October 23, 2014

Patch Tuesday Blocks More DigiNotar Certificates

(LiveHacking.Com) – As anticipated, Microsoft has issued five security bulletins bringing a number of updates to Windows and Office. At the same time it has released a new update (2616676) that blocks six additional DigiNotar root certificates. These new certificates are ones that are cross-signed by Entrust and GTE. They are:

  • DigiNotar Root CA Issued by Entrust (2 certificates)
  • DigiNotar Services 1024 CA Issued by Entrust
  • Diginotar Cyber CA Issued by GTE CyberTrust (3 certificates)

The security bulletins issued are:

  1. MS11-070 Vulnerability in WINS Could Allow Elevation of Privilege
  2. MS11-071 Vulnerability in Windows Components Could Allow Remote Code Execution
  3. MS11-072 Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution
  4. MS11-073 Vulnerabilities in Microsoft Office Could Allow Remote Code Execution
  5. MS11-074 Vulnerabilities in Microsoft SharePoint Could Allow Elevation of Privilege

None of the bulletins are rated as Critical, but the affected software includes all of Microsoft’s currently supported versions of Windows, including XP, Vista, Windows 7 and Windows Server 2003/2008, as well as Office 2003, 2007 and 2010.

MS11-071, 072 and 073 all relate to vulnerabilities that could allow remote code execution if a user opens a specially crafted file. In some cases, for .doc, .rtf and .txt files, the document needs to be located in the same network directory as a specially crafted library file for the exploit to work.

GlobalSign To Start Issuing SSL Certificates Again

(LiveHacking.Com) – GlobalSign is to start issuing SSL certificates again after its audit showed that the claims made by ComodoHacker that he had breached other Certificate Authorities (CAs), including GlobalSign, were false.

On September 6th, GlobalSign temporarily stopped issuing SSL certificates following a claim that the same hacker responsible for the recent DigiNotar hack had access to four other Certificate Authorities, including GlobalSign. GlobalSign then appointed Fox-IT to assist with investigations into the claimed breach. Fox-IT is the Dutch cybersecurity company hired to investigate the compromise of the Dutch CA DigiNotar and therefore already has a wealth of current knowledge and experience of this hacker.

On the 8th, GlobalSign issued a statement that it will start bringing its services back online on Monday (12th):

We have already stated that we deem this to be an industry wide threat due to the mention of multiple CAs. We are adopting a high threat approach to bringing services back online and we are working with a number of organisations to audit the process of bringing the services back online. We apologise again for the delay.

Although GlobalSign will bring its systems back on line on Monday, as part of a sequenced startup, it foresees that customers will only be able to process orders on Tuesday morning.

During its investigations GlobalSign reminded its customers that the GlobalSign CA root was created offline, and is kept offline. Any claims by the ComodoHacker about having a private key cannot refer to the GlobalSign offline root CA. By “offline” the CA means that the Root CA Certificate is not connected to any network of any type. The Root Key is physically (geographically) separate from any networked systems and is only ever accessed in a controlled manner.

Once Bitten, Twice Shy – Mozilla Tell CAs to Audit Their Systems

(LiveHacking.Com) – Mozilla has sent a message to all the certificate authorities which participate in the Mozilla root certificate program. It has requested that all participating CAs complete an audit of their PKI systems by September 16, 2011.

This call to review and confirm the integrity of their certificate systems comes after Mozilla removed the DigiNotar root certificate in response to their failure to promptly detect, contain, and notify Mozilla of a security breach regarding their root and subordinate certificates.

As part of the audit Mozilla are asking that each CA confirm that it has automatic blocks in place for high-profile domain names (including those targeted in the DigiNotar and Comodo attacks this year). Plus the CA needs to further confirm its process for manually verifying such requests, when blocked.

Mozilla also have reminded the CAs that participation in Mozilla’s root program is at its sole discretion. Which is code for: comply or we will kick you out. However the message does change its tone a little by underlining Mozilla’s commitment to working with CAs as partners, “to foster open and frank communication, and to be diligent in looking for ways to improve.”

Microsoft Follows Mozilla and Google and Revokes All DigiNotar Certificates

(LiveHacking.Com) – Following in the footsteps of Google and Mozilla, Microsoft has revoked all of DigiNotar’s root certificates and issued a Windows update:

  • DigiNotar Root CA
  • DigiNotar Root CA G2
  • DigiNotar PKIoverheid CA Overheid
  • DigiNotar PKIoverheid CA Organisatie – G2
  • DigiNotar PKIoverheid CA Overheid en Bedrijven

The update is available for all supported versions of Windows (XP, 2003, Vista, 2008, 7 and 2008R2) and increases the number of revoked certificates from two to five.

In a perfect world Microsoft would just rely on its Microsoft Certificate Trust List to validate the trust of a certification authority. However Windows XP and Windows Server 2003 do not use the Microsoft Certificate Trust List and as a result, an update is needed for all editions of Windows XP and Windows Server 2003 to protect customers.

Interestingly, the update also changes IE’s behaviour in that users are no longer just presented with a warning about any certificates issued by DigiNotar, but they are prevented from accessing sites completely.

In order to protect customers more comprehensively against possible man-in-the-middle attacks, Microsoft is releasing an update that takes additional measures to protect customers by completely preventing Internet Explorer users from accessing resources of Web sites that contained certificates signed by the untrusted DigiNotar root certificates. Internet Explorer users who apply this update will be presented with an error message when trying to access a Web site that has been signed by either of the above DigiNotar root certificates. These users will not be able to continue to access the Web site.

GlobalSign Temporarily Halt Issuing Digital Certificates

(LiveHacking.Com) – GlobalSign, the world’s fifth largest certificate issuer, has temporarily halted the issuance of all digital certificates following a claim that the same hacker responsible for the recent DigiNotar hack has access to four other Certificate Authorities, and named GlobalSign as one of them.

A statement on the GlobalSign web site reads:

GlobalSign takes this claim very seriously and is currently investigating. As a responsible CA, we have decided to temporarily cease issuance of all Certificates until the investigation is complete. We will post updates as frequently as possible.

We apologize for any inconvenience.

This is a wise move by GlobalSign and it seems it doesn’t want to repeat the same mistakes that DigiNotar made. One of the reasons DigiNotar lost its trust status was its failure to notify companies like Mozilla that fraudulent certificates had been issued for their domains. The cost of its attempt to hide the security breach was that it effectively went out of business.

The hacker also claimed in his posting that:

I have around 300 code signing certificates and a lot of SSL certs with again code signing permission, look at Google’s cert, I have code signing privilege! You see?

The hacker also says that he has targeted DigiNotar for a specific reason:

Dutch government is paying what they did 16 years ago about Srebrenica…

Fox-IT Interim Report Into DigiNotar Security Breach Points Finger at Iran

(LiveHacking.Com) – Fox-IT, the Dutch security company hired to investigate the security breach at DigiNotar has released its interim report. The day after it became public knowledge that a rogue *.google.com certificate was presented to a number of Internet users in Iran, Fox-IT was contacted and asked to investigate the breach and report its findings. Fox-IT assembled a team and started the investigation known as “Operation Black Tulip.”

The report has some very interesting findings:

  • The rogue certificate found by Google was issued by the DigiNotar Public CA 2025. The serial number of the certificate was, however, not found in the CA system’s records. This leads to the conclusion that it is unknown how many certificates were issued without any record present.
  • Web browsers perform an Online Certificate Status Protocol (OCSP) check as soon as the browser connects to an SSL protected website through the https protocol. The serial number of the certificate presented by the website a user visits is sent to the issuing CA OCSP-responder. The OCSP-responder can only answer either with ‘good’, ‘revoked’ or ‘unknown’. If a certificate serial number is presented to the OCSP-responder and no record of this serial is found, the normal OCSP-responder answer would be ‘good’. The OCSP-responder answer ‘revoked’ is only returned when the serial is revoked by the CA. In order to prevent misuse of the unknown issued serials the OCSP-responder of DigiNotar has been set to answer ‘revoked’ when presented any unknown certificate serial it has authority over. This was done on September 1st.
  • The list of domains and the fact that 99% of the users are in Iran suggest that the objective of the hackers is to intercept private communications in Iran.

Does this mean the hacking was state sponsored? Leave your comments below.
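The OCSP behaviour described in the report’s second finding, as an added example (not code from Fox-IT, DigiNotar or the original article): a simulated single-serial responder that shows the default answer for an unrecorded serial (‘good’) beside the fail-closed policy the report says DigiNotar switched to on September 1st, plus the record check behind the first finding. The CA name and all serial numbers are constructed.

```python
"""Simulated OCSP responder: default 'good for unrecorded serials' versus a
fail-closed responder that treats any serial without a record as revoked.
Constructed example; CA name and serials are made up."""
from dataclasses import dataclass, field

GOOD, REVOKED, UNKNOWN = "good", "revoked", "unknown"


@dataclass
class IssuingCA:
    """Minimal CA state: serials the CA recorded issuing, and revoked ones."""
    name: str
    issued: set = field(default_factory=set)   # serials with an issuance record
    revoked: set = field(default_factory=set)  # serials the CA has revoked
    fail_closed: bool = False                  # the September 1st setting

    def ocsp_status(self, serial: int) -> str:
        """Answer a single-serial OCSP query for a cert this CA has authority over."""
        if serial in self.revoked:
            return REVOKED
        if serial in self.issued:
            return GOOD
        # No record for this serial: it was never logged as issued, which is
        # exactly the case of a certificate created while logging was bypassed.
        # The default responder still says 'good'; fail-closed says 'revoked'.
        return REVOKED if self.fail_closed else GOOD


def browser_accepts(ca: IssuingCA, serial: int) -> bool:
    """Client side of the check: only a 'good' answer lets the session proceed."""
    return ca.ocsp_status(serial) == GOOD


def unrecorded_serials(ca: IssuingCA, seen_in_the_wild) -> set:
    """Finding 1: serials presented by live sites that the CA has no record of."""
    return {s for s in seen_in_the_wild if s not in ca.issued}


def demo():
    """Constructed scenario: two logged certs, one later revoked, one rogue serial."""
    ca = IssuingCA("Example Public CA (constructed)", issued={0x1001, 0x1002})
    rogue = 0x7777                       # presented by a site, absent from records
    ca.revoked.add(0x1002)
    before = {s: ca.ocsp_status(s) for s in (0x1001, 0x1002, rogue)}
    ca.fail_closed = True                # flip to the fail-closed policy
    after = {s: ca.ocsp_status(s) for s in (0x1001, 0x1002, rogue)}
    return before, after
```

Under the default policy the rogue serial passes the browser check exactly as the report describes; only the fail-closed responder rejects it, at the cost of also rejecting any legitimately issued but unlogged certificate.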

What are Apple Doing About the DigiNotar Security Breach?

(LiveHacking.Com) – The last few days has seen rapid releases and lots of information published by Microsoft, Google and Mozilla to block the fraudulent certificates issued by DigiNotar. The one significant player who has so far remained eerily silent is Apple. The Safari web browser is not only found on OS X and Windows but it is also used in iOS and can be found on the iPhone, iPod Touch and iPad.

As of Monday morning, Safari and OS X itself have not been patched. There are instructions on doing so on the ps | Enable blog, although it is non-trivial.

Also all of Apple’s mobile users are being left in the dark. There have been no updates and no information at all about iOS.

What are Apple doing? Too busy working on the iPhone 5????

Google Releases Chrome 13.0.782.220 to Block All Certificates Issued by DigiNotar

(LiveHacking.Com) – Following the revelation that the DigiNotar debacle included certificates for MI6, the CIA and Mossad, Google has updated Chrome to 13.0.782.220 for Windows, Mac and Linux to revoke Chrome’s trust for SSL certificates issued by DigiNotar-controlled intermediate CAs used by the Dutch PKIoverheid program. For more details from Google about the security issues see their Security Blog post about DigiNotar.

Mozilla has also published new information about its decision to revoke its trust in the DigiNotar certificate authority. According to Mozilla the block on DigiNotar is “not a temporary suspension, it is a complete removal from our trusted root program.”

Mozilla list three central reasons for its decision:

1) Failure to notify. DigiNotar detected and revoked some of the fraudulent certificates 6 weeks ago without notifying Mozilla.

2) The scope of the breach remains unknown. While Mozilla were initially informed by Google that a fraudulent *.google.com certificate had been issued, DigiNotar eventually confirmed that more than 200 certificates had been issued against more than 20 different domains. It is now known that the attackers also issued certificates from another of DigiNotar’s intermediate certificates without proper logging. It is therefore impossible for us to know how many fraudulent certificates exist, or which sites are targeted.

3) The attack is not theoretical. Mozilla have received multiple reports of these certificates being used in the wild.

DigiNotar Issued Fake SSL Certificates for CIA, MI6 and Mossad

(LiveHacking.Com) – The aftermath of the security breach at DigiNotar continues to grow. New revelations about the extent of the breach have now come to light. It appears that since DigiNotar is a “root” certificate, it can assign authority to intermediaries to sign and validate certificates on its behalf. It seems now that the hackers have signed 186 intermediate certificates that masquerade as well-known certificate authorities like Thawte, Verisign and Equifax.

The expanded list of domains for which fraudulent certificates were issued now includes Facebook, Google, Microsoft, Yahoo!, Tor, Skype, Mossad, CIA, MI6, LogMeIn, Twitter, Mozilla, AOL and WordPress. A complete list can be downloaded from the Tor website.

As a result of the wide scale of this incident Google and Mozilla have now blocked all certificates issued by DigiNotar. According to Mozilla “DigiNotar issues certificates as part of the Dutch government’s PKIoverheid (PKIgovernment) program. These certificates are issued from a different DigiNotar-controlled intermediate, and chain up to the Dutch government CA (Staat der Nederlanden).” The Dutch government has since audited DigiNotar’s performance and removed it from its PKIoverheid role. Therefore all DigiNotar certificates will now be untrusted by Mozilla products.

How Many Certificates Did Hackers Take From DigiNotar?

(LiveHacking.Com) – It looks like the dust isn’t going to settle quickly on the recent security breach at the Dutch Certificate Authority (CA) DigiNotar. A few days ago, DigiNotar’s parent company VASCO Data Security International, Inc. admitted that a security breach in its Certificate Authority (CA) infrastructure allowed the fraudulent issuance of public key certificate requests for a number of domains, including Google.com. It now seems that the actual number is over 200, maybe even more than 250.

Recent changes to Chromium, the open-source project that acts as a base for Google’s Chrome browser, list 247 DigiNotar certificates that are now blacklisted plus two intermediate certificates.

There is a growing sense that DigiNotar haven’t been as upfront about this incident as they could be.

It has now come to light that a certificate was also issued for addons.mozilla.org. “DigiNotar informed us that they issued fraudulent certs for addons.mozilla.org in July, and revoked them within a few days of issue,” Johnathan Nightingale, Mozilla’s director of Firefox development, wrote in a statement. “In the absence of a full account of mis-issued certificates from DigiNotar, the Mozilla team moved quickly to remove DigiNotar from our root program and protect our users.”