DigiNotar dies from certificate hack caper
'Unlikely many are going to shed tears' over Dutch company's demise, says security researcher
Computerworld - The Dutch company that was hacked earlier this summer by certificate thieves has gone bust and shut down, its U.S.-based owner said Tuesday.
DigiNotar filed for bankruptcy in a Netherland court on Monday, and its assets will be liquidated by a court-appointed trustee, said Vasco Data Security International, the Chicago company that purchased DigiNotar last January for $13.1 million.
"Effective as of the beginning of business today, the Trustee has taken over the management of DigiNotar's business activities," Vasco said in a statement on Tuesday.
In late August, DigiNotar admitted that hackers had illegally generated numerous SSL (secure socket layer) certificates, including one for google.com that was later found to have been used to spy on some 300,000 Iranians through their Gmail accounts.
DigiNotar confirmed that it had first discovered the intrusion on July 19, but had not disclosed the breach to browser makers, the Dutch government -- which used DigiNotar certificates to validate the identities of many of its websites -- or other customers until more than a month later.
An investigation sponsored by the Dutch government revealed that the hacker or hackers first compromised DigiNotar's servers in mid-June and made off with more than 500 certificates.
After DigiNotar went public, all five of the major browser makers -- Apple, Google, Microsoft, Mozilla and Opera -- issued updates that barred users from reaching sites secured with DigiNotar-issued certificates.
DigiNotar's filing for bankruptcy was not unexpected.
On Sept. 15, Vasco filed a statement with the U.S. Securities and Exchange Commission (SEC) that noted the company's investment in DigiNotar had been "materially impaired," and added that it was "not able to determine the amount of impairment loss Vasco may incur or estimate the amount of future cash expenditures that the Company may incur in connection with the impairment."
Vasco credited the loss to a Sept. 14 decision by the Dutch Independent Post and Telecommunications Authority (OPTA) to terminate DigiNotar as a certificate authority (CA), preventing it from issuing any further certificates.
But the browser makers' moves to block, then bar, DigiNotar certificates also played a part, said a security expert.
"Ultimately, the power is in the hands of the browser makers to trust any CA," said Andrew Storms, director of security operations at nCircle Security. "Going by that logic, the browsers then have the same power to create the demise of a CA."
Microsoft declined to comment on the death of DigiNotar, and neither Mozilla or Google responded to a request for comment.
Vasco purchased DigiNotar in January for $13.1 million, and in its most recent quarterly filing with the SEC, tallied the Dutch company's "goodwill" and "intangible assets" at nearly $12.8 million. In its Tuesday statement, Vasco said it was still working on putting a number to DigiNotar's vanishing act, but voiced confidence that some of DigiNotar's intellectual property rights would still be valuable.
Vasco also distanced its own products and services from the now-dead Dutch firm.
"The incident at DigiNotar has no impact on Vasco's core authentication technology," argued T. Kendall Hunt, Vasco's CEO and chairman.
Jan Valcke, president and chief operating officer of Vasco, added that the company would steer clear of the certificate business. "We do not plan to re-enter the certificate authority business in the near future," said Valcke in the same statement.
Vasco's stock has taken a beating since the company announced the intrusion, with the share price down 31.5% since the close of the market on Aug. 29. As recently as July 11, Vasco's shares traded at $13.82.
"It's unlikely that many people are going to shed many tears over the demise of DigiNotar," said Graham Cluley, senior technology consultant at security firm Sophos, in a Tuesday blog. "The firm lost all trust when it was discovered that it had known that it had suffered a security breach weeks before coming clean about the problem."
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed . His e-mail address is email@example.com.
- Security Manager's Journal: Thousands of dollars in phone calls? Management hates that.
- Everything You Know About Enterprise Security Is Wrong
- UK man charged with hacking Federal Reserve
- McAfee Offers Global Response to Nationalized Malware
- Tech Industry Praises Cybersecurity Framework From White House
- Ransomware like Cryptolocker uses Bitcoin, other virtual currencies for payment
- Trial for alleged Silk Road creator Ross Ulbricht set for November
- Target attack shows danger of remotely accessible HVAC systems
- U.S. is investigating Target data breach, AG Holder says
- Russian man pleads guilty in SpyEye malware case
Read more about Security in Computerworld's Security Topic Center.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts