GlobalSign Says Web Server Was Hacked, But No Signs of CA Breach

GlobalSign has found evidence that its main Web server was compromised recently, but has not discovered any indications that its certificate authority infrastructure was hacked, contrary to claims by the attacker responsible for the DigiNotar CA hack.


The company, which is one of the larger CAs in the world, has been investigating claims by the Comodohacker that he has penetrated the GlobalSign CA infrastructure. It has retained Fox-IT, the same company that did the forensics of DigiNotar’s systems in the wake of its attack, and GlobalSign has suspended its issuance of digital certificates until at least Monday while it finishes the investigation.

However, the company said on Friday that it had not found any direct evidence of a breach of its certificate authority systems.

“Today we found evidence of a breach to the web server hosting the www website. The breached web server has always been isolated from all other infrastructure and is used only to serve the www.globalsign.com website. At present there is no further evidence of breach other than the isolated www web server. As an additional precaution, we continue to monitor all activity to all services closely. The investigation and high threat approach to returning services to normal continues,” the GlobalSign statement said.

The attacker who claims to have performed the DigiNotar intrusion has said that he also compromised four other high-profile CAs, naming GlobalSign as one of them. He has not named the other three publicly, but in the aftermath of the attack, Mozilla has asked all of the CAs in the Firefox trusted root program to perform detailed audits of their PKIs, ensure two-factor authentication is in place on systems that issue certificates and take other security precautions.

GlobalSign has said that it plans to bring some of its CA services back online on Monday. The fact that no evidence of a breach has been found so far clearly doesn’t rule out the possibility that the attacker did indeed compromise the GlobalSign CA, but just means that the investigation hasn’t turned up concrete evidence of an intrusion.

In a message posted to his Pastebin page this week, Comodohacker said “GlobalSign (I have access to their entire server, got DB backups, their linux / tar gzipped and downloaded, I even have private key of their OWN globalsign.com domain.”


Discussion

  • Marcus Reid on

    If you read the quote from the cracker, he never makes a claim that he compromised the CA key, just the private key for the globalsign.com SSL cert.  That's consistent with getting root on the webserver and nothing else.

  • Gary on

    To clarify what Marcus wrote, if s/he breached their website, it could be possible for it to have obtained the private key for any SSL certificates issued for www.globalsign.com or any part of their web site that requires logging in -- so if they were using a wildcard cert then that could be what was obtained. Either way, it doesn't mean the PKI infrastructure itself was compromised as a result. That's a bit like someone finding my house key under a rock but upon entry finding all my valuables stored in a safe.
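The distinction Marcus and Gary draw (a stolen TLS private key for one site versus a stolen CA signing key) can be shown in a few dozen lines of code. The program below is an added example written for this page, not code from GlobalSign, Fox-IT or the commenters: it builds a throwaway in-memory PKI with a constructed root ("Demo Root CA") and a constructed leaf for the placeholder host www.example.test, then checks what a client that trusts only that root will accept. Holding the leaf's private key lets someone present a valid certificate for www.example.test, but any certificate they mint with it for another host (other.example.test, also a placeholder) is rejected, because the leaf lacks the CA basic constraint and cert-signing key usage that path validation requires. Only the CA key produces certificates the client accepts for arbitrary names, which is why the investigation's focus on the CA infrastructure rather than the web server is the right one.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// demoPKI is a throwaway in-memory PKI built for this example: one root CA
// and one TLS leaf certificate. Every name in it is a constructed placeholder.
type demoPKI struct {
	caCert, leafCert *x509.Certificate
	caKey, leafKey   *ecdsa.PrivateKey
	roots            *x509.CertPool // the only thing the client "trusts"
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// issue signs an end-entity certificate for host with signerKey (which must
// match signerCert). It deliberately does not check whether signerCert is a
// CA: enforcing that is the relying party's job during path validation.
func issue(signerCert *x509.Certificate, signerKey *ecdsa.PrivateKey, pub *ecdsa.PublicKey, host string) ([]byte, error) {
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(now.UnixNano()),
		Subject:               pkix.Name{CommonName: host},
		DNSNames:              []string{host},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true, // IsCA stays false: an ordinary server cert
	}
	return x509.CreateCertificate(rand.Reader, tmpl, signerCert, pub, signerKey)
}

// buildPKI creates the constructed root and a leaf for www.example.test.
func buildPKI() (*demoPKI, error) {
	now := time.Now()
	caKey := newKey()
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Demo Root CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	caCert, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(caCert)

	leafKey := newKey()
	leafDER, err := issue(caCert, caKey, &leafKey.PublicKey, "www.example.test")
	if err != nil {
		return nil, err
	}
	leafCert, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return nil, err
	}
	return &demoPKI{caCert: caCert, leafCert: leafCert, caKey: caKey, leafKey: leafKey, roots: roots}, nil
}

// validates reports whether a client trusting only p.roots accepts cert for
// host. The leaf is offered as a candidate intermediate so the verifier has
// every chance to chain through it; it still must refuse, since it is not a CA.
func validates(p *demoPKI, cert *x509.Certificate, host string) bool {
	inter := x509.NewCertPool()
	inter.AddCert(p.leafCert)
	_, err := cert.Verify(x509.VerifyOptions{DNSName: host, Roots: p.roots, Intermediates: inter})
	return err == nil
}

// mintedCertValidates answers: with only signerKey in hand, can one produce a
// certificate for host that the client accepts?
func mintedCertValidates(p *demoPKI, signerCert *x509.Certificate, signerKey *ecdsa.PrivateKey, host string) bool {
	hostKey := newKey()
	der, err := issue(signerCert, signerKey, &hostKey.PublicKey, host)
	if err != nil {
		return false // the library refused to build it at all
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return false
	}
	return validates(p, cert, host)
}

func main() {
	p, err := buildPKI()
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine leaf accepted for www.example.test:", validates(p, p.leafCert, "www.example.test"))
	fmt.Println("leaf key alone mints a trusted cert for other.example.test:", mintedCertValidates(p, p.leafCert, p.leafKey, "other.example.test"))
	fmt.Println("CA key mints a trusted cert for other.example.test:", mintedCertValidates(p, p.caCert, p.caKey, "other.example.test"))
}
```

The `issue` helper intentionally signs with whatever key it is given; the point is that it is the relying party's path validation (basic constraints, key usage, chaining to a trusted root) that limits the damage from a leaf key compromise to the one name on that certificate, which is the scope revocation and reissuance of the www certificate addresses.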

  • Rick on

    Well, as a GlobalSign reseller/customer, I guess this means that he could have gotten my login credentials and then ordered certificates under my accounts (and/or deposit if I have one). But ultimately it isn't going to let him do anything more than I can do. GlobalSign doesn't trust me either, so they verify any cert I order. Thus, unless he got credentials for some special account that might have special privileges/trust, I don't see that this is all that significant. Hacking my credit union's website (and then getting my login credentials) would likely be far more useful.

  • Jeff on

    This whole CA situation is beginning to sound a lot like about 9/15; everybody running around, many in a panic so blind that they're not really paying attention to the people who do have some understanding of the situation, but still perfectly happy to be scared out of their wits again by those who benefit from doing so. Or even those who just enjoy seeing so many others run around in a blind panic.

    Can we all just take a deep, calm breath, everyone?
