Interim-report on DigiNotar digital breach published
As a result of the Diginotar breach, Fox-IT conducted an investigation into the computer systems of DigiNotar. Among other aspects, Fox-IT investigated how perpetrators accessed the network and what rogue certificates were issued. DigiNotar publishes electronic certificates including SSL, qualified and ‘PKIOverheid’ certificates. DigiNotar hosts a number of computer systems to accomplish these tasks.
Fox-IT published a preliminary report of this investigation on the 5th of September 2011.
A number of important findings in the Fox-IT report are:
- The DigiNotar computer systems were used to generate hundreds of rogue certificates.
- Since an unregistered certificate was found at the CA-server, the total number of generated rogue certificates remains unknown
- The hacker acquired access with Administrator privileges to all CA-servers.
- Some hacker software scripts found on the servers give an amateurish impression, while other scripts are very sophisticated and sometimes specifically designed for this purpose.
- The hacker left a fingerprint that shows a clear relation to the ‘Comodo hack’ of March 2011.
- Malware was found on the most critical servers that normally should have been detected with anti-virus software.
Inadequate security set-up and procedures
The following inadequacies in the set-up and procedures of the information security made the breach possible:
- Software on the public web server was outdated and not patched with the latest (security) updates.
- No anti-virus software was installed on the servers.
- All CA-servers were member of the same Windows domain. Access to these servers was acquired with the same username / password combination.
- The administrator password of the CA-servers was not very strong and could easily be brute-forced.
- The separation of critical components was not functioning or was not in place.
- An intrusion prevention system was operational, but did not adequately block server attacks.
- No secure central network logging was in place. Logfiles on a number of CA-servers were changed by the hacker.
Based on these findings, it can be concluded that standard security measures were not well implemented or not implemented at all. These include the installation of anti-virus software, timely patching of software and physical separation of components.