Hackers may have stolen over 200 SSL certificates
Source say DigiNotar breach generated fraudulent certs for Mozilla, Yahoo and Tor, not just Google
Computerworld - Hackers may have obtained more than 200 digital certificates from a Dutch company after breaking into its network, including ones for Mozilla, Yahoo and the Tor project, a security researcher reported today.
The count is considerably higher than DigiNotar has acknowledged. Earlier this week, a company spokesman said that "several dozen" certificates had been acquired by the attackers.
"About 200 certificates were generated by the attackers," said Hans Van de Looy, principal security consultant and founder of Madison Gurka, a Dutch security company, citing a source he said wished to remain confidential.
Among the certificates acquired by the attackers in a mid-July hack of DigiNotar, Van de Looy's source said, were ones valid for mozilla.com, yahoo.com and torproject.org.
Tor is a system that lets people connect to the Web anonymously, and is often used in countries where governments monitor their citizens' online activities.
Mozilla confirmed that a certificate for its add-on site had been obtained by the DigiNotar attackers. "DigiNotar informed us that they issued fraudulent certs for addons.mozilla.org in July, and revoked them within a few days of issue," said Johnathan Nightingale, director of Firefox development, in a statement today.
Looy's number is similar to the tally of certificates that Google has blacklisted in Chrome.
An entry in the Chromium bug-tracking database lists 247 certificates that the project blacklisted yesterday. Chromium is the open-source project that feeds code to the Chrome browser and Chrome OS.
"Were these all issued by DigiNotar? It is difficult to tell," said Chet Wisniewski, a security researcher with U.K.-based Sophos, in a blog post Tuesday. "However, considering only 10 were blocked previously, this is a strong indication that these additional blacklisted certificates were most likely part of this incident."
DigiNotar, a Dutch firm that was acquired by U.S.-based Vasco earlier this year, discovered the network breach on July 19, and has confirmed intruders issued themselves valid certificates for a number of domains.
The company claimed that it had revoked all the fraudulent certificates, but then realized it had overlooked one that could be used to impersonate any Google service, including Gmail. DigiNotar went public with its mea culpa only after users reported their findings to Google last week.
Security researchers now wonder what else DigiNotar hasn't told users.
"They say they found all but the [certificate for] google.com," said Wisniewski in an interview Tuesday. "But what other sites were we at risk from visiting earlier? Were those other certificates for Microsoft or Yahoo or PayPal? How come they're not saying?"
Wisniewski was concerned because of the timeline that DigiNotar laid out.
DigiNotar essentially admitted that it was unaware of the hack for over a week: The Google certificate was issued July 10, according to information posted to Pastebin.com last Saturday, nine days before DigiNotar said it became aware of the attack.
"For nine days they didn't know about it," said Wisniewski. "Then how long did it take them to revoke those they knew about?"
Wisniewski said DigiNotar had revoked multiple certificates on July 19, July 26 and Aug. 16, all dates that were prior to the Dutch firm acknowledging the attack.
"We should be very concerned about this. When this kind of thing happens, the sweeping under the rug is almost an abuse of the entire system of trust," said Wisniewski, referring to the SSL (secure socket layer) certificate model.
Roel Schouwenberg, a senior malware researcher at Moscow-based Kaspersky Lab, also took DigiNotar to the woodshed.
"According to DigiNotar, they're not able to track which rogue certificates were generated," said Schouwenberg in a Wednesday blog. "So more of these rogue certificates may be out there. How is this possible? Either DigiNotar performs no logging of the certificates they create or their logs got cleaned out during the attack."
- Researcher claims two hacker gangs exploiting unpatched IE bug
- Update: Third of Internet Explorer users at risk from attacks
- Microsoft plans another short patch slate for next week, but finds a few XP bugs to crush
- Target attack shows danger of remotely accessible HVAC systems
- Target hackers try new ways to use stolen card data
- Update: Microsoft to patch just-revealed Windows zero-day tomorrow
- NSA spying prompts open TrueCrypt encryption software audit to go viral
- Microsoft warns of Office zero-day, active hacker exploits
- Hackers move to create next Blackhole after 'Paunch' arrest
- Adobe hack shows subscription software vendors lucrative targets
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts