DigiNotar audit - intermediate report available
Today the Dutch government released a letter signed by the minister of internal affairs and the minister of security and justice addressed to their house of representatives. The letter has as attachment an interim report by security company Fox-IT's CEO who has been heading an audit at DigiNotar.
The report itself is well worth a read [in English].
For those on limited time, some of the most interesting news and observations:
- The defaced pages dating back to 2009 found by F-secure appear to have been copied during a re-installation of the web server in August.
- The OCSP server's working at DigiNotar has been reversed since Sept 1st. Normally these servers respond with good to all certificates except those on the CRL (a blocklist). The OCSP now operates in whitelist mode: it will call all unknown certificates signed by DigiNotar as revoked (a whitelist).
Hence we need to make sure to use the OCSP server to validate DigiNotar certificates -should we want/need to- and not rely on the published CRLs anymore. - DigiNotar operates multiple CA servers, all of them seem to have been compromised by the hackers and having had Administrator level access, including those used for Qualified certificates and PKIOverheid certificates.
- Some of the CA servers have had parts of their logs deleted, leading to DigiNotar not knowing what certificates were issued.
- Hacker tools including Cain&Abel as well as specialized dedicated scripts -written in a language specific to the PKI environment- were found. Intentional fingerprints left in one of the scripts links it back to the Comodo breach.
- There is a list of 6 CAs that have been found to have emitted rogue certificates
- There is an incomplete list of 24 additional CAs that have had their security compromised but have not shown to have emitted rogue certificates
- The rogue certificate for *.google.com detected in the wild was verified against the DigiNotar OCSP service from August 4th till it was revoked on August 29th. 300 000 different IP addresses verified that certificate. More than 99% of those addresses trace back to Iran.
The report notes that those who had their connections to gmail intercepted could have exposed their authentication cookies and that would expose their email itself, and through that also allow access to reset functionality of other services such as e.g. facebook. It is recommended that those in Iran logout and change passwords. - 2 certificates were found on the PKIOverheid and Qualified environment that cannot be related to a valid certificate.Yet the logs appear to be intact and do not show rogue certificates created.
- There is a list of failures of basic best security practices that have clearly not worked, implemented badly or were omitted. Yet the servers are housed in a tempest protected room.
- The hackers breached the systems possible June 6th already, this got detected by DigiNotar on June 19th, The rogue certificates were created in July and the first time the *.google.com certificate that was detected in the wild was presented on July 27th to the OCSP server. Yet it took till DigiNotar was notified by govCERT.nl before they revoked the certificate.
The letter [in Dutch] summarizes the report itself, and contains some additional information not in the report that is of interest:
- There is now an inquiry into DigiNotar for possible responsibility and negligence
- The search for the hackers continues
- DigiNotar filed an official reported the incident on September 5th
- They suggest leniency and agreements for those cases where the revocation of trust in DigiNotar leads to problems such as with the timely filing of tax information in the Netherlands
--
Swa Frantzen -- Section 66
Microsoft Releases Diginotar Related Patch and Advisory
Microsoft released an advisory [1] earlier today announcing that they will place a number of DigiNotar root certificates on the "not trusted" list.
A blog article further explains how certificate stores can be manipulated manually [2].
One important difference between this most recent advisory, and an earlier advisory [3] is that Windows Mobile 6.x/7/7.5 is no longer listed as affected. The earlier advisory stated that Windows Mobile 6.x and 7 are affected. It didn't mention Windows Mobile 7.5. (thanks to a read for pointing this out)
[1]http://www.microsoft.com/technet/security/advisory/2607712.mspx
[2]http://blogs.technet.com/b/srd/archive/2011/09/04/protecting-yourself-from-attacks-that-leverage-fraudulent-diginotar-digital-certificates.aspx
[3] http://technet.microsoft.com/en-us/security/advisory/2524375
------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter
Comments