2011, CAs are under attack. Why steal a certificate?

2011 was a terrible year for the certification authorities, the number of successful attacks against some major companies reported is really high and totally out of any prediction. Many attacks have had disturbing consequences.It all began, or so we were led to believe, with the case Comodo. Comodo officials revealed that the registration authority had been compromised in a March 15 attack and that the username and password of a Comodo Trusted Partner in Southern Europe were stolen. A Registration Autorithy suffered an attack that resulted in a breach of one user account of that specific RA. Its account was then used fraudulently to issue 9 certificates (across 7 different domains including: login.yahoo(NSDQ:YHOO).com, mail.google (NSDQ:GOOG).com, login.skype.com and addons.mozilla.org). All of these certificates were revoked immediately on discovery.

Then came other illustrious victims, like DigiNotar, a Dutch certificate authority owned by VASCO Data Security International.On September 3, 2011, after it had become clear that a security breach had resulted in the fraudulent issuing of certificates, the Dutch government took over operational management of DigiNotar’s systems. A few weeks later the company was declared bankrupt.

Recently KPN, has stopped issuing digital certificates after finding attack tools on its server. They said that there weren’t evidence that it’s CA infrastructure was compromised, all actions have been taken as a precaution.
KPN has the tool during a security audit that found a server with a DDoS tool on it, and that that the tool may have been there for as long as four years. That is really worrying from my point of view, but I’m a stupid … they are smart!
Do you think that is ended? That is wrong, because during the last month also GemNET
Gemnet, a subsidiary of KPN (leading telecommunication and ICT service provider in The Netherlands), has been compromised and according to Webwereld the hack is related to CA certificates.
Today I have read the news regarding the hack also of the Certification Authority GlobalSign happened in September.
Do you think it is enough?

Why attack a steal or rob a CA certificate? Let’s try to answer:

Malware production – Installation for certain types of software could needs that its code is digitally signed with a trusted certificate. By stealing the certificate of a trusted vendor reduces the possibility that the malicious software being detected as quickly. That is exactly what happened to Stuxnet virus.

Economic Frauds – digital signature give a warranty on who signed a document and you can decide if you trust the person or company who signed the file and if you trust the organization who issued the certificate. If a digital certificate is stolen we will suffer from an identity theft, let’s imagine which could be the implication.

Some bot, like happened to the banking with Zeus malware, could be deployed to steal site certificates so that they can fool web browsers into thinking that a phishing site is a legitimate bank website.

Cyber warfare – Criminals or governments could use the stolen certificates to conduct “man-in-the-middle” attacks, tricking users into thinking they were at a legitimate site when in fact their communications were being secretly tampered and intercepted. That is for example what occurred in the DigiNotar case … companies like Facebook, Google and also agencies like CIA, MI6 were targeted in Dutch government certificate hack.

It is not my intention to discuss here the topicality of a protocol such as TLS / SSL or alternative possibles and valid approaches. I would like to approach the problem from another point of view … considering the objective responsibility of the CA management, too light that has undermined the confidence in the model. Poor controls and most often carried out in a pedestrian, absent of policies or their wrong implementations, mismanaged infrastructure vulnerable to low complexity attacks are the real cause of what I consider a disaster. How is it conceivable place blind faith in authority compromised for years that decided to make outing as a result of an accident from the possible political implications?
If the same CA are part of the main national Telco Operator, we can imagine what might have really happened and which risks the user has been exposed. Before judging the old model we also evaluate the work of those who would adopt it.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – CA, PKI)

[adrotate banner=”5″]

[adrotate banner=”13″]