive by VGPowerlord · · Score: 1

      That's amazing. I've got the same combination on my luggage!

      --
      GLaDOS for President 2016! "Well here we are again. It's always such a pleasure." -- GLaDOS, 2011
    14. Re:Security is expensive by Tanktalus · · Score: 1

      Do you leave your doors unlocked? Why not just leave your doors open and use the law to handle these sorts of things?

      Simple: you put up rudimentary security to dissuade opportunists (the vast majority of low-level criminals, in my estimation), and even the more seasoned criminals who look for value for difficulty. If you have more security than value, you'll be skipped. If you have more value than security, you'll be targeted. Eventually.

      By limiting police resources to only situations where value is more than security can reasonably provide for, we reduce overall effects of crime.

      That said, this is a "who watches the watchers" type of scenario. Who ensures the security firms are themselves secure? It looks like we're going through some sort of Darwinian clean-up of this space. Too bad there will be innocents involved - people fooled by the incorrect certificates.

    15. Re:Security is expensive by kdemetter · · Score: 1

      Space Balls :-)

    16. Re:Security is expensive by lgw · · Score: 1

      That's overly cynical. Most of the day-to-day activity in stock trading is very short term (which only stands to reason), but most stock ownership is long term, controlled in mutual funds and pension plans by managers who do care about risk. You can see the results of this in the market: day-by-day everything moves by fashion, but year-by-year companies with long-term plans tend to do markedly better - it's just nearly lost in the noise of the day-to-day price changes.

      --
      Socialism: a lie told by totalitarians and believed by fools.
  2. Bankrupt? by Anonymous Coward · · Score: 4, Informative

    How do you go bankrupt before any charges have been laid, fines levied, etc.? Sounds like the parent company ditching them before they can be held liable.

    1. Re:Bankrupt? by ultraexactzz · · Score: 2

      You sell one product, properly validated certificates, and now you can't sell that product. No income = bankruptcy.

      --
      Never underestimate the potential of Human stupidity. -Heinlein
    2. Re:Bankrupt? by mcvos · · Score: 3, Insightful

      Good point. On the one hand, they deserve to go bankrupt for failing at the one thing that justified their existence, but dumping the corpse before it can be properly examined smells iffy.

      Note that you don't have to be charged with anything to go bankrupt, though. When all your customers leave, you suddenly have no revenue, but you still have your costs. And since it's obvious to everybody that DigiNotar will go bankrupt anyway, nobody loans them money, they quickly lack the money to pay salaries and other costs, and suddenly they're bankrupt.

    3. Re:Bankrupt? by Kjella · · Score: 3, Interesting

      You have commitments like rent, wages and other expenses and suddenly no more projected income. Even if you're not cash flow insolvent yet, you can in most countries file for bankruptcy the moment it is clear that you will be unable to meet those commitments. In fact, in many countries you must do it so that all debtors get their fair share of the assets rather than the quickest getting paid and the last left with nothing. It's not that usual but if you suddenly lose your core business like this company did then that can be instant bankruptcy.

      --
      Live today, because you never know what tomorrow brings
    4. Re:Bankrupt? by fuzzyfuzzyfungus · · Score: 2

      What I find bewildering (if not exactly surprising) is that DigiNotar can seek bankruptcy protection without VASCO being involved.

      Diginotar can be expected to have basically zero income, and a bunch of expenses, in the near future; but (from VASCO's 2010 annual report)
      "In January 2011, we acquired all of the intellectual property of DigiNotar Holding B.V. and its subsidiaries and acquired 100% of the stock of DigiNotar B.V. and DigiNotar Notariaat B.V. (collectively, “DigiNotar”), each a private company organized and existing in The Netherlands (collectively, “DigiNotar Acquisition”). The acquisition expands the technological breadth of our product line by expanding our abilities to offer PKI technology throughout the product line. We expect the acquisition will enhance our market position in three areas; (1) as a trusted Internet service provider of PKI certificates, which we expect will improve our ability to penetrate government markets (2) as a licensor of PKI-based products to customers for use in their applications, which we believe will enhance our ability to compete in our traditional business and (3) as a provider of our own PKI-secured applications, such as document signing, registration and storage solutions, which we expect will expand opportunities for us on our services platform."

      VASCO aren't just poor li'l small-cap investors here; they own DigiNotar lock, stock, and barrel. While I don't doubt that DigiNotar declaring bankruptcy and sucking in little or none of VASCO's assets is somehow legal, it seems kind of insane that you can own 100% of a company and its technology, have plans to merge some of its tech with your existing offerings, and still be separate enough that you can just cut them loose and let them sink, so long as VASCO appears to have a variety of assets and ongoing income sources, which they do.

      I can understand at least the logic (if not necessarily the wisdom) of limited-liability corporations as a vehicle for tiny stockholders to not take on outsized risks through holding minuscule slices of a large venture over which they have little or no control; but a 100% owned operational subsidiary over which you exercise organizational control, and whose technology you are (no longer) actively on track to integrate into your products? Any notion of financial separation seems like the thinnest of legal fictions.

    5. Re:Bankrupt? by mcvos · · Score: 1

      That's what limited liability means, I'm afraid. Though with the recent mess in mismanaged corporations, I'd say it sounds reasonable if the limitations to liability were to be reduced somewhat. In other words, people and corporations should be held accountable, and indeed pay, if they cause big problems like these.

    6. Re:Bankrupt? by nedlohs · · Score: 2

      I can understand at least the logic(if not necessarily the wisdom) of limited-liability-corporations as a vehicle for tiny stockholders to not take on outsized risks through holding miniscule slices of a large venture over which they have little or no control

      That isn't the reason behind limited-liability corporations. They are vehicles to provide limited liability without regard to who the shareholders are. Without checking or doing any research, I'm going out on a limb and claiming that there are more LLCs that are 100% owned by 5 or fewer people than there are owned by more than 5. (Almost every IT person doing consulting jobs incorporates, as do most plumbers, electricians, etc. who work for themselves, and so on.)

      There are costs with those benefits - the entity will have a harder time getting credit and so on than the owner would (in the case in which it's one huge company owning 100% of a small one).

      a 100% owned operational subsidiary over which you exercise organizational control, and whose technology you are (no longer) actively on track to integrate into your products? Any notion of financial separation seems like the thinnest of legal fictions.

      There are ways to pierce the veil, but usually the i's have been dotted and the t's crossed.

    7. Re:Bankrupt? by xelah · · Score: 1

      A company doesn't have to have no money today to be insolvent. I don't know Holland, but here in the UK your company will be insolvent if it knows it can't pay its bills as they come due, even if they're not due today. Any company will have long term contracts - to pay salaries/redundancy, to pay suppliers, etc. IANAL, but IIRC once insolvent, you have a duty to act in the best interest of your creditors (and not your shareholders) and not to treat any preferentially (pay your friend but not your employees, say). If continuing to trade means that the pot to pay claims from creditors is certain to only get smaller then doing so isn't in your creditors interest. You're also likely to find you'd have to preferentially pay some creditors, too, because some will be in more powerful positions than others.

      The definitions, terms and rules will be different in different places, of course, but I doubt there are many well developed legal systems that will let you carry on pointlessly throwing away what cash you have left until you reach zero once bankruptcy is unavoidable.

    8. Re:Bankrupt? by rjmx · · Score: 1

      Something I've never understood: exactly what benefit does the community gain from allowing limited-liability companies? If someone is free to establish a limited-liability corporation, and it goes broke owing lots of money to others, why should they be allowed to keep their own assets and, if they want, go on to start another such company?

      I'm sure there must be a reason we allow this, but for the life of me I can't think of one.

    9. Re:Bankrupt? by fuzzyfuzzyfungus · · Score: 1

      I realize that that is how limited liability companies are in fact used(Ambrose Bierce: "Corporation, n. An ingenious device for obtaining individual profit without individual responsibility."), my puzzlement is just with the fact that such usage persists in law...

      There is a certain logic to limited liability ventures in situations where you need large numbers of (relatively) small investors with limited control over the venture in order to accomplish some end(and, back when establishing an LLC required an act of Parliament in the UK, and action of analogous gravity in the US, that was basically the situation in which such was done); but I don't understand the logic behind letting sole or very significant owners extract profits while being insulated from losses...

      I understand that that is in fact the case(so much so that people seem to have gotten complacent and are now whining that their legally-separate-entities get taxed as legally separate entities, rather than being identical with their owners when the tax man comes; but separate when bankruptcy strikes...), I just can't fathom the level of illogic, or sheer corruption, that would allow such a strange construct to continue...

    10. Re:Bankrupt? by nedlohs · · Score: 1

      Such a usage persists because without it the risk of running a business would be far too large for most people. But yes, the businesses that do run would go bankrupt less often; the price you pay for that is reducing GDP to 1/10th (completely made up) of what it is now. Most people won't take that trade.

      And incorporating doesn't insulate you from losses it limits losses to what you have invested. If some third party is willing to loan a company too much money that's their problem - they knew the deal when they made the loan. (If the government then bails them out then that's what the people get for electing such governments.)

    11. Re:Bankrupt? by DZign · · Score: 2

      In most countries (afaik but I'm not an accountant/lawyer with international experience) there are restrictions..

      Especially the first months/year a company starts, the people who run it can be held personal liable.
      So don't think of starting a company, getting loans from a bank, increasing debt by not paying your suppliers, and just declaring yourself bankrupt after a few months and getting away with it. If your business plan wasn't well defined and you didn't raise enough initial (own) capital to survive 1 or 2 years, you can be held liable (and prevented from starting a new company for the next few years).

      Same for the last 6 months or so before a company goes bust: all transactions can be examined and reversed, so e.g. the owner can't sell assets to himself/friends for a price that is too low.
      Had this once at a startup company that was in trouble, an employee that left wanted to buy a laptop from the company that he had used, but the director would not do this as he was afraid to be liable if the curator later decided the laptop had been sold too cheap.

      And why limited-liability companies are allowed: to allow for big companies to form. In a Ltd, investors can only lose the amount of money they have invested and not more.
      If you didn't have this protection, no one would invest in a company anymore, as the risk would be too big if they were also held personally liable for part of the debts.

    12. Re:Bankrupt? by rjmx · · Score: 1

      Thank you. I figured there had to be a reason.

      Interestingly, the "fortune" at the bottom of this page has:

      > If you are smart enough to know that you're not smart enough to be an Engineer, then you're in Business.

    13. Re:Bankrupt? by whoever57 · · Score: 1

      exactly what benefit does the community gain from allowing limited-liability companies?

      Imagine that you are a small-time investor. You see that a company called Enron seems to be doing well, but as a small investor, you have no idea that there is anything fishy going on. So you buy a few shares of Enron. Suddenly Enron implodes, and you lose your investment. Now, the people that were owed money by Enron (employees, for example) sue you because there is no limited liability. Not only did you lose your investment, but you could lose your house because you invested a small amount in Enron.

      In this scenario, how much money would go into the stock market? How much money would be available for companies to raise for capital projects?

      --
      The real "Libtards" are the Libertarians!
    14. Re:Bankrupt? by tqk · · Score: 1

      "... The acquisition expands the technological breadth of our product line by expanding our abilities to offer PKI technology throughout the product line."

      It'll be very interesting watching VASCO in the future, given this fiasco. Are heads at VASCO going to roll considering their abysmal research prior to acquiring DigiNotar? Did they even have any technical people ride along with DigiNotar's operations staff prior to signing on the dotted line? Will the board of directors keep their seats (and if so, why)?

      Ya gotta love it when doofuses are shown to be such, live and in Technicolor, splashing their incompetence onto the headlines world-wide. Evolution in action! If I was a VASCO stockholder, I'd be livid right now.

      Popcorn time. I also wonder when the Anonymous's and LulzSec's of the world are going to tire of small fry like this and begin to train their sights on "Cloud Providers" like Amazon. If they manage to break into one of those outfits, holy !@#$, it's going to make a lot of noise.

      --
      "Tongue tied and twisted, just an Earth bound misfit ..." -- Pink Floyd.
    15. Re:Bankrupt? by AtomicJake · · Score: 1

      1. Cheap security, sell certs
      2. Get hacked, face huge liability claims
      3. Transfer all money to parent company
      4. Close shop
      5. Profit $$$

      Conclusion: If an CA can declare "bankruptcy" so simple, without having enough money to face liability, the certs of such a CA are worth nothing. We shouldn't trust those CAs in the beginning. What about a mandatory liability insurance for CAs? The insurance will check that you operate securely, I bet ...

  3. Alternatives? by strayant · · Score: 1

    So, if certs cannot be trusted, and this brings to the surface the whole concept of "trust", what are we to do? What should we use?

    1. Re:Alternatives? by maxume · · Score: 1

      What are you using certificates to secure?

      If you are just shopping, why worry about it?

      If you are securing communications that are important to a business or something, you can build your own certificate chain (meaning you can set it up so that hackers would need to break into a safe or whatever, not some internet connected computer), and so on.

      --
      Nerd rage is the funniest rage.
    2. Re:Alternatives? by betterunixthanunix · · Score: 2

      Well, there are these other options:
      • Manual verification -- perhaps banks and retail outlets could hand out fliers with QR Code or Data Matrix encoded copies of their public key fingerprints. This does not solve the problem for small businesses that need to deal with people online (potentially people who cannot receive fliers or business cards), but for local businesses or large corporations it is potentially workable. Key replacement is the biggest problem here (anyone who has tried to manage sshd should be familiar with this issue).
      • Web of trust -- this requires some minimum number of people who care enough to participate, and probably works better for personal certificates than for businesses.
      • Newer ideas like Convergence, which is something like a cross between the CA model and the web-of-trust model in that you configure multiple notaries and require a certain number of them to sign a key before it is trusted.

      So there you have it, other ideas. The real question is, which of these is most likely to succeed when billions of technically illiterate people try to use it?

      --
      Palm trees and 8
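The two mechanisms from the comment above that a client can actually implement, manual fingerprint verification and a Convergence-style notary quorum, as an added example (not code from the original thread or from the Convergence project). It assumes certificates are handled as raw DER bytes and models notaries as a dict of what each one reported; the certificate bytes and notary names are constructed placeholders. The interesting case it handles is the one the quorum exists for: the notaries agree with each other but not with the client, which is what an on-path interception with a rogue certificate looks like.

```python
import hashlib

# Constructed sample: stands in for the DER bytes of the certificate the
# client actually received from the server. Not a real certificate.
OBSERVED_CERT_DER = b"constructed-DER-placeholder: CN=www.example-bank.test, key=K-2011"


def cert_fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate as colon-separated
    upper-case hex, the form usually printed on a flyer or put in a QR code."""
    hexdigest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def _normalize(fp: str) -> str:
    # Humans transcribe fingerprints with or without separators and in any
    # case; compare on the bare hex digits only.
    return fp.replace(":", "").replace(" ", "").strip().upper()


def manual_verify(observed_der: bytes, printed_fp: str) -> bool:
    """Out-of-band check: the fingerprint printed on the bank's flyer must
    match the certificate the client actually received."""
    return _normalize(cert_fingerprint(observed_der)) == _normalize(printed_fp)


def notary_verdict(observed_fp: str, notary_reports: dict, quorum: int) -> dict:
    """Convergence-style multi-path check.

    notary_reports maps a notary name to the fingerprint that notary saw for
    the host from its own vantage point (None = notary unreachable). The
    certificate is accepted only if at least `quorum` reachable notaries saw
    the same fingerprint the client did.
    """
    observed = _normalize(observed_fp)
    reachable = {n: _normalize(fp) for n, fp in notary_reports.items() if fp}
    agree = [n for n, fp in reachable.items() if fp == observed]
    disagree = {n: fp for n, fp in reachable.items() if fp != observed}
    # A quorum of notaries unanimously reporting a fingerprint that differs
    # from the client's view is more than a failed vote: the server looks the
    # same from everywhere except the client's path. Flag it separately.
    interception = (not agree
                    and len(disagree) >= quorum
                    and len(set(disagree.values())) == 1)
    return {
        "accepted": len(agree) >= quorum,
        "agreeing": sorted(agree),
        "disagreeing": disagree,
        "unreachable": sorted(n for n, fp in notary_reports.items() if not fp),
        "likely_interception": interception,
    }


if __name__ == "__main__":
    fp = cert_fingerprint(OBSERVED_CERT_DER)
    print("flyer check:", manual_verify(OBSERVED_CERT_DER, fp.lower()))
    print(notary_verdict(fp, {"notary-a": fp, "notary-b": fp, "notary-c": None}, quorum=2))
    rogue_fp = cert_fingerprint(b"constructed-DER-placeholder: rogue cert")
    print(notary_verdict(rogue_fp, {"notary-a": fp, "notary-b": fp, "notary-c": fp}, quorum=2))
```

The key-replacement problem the comment mentions is visible here too: a legitimate rotation on the server side produces the same "notaries disagree with each other" pattern until every notary has re-observed the host, so a real client needs a grace policy for that case rather than treating every disagreement as an attack.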
    3. Re:Alternatives? by plover · · Score: 1

      You can't use the same path to verify someone's identity as you used to find out about the identity in the first place.
      Say for example that you encounter a man that claims to be a police officer. To verify this you could ask for some kind of paper verifying the man's identity, but if he is a criminal that poses as an officer it is very likely that the paper verifying his identity is also falsified.
      A much better method would be to call the police station and ask them to verify that the police officer in question actually exists and is at your location.

      If you want to verify that a website actually is what it claims to be you might need to call the ISP the website uses and ask them.

      Using Skype, of course.

      --
      John
    4. Re:Alternatives? by Opportunist · · Score: 1

      As long as your business partner is also a company, this might fly. If you're selling to a lot of computer illiterates (like, say, banks trying to convince their customers to use the internet for banking so they can fire a few more clerks), trying to explain to them what constitutes a trustworthy certificate will probably mean higher expenses than keeping the clerks.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    5. Re:Alternatives? by Opportunist · · Score: 1

      No, the cell I use to access their website. Duh!

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  4. Good. by Anonymous Coward · · Score: 1

    Not that it repairs the fuckup, or that anyone else will learn from it, but at least the incompetent got what was coming to them, just this once.

    1. Re:Good. by fuzzyfuzzyfungus · · Score: 1

      Do we have any reason to believe that 'the incompetent' hadn't either already jumped ship, or structured things so that the possible collapse of the scheme would leave them to float gently down on their golden parachutes and on to the next victim?

      Low-level incompetents(along with their competent; but low-level peers) tend to go down with the ship; but people with enough power to cause really systemic fuckups are often first to the lifeboats...

      In Diginotar's case, the sheer scale of the fuckuppery suggests that it was not a case of "the newb kid on the network team forgot to disable telnet and the receptionist got social engineered..."; but of a company that, as an institution, either couldn't, or couldn't be bothered to, do anything properly.

    2. Re:Good. by fuzzyfuzzyfungus · · Score: 1

      Hard to say whether VASCO were just fuckups in that deal, or whether the plan(that just wasn't executed in time) was to buy DigiNotar to gain their Dutch government contracts and position in lots of trusted CA lists, and then just migrate the whole damn shop to a new platform... The only really valuable bits of a generic CA are their position in the trust lists, any captive legacy customers, and the necessary private keys. A totally dysfunctional, but already operating, CA might actually be the cheapest way to get your hands on those, at which point you can just move the keys to your(hopefully not broken) system and carry on. That would be the sympathetic interpretation...

    3. Re:Good. by Opportunist · · Score: 1

      There's a reason for this: These companies are shells. There's no need to make them secure, they're in the name of Canary M. Burns and if the shit hits the fan, the Canary gets to croak while the next shell is created.

      Give it a week or two and we'll see a new company take over, that miraculously is somehow connected to the parent of DigiNotar.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    4. Re:Good. by jnpcl · · Score: 1

      I mean, sheesh, this would be like a bank security company having its own payroll stolen.

      ... but still not as bad as getting attacked by Reavers.

  5. Re:Comodo by Spad · · Score: 4, Informative

    Mostly because they caught the intrusion (which was at a 3rd party rather than directly part of Comodo) and reported it immediately as well as putting in place measures to try and prevent it from happening again.

    DigiNotar didn't notice that they'd been hacked for months and didn't tell anyone for months more and even then they didn't know how badly they'd been hacked or exactly which certs may have been issued to whom.
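
The point above is that a CA that does not reconcile what is being validated in the wild against what its own records say it issued cannot know which certificates were issued to whom. Below is an added example of that reconciliation, not code from the thread or from any CA; it assumes the CA keeps an issuance database keyed by serial number and an OCSP responder access log in the line format shown (both constructed here, with placeholder serials and addresses). A serial being queried by many clients that the CA has no record of signing is the rogue-issuance signal.

```python
import re
from collections import defaultdict

# Constructed: what the CA's own issuance records say was ever signed
# (serial -> subject).
ISSUANCE_RECORDS = {
    "1A2B3C": "CN=www.example-bank.test",
    "1a2b3d": "CN=mail.example-corp.test",   # mixed case on purpose
}

# Constructed OCSP responder access log. Line format assumed for the example:
#   <ISO timestamp> <client ip> serial=<hex serial>
OCSP_LOG = """\
2011-08-28T09:01:02Z 198.51.100.7 serial=1A2B3C
2011-08-28T09:01:05Z 198.51.100.8 serial=1A2B3D
2011-08-28T09:02:11Z 203.0.113.21 serial=7F7F7F
2011-08-28T09:02:13Z 203.0.113.22 serial=7F7F7F
2011-08-28T09:02:40Z 203.0.113.23 serial=7f7f7f
2011-08-28T09:03:00Z garbage line that must not crash the parser
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+serial=([0-9A-Fa-f]+)\s*$")


def parse_ocsp_log(text):
    """Yield (timestamp, client_ip, serial) tuples. Serials are normalised to
    upper-case hex; malformed lines are skipped rather than raising, so one
    bad line cannot stop the audit."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, ip, serial = m.groups()
            yield ts, ip, serial.upper()


def unknown_serials(entries, records):
    """Serials queried via OCSP that the CA has no record of issuing.

    Returns serial -> {"queries": count, "clients": sorted unique client IPs,
    "first_seen": earliest timestamp}. Distinct clients matter more than raw
    query count: one client retrying is noise, many clients validating the
    same unknown serial means the certificate is in active use.
    """
    known = {s.upper() for s in records}
    seen = defaultdict(lambda: {"queries": 0, "clients": set(), "first_seen": None})
    for ts, ip, serial in entries:
        if serial in known:
            continue
        rec = seen[serial]
        rec["queries"] += 1
        rec["clients"].add(ip)
        if rec["first_seen"] is None or ts < rec["first_seen"]:
            rec["first_seen"] = ts
    return {
        s: {"queries": r["queries"], "clients": sorted(r["clients"]),
            "first_seen": r["first_seen"]}
        for s, r in seen.items()
    }


def audit(log_text=OCSP_LOG, records=ISSUANCE_RECORDS):
    """Run the reconciliation over a log text and the issuance records."""
    return unknown_serials(parse_ocsp_log(log_text), records)


if __name__ == "__main__":
    for serial, info in audit().items():
        print(f"UNKNOWN serial {serial}: {info['queries']} queries from "
              f"{len(info['clients'])} clients, first seen {info['first_seen']}")
```

This only works if the issuance database is itself trustworthy; an attacker with write access to the CA can delete or never create the record, which is why the check compares against the responder log (which the clients, not the CA, drive) rather than against the CA's own signing log alone.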

  6. What else do you expect? by sam0737 · · Score: 1

    With the major browsers having kicked its CA cert out of their trusted lists, the CA by definition, and in practice, could generate no profit...

    What else do you expect, huh? Of course it could only get closed!

    1. Re:What else do you expect? by maweki · · Score: 1

      Yeah, nobody should be surprised by this. They sell trust and if they no longer have any trust to sell, they go bankrupt. It's not like you could import trust for a dime a dozen from China.

    2. Re:What else do you expect? by KiloByte · · Score: 1

      It's not like you could import trust for a dime a dozen from China.

      If you pull the right strings, CNNIC will gladly cross-sign your root key. It will cost you more than 10/12 cents, though.

      --
      The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
    3. Re:What else do you expect? by Amouth · · Score: 1

      Also, with their CA pulled, anyone with a (legit) cert from them could go after them to foot the bill for a cert from a competitor. I bet that's the main reason for filing bankruptcy, so they don't have to pay customers back.

      I do love how the "parent" company says losses will be high. They are going to write off/avoid the brunt of the "losses" when they file bankruptcy for the sub company.

      --
      '...if only "Jumping to a Conclusion" was an event in the Olympics.'
    4. Re:What else do you expect? by wvmarle · · Score: 1

      Close down, yes. Bankrupt, not so fast. If they can't survive even weeks without income and have no choice but to go bust leaving behind large debt (as is suggested in the article), their business was not financially sound at all. Which in turn may explain why they did not take the safety measures they should have taken.

    5. Re:What else do you expect? by Lennie · · Score: 1

      Only if they create a new root, most browsers completely blocked the CA even as a sub-CA.

      --
      New things are always on the horizon
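The two comments above (a distrusted CA getting a trusted root to cross-sign its key, and browsers blocking the CA even as a sub-CA) come down to where in the chain the distrust check runs and what it keys on. The example below is added here and is not browser code or code from the thread; it models certificates as small dicts with a subject, an issuer and a hash of the public key (all constructed placeholders), and checks every element of the chain against a block list keyed both by key hash (so a cross-signed copy of the same key fails) and by issuer name (so a new key under the old name fails too). Real code would extract the SubjectPublicKeyInfo from the DER certificate before hashing.

```python
import hashlib


def spki_hash(public_key_bytes: bytes) -> str:
    """Hex SHA-256 of a (constructed) SubjectPublicKeyInfo. Keying distrust on
    the key rather than on a particular root certificate is what makes it
    survive cross-signing and re-issuance."""
    return hashlib.sha256(public_key_bytes).hexdigest()


# Constructed keys and names. None of these are real certificates or hashes.
KEY_OLD_CA = b"constructed-SPKI: the compromised CA's old key"
KEY_OTHER_ROOT = b"constructed-SPKI: an unrelated, still-trusted root"
KEY_NEW_CA = b"constructed-SPKI: a brand-new key"
KEY_LEAF = b"constructed-SPKI: leaf key"


def cert(subject, issuer, key):
    return {"subject": subject, "issuer": issuer, "spki": spki_hash(key)}


TRUST_ANCHORS = {spki_hash(KEY_OTHER_ROOT)}
# Distrust entries: by key hash and by name.
BLOCKED_SPKI = {spki_hash(KEY_OLD_CA)}
BLOCKED_SUBJECTS = {"CN=Compromised CA"}


def validate_chain(chain, trust_anchors=TRUST_ANCHORS,
                   blocked_spki=BLOCKED_SPKI, blocked_subjects=BLOCKED_SUBJECTS):
    """chain[0] is the leaf, chain[-1] the root. Returns (ok, reason).

    The distrust check runs on every element, not only on the root, so a
    blocked key or name is rejected whether it appears as a root, as an
    intermediate, or as a cross-signed sub-CA under an otherwise trusted root.
    """
    if not chain:
        return False, "empty chain"
    for i, c in enumerate(chain):
        if c["spki"] in blocked_spki:
            return False, f"blocked key at position {i} ({c['subject']})"
        if c["subject"] in blocked_subjects:
            return False, f"blocked name at position {i} ({c['subject']})"
        if i + 1 < len(chain) and c["issuer"] != chain[i + 1]["subject"]:
            return False, f"issuer mismatch at position {i}"
    root = chain[-1]
    if root["subject"] != root["issuer"] or root["spki"] not in trust_anchors:
        return False, "chain does not end in a trust anchor"
    return True, "ok"


def demo():
    """Three chains under the same trusted root; only the last one passes."""
    other_root = cert("CN=Other Root", "CN=Other Root", KEY_OTHER_ROOT)
    leaf = cert("CN=www.example.test", "CN=Compromised CA", KEY_LEAF)
    # 1. The old CA key cross-signed by the trusted root: rejected by key hash.
    cross_signed = cert("CN=Compromised CA", "CN=Other Root", KEY_OLD_CA)
    r1 = validate_chain([leaf, cross_signed, other_root])
    # 2. A fresh key but the same CA name: still rejected, by name.
    same_name = cert("CN=Compromised CA", "CN=Other Root", KEY_NEW_CA)
    r2 = validate_chain([leaf, same_name, other_root])
    # 3. A genuinely new CA (new name and new key) under the trusted root passes.
    fresh = cert("CN=Fresh CA", "CN=Other Root", KEY_NEW_CA)
    leaf2 = cert("CN=www.example.test", "CN=Fresh CA", KEY_LEAF)
    r3 = validate_chain([leaf2, fresh, other_root])
    return r1, r2, r3


if __name__ == "__main__":
    for r in demo():
        print(r)
```

Case 3 is the "only if they create a new root" outcome from the comment: a distrust entry keyed on key hash and name cannot stop an organisation that starts over with both a new key and a new name, so that decision has to be made in the trust store (or by whoever cross-signs them), not in chain validation.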
    6. Re:What else do you expect? by xelah · · Score: 1

      Continuing without income means burning through cash which could otherwise be distributed to creditors. Unless that's somehow going to make things better for creditors that's unlikely to be allowed. If they either had some reasonable prospect of recovering their business, or had enough cash to pay all of their redundancy payments, all of the future payments on their long term contracts, etc. then they could have chosen to continue. If not, then it's quite possible (I don't know the local law) that they're required to appoint a liquidator who will share out what's left according to legal rules.

      (Those legal rules seem to have a nasty habit of resulting in most of the money being shared out to.....the liquidator! But that's what you get when the system puts the liquidator in control of the company they're billing.)

    7. Re:What else do you expect? by wvmarle · · Score: 1

      Of course, but liquidating doesn't necessarily mean that the business is bankrupt. Businesses close for all kinds of reasons other than bankruptcy (owner retires; landlord raises the rent too much; business simply unprofitable but also not loss-making). And in those cases, too, a liquidator is appointed to take care of it.

  7. teach 'em a lesson by burris · · Score: 2, Informative

    Lesson learned: if you are a CA, under no circumstances should you allow any breaches to become public.

    1. Re:teach 'em a lesson by Anonymous Coward · · Score: 1

      Exactly. Comodo stepped up, announced the problems they had, and kept folks informed of the changes they made as a result of their breach. They are still in business, and may actually be seen as more trustworthy as a result.

    2. Re:teach 'em a lesson by Like2Byte · · Score: 1

      I think you missed the parent's point (or joke) and I think he was being ironic. I believe he meant that all CA's will learn from this is that the company should never, ever reveal that they've had a data breach.

      Of course he's joking. Any company that tried to keep secret that their certs server was hacked in any way, shape or form would be subject to extortion and other legal liabilities.

    3. Re:teach 'em a lesson by burris · · Score: 1

      Yes I agree with you all, covering it up made things worse for DigiNotar, but that doesn't mean the execs in charge of some of the CA's won't take away the lesson of keeping mum.

    4. Re:teach 'em a lesson by WWWWolf · · Score: 1

      Lesson learned: if you are a CA, under no circumstances should you allow any breaches to become public.

      The problem is, the shady people who get the certificates end up actually using them, usually in the open Internet. The moment some third party notices any signs of impersonation, they go "now just wait a fucking second!" and there'll be some explaining to do.

      Bad Analogy Time: In ye olde days, thieves just wrote memoirs along the lines of "60 years ago, I busted myself into the most secure bank vault at the time and they still have no idea where the money went". In a digital-currency world, the thieves have to go out there and spend the stolen money. Which has the bank's supposedly unforgeable digital signature on it. Which makes people go to the bank and ask inconvenient questions about their security, while the manager has to say that "look, this may look pretty bad, but our security is top notch, I assure you".

    5. Re:teach 'em a lesson by Opportunist · · Score: 2

      Quite the opposite: If you're a CA, don't even try to hush it up since it WILL get out and then any semblance of trust (which is your ONLY asset as a CA) is destroyed.

      Look at Comodo for how to do it right. Yes, they fucked up too, and they will get some heat for that, but they're nowhere near being kicked out of the trusted CAs list of any browser.

      If you notice a breach, you can actually react properly and easily fix it by NOT covering up but by coming forward with it. The expense to recover from a breach is minimal. What do you have to do? Essentially, revoke your CAs as invalid, create a new root key pair and issue new CAs to all your licensees. The expense for that is very close to zero. Sure, some trust will be lost in your certs, but you're nowhere near the complete elimination of any kind of trust DigiNotar is in for now.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    6. Re:teach 'em a lesson by Opportunist · · Score: 1

      That would be a pretty dumb thing to learn from this. I don't think very highly of managers, but that would even be stupid for the average BA degree holder.

      Something like this WILL get out sooner or later. Either the hacker gloats or one of your techies will blab. You have exactly zero chance to hush something like this up in the long run. Sure, a manager could think in the usual quarter-report nearsightedness (did I mention that I consider them to have the long-term memory of goldfish?), but after THIS fallout, I guess they might get to learn a thing from it. We're not talking about your bonus payment lacking a million. We're talking about you being the guy that sent his company into bankruptcy.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    7. Re:teach 'em a lesson by Kalriath · · Score: 1

      Or Verisign, who managed to lose Microsoft's Code Signing certificate. Didn't get in too much crap for that...

      --
      For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
    8. Re:teach 'em a lesson by Caetel · · Score: 1

      I think the treatment of DigiNotar vs Comodo is really an issue of 'too big to fail'. Removing DigiNotar was essentially a painless exercise because nobody used their certs. I very much doubt they would follow the same course of action for a major player such as Comodo.

  8. Misplaced paranoia. by the_raptor · · Score: 4, Interesting

    My favourite part of the article:

    We have strong indications that the CA-servers, although physically very securely placed in a tempest proof environment, were accessible over the network from the management LAN.

    TEMPEST http://en.wikipedia.org/wiki/TEMPEST is a method where you intercept EM radiation from a computer and use that to reconstruct some information about what that computer is doing. For example the US government could supposedly read CRT monitors from a fair distance away.

    However, worrying about TEMPEST protection when you not only have those systems connected to systems that are connected directly to the net, but use a single management username and password combo for your entire network, is just insane. Even if the system wasn't connected to the Internet the freaking janitor could have placed a key-logger and had access to the entire system.

    It is far cheaper to bribe one employee than to spend millions setting up a modern TEMPEST system. I guess even the Dutch practice security theatre.

    --

    ========
    CINC, 4th Penguin Legion
    1. Re:Misplaced paranoia. by betterunixthanunix · · Score: 1

      For example the US government could supposedly read CRT monitors from a fair distance away.

      That is not very impressive, since the glow from a CRT is enough to reconstruct the image on the screen, and Ross Anderson's book describes how less than $1000 of equipment is enough to pick up stray emissions from a VGA cable and reconstruct the image from a neighboring building.

      --
      Palm trees and 8
    2. Re:Misplaced paranoia. by fuzzyfuzzyfungus · · Score: 1

      It is especially ironic that they were using (pitifully weak) password authentication, when they are a wholly-owned subsidiary of a 2-factor authentication vendor...

      I can only assume that having good authentication is hard, boring, and forces people to remember stuff, while getting to open the Big Serious Door and walk into your (probably sold by the vendor as "military grade") TEMPEST datacenter, with all the blinkenlights, involved no ongoing effort after the initial install and gave everyone involved the feeling of being big boys now...

    3. Re:Misplaced paranoia. by wvmarle · · Score: 1

      I'd guess a simple and effective counter measure against that is to have say a hundred monitors present in the same room as the one you try to secure, and have them just showing a screen saver or so. Some that move, others that are mostly static, whatever. Good luck filtering the signal of one monitor out of that!

    4. Re:Misplaced paranoia. by fbjon · · Score: 2

      That is not very impressive, since the glow from a CRT is enough to reconstruct the image on the screen.

      I do this every day using organically grown Eyeball technology, in fact.

      --
      True confidence comes not from realising you are as good as your peers, but that your peers are as bad as you are.
    5. Re:Misplaced paranoia. by cptdondo · · Score: 1

      I thought a part of TEMPEST was that the machine could not be connected to a LAN except to other TEMPEST machines... ISTR that our tempest machines had removable drives that were stored separately in a safe and only inserted when the machine was booted. No LAN connection was allowed at all outside the room.

    6. Re:Misplaced paranoia. by Opportunist · · Score: 1

      Want to bet that some ISO 27k auditor wanted the Tempest-proof environment and didn't care about the single user/pass access?

      And here I wonder why security auditors have such a bad name...

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    7. Re:Misplaced paranoia. by yuhong · · Score: 1

      I think they were acquired only recently.

  9. Re:Comodo by Anonymous Coward · · Score: 1

    This. The issue is not the breach at all. That kind of stuff happens.

    What should never, ever happen is a certification authority, which lives on trust, trying to cover the shit up.

  10. Re:Comodo by heypete · · Score: 4, Informative

    That, and Comodo's core infrastructure (e.g. the stuff that actually does the signing) wasn't compromised.

    The attacker used the compromised third party to issue certificates through the normal channels made available by Comodo to resellers, so it was possible to determine exactly what certificates were issued erroneously.

    At least that was my understanding of what happened, based on information I read several months ago.

  11. Re:Comodo by wvmarle · · Score: 1

    Worse: according to the second linked article DigiNotar knew about the attacks as early as 19 July. That's when they started revoking numerous certificates. Yet they did not notify the public. Also it seems they did not take extra countermeasures, and the measures in place were far from what's considered "good practice" for highly secure sites.

  12. Deserved, but the real problem stays by AtomicJake · · Score: 2

    DigiNotar got what it deserved.

    However, the real problem stays: There are hundreds of CAs out there which are trusted by default by your browser. You probably never heard about most of them. They operate in different countries - you cannot sue them easily from your country. All of them can (technically) also issue certs for all Web sites (even for Web sites that have an existing cert from somebody else).

    The whole CA system is broken. I would rather like to trust only CAs that have earned the trust. E.g. CAs that have been validated by my bank for online payments (but not for my email).

    1. Re:Deserved, but the real problem stays by icebraining · · Score: 2

      However, the real problem stays: There are hundreds of CAs out, which are trusted by default by your browser. You probably never heard about most of them. They operate in different countries - you cannot sue them easily from your country. All of them can (technically) also issue certs for all Web sites (even for Web sites that have an existing cert from somebody else).

      That's not the real problem. The real problem is that what happened to Diginotar could happen to a really big CA, and then removing it from the browser breaks half the web.

    2. Re:Deserved, but the real problem stays by magamiako1 · · Score: 1

      A good way to do this would be to come up with a reputation-based system that filters down.

      For example, CAs would need a higher reputation than that of sites and services.

      This model won't work with the existing CA business model, however.

    3. Re:Deserved, but the real problem stays by AtomicJake · · Score: 1

      However, the real problem stays: There are hundreds of CAs out, which are trusted by default by your browser. You probably never heard about most of them. They operate in different countries - you cannot sue them easily from your country. All of them can (technically) also issue certs for all Web sites (even for Web sites that have an existing cert from somebody else).

      That's not the real problem. The real problem is that what happened to Diginotar could happen to a really big CA, and then removing it from the browser breaks half the web.

      Well, it can only happen to CAs which do not know security (and since we have hundreds of them in our browsers, it is very likely that there are others that are as bad as DigiNotar). However, reducing the number of CAs is not a solution, as this will just elevate the risk for each security breach at a CA. The only solution is to delegate the "trust" relationship in a way that makes it economically VERY interesting for the delegate to check the trustworthiness of the CA. E.g. your bank for certs that are used for online payments - if the (bank-trusted) CA fails, it's the bank that pays the damages. Unfortunately, I do not yet have an idea for certs used by "free" webmail (e.g. gmail).

      And it is a BIG problem, that each CA can issue a cert, even for Web sites that already have a cert from another CA (as it happened for gmail in the DigiNotar case).

    4. Re:Deserved, but the real problem stays by ToasterMonkey · · Score: 1

      At the same time we have too many trusted CAs I've heard others claim.

      Hogwash

      Big CAs can use multiple intermediate keys to spread the risk. Browser and OS vendors are the first link in the chain of trust, they have more than enough sway to demand levels of risk acceptable to them. You are the next link, complain to your browser / OS vendor and raise a stink. They'll demand stronger audits or contracts. Money talks folks.

      There's nothing wrong with a chain of trust, or you wouldn't be trusting anything else you receive at retail, software or otherwise. The Internet just needs to grow the fuck up.

      Self regulate or be regulated, plain and simple.

    5. Re:Deserved, but the real problem stays by gnasher719 · · Score: 2

      The only solution is to delegate the "trust" relationship in a way that makes it economically VERY interesting for the delegate to check the trustworthiness of the CA. E.g. your bank for certs that are used for online payments - if the (bank-trusted) CA fails, it's the bank that pays the damages. Unfortunately, I do not yet have an idea for certs used by "free" webmail (e.g. gmail).

      You got the problem completely wrong. Let's say my bank is highly knowledgeable, they figured out that there are 10 CAs they can trust one hundred percent and the others are a bit dodgy, and they use one of the 10 CAs that are hundred percent trustworthy. The problem is that any of the dodgy CAs can create a certificate for the bank's website that will be trusted by your browser until it is found out and revoked, without the bank being involved at all. And of course the victim of a hack will not be in contact with the bank's website, because the whole point is to redirect victims to a hacker's website, which can pretend to be the bank's website because they have a genuine fake certificate.

      Let's say I call an incompetent CA and say "Hi, my name is Joe Google, I need a certificate for my website www.google.com" and the incompetent CA sells me a certificate for $9.99. Nothing that Google can do about this, and in no way Google's fault.

    6. Re:Deserved, but the real problem stays by AtomicJake · · Score: 1

      The only solution is to delegate the "trust" relationship in a way that makes it economically VERY interesting for the delegate to check the trustworthiness of the CA. E.g. your bank for certs that are used for online payments - if the (bank-trusted) CA fails, it's the bank that pays the damages. Unfortunately, I do not yet have an idea for certs used by "free" webmail (e.g. gmail).

      You got the problem completely wrong. Let's say my bank is highly knowledgeable, they figured out that there are 10 CAs they can trust one hundred percent and the others are a bit dodgy, and they use one of the 10 CAs that are hundred percent trustworthy. The problem is that any of the dodgy CAs can create a certificate for the bank's website that will be trusted by your browser until it is found out and revoked, without the bank being involved at all.

      No, the idea is that you only trust the CAs that have been trusted by the bank and not the dodgy CAs (so no more default lists of hundreds of 'trustworthy" CAs). Did I explain it that badly that this was not obvious?
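What the comment above describes, a client that trusts only the CAs its bank designates rather than the browser's default list of hundreds, is easy to express with the Python standard library. The block below is an added example for this thread, not code from the thread, from any CA, bank or browser vendor. It assumes the caller already has PEM files for the CAs it chooses to trust; the file names and the host name in the usage note are placeholders.

```python
"""Trust a hand-picked set of CAs instead of the platform's default list.

Added example for this thread, not code from any CA, bank or browser vendor.
It assumes the caller has PEM files for the CAs it chooses to trust (for
instance the ones a bank designates for its own sites); file names and host
names given to it are placeholders.
"""
import socket
import ssl
import sys
from typing import Iterable


def private_trust_context(ca_pem_files: Iterable[str]) -> ssl.SSLContext:
    """Build a TLS client context whose trust store is exactly ca_pem_files.

    PROTOCOL_TLS_CLIENT enables certificate verification and host-name
    checking by default.  The deliberate omission is load_default_certs():
    nothing from the OS or browser bundle is trusted, so a certificate for
    the bank's host issued by any CA outside this set fails verification.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    for path in ca_pem_files:
        ctx.load_verify_locations(cafile=path)
    return ctx


def trusted_root_count(ctx: ssl.SSLContext) -> int:
    """How many CA certificates the context accepts as trust anchors."""
    return len(ctx.get_ca_certs())


def verification_is_strict(ctx: ssl.SSLContext) -> bool:
    """True when the context both requires a valid chain and checks the host name."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def fetch_peer_certificate(host: str, ctx: ssl.SSLContext, port: int = 443) -> dict:
    """Connect using the restricted context and return the peer's certificate.

    Raises ssl.SSLCertVerificationError when the server's chain does not end
    in one of the chosen CAs, which is the whole point of the exercise.
    """
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    # PEM files of the designated CAs are given on the command line; with none,
    # the store is empty and every TLS connection through it will be refused.
    ctx = private_trust_context(sys.argv[1:])
    print("trusted roots:", trusted_root_count(ctx),
          "strict verification:", verification_is_strict(ctx))
```

Run it as `python private_trust.py bank-root-1.pem bank-root-2.pem` (placeholder file names) and then call `fetch_peer_certificate("online.example-bank.test", ctx)` (placeholder host): a server presenting a chain from any CA not in those files, however well known, is rejected with `SSLCertVerificationError`. The trade-off the thread discusses applies unchanged: the same client will also reject every site that is not signed by one of those CAs, so this only works for a closed set of services such as a bank's own.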

  13. Convergence by eddy · · Score: 1

    Some say Convergence is the answer. I haven't been able to make it work, personally, so it's probably not ready for prime-time. Also, I don't like the name.

    --
    Belief is the currency of delusion.
  14. Re:Can't be allowed to happen by plover · · Score: 1

    Any CA trying to cover up a breach will go down the same path as Diginotar.

    What makes you so certain that a CA who publicly acknowledged a breach would not also immediately die in a meltdown? There is no evidence that honesty in a similar situation would save a CA.

    If Digital Signature Trust Co.* were to publicly announce "We discovered just this morning that we have been breached, and while we can't give complete details because of the ongoing investigation, we found the hackers forged Google certificates," the public reaction would be almost identical to that of DigiNotar. If I were a customer, the chances would be high that I'd be shopping elsewhere for new certs to replace the ones that I could no longer trust. If I weren't a customer, there are obviously more reputable places to buy a cert. The incident itself is enough to cause me to lose trust, and that's really the only thing they're able to sell. I predict they'd go bankrupt as well, it might just take a few months longer.

    Perhaps hiding the breach for the extra months was a strategy to give the executive rats time to flee the sinking ship. If so, we can only hope their behavior catches up to their personal reputations.

    * As far as I know Digital Signature Trust Co. is a healthy and secure firm, and is rightly trusted by companies and browsers worldwide. I am using their name only as an example because I like the way it sounds.

    --
    John
  15. Idiots by Arancaytar · · Score: 3, Interesting

    We have strong indications that the CA-servers, although physically very securely placed in a tempest proof environment, were accessible over the network from the management LAN.

    It is at once hilarious and depressing that there are tech and security managers who take steps to shield equipment from electromagnetic detection and then leave that equipment open to remote access. Wrap your computer in tinfoil and then stick your password on the screen.

  16. Re:Can't be allowed to happen by MadMaverick9 · · Score: 1

    Then who can you trust?

    on the internet? ... nobody.

  17. Re:Can't be allowed to happen by Opportunist · · Score: 1

    Then it ain't time for government bailout but for government finally issuing some "hang-em-at-their-balls" laws for CEOs that try to hush up security breaches. The current ones are a weak joke, the fines aren't even remotely anywhere near the damage if it gets leaked somehow. And last time I checked, the fines should be a multiple of the damage of the leakage, or the formula "benefit vs. risk*fine" falls flat on its face and hushing up is the sensible thing to do.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  18. Re:Data breaches are worse for some companies by Lennie · · Score: 1

    "The first one anyone can do in two minutes, including the time to download GPG."

    Well, probably not you. Because GPG is not used for generating certificates.

    --
    New things are always on the horizon
  19. Re:Pay your IT like shit by Opportunist · · Score: 1

    Try IT security. You'd be amazed what kind of prestidigitators peddle in my profession. They come in, pull off a "demonstration" with a lot of smoke and mirrors and wow people into buying their crap. I've come to a lot of companies who showed me their latest and greatest security systems with unhidden pride, only to throw a tantrum when they get to see it shatter.

    It's really disheartening. Anyone who has ever managed to get nmap to produce some output other than the help page considers himself a security professional today. And what's worse, these idiots get hired. Because their managers know even less about security and they are cheap. There are also very few certificates that are generally accepted. And getting a CISA or CISM is usually overkill.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  20. Not really. by khasim · · Score: 1

    Security is expensive

    Not really. It does cost more than NO security but not much more. Example, how much does it cost you to have a decent password instead of Password1?

    Businesses have a strong profit motive. The people who run businesses are greedy.

    Yes and yes. But that isn't the core of the problem. Greedy people can have the best security. They don't want criminals to take their money.

    They will sacrifice everything, including security related expenses in order to boost profits in some way.

    In some cases you are probably correct. In other cases the company/person will increase the security to keep the assets out of the hands of the criminals.

    In my experience, the problem with security is Pavlovian.
    If you do something insecure, once, and nothing bad happens ...
    Particularly if it was just a little bit easier to skip the security. Such as typing in a 5 character dictionary word rather than a 16 character password. It doesn't take much to be "easier".

    And as long as nothing bad is happening, people will "learn" that they're "secure" and what they are doing is "right" and anyone who is advocating real security just doesn't understand the situation. That's Pavlovian. The reward is the slightly easier administration.

    If management does not understand real security, there aren't many ways to get them to change. They already KNOW they're doing it "right".

    Hence all the recent cracks.

    1. Re:Not really. by ttong · · Score: 1

      Example, how much does it cost you to have a decent password instead of Password1?

      Hey! How did you get my password?
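The cost argument in khasim's comment above (a five-character dictionary word versus sixteen characters with some complexity) can be put in numbers. The block below is an added example for this thread, not from any of the posts. The word-list size and the attacker's guess rate are assumptions, labelled in the code, and should be replaced with figures for your own threat model.

```python
"""What a weak password policy costs an attacker, in numbers.

Added example for this thread, not from the original posts.  The dictionary
size and the guess rate are assumptions (labelled) and should be replaced
with figures for your own threat model; the policy cases are the ones named
in the thread: a five-character dictionary word versus sixteen characters
with some complexity.
"""
import math

LOWERCASE = 26
PRINTABLE_ASCII = 94
ASSUMED_FIVE_LETTER_WORDS = 10_000     # assumption: size of a cracker's word list
ASSUMED_GUESSES_PER_SECOND = 1e10      # assumption: offline attack on a fast, unsalted hash


def candidates(alphabet_size: int, length: int) -> int:
    """Size of the search space for a uniformly random password."""
    return alphabet_size ** length


def entropy_bits(search_space: int) -> float:
    """Bits an attacker must brute-force when every candidate is equally likely."""
    return math.log2(search_space)


def seconds_to_exhaust(search_space: int, rate: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Worst case for the attacker: every candidate tried at the assumed rate."""
    return search_space / rate


def policy_cost(name: str, search_space: int) -> dict:
    return {"policy": name, "candidates": search_space,
            "bits": round(entropy_bits(search_space), 1),
            "seconds": seconds_to_exhaust(search_space)}


def compare_policies() -> list:
    """The thread's two policies, plus the naive 'five random lowercase letters'
    estimate that overstates how strong a dictionary word really is: the
    attacker does not iterate 26^5 strings, only the word list."""
    return [
        policy_cost("5-letter dictionary word", ASSUMED_FIVE_LETTER_WORDS),
        policy_cost("5 random lowercase letters", candidates(LOWERCASE, 5)),
        policy_cost("16 random printable characters", candidates(PRINTABLE_ASCII, 16)),
    ]


if __name__ == "__main__":
    for row in compare_policies():
        years = row["seconds"] / (365.25 * 24 * 3600)
        print(f'{row["policy"]:32} {row["bits"]:6.1f} bits  '
              f'{row["seconds"]:.3g} s  ({years:.3g} years)')
```

With the assumed figures the dictionary word falls in about a microsecond, five random lowercase letters in about a millisecond, and the sixteen-character password would take on the order of 10^14 years to exhaust. The numbers only hold for an offline attack against a fast hash; a slow password hash or rate limiting shifts the guess rate down by many orders of magnitude, but does nothing for the dictionary-word case, which is simply too small a space.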

  21. What amazes me is that you succeeded. by khasim · · Score: 1

    I'm just amazed that you were able to get that concept through their heads. I've been in similar situations where "let us not make this too difficult" trumps real security every time.

    How much does a decent password cost? Nothing.
    How much does NOT using that same password everywhere cost? Nothing.
    Yet we constantly see cracks where the crappy password was used on multiple, critical systems.

    1. Re:What amazes me is that you succeeded. by kdemetter · · Score: 1

      You are forgetting the cost of educating people, so they know why a weak password is a bad idea.
      So it doesn't cost nothing.

      However, the benefits certainly outweigh the costs.
      But that's the problem : they don't see the long term benefits , just the short term costs.

    2. Re:What amazes me is that you succeeded. by lgw · · Score: 1

      Asking most people (including me) to remember a bunch of different strong passwords is a crappy idea. User-invented convenience will trump security in ways that defeat security, every time.

      Instead, use a scheme that's convenient for the user but doesn't require a strong password. For example, there are plenty of two-factor auth solutions (from vendors who haven't been pwnt yet). These days, using the user's mobile device itself as one factor -- storing a strong random key on it, and adding a user-selected PIN -- is a great answer, because people notice when they lose their phone.

      You'll never make users smarter, but you can make that not matter.

      --
      Socialism: a lie told by totalitarians and believed by fools.
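The scheme lgw describes above, a random key held on the phone plus a short user-chosen PIN, is what the HOTP (RFC 4226) and TOTP (RFC 6238) algorithms standardise. The block below is an added example for this thread, not code from the thread or from any two-factor vendor. The HOTP/TOTP functions follow the RFCs and reproduce their published test vectors; the way the PIN is combined with the code (enroll/check_login) is an assumption about one reasonable deployment, not part of either RFC.

```python
"""Device-held random key plus a short PIN, as in RFC 4226 (HOTP) and RFC 6238 (TOTP).

Added example for this thread; it is not code from the thread or from any
two-factor vendor.  The random key is generated at enrolment and stored on
the phone; the server keeps its own copy and recomputes the code.  Combining
the code with a PIN hash (enroll/check_login) is an assumption about one way
to deploy the two factors, not part of either RFC.
"""
import hashlib
import hmac
import secrets
import struct


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter derived from Unix time."""
    return hotp(key, at // step, digits)


def verify_totp(key: bytes, code: str, at: int, window: int = 1,
                step: int = 30, digits: int = 6) -> bool:
    """Accept the current step and +/- window steps of clock drift."""
    for drift in range(-window, window + 1):
        expected = hotp(key, at // step + drift, digits)
        if hmac.compare_digest(expected, code):
            return True
    return False


def enroll(pin: str) -> dict:
    """Create the per-device key (what the phone stores) and a PIN hash (what the
    server stores).  The returned dict is the server-side record; the key is
    provisioned to the device out of band, for instance via a QR code."""
    key = secrets.token_bytes(20)      # 160-bit random key, as RFC 4226 recommends
    salt = secrets.token_bytes(16)
    pin_hash = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 200_000)
    return {"key": key, "salt": salt, "pin_hash": pin_hash}


def check_login(record: dict, pin: str, code: str, at: int) -> bool:
    """Both factors must pass.  Both are evaluated before combining so a wrong
    PIN and a wrong code take the same time; the comparisons are constant-time."""
    candidate = hashlib.pbkdf2_hmac("sha256", pin.encode(), record["salt"], 200_000)
    pin_ok = hmac.compare_digest(candidate, record["pin_hash"])
    code_ok = verify_totp(record["key"], code, at)
    return pin_ok and code_ok


if __name__ == "__main__":
    import time
    rec = enroll("4821")                     # constructed sample PIN
    now = int(time.time())
    print("phone shows:", totp(rec["key"], now))
    print("login ok:", check_login(rec, "4821", totp(rec["key"], now), now))
```

The point the thread makes is visible in `check_login`: the PIN can be short because it is useless without the 160-bit key on the device, and the key is useless without the PIN, so a lost phone buys the finder nothing until the user notices and revokes it. A real deployment would also rate-limit failed attempts and remember the last accepted counter so a code cannot be replayed within its window.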
  22. Re:Comodo by arglebargle_xiv · · Score: 1

    Having done business in NL for 30 years myself, I bet that DigiNotar management has already incorporated a new company which will be selling the same/similar products to the very same Dutch government that kept DigiNotar alive.

    As this cartoon has already pointed out ("Don't worry folks, we'll be back in three months under a new name").

  23. Filing for bankruptcy or gone bankrupt by sgt+scrub · · Score: 1

    would be 'significant.'

    I think they are filing for bankruptcy while they still have money in their pockets to avoid lawsuits, as opposed to having gone bankrupt. I believe "gone bankrupt" means they are broke and giving up.

    --
    Having to work for a living is the root of all evil.
  24. Hate to say it by hesaigo999ca · · Score: 1

    I have said so many times that we are not strict enough on punishment for the cyber crimes that affect companies, this should prove as a perfect example why certain individuals that bring down a company due to their hacking ventures, should face proper penalties.

  25. Re:Can't be allowed to happen by Lennie · · Score: 1

    No, it would not. Look at the Comodo breach in March.

    --
    New things are always on the horizon
  26. Monopoly €1000 certs, that's a not a biz mode by colfer · · Score: 2

    can fix. Also amazing how complex CA authority has become. The concept is fairly simple, but the niceties of the trust bits have become so arcane that Mozilla is having to fix erroneous understandings of the bits in their own code, without breaking legacy. Then the people working on security code have highly resistant personalities and so all kinds of nonsense gets frozen in for years. They sort of have to be that way, to keep their code gov't certified... what a mess. Crowd-sourced verification of self-signed certs is starting to sound better & better.

    The practical result of the way the code works, at least at Mozilla, was mystified complaints about the fake revoked DigiNotar certs put in Mozilla to block real fake certs! That is not a model for the future. They are working on it, but it's glacial.

  27. Re:Monopoly €1000 certs, that's a not a biz m by colfer · · Score: 1

    Monopoly €1000 certs, that's a not a biz model you can fix. Someday I will understand Slashdot editing.

  28. The problems with that ... by khasim · · Score: 2

    For example, there are plenty of two-factor auth solutions (from vendors who haven't been pwnt yet).

    Which cost money to implement.

    These days, using the user's mobile device itself as one factor -- storing a strong random key on it, and adding a user-selected PIN -- is a great answer, because people notice when they lose their phone.

    Which requires that either the person volunteer his personal phone for that or that the company issue him a company phone that supports that.

    Again, which costs money.

    You'll never make users smarter, but you can make that not matter.

    It's not that the users aren't smart. It's that management and the people setting up the systems do not understand security.

    On most modern systems, it costs nothing to go from crap security (allowing 5 character dictionary words as a password) to better security (16 character passwords with some complexity).

    The problem is that it is always easier to go with the worse security. No matter how easy you make the better security.

    And every day you don't get cracked (or know that you were) is reinforcement of the bad security practices.

    1. Re:The problems with that ... by lgw · · Score: 1

      Sure, making workable security takes (non-free) effort, no argument there. But if you ask for 16 character passwords, you'll get them written down, self-sent by email, and so on. In practice, making it harder for the user does not increase security, because work-arounds increase proportionally.

      Which requires that either the person volunteer his personal phone for that or that the company issue him a company phone that supports that.

      OT, but does any company still pay for phones? I thought those had gone the way of the company car. Work phones virtualized on personal phones are my bet for the future.

      --
      Socialism: a lie told by totalitarians and believed by fools.
  29. Re:Pay your IT like shit by Caerdwyn · · Score: 1

    IT is almost always the most underfunded department in a company. It is also the department whose requests are most frequently and easily overridden by either executive mandates or other departments. Since in most cases IT's efforts are not directly what the company produces ("we sell toasters and vitamin pills, not authentication mechanisms!"), IT spending is seen as a necessary evil, and IT intervention in company processes is met with resentment. Note: IT people saying "you're too stupid to understand why you have to do what I say" DOES NOT HELP. It is possible to be right, passive-aggressive, and unemployed all at the same time.

    Within IT, security is always at the bottom of the list for allocation of resources (people and money). Expanding file servers, deploying enterprise applications, provisioning more bandwidth, getting people to work instead of hang out on Facebook (or Slashdot) all day long, and the like always come first, because spending on infrastructure and productivity results in tangible, positive, immediately-visible benefits. Spending on security does not offer tangible benefits, and they prevent negative events, which is much more difficult to prove.

    Within infosec, intrusion detection is always at the bottom of the list. Antivirus software, firewalls and RFID keycards always come first, because it is possible to use analogies to explain what they do. Try explaining TKIP to an accountant. (in fairness, ask an engineer to explain what each of the items in a prospectus and quarterly statement mean... you'll get a blank stare followed by a libertarian screed and a credit card "somehow" over its limit)

    And yes, there is a lot of snake oil being sold. But there are also a lot of people who simply aren't qualified to tell the difference between snake oil and a real security product, but who think they are (including sysadmins... knowing how to compile a Linux kernel does not automatically make you a security expert, but try telling a sysadmin that... most sysadmins think they are experts in everything network-related).

    Yeah. It's difficult.

    --
    Everybody gets what the majority deserves.
  30. Google pointed out the REAL reason for the attack by Jerry · · Score: 1

    which was carried out by the hacker-soldiers of the government of Iran for the purposes of identifying the 300,000 Iranians that radical fundamentalist theocracy wants to muzzle. In other words, state-sponsored terrorism.

    --

    Running with Linux for over 20 years!

  31. So? by khasim · · Score: 1

    But if you ask for 16 character passwords, youll get them written down, self-sent by email, and so on.

    First off, I can easily remember my passwords. Even the ones that are more than 16 characters long.

    Secondly, if you cannot, what's wrong with writing them down and keeping them in your wallet?

    In practice, making it harder for the user does not increase security, because work-arounds increase proportionally.

    No. The point was that it will ALWAYS be easier for the user to ignore the security (if that is an option).

    Even if "easier" is as minor as having a 16 character password instead of a 5 character dictionary word.

    As others here have noted, once you introduce "easier" you end up with situations where the janitor has keys to the secure area because it is "easier" that way than to take the garbage out yourself.

    Or, more currently, when the CA was cracked because there was one password (easily cracked) used on multiple servers.

    Yes, having one easily cracked password on multiple servers is EASIER than having multiple, complex passwords.

    But it is also insecure. As was demonstrated.

  32. Re:Data breaches are worse for some companies by Kalriath · · Score: 1

    I think it's quite legitimate to say you can generate a random private/public key pair with GPG. That's kind of the point of it.

    --
    For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
  33. Re:Can't be allowed to happen by Kalriath · · Score: 1

    I would disagree. Comodo is safe as long as everyone and their dog resells their products. Even more so since these people don't disclose whose SSL they are reselling.

    --
    For a site about things like basic rights, Slashdot users sure do like to censor "dissent".