Certification Authority Breaches; was Diginotar the only one?

  • 3

Certification Authority Breaches; was Diginotar the only one?

2011 was a year of data breaches of CA’s. At least from an Information Security Perspective.  The Certification Authority authentication model was hacked several times.One of them was declared Bankrupt: Diginotar. This company was compromised by the infamous Comodo Hacker. However he had already compromised other Certification Authorities earlier that year. The hacks seamed to be for political reasons. And as a retaliation for Stuxnet.

The attacks against CA’s started virtually in 2010. This was Stuxnet itself. It was the first malware using a driver signed with a valid certificate beloning o Realtek Semiconductors Corps.After that, there were about eleven other breaches; eavesdropping (Comodo Hacker), malware driver signatures, or compromised servers.


Jan 25 2011, Stuxnet
The Stuxnet driver is discovered to be signed with a valid certificate, belonging tp Realtek Semiconductor Corps. On July 16 2011, Verisign revokes Realtek Semiconductor Corps certificate.
Article: Symantec

Mar 24 2011, Comodo
As a revenge for Stuxnet, an Iranian Hackers forges fake certificates for Google email services.
Article: Pastebin

Aug 29 2011, Diginotar
A user finds a certificate warning about a revoked SSL certificate Google services. The certificate was issued on July 10th by Dutch Diginotar. The fake certificate was forged by Comodo Hacker, and revoked immediately.
Article: Sophos

Sep 6 2011, Diginotar, Globalsign and StartCom
The real extent of the Diginotar breach becomes clear: 531 bogus certificates issued including Google, CIA, Mossad, Tor. The Commodo Hacker also claims to own more CA’s among wich GlobalSign which precaution ally suspends issuance of certificates. Another one was StartCom was able to avoid the hack since it’s CEO was sitting in front of HSM, although the attacker claims to own emails, DB and Customer data.
Article: Pastebin

Sep 7 2011, Symantec
As a consequence of Comodo Hacker’s claims, Symantec releases a statement to reassure their customers their infrastructure has been audited and it is not compromised.
Article: Symantec

Sep 7 2011, Thawte
Panic is spreading on the Certification Authority industry. Thawte publishes a similar announcement than Symantec after an erroneous report from a Dutch Government agency  according to which the Security firm had been breached.
Article: Thawte

Sep 9 2011, GlobalSign
After suspending issuing certificates, GlobalSign finds evidence of a breach to the web server hosting the www website. The breached web server has always been isolated from all other infrastructure and is used only to serve the www.globalsign.com website.
Article: Globalsign

Oct 19 2011, Duqu
Researches discover that Duqu, the son of Stuxnet, masks itself als legitimate code using a driver file signed with a valid digital certificate. The certificate belongs to a company headquartered in Taipei, identified by F-Secure, as C-Media Electronics Incorporation. The certificate was set to expire on August 2, 2012, but authorities revoked it on Oct. 14, shortly after Symantec began examining the malware.
Article: Wired

Nov 3 2011, Digicert Malaysia
Mozilla announces to revoke another intermediate signing certificate used by a registrar in Malasia, DigiCert Sdn.Bhd.  (Not the same as the US based DigiCert) which had issued 22 weak certificates ( RSA 512) to the Malaysian government that could lead to abuse or compromise. Entrust stated that two of the certificates issued were used to sign malware used in a spear phishing attack against another Asian certificate authority. Three other certificates were also involved, but were not issued by DigiCert Sdn.Bhd.
Article: Sophos

 Nov 4 2011, Getronics (KPN)
After Diginotar, another Dutch certificate authority, KPN, stops issuing digital certificates as a precaution after finding an attack DDoS tool during an audit on a server in it’s Web infrastructure. The tool may have been there for as long as four years.
Article: Threatpost

Nov 14 2011, Malasian Agricultural Research an Development Institute
F-Secure detects a malware signed with a Governmental Signing Key belonging to mardi.gov.my which is part of the Government of Malaysia. According the information received from the Malaysian authorities this certificate has been stolen “quite some time ago:.
Article: F-Secure

Dec 8 2011, Gemnet (KPN)
Another Dutch Certification Authority breached: security firm Gemnet suffers a data breach including administrative credentials. Parent company KPN has suspended sister company Gemnet CSP’s certificate signing operations.
Article: Sophos

Dec 2012: Director of Diginotar Tony de Bos starts a new company: Cybbos

CYBBOS is a innovative and fast-growing organization who specializes in preventing, detecting and resolving incidents on the field of cyber security. Their philosophy is not only to prevent but also detect and resolve incidents quickly, as organization by continuous control.
Website: Cybbos


Diginotar was not the only one. Out of eleven breaches in one year (2011), three Dutch companies were involved: Diginotar, Getronics (KPN) and Gemnet (KPN). However Diginotar was hacked before.
Article: F-Secure

KPN seems to be more vulnerable, in february 2012 KPN got hacked again:
Article: Telecompaper
And this time the hacker was arrested:
Article: Computerworld


What happend with the Comodo Hacker?

According to the Dutch Government nobody was found or arrested, the investigation blead to death.  Article: Computable (Dutch)

Related articles:
De opkomst en ondergang van Diginotar (Dutch)


About Author

Tamara Eikelenboom-Kamp

Tamara Eikelenboom-Kamp

Tamara Eikelenboom-Kamp is managing director at Innovice-IT. She is mainly publishing about CyberSecurity. She is working with several specialists based on their knowledge and skills in cyber-security and cyber-safety. The emphasis is on conceptual thinking, developing plans, innovative software or innovative methods. The main activities of Innovice-IT are Cyber Security Consulting, Penetration Testing and Secure Managed Hosting.


Innovice-IT on Twitter

  1. Bas Eikelenboom
    Bas Eikelenboom: RT @InfoSecHotSpot: Unfilled cybersecurity jobs are expected to reach 1.8 million by 2022, up 20 percent from 1.5 million in 2015, accordin…

  2. Bas Eikelenboom

  3. Bas Eikelenboom
    Bas Eikelenboom: RT @RidT: A few observations on today's "online escalation" New York Times story. I see lots of people making assumptions and jumping to co…

  4. Bas Eikelenboom
    Bas Eikelenboom: RT @bellingcat: Bellingcat's @Timmi_Allen put together the following video demonstrating how various images of the Kokuka Courageous match…

  5. Bas Eikelenboom
    Bas Eikelenboom: RT @InfoSecHotSpot: AI and 5G will create an explosion in cybersecurity risks, says FBI agent and general counsel at $50 billion firm https…