An interim report issued by security audit firm Fox IT, which was hired to investigate the DigiNotar breach, reveals that things are far worse than we were led to believe.
“The most critical servers contain malicious software that can normally be detected by anti-virus software,” it says. “The separation of critical components was not functioning or was not in place. We have strong indications that the CA-servers, although physically very securely placed in a tempest proof environment, were accessible over the network from the management LAN.”
All CA servers were members of a single Windows domain and were all accessible with one user/password combination, so compromising that one account gave access to every CA server. Moreover, the password used was simple and susceptible to brute-force attacks.
The software installed on the public-facing web servers was outdated and unpatched, and no antivirus solution was installed on them. There was no secure central network logging in place, and although the IPS was operational, it is unknown why it did not block at least some of the attacks.
The results of the initial audit performed by another security firm – the audit that missed the rogue Google SSL certificate – pinpointed the start of the attack to June 17.
Rifling through the email communication and memos exchanged within the firm, Fox IT managed to reconstruct what had happened after that and what actions DigiNotar had taken to prevent further attacks and to minimize the effects of those already executed.
In short, a total of 531 rogue certificates were issued and revoked between July 19 and July 29, but unfortunately that number might not be final: according to the auditors, it is still possible that other, as yet unknown rogue certificates have been produced and not yet used.
The hackers behind the breach used both well-known, publicly available hacker tools and custom tools and scripts they developed themselves.
“In at least one script, fingerprints from the hacker are left on purpose, which were also found in the Comodo breach investigation of March 2011,” they revealed. “Parts of the log files, which would reveal more about the creation of the signatures, have been deleted.”
The “Comodohacker” has claimed responsibility for the DigiNotar breach, and revealed that the attack was carried out as retaliation for the massacre in Srebrenica, which the Dutch armed forces failed to prevent.
He also claims to have compromised four other CAs, including GlobalSign, and that he will use them to issue further rogue certificates. He offered some details on how he executed the DigiNotar hack and revealed the domain administrator password of the CA network in order to prove his involvement.
The report also confirms what Google and Symantec have claimed: that the objective of the attack was to intercept private communications in Iran. All in all, some 300,000 unique IP addresses from Iran whose traffic was intercepted have been identified. The auditors derived this list from the requests that clients made to DigiNotar's OCSP responder for the rogue certificate, so it counts only clients that actually performed an online revocation check; clients that skipped OCSP are not in it.
The auditors say that Google has been handed the list and can now notify the affected users of the interception and of the need to change their Gmail passwords, and probably their passwords on other online services as well.
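The interim report attributes the 300,000 figure to requests made to DigiNotar's OCSP responder for the rogue certificate. The script below is an added illustration of that kind of analysis and is not code from the report, from Fox IT or from DigiNotar: it takes responder access-log lines, keeps only requests that name a known rogue serial number, and reports the distinct client IPs per serial. The log layout (combined log format with a trailing `serial=<hex>` field), the sample lines and the serial numbers are all constructed for this example and do not reflect DigiNotar's real logs or the real rogue certificates.

```python
import re
from collections import defaultdict

# Constructed sample of OCSP responder access-log lines for this example.
# The format (combined log plus a trailing serial=<hex> field naming the
# certificate whose status was requested) is an assumption, not DigiNotar's
# real log layout. The serial numbers are placeholders, not real ones.
SAMPLE_LOG = """\
10.0.0.1 - - [27/Jul/2011:10:01:02 +0200] "POST /ocsp HTTP/1.1" 200 1345 serial=DEADBEEF01
10.0.0.2 - - [27/Jul/2011:10:01:05 +0200] "POST /ocsp HTTP/1.1" 200 1345 serial=deadbeef01
10.0.0.1 - - [27/Jul/2011:10:02:11 +0200] "POST /ocsp HTTP/1.1" 200 1345 serial=DEADBEEF01
10.0.0.3 - - [27/Jul/2011:10:03:40 +0200] "GET /ocsp/MFEwTzBN HTTP/1.1" 200 1345 serial=DEADBEEF02
this line is truncated garbage and must not crash the parser
10.0.0.4 - - [27/Jul/2011:10:04:00 +0200] "POST /ocsp HTTP/1.1" 200 1345 serial=00CAFE
"""

# Serial numbers of certificates known to be rogue (constructed placeholders).
ROGUE_SERIALS = {"DEADBEEF01", "DEADBEEF02"}

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) serial=(?P<serial>[0-9A-Fa-f]+)\s*$'
)


def parse_line(line):
    """Return (client_ip, serial) for a well-formed line, else None.

    Serial numbers are normalised to upper case so the same certificate is
    not counted twice because of case differences between log lines.
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    return m.group("ip"), m.group("serial").upper()


def affected_clients(log_text, rogue_serials):
    """Map each rogue serial seen in the log to the sorted unique client IPs
    that asked for its status. Lines that do not parse are skipped, not fatal."""
    wanted = {s.upper() for s in rogue_serials}
    clients = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, serial = parsed
        if serial in wanted:
            clients[serial].add(ip)
    return {serial: sorted(ips) for serial, ips in clients.items()}


def unique_client_count(log_text, rogue_serials):
    """Number of distinct client IPs that checked any rogue certificate.
    A client that checked several rogue certificates is counted once."""
    seen = set()
    for ips in affected_clients(log_text, rogue_serials).values():
        seen.update(ips)
    return len(seen)


if __name__ == "__main__":
    for serial, ips in sorted(affected_clients(SAMPLE_LOG, ROGUE_SERIALS).items()):
        print(f"{serial}: {len(ips)} unique clients -> {', '.join(ips)}")
    print("total unique clients:", unique_client_count(SAMPLE_LOG, ROGUE_SERIALS))
```

The count is deliberately per unique client address rather than per request, which is what the 300,000 figure above expresses; the same caveat applies to both, since a client that never sent an OCSP request leaves no trace in this log at all.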