CAs get hacked off

Earlier this year, one of the biggest names in network-based security, RSA, was hacked. What made the situation a lot worse was RSA’s hesitance to be forthcoming on the matter. And that unwillingness to disclose seems to be the trend these days. Get hacked. Don’t tell your clients …

This lack of openness is becoming a real problem that governments are looking at under a microscope. The result may be a legal requirement to disclose such breaches to both the government and your shareholders and clients. In fact, there are already corporate laws moving in this direction.

Most often, breaches occur as a result of basic security issues that could have been avoided had proper due diligence taken place. And it’s a common thread that high-profile companies (that should know better) get breached. Take the example of the Dutch Certificate Authority DigiNotar, which was cracked earlier this week. There were a number of basic flaws that led to what is actually an amateurish breach:

  • all machines were in a single Windows domain
  • the most critical servers contained malicious software that would be removed by any common anti-virus software
  • the administrator password was not strong and was easily brute-forced
  • critical areas of the network were not effectively separated
  • CA servers were accessible via the management LAN
  • the public web server software was out of date, unpatched and vulnerable

I suppose the first question to ask is why they were using a platform for certificate generation that is known to be insecure and easily breached. The second question is why, if the breach started on June 17, it only came to light now. This breach is so severe that the Dutch government stepped in to take over management of the CA.

The cracker in question (ComodoHacker) has indicated he/she has access to 4 other CAs, which makes the situation dire. The issue of false certificates means we can no longer trust the security methods used for banking, online shopping and other secure activities.

It’s time that some control over CAs is exerted, at least in an effort to make sure they apply basic security functions within their operations. Until then, your online security could be easily compromised with a falsely-issued certificate.
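A falsely-issued certificate chains to a trusted root, so ordinary chain validation accepts it. One defence a client or monitoring tool can apply on top of chain validation is to pin the public keys (or the issuing CA) it expects for a given host, so that a certificate from any other CA, however valid, is rejected. The following is an added example, not code from the original post or from any CA or browser vendor; the host name, the SPKI byte strings and the issuer names are constructed stand-ins for the DER-encoded SubjectPublicKeyInfo and issuer CN that would be read from a real certificate.

```python
import base64
import hashlib
import hmac

# Constructed sample SPKI bytes standing in for the DER SubjectPublicKeyInfo
# of real certificates (hypothetical values, not taken from any live site).
GENUINE_SPKI = b"constructed-spki-bank.example-current-key"
BACKUP_SPKI = b"constructed-spki-bank.example-backup-key"
FORGED_SPKI = b"constructed-spki-issued-by-compromised-ca"


def spki_pin(spki_der: bytes) -> str:
    """HPKP-style pin: base64(SHA-256(SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


# Pin store per host: a primary pin plus a backup pin, so the site can
# rotate keys without locking out every client that enforces the pins.
PIN_STORE = {
    "bank.example": {spki_pin(GENUINE_SPKI), spki_pin(BACKUP_SPKI)},
}

# Expected issuing CA per host (constructed names); a certificate for the
# host issued by any other CA is treated as mis-issued.
ISSUER_ALLOWLIST = {
    "bank.example": {"Example Bank Issuing CA G2"},
}


def check_pin(hostname: str, presented_spki: bytes, pin_store=PIN_STORE):
    """Compare the presented key against the pins configured for the host.

    Returns (verdict, reason). Chain validation is assumed to have already
    passed; this check catches certificates that are valid but not expected.
    """
    pins = pin_store.get(hostname)
    if not pins:
        return ("unpinned", "no pins configured; only chain validation applies")
    presented = spki_pin(presented_spki)
    for pin in pins:
        # Constant-time comparison so the check itself leaks nothing.
        if hmac.compare_digest(presented, pin):
            return ("ok", "presented key matches a configured pin")
    return ("mismatch", "valid chain but key not in pin set: possible mis-issuance")


def check_issuer(hostname: str, issuer_cn: str, allowlist=ISSUER_ALLOWLIST):
    """Flag a certificate whose issuing CA is not the one expected for the host."""
    expected = allowlist.get(hostname)
    if not expected:
        return ("unpinned", "no issuer expectation configured")
    if issuer_cn in expected:
        return ("ok", "issuer is the expected CA")
    return ("mismatch", f"unexpected issuer {issuer_cn!r} for {hostname}")


def evaluate(hostname: str, presented_spki: bytes, issuer_cn: str) -> str:
    """Combine both checks; any mismatch means the connection should be refused."""
    pin_verdict, _ = check_pin(hostname, presented_spki)
    issuer_verdict, _ = check_issuer(hostname, issuer_cn)
    if "mismatch" in (pin_verdict, issuer_verdict):
        return "reject"
    return "accept"


if __name__ == "__main__":
    # Genuine certificate: expected key, expected issuer.
    print(evaluate("bank.example", GENUINE_SPKI, "Example Bank Issuing CA G2"))
    # Forged certificate: chains to a trusted root but wrong key and wrong issuer.
    print(evaluate("bank.example", FORGED_SPKI, "Compromised CA Root"))
```

The pin check and the issuer check fail independently, so a forged certificate is caught even if the attacker manages to reuse the expected issuer name; and a host with no pins configured falls back to chain validation only, which is exactly the gap the pin store is meant to close.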