Slashdot Mirror


DigiNotar Goes Bankrupt After Hack

twoheadedboy writes "DigiNotar, the Dutch certificate authority which was recently at the centre of a significant hacking case, has been declared bankrupt. The CA discovered it was compromised on 19 July, leading to 531 rogue certificates being issued. It was only in August that the attacks became public knowledge. Now the company has gone bankrupt, parent firm VASCO said today. VASCO admitted the financial losses associated with the demise of DigiNotar would be 'significant.' It all goes to show how quickly a data breach can bring down a company." Adds reader Orome1: "This is unsurprising, since a report issued by security audit firm Fox-IT, who has been hired to investigate the now notorious DigiNotar breach, revealed that things were far worse than we were led to believe."


  1. Security is expensive by erroneus · · Score: 3, Insightful

    Businesses have a strong profit motive. The people who run businesses are greedy. They will sacrifice everything, including security related expenses in order to boost profits in some way.

    I think this is simply obvious.

    1. Re:Security is expensive by Cryacin · · Score: 2

      Yes, but you can perform due diligence. If you're a bank offering secure storage, one would expect a safe that not just anyone can access. This is like putting a giant 6ft steel door on your safe, but having the entry code as 1-2-3-4-5, and known by all staff members - including the janitor.

      --
      Science advances one funeral at a time- Max Planck
    2. Re:Security is expensive by neokushan · · Score: 2

      This may be true, but DigiNotar wasn't the victim of some elite cyberhacker genius, the attacks used against them were relatively simple and, most importantly, preventable. Frankly, considering how they handled the situation and how much other forms of security rely on these certificates not being compromised, they deserve to go out of business. Let this be a lesson to all of the CAs out there - your security is of paramount importance.

      --
      +1 IDisagreeSoHeMustBeATrollOrAnAstroturferOrAShill
    3. Re:Security is expensive by Opportunist · · Score: 2

      You'd be surprised, you're not alone. Yes, even convenience trumps security in a company.

      I have seen the "janitor gets access" quite a few times. Even in high security areas. As soon as it would inconvenience a decision maker, security goes out the window.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  2. Bankrupt? by Anonymous Coward · · Score: 4, Informative

    How do you go bankrupt before any charges have been laid, fines levied, etc.? Sounds like the parent company ditching them before they can be held liable.

    1. Re:Bankrupt? by ultraexactzz · · Score: 2

      You sell one product, properly validated certificates, and now you can't sell that product. No income = bankruptcy.

      --
      Never underestimate the potential of Human stupidity. -Heinlein
    2. Re:Bankrupt? by mcvos · · Score: 3, Insightful

      Good point. On the one hand, they deserve to go bankrupt for failing at the one thing that justified their existence, but dumping the corpse before it can be properly examined smells iffy.

      Note that you don't have to be charged with anything to go bankrupt, though. When all your customers leave, you suddenly have no revenue, but you still have your costs. And since it's obvious to everybody that DigiNotar will go bankrupt anyway, nobody loans them money, they quickly lack the money to pay salaries and other costs, and suddenly they're bankrupt.

    3. Re:Bankrupt? by Kjella · · Score: 3, Interesting

      You have commitments like rent, wages and other expenses and suddenly no more projected income. Even if you're not cash flow insolvent yet, you can in most countries file for bankruptcy the moment it is clear that you will be unable to meet those commitments. In fact, in many countries you must do it so that all debtors get their fair share of the assets rather than the quickest getting paid and the last left with nothing. It's not that usual but if you suddenly lose your core business like this company did then that can be instant bankruptcy.

      --
      Live today, because you never know what tomorrow brings
    4. Re:Bankrupt? by fuzzyfuzzyfungus · · Score: 2

      What I find bewildering (if not exactly surprising) is that Diginotar can seek bankruptcy protection without VASCO being involved.

      Diginotar can be expected to have basically zero income, and a bunch of expenses, in the near future; but (from VASCO's 2010 annual report)
      "In January 2011, we acquired all of the intellectual property of DigiNotar Holding B.V. and its subsidiaries and acquired 100% of the stock of DigiNotar B.V. and DigiNotar Notariaat B.V. (collectively, “DigiNotar”), each a private company organized and existing in The Netherlands (collectively, “DigiNotar Acquisition”). The acquisition expands the technological breadth of our product line by expanding our abilities to offer PKI technology throughout the product line. We expect the acquisition will enhance our market position in three areas; (1) as a trusted Internet service provider of PKI certificates, which we expect will improve our ability to penetrate government markets (2) as a licensor of PKI-based products to customers for use in their applications, which we believe will enhance our ability to compete in our traditional business and (3) as a provider of our own PKI-secured applications, such as document signing, registration and storage solutions, which we expect will expand opportunities for us on our services platform."

      VASCO aren't just poor li'l small-cap investors here, they own Diginotar lock, stock, and barrel. While I don't doubt that Diginotar declaring bankruptcy and sucking in little or none of VASCO's assets is somehow legal, it seems kind of insane that you can own 100% of a company, its technology, and have plans to merge some of its tech with your existing offerings, and still be separate enough that you can just cut them loose and let them sink so long as VASCO appears to have a variety of assets and ongoing income sources, which they do.

      I can understand at least the logic (if not necessarily the wisdom) of limited-liability-corporations as a vehicle for tiny stockholders to not take on outsized risks through holding minuscule slices of a large venture over which they have little or no control; but a 100% owned operational subsidiary over which you exercise organizational control, and whose technology you are (no longer) actively on track to integrate into your products? Any notion of financial separation seems like the thinnest of legal fictions.

    5. Re:Bankrupt? by nedlohs · · Score: 2

      I can understand at least the logic (if not necessarily the wisdom) of limited-liability-corporations as a vehicle for tiny stockholders to not take on outsized risks through holding minuscule slices of a large venture over which they have little or no control

      That isn't the reason behind limited-liability-corporations. They are vehicles to provide limited liability without regard to who the shareholders are. Without checking or doing any research I'm going out on a limb and claiming that there are more LLCs that are 100% owned by 5 or fewer people than there are owned by more than 5. (Almost every IT person doing consulting jobs incorporates, as do most plumbers, electricians, etc. who work for themselves, and so on.)

      There are costs with those benefits - the entity will have a harder time getting credit and so on than the owner would (in the case in which it's one huge company owning 100% of a small one).

      a 100% owned operational subsidiary over which you exercise organizational control, and whose technology you are (no longer) actively on track to integrate into your products? Any notion of financial separation seems like the thinnest of legal fictions.

      There are ways to pierce the veil, but usually the i's have been dotted and the t's crossed.

    6. Re:Bankrupt? by DZign · · Score: 2

      In most countries (afaik but I'm not an accountant/lawyer with international experience) there are restrictions..

      Especially the first months/year a company starts, the people who run it can be held personally liable.
      So don't think of starting a company, getting loans from a bank, increasing debt by not paying your suppliers, and just declare yourself bankrupt after a few months and get away with it. If your business plan wasn't well defined and you didn't raise enough initial (own) capital to survive 1 or 2 years, you can be held liable (and prevented from starting a new company for the next years).

      Same for the last 6 months or so when a company goes bust, all transactions can be examined and reversed, so i.e. the owner can't sell assets to himself/friends for a price that is too low.
      Had this once at a startup company that was in trouble, an employee that left wanted to buy a laptop from the company that he had used, but the director would not do this as he was afraid to be liable if the curator later decided the laptop had been sold too cheap.

      And why limited-liability companies are allowed - to allow for big companies to form. In a Ltd, investors can only lose the amount of money they have invested and not more.
      If you wouldn't have this protection, no-one would invest anymore in a company, as the risk would be too big when they were also held personally liable for part of the debts.

  3. Re:Comodo by Spad · · Score: 4, Informative

    Mostly because they caught the intrusion (which was at a 3rd party rather than directly part of Comodo) and reported it immediately as well as putting in place measures to try and prevent it from happening again.

    DigiNotar didn't notice that they'd been hacked for months and didn't tell anyone for months more and even then they didn't know how badly they'd been hacked or exactly which certs may have been issued to whom.

  4. Re:Alternatives? by betterunixthanunix · · Score: 2

    Well, there are these other options:
    • Manual verification -- perhaps banks and retail outlets could hand out fliers with QR Code or Data Matrix encoded copies of their public key fingerprints. This does not solve the problem for small businesses that need to deal with people online (potentially people who cannot receive fliers or business cards), but for local businesses or large corporations it is potentially workable. Key replacement is the biggest problem here (anyone who has tried to manage sshd should be familiar with this issue).
    • Web of trust -- this requires some minimum number of people who care enough to participate, and probably works better for personal certificates than for businesses.
    • Newer ideas like convergence, which is something like a cross between the CA model and the web-of-trust model in that you configure multiple notaries and require a certain number of them to sign a key before it is trusted.

    So there you have it, other ideas. The real question is, which of these is most likely to succeed when billions of technically illiterate people try to use it?

    --
    Palm trees and 8
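
The notary-quorum rule described in the comment above, as an added example that is not part of the original thread and not the Convergence project's code or wire protocol. It is a simplified model: the notary names, the `notary_quorum` function and the certificate byte strings are constructed for illustration.

```python
import hashlib


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint of a certificate's DER bytes, as hex."""
    return hashlib.sha256(cert_der).hexdigest()


def notary_quorum(seen_fp: str, reports: dict, required: int) -> dict:
    """Decide whether to trust the certificate the client was served.

    reports maps a notary name to the fingerprint that notary observed for
    the same host from its own network position, or None if the notary could
    not be reached. Unreachable notaries never count as agreement, so the
    check fails closed when too few notaries answer.
    """
    if not 1 <= required <= len(reports):
        raise ValueError("required must be between 1 and the number of notaries")
    agree = sorted(n for n, fp in reports.items() if fp is not None and fp == seen_fp)
    silent = sorted(n for n, fp in reports.items() if fp is None)
    dissent = sorted(n for n in reports if n not in agree and n not in silent)
    return {
        "trusted": len(agree) >= required,
        "agree": agree,
        "dissent": dissent,
        "silent": silent,
    }


# Constructed sample data: stand-ins for real DER-encoded certificates.
LEGIT = fingerprint(b"constructed: bank.example certificate from the bank's own CA")
ROGUE = fingerprint(b"constructed: bank.example certificate from a compromised CA")


def demo(required: int = 2):
    # Every notary sees the same certificate the client does.
    normal = notary_quorum(LEGIT, {"n1": LEGIT, "n2": LEGIT, "n3": LEGIT}, required)
    # The client (and one notary on the same path) is served a rogue
    # certificate; notaries elsewhere still see the real one.
    intercepted = notary_quorum(ROGUE, {"n1": LEGIT, "n2": LEGIT, "n3": ROGUE}, required)
    # Two notaries are unreachable: one agreement is not a quorum.
    degraded = notary_quorum(LEGIT, {"n1": LEGIT, "n2": None, "n3": None}, required)
    return normal, intercepted, degraded


if __name__ == "__main__":
    for name, result in zip(("normal", "intercepted", "degraded"), demo()):
        print(name, result)
```

A legitimate key replacement shows up as dissent until the notaries have observed the new certificate, which is why the result lists who disagreed instead of returning a bare boolean.
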
  5. teach 'em a lesson by burris · · Score: 2, Informative

    Lesson learned: if you are a CA, under no circumstances should you allow any breaches to become public.

    1. Re:teach 'em a lesson by Opportunist · · Score: 2

      Quite the opposite: If you're a CA, don't even try to hush it up since it WILL get out and then any semblance of trust (which is your ONLY asset as a CA) is destroyed.

      Look at Comodo for how to do it right. Yes, they fucked up too, and they will get some heat for that, but they're nowhere near being kicked out of the trusted CAs list of any browser.

      If you notice a breach, you can actually react properly and easily fix it by NOT covering up but by coming forwards with it. The expense to recover from a breach is minimal. What do you have to do? Essentially, revoke your CAs as invalid, create a new root key pair and issue new CAs to all your licensees. The expense for that is very close to zero. Sure, some trust will be lost in your certs, but you're nowhere near the complete elimination of any kind of trust DigiNotar is in for now.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  6. Misplaced paranoia. by the_raptor · · Score: 4, Interesting

    My favourite part of the article:

    We have strong indications that the CA-servers, although physically very securely placed in a tempest proof environment, were accessible over the network from the management LAN.

    TEMPEST http://en.wikipedia.org/wiki/TEMPEST is a method where you intercept EM radiation from a computer and use that to reconstruct some information about what that computer is doing. For example the US government could supposedly read CRT monitors from a fair distance away.

    However, worrying about TEMPEST protection when you not only have those systems connected to systems that are connected directly to the net, but use a single management username and password combo for your entire network is just insane. Even if the system wasn't connected to the Internet the freaking janitor could have placed a key-logger and had access to the entire system.

    It is far cheaper to bribe one employee than spend millions setting up a modern TEMPEST system. I guess even the Dutch practice security theatre.

    --

    ========
    CINC, 4th Penguin Legion
    1. Re:Misplaced paranoia. by fbjon · · Score: 2

      That is not very impressive, since the glow from a CRT is enough to reconstruct the image on the screen.

      I do this every day using organically grown Eyeball technology, in fact.

      --
      True confidence comes not from realising you are as good as your peers, but that your peers are as bad as you are.
  7. Re:Comodo by heypete · · Score: 4, Informative

    That, and Comodo's core infrastructure (e.g. the stuff that actually does the signing) wasn't compromised.

    The attacker used the compromised third party to issue certificates through the normal channels made available by Comodo to resellers, so it was possible to determine exactly what certificates were issued erroneously.

    At least that was my understanding of what happened, based on information I read several months ago.

  8. Deserved, but the real problem stays by AtomicJake · · Score: 2

    DigiNotar got what it deserved.

    However, the real problem stays: There are hundreds of CAs out, which are trusted by default by your browser. You probably never heard about most of them. They operate in different countries - you cannot sue them easily from your country. All of them can (technically) also issue certs for all Web sites (even for Web sites that have an existing cert from somebody else).

    The whole CA system is broken. I would rather like to trust only CAs that have earned the trust. E.g. CAs that have been validated by my bank for online payments (but not for my email).

    1. Re:Deserved, but the real problem stays by icebraining · · Score: 2

      However, the real problem stays: There are hundreds of CAs out, which are trusted by default by your browser. You probably never heard about most of them. They operate in different countries - you cannot sue them easily from your country. All of them can (technically) also issue certs for all Web sites (even for Web sites that have an existing cert from somebody else).

      That's not the real problem. The real problem is that what happened to Diginotar could happen to a really big CA, and then removing it from the browser breaks half the web.

    2. Re:Deserved, but the real problem stays by gnasher719 · · Score: 2

      The only solution is delegate the "trust" relationship in a way that it economically VERY interesting that the delegate checks the trustworthiness of the CA. E.g. your bank for certs that is used for online payments - if the (by the bank trusted) CA fails, it's the bank that pays the damages. Unfortunately, I do not have yet an idea of certs used by "free" Webmail (e.g. gmail).

      You got the problem completely wrong. Let's say my bank is highly knowledgeable, they figured out that there are 10 CAs they can trust one hundred percent and the others are a bit dodgy, and they use one of the 10 CAs that are hundred percent trustworthy. The problem is that any of the dodgy CAs can create a certificate for the bank's website that will be trusted by your browser until it is found out and revoked, without the bank being involved at all. And of course the victim of a hack will not be in contact with the bank's website, because the whole point is to redirect victims to a hacker's website, which can pretend to be the bank's website because they have a genuine fake certificate.

      Let's say I call an incompetent CA and say "Hi, my name is Joe Google, I need a certificate for my website www.google.com" and the incompetent CA sells me a certificate for $9.99. Nothing that Google can do about this, and in no way Google's fault.

  9. Idiots by Arancaytar · · Score: 3, Interesting

    We have strong indications that the CA-servers, although physically very securely placed in a tempest proof environment, were accessible over the network from the management LAN.

    It is at once hilarious and depressing that there are tech and security managers who take steps to shield equipment from electromagnetic detection and then leave that equipment open to remote access. Wrap your computer in tinfoil and then stick your password on the screen.

  10. Monopoly €1000 certs, that's a not a biz mode by colfer · · Score: 2

    can fix. Also amazing how complex CA authority has become. The concept is fairly simple, but the niceties of the trust bits have become so arcane that Mozilla is having to fix erroneous understandings of the bits in their own code, without breaking legacy. Then the people working on security code have highly resistant personalities and so all kinds of nonsense gets frozen in for years. They sort of have to be that way, to keep their code gov't certified... what a mess. Crowd-sourced verification of self-signed certs is starting to sound better & better.

    The practical results of the way the code works at least at Mozilla were mystified complaints about the fake revoked DigiNotar certs put in Mozilla to block real fake certs! That is not a model for the future. They are working on it, but it's glacial.

  11. The problems with that ... by khasim · · Score: 2

    For example, there are plenty of two-factor auth solutions (from vendors who haven't been pwnt yet).

    Which cost money to implement.

    These days, using the user's mobile device itself as one factor -- storing a strong random key on it, and adding a user-select PIN -- is a great answer, because people notice when they lose their phone.

    Which requires that either the person volunteer his personal phone for that or that the company issue him a company phone that supports that.

    Again, which costs money.

    You'll never make users smarter, but you can make that not matter.

    It's not that the users aren't smart. It's that management and the people setting up the systems do not understand security.

    On most modern systems, it costs nothing to go from crap security (allowing 5 character dictionary words as a password) to better security (16 character passwords with some complexity).

    The problem is that it is always easier to go with the worse security. No matter how easy you make the better security.

    And every day you don't get cracked (or know that you were) is reinforcement of the bad security practices.