Emphasizing Security Best Practices; the Rise and Fall of Diginotar

Between June 2011 and the end of the year, Diginotar, a Dutch Certificate Authority and wholly owned subsidiary of Vasco Data Security International, fell from a rising Euro tech star to a government takeover and subsequent bankruptcy. Diginotar had the wind in its sails; a deep-pocketed American parent, the full trust and patronage of the Dutch government, and a lucrative business selling SSL certificates. The fates seemed to have lined up for Diginotar. While the term Unicorn had not yet come to carry the same meaning as it does today, Diginotar was clearly ready to join the club of high-flying European security companies with kudos and Porsches for the founders and early investors.

The Breach Event

Then, that July, the world started to cave in. Diginotar Announced that it had been hacked. On July 19, 2011, Diginotar issued a press release acknowledging that a hacker had managed to access its CA systems and issue a number of fake SSL certificates. The initial press release did not state the number of fraudulent certs involved but did mention that one of them involved Google. Vasco issued a press release minimizing the impact of the breach, stating that it “… expects the impact of the breach of DigiNotar’s SSL and EVSSL [Extended Validation SSL] business to be minimal.”

This optimism would prove unfounded. Within days of the announcement, word had leaked that the damage from the breach was indeed serious. The involvement of Google and Gmail would prove significant. In July a Computerworld article indicated that the number of fraudulent SSL certs issued by Diginotar was substantially higher than the anodyne initial press release indicated. And the consequences were indeed dire.

By August it was known that the hacker(s) were Iranian and that one of the consequences was the use of fake Google SSL certs to entrap dissidents who naively believed that the little lock meant they were talking to Google rather than Savak. By September the Dutch government publicly announced that Netizens could not trust any Dutch government Web sites to be what they purported to be. In late September the government took over operations at Diginotar. By year-end, the company was in bankruptcy.

The Fallout from the Breach

As Pogo was known to say, “we have met the enemy and it is us.” When analyzing your systems’ security profile, check list everything. Nothing is too simple or small to remain overlooked.

At the start of the adventure, Diginotar hired the Dutch security consultancy Fox-IT to run a post-mortem. By September 3 the first report was out. In it, according to an article published that month in IEEE Spectrum, “Traces of the attack could be found as early as the 17th of June, it stated, meaning that it had gone undetected for more than a month. Further, a total of 531 fraudulent certificates were issued for 344 domain names. In addition, it appeared that some 300,000 Gmail accounts – mostly in Iran – had been compromised.”

Why focus on PKI and Encryption Key Management Best Practices?

I promised in the intro to tie this to best practices so here is the tie-in. As it turned out, the lack of attention to basic IT best practices exhibited by Diginotar was truly monumental. And this stuff is simple, eat your spinach kind of IT security practices. In the report’s own words:

“All CA servers were members of one Windows domain, which made it possible to access them all using one obtained user/password combination. The password was not very strong and could easily be brute-forced.”

“The software installed on the public web servers was outdated and not patched.”

“No antivirus protection was present on the investigated servers.”

“An intrusion prevention system is operational. It is not clear at the moment why it didn’t block some of the outside web server attacks. No secure central network logging is in place.”

Diginotar located its servers in Tempest validated facilities. It bought HSMs to protect the root and CA keys.

They did the big stuff but, whether out of hubris or simple carelessness, they overlooked a lot of mundane, day-to-day security best practices.

Unpatched software? Single password access to the CA network? As Pogo was known to say, “we have met the enemy and it is us.” When analyzing your systems’ security profile, checklist everything. Nothing is too simple or small to remain overlooked.

Interested to learn how PKI Solutions helps you take care of the details that matter?

Read how PKI Solutions helped Avarn Security build a State-of-the-artPKI and HSM environment to address the security, privacy, and business requirements of Avarn Security’s customers.