Operation Black Tulip: Fox-IT's report on the DigiNotar breach

Filed Under: Data loss, Featured, Malware, Privacy, Vulnerability

Creative Commons photo of black tulip courtesy of Photography_Gal's Flickr photostreamFox-IT, the security auditors hired to investigate the compromise of DigiNotar, the digital certificate authority that signed fraudulent certificates for Google, the CIA and others, released their preliminary findings this afternoon.

It's at least as bad as many of us thought. DigiNotar appears to have been totally owned for over a month without taking action, and they waited another month to take necessary steps to notify the public.

Fox-IT's report shows that the initial compromise appears to have occurred on June 17th, 2011. On the 19th DigiNotar noticed the incident, but doesn't appear to have done anything about it.

July 2011 calendarThe first rogue certificate (as far as we know), *.google.com, was issued on July 10th, 2011. All of the other 530 rogue certificates were issued between July 10th and 20th.

There are several very disturbing conclusions about security at DigiNotar and the investigation isn't even complete yet:

  1. All of the certificate servers belonged to one Windows domain, allowing the compromise of one administrator account to control everything.

  2. The administrator password was simple and could be easily brute forced.
  3. Much of the malware and tools used in the attack would have been easily detected by anti-virus, had it been present.
  4. The software on public-facing servers was out of date and unpatched.
  5. They had no centralized nor secure logging.
  6. There was no effective separation of critical components.

The attacker left behind a message in one of the scripts used to generate the rogue certificates, arguably tying this attack to the earlier attack against Comodo back in March of this year.

The message reads in part:

"THERE IS NO ANY HARDWARE OR SOFTWARE IN THIS WORLD EXISTS WHICH COULD STOP MY HEAVY ATTACKS
MY BRAIN OR MY SKILLS OR MY WILL OR MY EXPERTISE"

Flag of IranFox-IT analyzed the lookups against DigiNotar's OCSP servers (which browsers check to see if a certificate has been revoked) and determined that during the active attack period more than 99% of queries originated in Iran.


Video showing origin of OCSP queries against DigiNotar's servers courtesy of Fox-IT.

This is the most solid evidence yet that these certificates may have been used by the Iranian government or ISPs to spy on private communications of Iranian internet users.

Many of the other requests not originating from Iran appear to have originated via Tor exit nodes or other proxies used by Iranians to avoid censorship.

This indicates that the method used to perform the man-in-the-middle attacks with these certificates likely depended on DNS poisoning at the ISPs.

While some folks are complaining that too much fuss is being made over this attack, it is far more important than many other stories that the security press have been obsessed with over the last two years.

This incident demonstrates in a real way the fragility of the SSL/TLS certificate trust model in use on the net today.

ConvergenceI hope adoption of replacement technologies like Moxie Marlinspike's Convergence take off in a meaningful way to provide us with more confidence in the security of our communications.

We now know not to trust certificates issued by DigiNotar, but how many of the 600+ other certificate authorities have similar security holes and may already be compromised?

Creative Commons photograph of a black tulip courtesy of Photography_Gal's Flickr photostream.

, , , , , , , , , , ,

You might like

3 Responses to Operation Black Tulip: Fox-IT's report on the DigiNotar breach

  1. Peter · 1151 days ago

    What an unnecessary mess. Bottom line is that you should not let incompetent people run a CA and definitely not let those incompetent people decide to use Microsoft products without any anti-virus software, proper logging and what else we don't know yet. If you do a little research you find that banks, stock exchanges, utility companies use Linux (or Unix) for their critical systems. How is a CA different? Whoever came up with the IT architecture of this CA should really take security 101, as well as the admins who clearly had no clue what was going on on their systems . Diginotar is an embarrassment to the CA community and security in general. Wonder how quickly they will disappear. Let's hope more secure alternatives like Convergence get adopted soon so we can be safe again and don't need to rely for our online security on organizations who may not even know or want to share that they have been hacked.

  2. Brad Beckett · 1150 days ago

    I wouldn't run any Certificate Authority on anything except a hardened BSD or SELinux system protected by a dedicated hardware appliance firewall and intrusion detection & data ex-filtration system such as FireEye.

  3. This attack should be made into a reference model with much more metrics collected. How many unpatched vuln? What is the mean time to password crack without a dictionary at 40 M combinations per second? How many servers at risk from the Internet? Samples of MIA firewall rules? Where internal servers consequentially hit? Numbers of Man in the middle sessions exploited?

    Do not state the obvious, "Road Kill systems get run over!" collect metrics on how bad, how fast, how many lucky misses occurred?

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Chester Wisniewski is a Senior Security Advisor at Sophos Canada. He provides advice and insight into the latest threats for security and IT professionals with the goal of providing clear guidance on complex topics. You can follow Chester on Twitter as @chetwisniewski, on App.net as Chester, Chester Wisniewski on Google Plus or send him an email at chesterw@sophos.com.