The Netherlands-based certificate authority (CA) DigiNotar operated with glaring security weaknesses, including a lack of anti-virus software on certain servers, which permitted hackers to create and issue 531 counterfeit certificates for a myriad of high-profile websites, according to a report released Monday.
The report, from security firm Fox-IT and commissioned by the Dutch government, found that DigiNotar's network infrastructure lacked basic protection mechanisms. Specifically, the investigation found that the most critical servers contained undetectable malware, were accessible via the local area network and were protected by passwords that "could easily be brute-forced." In addition, the servers contained unpatched software and lacked anti-virus defenses.
“The successful hack implies that the current network setup and/or procedures at DigiNotar are not sufficiently secure to prevent this kind of attack,” according to the report. “The network has been severely breached.”
The report follows confirmation from DigiNotar, which is owned by U.S.-based VASCO, that at least one fake SSL certificate, for Google.com, was issued on July 10.
Bogus certs create a false sense of security and permit the cert holder to launch man-in-the-middle attacks to spy on communications and steal credentials. According to Fox-IT, fraudulent certs were issued for a number of other highly trafficked sites, including Facebok and Twitter, but the Google cert appears to be the only known one that appeared in-the-wild.
According to the report, nearly all of the 300,000 unique IP addresses that requested the phony Google.com certificate were based in Iran, leading experts to believe that the attack was orchestrated by the Iranian government to spy on dissidents. (DigiNotar ultimately rescinded the cert on Aug. 29).
"The list of domains and the fact that 99 percent of the users are in Iran suggest that the objective of the hackers is to intercept private communications in Iran," the report said.
In a blog post Monday, Feike Hacquebord, a senior threat researcher at security firm Trend Micro, confirmed these findings.
"Analyzing Smart Protection Network data, we saw that a significant number of internet users who loaded the SSL certificate verification URL of DigiNotar were from Iran on Aug. 28," the researcher wrote. "On Aug. 30, most traffic from Iran disappeared, and on (Friday) almost all of the Iranian traffic was gone and DigiNotar received requests mostly only from Dutch internet users, as expected."
Since the revelation, the major web browsers acted to revoke certificates issued by DigiNotar. On Tuesday, Microsoft released a patch, for all supported Windows versions, that rejects DigiNotar credentials and moves them to the "Untrusted Certificate Store," according to an advisory.
In a fact sheet released Monday, the Dutch government "denounced its trust" in DigiNotar certificates.
However, most mobile devices, including iOS and Android products, remain vulnerable, according to experts. Android users are particularly vulnerable as they must wait until phone carriers deliver updates.
Chester Wisniewski, senior security adviser at Sophos Canada, told SCMagazineUS.com on Tuesday that internet users around the world place their trust in a shoddy system.
"I think the biggest thing we should be taking away from this is the wake-up call that the certificate system is broken," Wisniewski said. "The fact that we blindly trust this giant list of certificate authorities puts our entire communications system, when we are using things like SSL and TLS, at risk."
He said that if a breach of that magnitude were to impact a major CA here in the United States, such as VeriSign, government officials and browser manufacturers would be unable to revoke all the certificates because it would result in an unprecedented disruption of web services.
But, there is reason to believe that other CAs could be victimized soon.
In a Monday post to Pastebin, a hacker claimed responsibility for the attack on DigiNotar and said he has access to four other "high-profile" CAs. He named one – Portsmouth, N.H.-based GlobalSign – which announced Tuesday that in light of this claim, it is temporarily suspending the issuance of certificates.
This is the same intruder who claimed he was behind the breach of the Comodo CA earlier this year in which nine counterfeit certs were issued.