
DigiNotar Goes Bankrupt After Hack

twoheadedboy writes "DigiNotar, the Dutch certificate authority which was recently at the centre of a significant hacking case, has been declared bankrupt. The CA discovered it was compromised on 19 July, leading to 531 rogue certificates being issued. It was only in August that the attacks became public knowledge. Now the company has gone bankrupt, parent firm VASCO said today. VASCO admitted the financial losses associated with the demise of DigiNotar would be 'significant.' It all goes to show how quickly a data breach can bring down a company." Adds reader Orome1: "This is unsurprising, since a report issued by security audit firm Fox-IT, who has been hired to investigate the now notorious DigiNotar breach, revealed that things were far worse than we were led to believe."
  • Misplaced paranoia. (Score:5, Interesting)

    by the_raptor ( 652941 ) on Tuesday September 20, 2011 @09:21AM (#37454936)

    My favourite part of the article:

    We have strong indications that the CA-servers, although physically very securely placed in a tempest proof environment, were accessible over the network from the management LAN.

    TEMPEST http://en.wikipedia.org/wiki/TEMPEST [wikipedia.org] is a method where you intercept EM radiation from a computer and use that to reconstruct some information about what that computer is doing. For example the US government could supposedly read CRT monitors from a fair distance away.

    However, worrying about TEMPEST protection when you not only have those systems connected to systems that are connected directly to the net, but use a single management username and password combo for your entire network is just insane. Even if the system wasn't connected to the Internet the freaking janitor could have placed a key-logger and had access to the entire system.

    It is far cheaper to bribe one employee than spend millions setting up a modern TEMPEST system. I guess even the Dutch practice security theatre.

  • Re:Bankrupt? (Score:4, Interesting)

    by Kjella ( 173770 ) on Tuesday September 20, 2011 @09:36AM (#37455084) Homepage

    You have commitments like rent, wages and other expenses and suddenly no more projected income. Even if you're not cash flow insolvent yet, you can in most countries file for bankruptcy the moment it is clear that you will be unable to meet those commitments. In fact, in many countries you must do it so that all debtors get their fair share of the assets rather than the quickest getting paid and the last left with nothing. It's not that usual but if you suddenly lose your core business like this company did then that can be instant bankruptcy.

  • Idiots (Score:4, Interesting)

    by Arancaytar ( 966377 ) <arancaytar.ilyaran@gmail.com> on Tuesday September 20, 2011 @10:51AM (#37455910) Homepage

    We have strong indications that the CA-servers, although physically very securely placed in a tempest proof environment, were accessible over the network from the management LAN.

    It is at once hilarious and depressing that there are tech and security managers who take steps to shield equipment from electromagnetic detection and then leave that equipment open to remote access. Wrap your computer in tinfoil and then stick your password on the screen.
