September 25, 2016

Another Dutch CA Hacked?

(LiveHacking.Com) – Gemnet, a subsidiary of KPN (a leading telecommunications and ICT service provider in The Netherlands), has taken its website offline to investigate a possible hack. Hacked websites are not a rarity today, however according to Webwereld the hack is related to CA certificates.

In response to these allegations KPN issued a statement saying that the suggestions that there is a connection between the hack and creation of certificates is true. “The hack of the site has no connection with the issuance and management of Government PKI certificates.

Despite the statement issued by KPN,  a second website belonging to a subsidiary of the telecommunications  company that also issues digital certificates to the Dutch government was also taken down.

According to the original Webwereld article by Brenno de Winter, the attack was launched through a PHP MyAdmin account that didn’t have a password. The attacker then used the database to create files including executable scripts.

Stolen Certificate Used to Sign Malware

(LiveHacking.Com) –  A certificate stolen from the Malaysian Agricultural Research and Development Institute, which was taken “quite some time ago”, has turned up as the digital signature used on a piece of malware known as Trojan-Downloader:W32/Agent.DTIW.

The malware, which spreads via malicious PDF files that install it after exploiting holes in Adobe Reader 8, downloads additional malicious components from a server called worldnewsmagazines.org.

By using a private signing certificate that belongs to the Malaysian government the malware is able to bypass the warnings issued by Windows about untrusted software.

According to F-Secure, who discovered the malware signed with the a stolen certificate:

It’s not that common to find a signed copy of malware. It’s even rarer that it’s signed with an official key belonging to a government.

The use of digital certificates and the role of Certificate Authorities (CA) continues to be a hot topic following several well publicized security breaches (Diginotar and Comodo) and the subsequent revoking of fraudulently issued certificates.

Microsoft to Revoke Trust in Malaysian CA

Microsoft has issued a notice that it will shortly revoke the trust in the Intermediate Certificate Authority DigiCert Sdn. Bhd. (Digicert Malaysia) via Windows Update. The reason for the revoke isn’t that the CA has been compromised or suffered a security breach, but rather they were caught issuing certificates with weak 512 bit keys.

The requirements of the  the Microsoft Root Program are that a minimum crypto key size of RSA 2048-bit modulus is used for any root and all issuing CAs. Microsoft used to accept root certificates with RSA 1024-bit modulus however these existing legacy 1024-bit RSA root certificates were phased out at the end of last year. The fact that this Malaysian CA issued 512-bit certificates is a clear violation of Microsoft requirements.

“The subordinate CA has clearly demonstrated poor CA security practices and Microsoft intends to revoke trust in the intermediate certificates” said Jerry Bryant, Group manager, Response Communications, Trustworthy Computing.

Although Microsoft have no indication that any of the 22 certificates were issued fraudulently, however, these weak keys have allowed some of the certificates to be compromised.  These compromised certificates could allow an attacker to impersonate the legitimate owner and make a user believe they are trusting a website or signed software that was created for malicious use.