SANS Digital Forensics and Incident Response Blog

UPDATED DigiNotar SSL Incident Response Report: No Logging, Weak Password, No Protected Network

On Monday evening, as the host of CyberJungle Radio, I received a copy of the then just-published report that appears to be from the security firm Fox-IT, the company hired by DigiNotar to investigate the massive SSL breach.

On page nine of the thirteen-page report, a shocking series of security omissions is revealed:

  1. No secure central network logging is in place.
  2. All CA [Certificate Authority] servers were members of one Windows domain, which made it possible to access them all using one obtained user/password combination. The [domain] password was not very strong and could easily be brute-forced.
  3. Strong indications that the CA-servers were accessible over the network from the management LAN.
  4. The software installed on the public web servers was outdated and not patched.
  5. No antivirus protection was present on the investigated servers.

DigiNotar is owned by two-factor provider VASCO. What a total failure if it's true that VASCO didn't even use its own two-factor authentication to protect its own networks. Should customers be concerned that similar problems exist within VASCO? What if their systems are compromised just like RSA's two-factor authentication was, earlier this year? According to the Fox-IT report, DigiNotar was compromised long before this summer.

The report also spells out how long DigiNotar took to announce the breach: over a month. That lack of timely disclosure, along with the lack of basic security hygiene, speaks volumes about how it appears that DigiNotar, or its parent company VASCO, did not view information security as a strategic asset. It appears that they may have viewed information security as an expense, and therefore potentially left the doors open for a large-scale breach.

The CEO of Venafi, Jeff Hudson, recommends that businesses put in place an SSL Certificate Authority breach response plan now, in the event that future SSL "events" occur at other Certificate Authorities. You can hear his interview in this week's episode of CyberJungle Radio (#228).

UPDATE Tues Sept 6, 14:30 GMT: The alleged attacker of DigiNotar has posted an update on PasteBin. He claims that he has access to four other Certificate Authorities, and he names two of them: StartCom and GlobalSign. Jeff Hudson's recommendation for an SSL Certificate Authority incident response plan may be more relevant now than ever. Read the PasteBin posting here.

Ira Victor, G2700, GCFA, GPCI, GSEC, ISACA-CGEIT. Ira Victor is a forensic analyst with Data Clone Labs. He is also Co-Host of CyberJungle Radio, the news and talk on security, privacy and the law. Ira is President of Sierra-Nevada InfraGard, and a member of The High Tech Crime Investigators Association (HTCIA). Follow Ira's security and forensics tweets: @ira_victor.

2 Comments

Posted September 6, 2011 at 1:48 PM

Tobias

The posted link to the report is not working; it should be http://www.rijksoverheid.nl/bestanden/documenten-en-publicaties/rapporten/2011/09/05/diginotar-public-report-version-1/rapport-fox-it-operation-black-tulip-v1-0.pdf

Posted September 6, 2011 at 2:14 PM

Sandro Suffert

Many related links / comments on the DigiNotar incident here: http://bit.ly/oE2CVU
Best,
Sandro Suffert