
(Possible) Diginotar Hacker Comes Forward

arglebargle_xiv writes "At the risk of burning people out on the topic of PKI fail, someone claiming to be the Diginotar hacker has come forward to claim responsibility: It's the ComodoGate hacker. He also claims to 0wn four more 'high-profile' CAs, and still has the ability to issue new rogue certificates, presumably from other CAs that he 0wns." Whether this claim turns out to be truthful or not, what led to the breach in the first place? Reader Dr La points to an interim report commissioned by the Dutch government (PDF), according to which "a) No antivirus software was present on Diginotar's servers; b) 'the most critical servers' had malicious software infections; c) The software installed on the public web servers was outdated and not patched; and d) all servers were accessible by one user/password combination, which was 'not very strong and could easily be brute-forced.'"
  • Re:Honest question: (Score:5, Informative)

    by tetromino ( 807969 ) on Tuesday September 06, 2011 @10:11AM (#37315618)
    Well, here [mozilla.org] are the requirements for a CA's certificate to be included in Mozilla products. In particular, they require an independent audit of the CA's policies and internal operations. Presumably other browser vendors follow similar procedures.
  • From the report... (Score:5, Informative)

    by MtHuurne ( 602934 ) on Tuesday September 06, 2011 @10:45AM (#37315918) Homepage

    First, here is the actual PDF [rijksoverheid.nl] instead of some web-based PDF viewer surrounded by dubious ads.

    The most damning statement from the report (in my opinion) didn't make the summary: "The separation of critical components was not functioning or was not in place. We have strong indications that the CA-servers, although physically very securely placed in a tempest proof environment, were accessible over the network from the management LAN."

    I have worked at a company that generated encryption keys and they did so on a PC in a locked rack in a locked room with no network connection; such an approach would have prevented this attack.

    This fragment from the timeline is also interesting:

    19-Jun-2011 Incident detected by DigiNotar by daily audit procedure
    02-Jul-2011 First attempt creating a rogue certificate
    10-Jul-2011 The first succeeded rogue certificate (*.Google.com)

    So an incident was detected three weeks before the first rogue cert was issued.

  • by Anonymous Coward on Tuesday September 06, 2011 @11:07AM (#37316152)

    There's an add-on for Firefox called Certificate Patrol which does precisely that - it even shows you the diff between the old and new certificate. Alas, it still requires constant vigilance - Joe Random User will click through any warning, no matter how scary, if promised scantily clad dancing bunnies.
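The trust-on-first-use check the comment above describes can be sketched in a few dozen lines. The following is an added example, not code from the Slashdot thread or from the Certificate Patrol add-on: a pin store keyed by hostname that records the first certificate seen, compares later ones against it, reports which fields changed, and separates a plausible renewal (same issuer, old certificate close to expiry) from the pattern of the DigiNotar case (a different issuer appearing for a name that already had a pinned certificate, or a replacement long before the old one expires). Certificate records are constructed dicts rather than parsed X.509; the issuer names, serials, dates and SPKI bytes are made up for the demonstration, and the 30-day rotation window is an arbitrary assumption.

```python
"""Trust-on-first-use certificate pinning with change reporting.

Added example in the spirit of Certificate Patrol; not the add-on's code.
Certificate data is represented as plain dicts built by make_record(); in a
real client the fields would come from the TLS handshake (ssl.getpeercert()).
"""
import hashlib
import json
from datetime import date, timedelta

# Assumption: a replacement while the pinned cert still has more than this
# many days of validity is treated as unusual rather than routine rotation.
ROTATION_WINDOW_DAYS = 30


def make_record(subject, issuer, serial, not_before, not_after, spki_der):
    """Minimal view of a leaf certificate. spki_der stands in for the
    DER-encoded SubjectPublicKeyInfo; pinning its hash rather than the whole
    certificate tolerates reissuance that keeps the same key."""
    return {
        "subject": subject,
        "issuer": issuer,
        "serial": serial,
        "not_before": not_before.isoformat(),
        "not_after": not_after.isoformat(),
        "spki_sha256": hashlib.sha256(spki_der).hexdigest(),
    }


class PinStore:
    """Hostname -> first-seen certificate record, persisted as JSON."""

    def __init__(self):
        self._pins = {}

    def dump(self):
        return json.dumps(self._pins, sort_keys=True)

    @classmethod
    def load(cls, text):
        store = cls()
        store._pins = json.loads(text)
        return store

    def observe(self, host, cert, today):
        """Compare cert with the pin for host.

        Returns (verdict, changed_fields). The first sighting is pinned
        silently; any later change is reported and the pin is left alone
        until the caller decides and calls accept()."""
        old = self._pins.get(host)
        if old is None:
            self._pins[host] = cert
            return "first-use", {}
        if old["spki_sha256"] == cert["spki_sha256"] and old["serial"] == cert["serial"]:
            return "unchanged", {}
        # Field-by-field diff, as the add-on shows it to the user.
        diff = {k: (old.get(k), cert[k]) for k in cert if old.get(k) != cert[k]}
        if old["issuer"] != cert["issuer"]:
            # A new CA vouching for a name another CA already vouched for is
            # exactly what a rogue *.google.com certificate looks like.
            return "suspicious: issuer changed", diff
        remaining = date.fromisoformat(old["not_after"]) - today
        if remaining > timedelta(days=ROTATION_WINDOW_DAYS):
            return "suspicious: replaced with %d days left" % remaining.days, diff
        return "rotation", diff

    def accept(self, host, cert):
        """Caller has reviewed the change and wants the new cert pinned."""
        self._pins[host] = cert


def demo():
    """Run constructed certificates through the store; returns the verdicts
    and the fields that differed in the issuer-change case."""
    key_a = b"constructed-spki-bytes-A"  # stand-ins for real DER SPKI
    key_b = b"constructed-spki-bytes-B"
    legit = make_record("*.example.com", "Example Legit CA", "01",
                        date(2011, 1, 1), date(2012, 1, 1), key_a)
    rogue = make_record("*.example.com", "Example Other CA", "0A",
                        date(2011, 7, 10), date(2013, 7, 10), key_b)
    early = make_record("*.example.com", "Example Legit CA", "02",
                        date(2011, 7, 10), date(2012, 7, 10), key_b)
    renewed = make_record("*.example.com", "Example Legit CA", "03",
                          date(2011, 12, 20), date(2012, 12, 20), key_b)

    store = PinStore()
    verdicts = [store.observe("www.example.com", legit, date(2011, 6, 1))[0]]
    verdicts.append(store.observe("www.example.com", legit, date(2011, 6, 2))[0])
    verdict, diff = store.observe("www.example.com", rogue, date(2011, 7, 20))
    verdicts.append(verdict)
    verdicts.append(store.observe("www.example.com", early, date(2011, 7, 20))[0])
    verdicts.append(store.observe("www.example.com", renewed, date(2011, 12, 20))[0])
    # Persisting and reloading must not disturb the pin.
    store = PinStore.load(store.dump())
    verdicts.append(store.observe("www.example.com", legit, date(2011, 12, 21))[0])
    return {"verdicts": verdicts, "rogue_diff_keys": sorted(diff)}


if __name__ == "__main__":
    for line in demo()["verdicts"]:
        print(line)
```

The store deliberately never replaces a pin on its own after the first sighting; the warning is only useful if the decision stays with the user, which is also the weakness the comment points out. A store like this also needs some handling of hosts that legitimately serve several certificates at once (load-balanced front ends with different keys), which is left out here.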
