DigiNotar hack puts cyberwar on the map

Powered by SC Magazine
 

Hard lessons to be learnt.

The attack on certificate authority (CA) Diginotar will put cyberwar near the top of the political agenda of western governments.

In an almost unprecedented event the Dutch Minister of Internal Affairs gave a press conference on Saturday night announcing that the Government revoked trust in Diginotar.

The company consisted of two separate branches.

One branch was a CA that dealt with regular business. The other branch, PKIoverheid, focused on government.

The audit conducted on Diginotar's systems showed that the integrity of the PKIoverheid authority could not be guaranteed, and that it should be presumed broken.

At the beginning of last week the Dutch Government vouched for the integrity of the PKIoverheid CA.

This caused the browser makers to blacklist only the non-government CA from Diginotar. Next time around, browser makers may not be quite as trusting.

A breakdown of the most important elements of the attack:

531 rogue certificates

This list of rogue certificates is a very far cry from the dozen or so that Diginotar originally reported as compromised.

Certs for intelligence agencies
Some attention has been paid to the rogue certificates generated for the CIA and others. No actionable intelligence would be gathered from snooping on traffic to the CIA website.

WindowsUpdates
A rogue certificate for WindowsUpdates was also issued. It's my understanding that WindowsUpdates only runs programs which are digitally signed by Microsoft.

To push malware through WindowsUpdates would require a rogue certificate that also allows the attacker to sign code, rather than just run SSL websites. Microsoft may have checks in place that would prevent exploitation by a rogue certificate.

Code signing
This screenshot shows the *.google.com certificate to be valid for code signing as well. That means this attack could transcend the browser, allowing attackers to send victims malware that would appear to originate from Microsoft or other affected parties. At this point it becomes critical for these certificates to be blocked OS-wide, not just in the browser.

Consequences of PKIoverheid CA revocation
The damage sustained by the Dutch Government IT infrastructure is quite significant. A lot of services were no longer available. Communications were disrupted, meaning one could argue the attack was an act of cyberwar.

Cyberwar on the agenda
Stuxnet had a huge impact, but there didn't seem to be a sense of urgency to put cyberwar and cybersecurity on most political agendas. The DigiNotar attack will.

Mobile devices
While browsers for desktops and laptops are receiving updates to blacklist these CAs, it remains very quiet on the mobile front. This is especially worrisome as *.android.com is one of the targeted domains in this attack. Here's a simple guideline: if a device can do email or web browsing, then the CAs need to be revoked on that device.

Apple
So far it's not known if Apple is even planning on revoking these CAs. I don't understand why Apple is keeping radio silence on this, and quite frankly it's unacceptable. Using third-party web browsers and email clients is the way to go.

Other CAs
Diginotar was excommunicated because it didn't disclose the breach. With some 500 authorities out there, it's hard to believe Diginotar is the only compromised CA. This should serve as a very strong message for CAs to go public with any breach.

This blog first appeared on KasperskyLabs' SecureList.

Copyright © SC Magazine, Australia
