There are more signs that a July compromise of DigiNotar, a certificate authority based in the Netherlands, may have been driven by political motives. A Dutch Web site, nu.nl, reported on Wednesday that digital certificates belonging to Mozilla, Yahoo.com, WordPress and The Tor Project were among dozens reported stolen from DigiNotar.
The story, based on information from a confidential source, fills in details about which other firms were among “dozens” that DigiNotar and its parent company Vasco have admitted were victims of the break in. It also adds weight to speculation that the hack may have had links to the Iranian regime and may have had, as its goal, the surveillance and identification of political activists and bloggers within the country.
Vasco, Yahoo and The Tor Project didn’t immediately respond to requests for comment from Threatpost.
The forged certificates could be used most easily in man in the middle attacks, allowing attacks to carry out very sophisticated spear phishing attacks using Web sites that would appear to be legitimate, said Kris Harms, an incident responder at Mandiant Inc. of Alexandria, Va.
“We align certificate authority hacks with attacking organizations who are encountering security at target organizations that they wish to work around,” he told Threatpost. “These are the same types of people who would be interested in breaching a company like RSA.”
In the case of DigiNotar, there have been suggestions from the very first that the hack may have been directed by Iran. For one thing, the first reports about man in the middle attacks using forged Google certificates originated in Iran. A subsequent review of DigiNotar’s Web site found a page that was defaced with the name of an Iranian hacking group.
Attribution for the hack will probably never be determined. However, Harms said that attacks of this caliber – involving a multi stage attack against sophisticated organizations – are often perpetrated by nation states. “This is consistent with other nation-state sponsored attacks,” he said.
In the meantime, the world is left guessing about the extent of the attack. There were reports from The Register on Wednesday that, in the absence of word from Vasco and DigiNotar, Google was hard coding hundreds of certificate revocations into its new version of Chrome.
Writing on Securelist, the blog of Kaspersky Lab’s research group, malware researcher Roel Schouwenberg said that statements from the company about the extent of the breach don’t add up. Among other things, DigiNotar claims that the breach was limited to a “few dozen” rogue certificates, while Google has blocked more than 250 of them. The company, Schouwenberg adds, may not actually know how many rogue certificates were generated -either because no logs exist or because they were deleted after the attack was complete.
Assuming that the DigiNotar attack has links to Iran’s government, it could be an effort by supporters of the regime to monitor political dissidents within the country using compromised Web browsers, blogging software (WordPress), by snooping on Web mail sessions (Yahoo and Google) or unravelling efforts to mask a user’s identity using Tor and other anonymity services.
Details about the breach have been hard to come by, leaving Dutch officials scrambling to reassure citizens who rely on DigiNotar certificates for securing many government services and to undergird the country’s DigID digital identity service to wonder. However, vendors, including Google, Mozilla and Microsoft have all moved quickly to suspend DigiNotar’s certificate authorities – a move that is likely to cause major disruptions for the company’s commercial customers.
Harms said the Diginotar hack, combined with those on RSA and the certificate authority Comodo are bound to prompt some soul searching among security professionals, governments and Internet governance groups.
“This is a serious trend. You’re talking about attacking the foundational security mechanisms of the Internet. Two factor authentication and certificates are used everywhere, so this really shakes the confidence of the security mechanisms we have in place today,” he said.
CORRECTION: This article originally quoted Chris Nutt, a principal at Mandiant Inc. The quotes attributed to Nutt were actually made by Kris Harms, an incident responder at Mandiant. The story has been updated to reflect the correct source of the quotes. 9/1/2011
