Certification Authority Breaches; was Diginotar the only one?
2011 was a year of data breaches at CAs, at least from an information security perspective. The Certification Authority authentication model was hacked several times. One of the victims went bankrupt: Diginotar. This company was compromised by the infamous Comodo Hacker, who had already compromised other Certification Authorities earlier that year. The hacks seemed to be politically motivated, and a retaliation for Stuxnet.
The attacks against CAs virtually started in 2010, with Stuxnet itself: it was the first malware using a driver signed with a valid certificate belonging to Realtek Semiconductor Corp. After that, there were about eleven other breaches: eavesdropping (Comodo Hacker), malware driver signatures, or compromised servers.
Jan 25 2011, Stuxnet
The Stuxnet driver is discovered to be signed with a valid certificate belonging to Realtek Semiconductor Corp. On July 16 2011, Verisign revokes Realtek Semiconductor Corp's certificate.
Mar 24 2011, Comodo
As revenge for Stuxnet, an Iranian hacker forges fake certificates for Google email services.
Aug 29 2011, Diginotar
A user finds a certificate warning about a revoked SSL certificate for Google services. The certificate was issued on July 10th by the Dutch CA Diginotar. The fake certificate was forged by Comodo Hacker and revoked immediately.
Sep 6 2011, Diginotar, Globalsign and StartCom
The real extent of the Diginotar breach becomes clear: 531 bogus certificates issued, including for Google, CIA, Mossad and Tor. The Comodo Hacker also claims to own more CAs, among which GlobalSign, which precautionarily suspends issuance of certificates. Another one, StartCom, was able to avoid the hack since its CEO was sitting in front of the HSM, although the attacker claims to own emails, DB and customer data.
Sep 7 2011, Symantec
As a consequence of Comodo Hacker's claims, Symantec releases a statement to reassure its customers that its infrastructure has been audited and is not compromised.
Sep 7 2011, Thawte
Panic is spreading in the Certification Authority industry. Thawte publishes an announcement similar to Symantec's after an erroneous report from a Dutch government agency according to which the security firm had been breached.
Sep 9 2011, GlobalSign
After suspending certificate issuance, GlobalSign finds evidence of a breach of the web server hosting its www website. The breached web server has always been isolated from all other infrastructure and is used only to serve the www.globalsign.com website.
Oct 19 2011, Duqu
Researchers discover that Duqu, the son of Stuxnet, masks itself as legitimate code using a driver file signed with a valid digital certificate. The certificate belongs to a company headquartered in Taipei, identified by F-Secure as C-Media Electronics Incorporation. The certificate was set to expire on August 2, 2012, but authorities revoked it on Oct. 14, shortly after Symantec began examining the malware.
Nov 3 2011, Digicert Malaysia
Mozilla announces the revocation of another intermediate signing certificate, used by a registrar in Malaysia, DigiCert Sdn. Bhd. (not the same as the US-based DigiCert), which had issued 22 weak certificates (RSA 512) to the Malaysian government that could lead to abuse or compromise. Entrust stated that two of the certificates issued were used to sign malware used in a spear phishing attack against another Asian certificate authority. Three other certificates were also involved, but were not issued by DigiCert Sdn. Bhd.
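Two of the failure modes in this timeline can be checked by a relying party on its own: a certificate for a well-known host that carries a public key nobody expected (the Diginotar certificate for Google services) and a key too short to be trusted (the RSA 512 certificates above). The following Python is an added example, not code from this post or from any of the CAs named. It hand-builds DER SubjectPublicKeyInfo (SPKI) blobs with placeholder moduli (constructed numbers of the right size, not real keys), reads the RSA modulus size back out with a small DER walker, and compares the SHA-256 fingerprint of the SPKI against an assumed pin set for mail.google.com. The pin set, the hostnames and the key values are all assumptions made for the demonstration.

```python
import hashlib

# Minimal DER helpers. The encoder exists only to construct the sample SPKI
# blobs below; real input would be the leaf certificate's SPKI from a TLS
# handshake or a certificate log.

def der_len(n):
    """Encode a DER length (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def der_tlv(tag, content):
    return bytes([tag]) + der_len(len(content)) + content

def der_int(value):
    """DER INTEGER; a leading 0x00 keeps a value with the top bit set positive."""
    b = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if b[0] & 0x80:
        b = b"\x00" + b
    return der_tlv(0x02, b)

RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption

def build_rsa_spki(modulus, exponent=65537):
    """SPKI ::= SEQUENCE { AlgorithmIdentifier, BIT STRING { RSAPublicKey } }"""
    alg = der_tlv(0x30, der_tlv(0x06, RSA_OID) + der_tlv(0x05, b""))
    rsa_key = der_tlv(0x30, der_int(modulus) + der_int(exponent))
    return der_tlv(0x30, alg + der_tlv(0x03, b"\x00" + rsa_key))

def der_read(buf, pos=0):
    """Decode one TLV at buf[pos]; returns (tag, content, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length

def der_children(content):
    """Split a constructed element's content into its (tag, content) members."""
    out, pos = [], 0
    while pos < len(content):
        tag, body, pos = der_read(content, pos)
        out.append((tag, body))
    return out

def rsa_key_bits(spki):
    """Bit length of the RSA modulus in an SPKI, or None if the key is not RSA."""
    tag, body, _ = der_read(spki)
    if tag != 0x30:
        raise ValueError("SPKI must be a SEQUENCE")
    alg, bitstr = der_children(body)
    oid = der_children(alg[1])[0][1]
    if oid != RSA_OID:
        return None
    _, rsa_body, _ = der_read(bitstr[1][1:])  # skip the unused-bits byte
    modulus = der_children(rsa_body)[0][1]
    return int.from_bytes(modulus, "big").bit_length()

def spki_fingerprint(spki):
    """SHA-256 over the DER SPKI, the usual form of a public-key pin."""
    return hashlib.sha256(spki).hexdigest()

MIN_RSA_BITS = 2048  # assumed policy floor; 512-bit RSA is far below it

def audit_certificate(hostname, spki, pins):
    """Findings for one observed (hostname, SPKI): weak RSA size and/or pin mismatch."""
    findings = []
    bits = rsa_key_bits(spki)
    if bits is not None and bits < MIN_RSA_BITS:
        findings.append(f"weak RSA key: {bits} bits")
    expected = pins.get(hostname)
    if expected is not None and spki_fingerprint(spki) not in expected:
        findings.append("public key not in pin set for this host")
    return findings

# Constructed sample keys: placeholder moduli of the right size, not real keys.
GOOD_SPKI = build_rsa_spki((1 << 2047) | 1)        # the key we expect for the host
BOGUS_SPKI = build_rsa_spki((1 << 2047) | 0b1011)  # same size, different key
WEAK_SPKI = build_rsa_spki((1 << 511) | 1)         # a 512-bit key

# Assumed pin set: hostname -> accepted SPKI fingerprints.
PINS = {"mail.google.com": {spki_fingerprint(GOOD_SPKI)}}

if __name__ == "__main__":
    for host, spki in [("mail.google.com", GOOD_SPKI),
                       ("mail.google.com", BOGUS_SPKI),
                       ("weak.example", WEAK_SPKI)]:
        print(host, rsa_key_bits(spki), audit_certificate(host, spki, PINS) or "ok")
```

Run stand-alone it prints one line per sample key: the expected key passes, the second key for the same host trips the pin check even though it is a perfectly valid 2048-bit RSA key, and the 512-bit key is flagged regardless of which CA signed it. In practice the SPKI would be taken from the leaf certificate seen in the handshake and the pin set maintained per host.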
Nov 4 2011, Getronics (KPN)
After Diginotar, another Dutch certificate authority, KPN, stops issuing digital certificates as a precaution after finding a DDoS attack tool during an audit of a server in its web infrastructure. The tool may have been there for as long as four years.
Nov 14 2011, Malaysian Agricultural Research and Development Institute
F-Secure detects malware signed with a governmental signing key belonging to mardi.gov.my, which is part of the Government of Malaysia. According to the information received from the Malaysian authorities, this certificate was stolen "quite some time ago".
Dec 8 2011, Gemnet (KPN)
Another Dutch Certification Authority breached: security firm Gemnet suffers a data breach including administrative credentials. Parent company KPN has suspended sister company Gemnet CSP's certificate signing operations.
Dec 2012: Director of Diginotar Tony de Bos starts a new company: Cybbos
CYBBOS is an innovative and fast-growing organization that specializes in preventing, detecting and resolving incidents in the field of cyber security. Their philosophy is not only to prevent but also to detect and resolve incidents quickly, as an organization under continuous control.
Diginotar was not the only one. Out of eleven breaches in one year (2011), three involved Dutch companies: Diginotar, Getronics (KPN) and Gemnet (KPN). However, Diginotar was hacked first.
What happened to the Comodo Hacker?
According to the Dutch Government nobody was found or arrested; the investigation bled to death. Article: Computable (Dutch)