Another Dutch certificate authority, KPN, has stopped issuing digital certificates after finding attack tools on a server in its Web infrastructure. The CA said that while it has no evidence right now that its CA infrastructure was compromised, it is taking the action as a precaution.
The company said in a statement that, during a security audit, it found a server with a DDoS tool on it, and that the tool may have been there for as long as four years. KPN, a Dutch telecom company that also operates several other businesses under various brands, said in its statement (Dutch) that it had stopped issuing certificates as a precautionary measure and that it was operating under the premise that certificates already issued were still valid.
A Google translation of the KPN statement reads, in part:
“Although there is no evidence that the production of the certificate is compromised, can not be completely excluded that this did happen. Therefore, KPN Corporate Market (formerly Getronics) decided the application and issuance of new certificates temporarily discontinued, pending further investigation. This is to ensure that the certificates be issued optimal procedure is safe and reliable.
KPN has replaced the web servers. An additional, independent investigation takes place to ensure that KPN complies with the required safeguards, procedures and rules applicable to the issue of Internet safety certificates. Interior Ministry and Logius, agency e-government, are closely involved in the process.”
KPN is a much larger company than DigiNotar, the Dutch CA that was compromised this summer and ultimately went out of business as a result of the attack. That incident involved an attacker compromising the company’s CA infrastructure and issuing himself a huge number of fraudulent, but valid, certificates for high-value domains, including some belonging to Google, Yahoo, the CIA and others.
KPN’s Getronics subsidiary handles the PKI business, and the company said in September that it was bringing in a lot of customers who had migrated from DigiNotar after that company’s troubles. A company spokesperson told Reuters in September that it had won “hundreds” of new customers from DigiNotar.
Roel Schouwenberg, a Kaspersky Lab malware researcher who is a native of The Netherlands, said in an analysis of the incident that there are still far more questions than answers.
“One of the questions that should also be answered is how a DDoS tool went undetected for four years. However, as companies are ramping up internal security I fully expect to see more ‘old breaches’ like this one uncovered,” he wrote in his analysis.
“What’s particularly interesting about KPN’s statement is that it could be interpreted as them saying already issued certificates will remain valid (no matter what). KPN is a much bigger certificate authority than Diginotar. Possibly, people could be going into this with the idea of KPN being too big to fall.”