After having its SSL and EVSSL certificates deemed untrustworthy by the most popular browsers, VASCO announced that DigiNotar, filed a voluntary bankruptcy petition and was declared bankrupt today.
This is unsurprising, since a report issued by security audit firm Fox IT, who has been hired to investigate the now notorious DigiNotar breach, revealed that things were far worse than we were led to believe.
“The most critical servers contain malicious software that can normally be detected by anti-virus software,” it says. “The separation of critical components was not functioning or was not in place. We have strong indications that the CA-servers, although physically very securely placed in a tempest proof environment, were accessible over the network from the management LAN.”
All CA servers were members of one Windows domain and all accessible with one user/password combination. Moreover, the used password was simple and susceptible to brute-force attacks.
“Although we are saddened by this action and the circumstances that necessitated it,” said T. Kendall Hunt, VASCO’s Chairman and CEO. “We would like to remind our customers and investors that the incident at DigiNotar has no impact on VASCO’s core authentication technology. The technological infrastructures of VASCO and DigiNotar remain completely separated, meaning that there is no risk for infection of VASCO’s strong authentication business. We also plan to cooperate with the Dutch government in its investigation of the person or persons responsible for the attack on DigiNotar.”