Hackers may have stolen over 200 SSL certificates
Source say DigiNotar breach generated fraudulent certs for Mozilla, Yahoo and Tor, not just Google
Computerworld - Hackers may have obtained more than 200 digital certificates from a Dutch company after breaking into its network, including ones for Mozilla, Yahoo and the Tor project, a security researcher reported today.
The count is considerably higher than DigiNotar has acknowledged. Earlier this week, a company spokesman said that "several dozen" certificates had been acquired by the attackers.
"About 200 certificates were generated by the attackers," said Hans Van de Looy, principal security consultant and founder of Madison Gurka, a Dutch security company, citing a source he said wished to remain confidential.
Among the certificates acquired by the attackers in a mid-July hack of DigiNotar, Van de Looy's source said, were ones valid for mozilla.com, yahoo.com and torproject.org.
Tor is a system that lets people connect to the Web anonymously, and is often used in countries where governments monitor their citizens' online activities.
Mozilla confirmed that a certificate for its add-on site had been obtained by the DigiNotar attackers. "DigiNotar informed us that they issued fraudulent certs for addons.mozilla.org in July, and revoked them within a few days of issue," said Johnathan Nightingale, director of Firefox development, in a statement today.
Looy's number is similar to the tally of certificates that Google has blacklisted in Chrome.
An entry in the Chromium bug-tracking database lists 247 certificates that the project blacklisted yesterday. Chromium is the open-source project that feeds code to the Chrome browser and Chrome OS.
"Were these all issued by DigiNotar? It is difficult to tell," said Chet Wisniewski, a security researcher with U.K.-based Sophos, in a blog post Tuesday. "However, considering only 10 were blocked previously, this is a strong indication that these additional blacklisted certificates were most likely part of this incident."
DigiNotar, a Dutch firm that was acquired by U.S.-based Vasco earlier this year, discovered the network breach on July 19, and has confirmed intruders issued themselves valid certificates for a number of domains.
The company claimed that it had revoked all the fraudulent certificates, but then realized it had overlooked one that could be used to impersonate any Google service, including Gmail. DigiNotar went public with its mea culpa only after users reported their findings to Google last week.
Security researchers now wonder what else DigiNotar hasn't told users.
"They say they found all but the [certificate for] google.com," said Wisniewski in an interview Tuesday. "But what other sites were we at risk from visiting earlier? Were those other certificates for Microsoft or Yahoo or PayPal? How come they're not saying?"
Wisniewski was concerned because of the timeline that DigiNotar laid out.
DigiNotar essentially admitted that it was unaware of the hack for over a week: The Google certificate was issued July 10, according to information posted to Pastebin.com last Saturday, nine days before DigiNotar said it became aware of the attack.
"For nine days they didn't know about it," said Wisniewski. "Then how long did it take them to revoke those they knew about?"
Wisniewski said DigiNotar had revoked multiple certificates on July 19, July 26 and Aug. 16, all dates that were prior to the Dutch firm acknowledging the attack.
"We should be very concerned about this. When this kind of thing happens, the sweeping under the rug is almost an abuse of the entire system of trust," said Wisniewski, referring to the SSL (secure socket layer) certificate model.
Roel Schouwenberg, a senior malware researcher at Moscow-based Kaspersky Lab, also took DigiNotar to the woodshed.
"According to DigiNotar, they're not able to track which rogue certificates were generated," said Schouwenberg in a Wednesday blog. "So more of these rogue certificates may be out there. How is this possible? Either DigiNotar performs no logging of the certificates they create or their logs got cleaned out during the attack."
- Feds declare big win over Cryptolocker ransomware
- Hackers hit more businesses through remote access accounts
- P.F. Chang's post-breach move to manual processing is telling
- Microsoft withholds monster IE update from Windows 8.1 dawdlers
- In baffling move, TrueCrypt open-source crypto project shuts down
- 'Oleg Pliss' hack makes for a perfect teachable IT moment
- Give IE the heave-ho until Microsoft patches zero-day
- Hackers find first post-retirement Windows XP-related vulnerability
- Researcher claims two hacker gangs exploiting unpatched IE bug
- Update: Third of Internet Explorer users at risk from attacks
- Best Practices for Securing Hadoop Historically, Apache Hadoop has provided limited security capabilities. To protect sensitive data being stored and analyzed in Hadoop, security architects should use a...
- Top Tips for Securing Big Data Environments: Why Big Data Doesn't Have to Mean Big Security Challenges Organizations must come to terms with the security challenges they introduce. As big data environments ingest more data, organizations will face significant risks...
- 5 Ways Dropbox for Business Keeps Your Data Protected Protecting your data isn't a feature on a checklist, something to be tacked on as an afterthought. Download here to find out how...
- The Keys to Securing Data in a Collaborative Workplace Losing data is costly. IT professionals have spent years learning how to protect their organizations from hackers, but how do you ward off...
- What should I look for in a Next Generation Firewall? SANS Provides Guidance With so many vendors claiming to have a Next Generation Firewall (NGFW), it can be difficult to tell what makes each one different....
- Responding to New SSL Cybersecurity Threat The featured Gartner research examines current strategies to address new SSL cybersecurity threats and vulnerabilities. All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!