Final Report on DigiNotar Hack: Really Badly Owned

DigiNotar was a Dutch certificate authority, one of the hundreds of firms issuing SSL certificates for websites. They aren’t anymore, as the Dutch government took them over after they got badly hacked. Now we have a final report to show just how badly hacked they were…

a) All 8 CA servers were pwned.
b) The intruder was probably the same guy behind the Comodo hack.
c) The intruder managed to jump into parts of DigiNotar’s network separated from the public Internet, because DigiNotar was sloppy about maintaining separation.
d) There are almost certainly more undiscovered illegitimately-produced certificates floating around.
e) It’s possible the attacker managed to get around the smart-card authentication built into the hardware security modules protecting the private keys(!) as the legitimate smart cards were safe in a vault for the duration of the attack.

Lesson: Security “solutions” that require you to trust other people suck. Security measures — like SSL — that focus the trust of many people on single institutions (like CA’s) suck even more. It’s simply not realistic to expect one entity to be that trustworthy, and the inevitable failures are catastrophic.

“Millions of Internet users cannot hide behind one tree. It’s been tried.”

“The attacker who penetrated the Dutch CA DigiNotar last year had complete control of all eight of the company’s certificate-issuing servers during the operation and he may also have issued some rogue certificates that have not yet been identified. The final report from a security company commissioned to investigate the DigiNotar attack shows that the compromise of the now-bankrupt certificate authority was much deeper than previously thought.[…]

the final report from Fox-IT, the Dutch company brought in at the time of the attack in 2011 to find the root cause and determine the extent of the damage, says in its final report that the attack was a wide-ranging one that likely started more than a month before the CA discovered it.

“The investigation by Fox-IT showed that all eight servers that managed Certificate Authorities had been compromised by the intruder. The log files were generally stored on the same servers that had been compromised and evidence was found that they had been tampered with. Consequently, while these log files could be used to make inconclusive observations regarding unauthorized actions that took place, the absence of suspicious entries could not be used to conclude that no unauthorized actions took place,” the report, which was just made public this week, says.

One of the most worrisome aspects of the DigiNotar breach at the time it leaked out was that the company not only was a commercial CA, but it also issued government certificates, calling into question the legitimacy of those certificates, as well. The Fox-IT report says there are some indications in their investigation that the attacker may have issued some rogue certificates that have not been identified yet, a troubling prospect.

“Serial numbers for certificates that did not match the official records of DigiNotar were recovered on multiple CA servers, including the Qualified-CA server which was used to issue both accredited qualified and government certificates, indicating that these servers may have been used to issue additional and currently unknown rogue certificates,” the report says.[…]

DigiNotar had its network highly segmented and had a number of those segments separated from the public Internet. However, the company did not have strict enforcement of the rules on its network, something that may have enabled the attacker to move from the Web server he initially compromised over to the servers that house the certificate authorities.

“The investigation showed that web servers in DigiNotar’s external Demilitarized Zone (DMZ-ext-net) were the first point of entry for the intruder on June 17, 2011. During the intrusion, these servers were used to exchange files between internal and external systems, with scripts that were placed on these systems serving as rudimentary file managers,” the Fox-IT report says.

“From the web servers in DMZ-ext-net, the intruder first compromised systems in the Office-net network segment between the 17th and 29th of June 2011. Subsequently, the Secure-net network segment that contained the CA servers was compromised on July 1, 2011. Specialized tools were recovered on systems in these segments, which were used to create tunnels that allowed the intruder to make an Internet connection to DigiNotar’s systems that were not directly connected to the Internet. The intruder was able to tunnel Remote Desktop Protocol connections in this way, which provided a graphical user interface on the compromised systems, including the compromised CA servers.”

The attack on DigiNotar lasted for nearly six weeks, from start to finish, according to the report, and the attacker was using multiple systems outside and inside the network during the operation.

“The investigation by Fox-IT showed that all servers that managed Certificate Authorities had been compromised by the intruder, including the Qualified-CA server, which was used to issue both accredited qualified and government certificates. In total, a non-exhaustive list of 531 rogue certificates with 140 unique distinguished names (DNs) and 53 unique common names (CNs) could be identified. The last known date for traffic that was initiated from within DigiNotar’s network to an IP address that was presumably (ab)used by the intruder was on July 22, 2011. Traces of activity by the intruder in DMZ-extnet were found up to July 24, 2011,” the report says.

The attacker had complete control of the CA servers during the attack and had the ability to alter log files, which were kept on the same servers as the CAs, and to make changes to the database. An interesting detail from the report is that DigiNotar could not produce any records showing whether a smart card had been used to activate the private keys in the hardware security module that correspond to the compromised CAs. The attacker would not have been able to issue the rogue certificates without the private keys, so he also needed to find a way to activate them.

“The private keys were activated in the netHSM using smartcards. No records could be provided by DigiNotar regarding if and when smartcards were used to activate private keys, except that the smartcard for the Certificate Authorities managed on the CCV-CA server, which is used to issue certificates used for electronic payment in the retail business, had reportedly been in a vault for the entire intrusion period,” Fox-IT’s report says.”


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: