A new report on the security of DigiNotar paints an ugly picture of the certificate authority’s safeguards and network infrastructure. It shows that the company had all of its CA servers on one Windows domain and likely failed to separate the critical components on its network, making it easy for the attacker to move through the network and into the critical CA servers.
As the scandal surrounding the compromise at DigiNotar, a Dutch certificate authority closely tied to that country’s government, continues to expand, the details of the report prepared by IT security firm Fox-IT will not do anything to improve confidence in the company or the CA system in general. Among the audit's key findings is that DigiNotar apparently made serious errors in setting up its network and CA infrastructure.
“The successful hack implies that the current network setup and / or procedures at DigiNotar are not sufficiently secure to prevent this kind of attack. The most critical servers contain malicious software that can normally be detected by anti-virus software. The separation of critical components was not functioning or was not in place,” the report says. “We have strong indications that the CA-servers, although physically very securely placed in a tempest proof environment, were accessible over the network from the management LAN.
“The network has been severely breached. All CA servers were members of one Windows domain, which made it possible to access them all using one obtained user/password combination. The password was not very strong and could easily be brute-forced.”
In a message posted to Pastebin by someone claiming to have performed the attack on DigiNotar, the hacker confirms the Fox-IT findings, saying that he had root access on the CA servers and that he got it by obtaining the admin username and password.
The audit by Fox-IT found that DigiNotar’s network was thoroughly compromised and that the attacker was able to stay inside the network for several months, even though the company initially detected the compromise just a few days after it occurred. The attacker went about his business throughout June and July, issuing rogue certificates to himself for a laundry list of valuable domains, including windowsupdate.com, *.google.com, microsoft.com, addons.mozilla.org, cia.gov and several other certificate authorities.
Fox-IT’s audit team found a number of indications about the identity and skill level of the attacker, and said in the report that some of the actions he took look like the work of a highly skilled attacker, while others look less sophisticated. For example, the attacker wrote at least one script in the XUDA scripting language, which is used to develop PKI software.
“We found that the hackers were active for a longer period of time. They used both known hacker tools as well as software and scripts developed specifically for this task. Some of the software gives an amateurish impression, while some scripts, on the other hand, are very advanced. In at least one script, fingerprints from the hacker are left on purpose, which were also found in the Comodo breach investigation of March 2011. Parts of the log files, which would reveal more about the creation of the signatures, have been deleted,” the report says.
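Two of the findings above, rogue certificates issued for domains far outside the CA's customer base and issuance log segments that had been deleted, are the kind of thing a CA's own issuance monitoring should catch. The following added example (not from the Fox-IT report or DigiNotar's tooling) audits a constructed issuance log: it flags subjects whose registrable domain is not on the CA's customer allowlist and, assuming this constructed log uses sequential hex serials, reports gaps that indicate missing records.

```python
from dataclasses import dataclass

# Constructed issuance log, one "<timestamp> <hex serial> <subject CN>" per line.
SAMPLE_LOG = """\
2011-06-10T09:12:31Z 1A2B customer.example.nl
2011-07-10T14:05:02Z 1A2C *.google.com
2011-07-10T14:06:44Z 1A2D windowsupdate.com
2011-07-11T02:17:19Z 1A2F addons.mozilla.org
2011-07-12T08:40:00Z 1A30 shop.example.nl
"""

# Constructed allowlist of registrable domains this CA is contracted to serve.
CUSTOMER_DOMAINS = {"example.nl"}


@dataclass
class Finding:
    serial: str
    subject: str
    reason: str


def registrable_domain(cn: str) -> str:
    """Reduce a CN to its last two labels, dropping '*' wildcard labels.
    Sufficient for the constructed data; real code needs the public suffix list."""
    labels = [label for label in cn.lower().split(".") if label != "*"]
    return ".".join(labels[-2:])


def parse_log(text: str) -> list[tuple[str, str, str]]:
    rows = []
    for line in text.splitlines():
        if line.strip():
            ts, serial, cn = line.split(maxsplit=2)
            rows.append((ts, serial, cn))
    return rows


def audit_issuance(text: str, allowed=CUSTOMER_DOMAINS) -> list[Finding]:
    findings = []
    prev_serial = None
    for ts, serial, cn in parse_log(text):
        # A subject outside the customer base should never have been signed.
        if registrable_domain(cn) not in allowed:
            reason = "wildcard for foreign domain" if cn.startswith("*.") else "foreign domain"
            findings.append(Finding(serial, cn, reason))
        # Assumes sequential serials (constructed): a gap means records are missing,
        # the signature of a log that was tampered with after issuance.
        if prev_serial is not None and int(serial, 16) != int(prev_serial, 16) + 1:
            findings.append(Finding(serial, cn, f"serial gap after {prev_serial}"))
        prev_serial = serial
    return findings
```

Run against the sample, the audit flags the wildcard Google certificate, the Windows Update and Mozilla subjects, and the missing serial 1A2E.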