Slashdot Mirror

← Back to Stories (view on slashdot.org)

DigiNotar Goes Bankrupt After Hack

Posted by timothy on from the it's-the-little-things dept.

twoheadedboy writes "DigiNotar, the Dutch certificate authority which was recently at the centre of a significant hacking case, has been declared bankrupt. The CA discovered it was compromised on 19 July, leading to 531 rogue certificates being issued. It was only in August that the attacks became public knowledge. Now the company has gone bankrupt, parent firm VASCO said today. VASCO admitted the financial losses associated with the demise of DigiNotar would be 'significant.' It all goes to show how quickly a data breach can bring down a company." Adds reader Orome1: "This is unsurprising, since a report issued by security audit firm Fox-IT, who has been hired to investigate the now notorious DigiNotar breach, revealed that things were far worse than we were led to believe."

8 of 136 comments (clear)

  1. Security is expensive by erroneus · · Score: 3, Insightful

    Businesses have a strong profit motive. The people who run businesses are greedy. They will sacrifice everything, including security related expenses in order to boost profits in some way.

    I think this is simply obvious.

  2. Bankrupt? by Anonymous Coward · · Score: 4, Informative

    How do you go bankrupt before any charges have been laid, fines levied, etc.? Sounds like the parent company ditching them before they can be held liable.

    1. Re:Bankrupt? by mcvos · · Score: 3, Insightful

      Good point. On the one hand, they deserve to go bankrupt for failing at the one thing that justified their existence, but dumping the corpse before it can be properly examined smells iffy.

      Note that you don't have to be charged with anything to go bankrupt, though. When all your customers leave, you suddenly have no revenue, but you still have your costs. And since it's obvious to everybody that DigiNotar will go bankrupt anyway, nobody loans them money, they quickly lack the money to pay salaries and other costs, and suddenly they're bankrupt.

    2. Re:Bankrupt? by Kjella · · Score: 3, Interesting

      You have commitments like rent, wages and other expenses and suddenly no more projected income. Even if you're not cash flow insolvent yet, you can in most countries file for bankruptcy the moment it is clear that you will be unable to meet those commitments. In fact, in many countries you must do it so that all debtors get their fair share of the assets rather than the quickest getting paid and the last left with nothing. It's not that usual but if you suddenly lose your core business like this company did then that can be instant bankruptcy.

      --
      Live today, because you never know what tomorrow brings
  3. Re:Comodo by Spad · · Score: 4, Informative

    Mostly because they caught the intrusion (which was at a 3rd party rather than directly part of Comodo) and reported it immediately as well as putting in place measures to try and prevent it from happening again.

    DigiNotar didn't notice that they'd been hacked for months and didn't tell anyone for months more and even then they didn't know how badly they'd been hacked or exactly which certs may have been issued to whom.

  4. Misplaced paranoia. by the_raptor · · Score: 4, Interesting

    My favourite part of the article:

    We have strong indications that the CA-servers, although physically very securely placed in a tempest proof environment, were accessible over the network from the management LAN.

    TEMPEST http://en.wikipedia.org/wiki/TEMPEST is a method where you intercept EM radiation from a computer and use that to reconstruct some information about what that computer is doing. For example the US government could supposedly read CRT monitors from a fair distance away.

    However, worrying about TEMPEST protection when you not only have those system connected to systems that are connected directly to the net, but use a single management username and password combo for your entire network is just insane. Even if the system wasn't connected to the Internet the freaking janitor could have placed a key-logger and had access to the entire system.

    It is far cheaper to bribe one employee then spend millions setting up a modern TEMPEST system. I guess even the Dutch practice security theatre.

    --

    ========
    CINC, 4th Penguin Legion
  5. Re:Comodo by heypete · · Score: 4, Informative

    That, and Comodo's core infrastructure (e.g. the stuff that actually does the signing) wasn't compromised.

    The attacker used the compromised third party to issue certificates through the normal channels made available by Comodo to resellers, so it was possible to determine exactly what certificates were issued erroneously.

    At least that was my understanding of what happened, based on information I read several months ago.

  6. Idiots by Arancaytar · · Score: 3, Interesting

    We have strong indications that the CA-servers, although physically very securely placed in a tempest proof environment, were accessible over the network from the management LAN.

    It is at once hilarious and depressing that there are tech and security managers who take steps to shield equipment from electromagnetic detection and then leave that equipment open to remote access. Wrap your computer in tinfoil and then stick your password on the screen.