November 22, 2014

DigiNotar Officially Bankrupt

(LiveHacking.Com) – The American parent company of the Dutch certificate authority (CA) DigiNotar has announced that DigiNotar is now officially bankrupt. VASCO Data Security International filed DigiNotar’s voluntary bankruptcy in the Haarlem District Court, The Netherlands at the beginning of this week and one day later the CA was officially declared bankrupt. A bankruptcy trustee, under the supervision of a judge, has now taken over the management of DigiNotar and will work to liquidate the company.

The Dutch government stepped in and took over DigiNotar after it was discovered that the company had been hacked and had been used to issue fake SSL certificates for various major sites, including Google, Mozilla, the CIA, MI6 and Mossad.

T. Kendall Hunt, VASCO’s Chairman and CEO said in a statement, “we would like to remind our customers and investors that the incident at DigiNotar has no impact on VASCO’s core authentication technology.”

“We want to emphasize that the bankruptcy filing by DigiNotar, which was primarily a certificate authority, does not involve VASCO’s core two-factor authentication business,” added Jan Valcke, VASCO’s President and COO.

It was DigiNotar’s failure to be upfront about the security breach that cost it its credibility. After the breach, weeks passed before it started to inform the affected domain owners about what had happened. Worse, the serial numbers of some of the rogue certificates could not be found in DigiNotar’s records, which led to the conclusion that an unknown number of certificates, probably more than 500, had been issued without being logged.

“We are working to quantify the damages caused by the hacker’s intrusion into DigiNotar’s system and will provide an estimate of the range of losses as soon as possible,” said Cliff Bown, VASCO’s Executive Vice President and CFO.

Adobe Updates Acrobat to Fix Security Problems; Also Revokes Trust in DigiNotar

(LiveHacking.Com) – Adobe has released an update to Acrobat and Acrobat Reader to fix various Critical vulnerabilities. Affected versions are Adobe Reader X (10.1) and earlier and Adobe Acrobat X (10.1) and earlier for Windows and OS X, and Adobe Reader 9.4.2 and earlier for UNIX. These vulnerabilities could cause the application to crash and potentially allow an attacker to take control of the affected system.

The specific problems fixed are:

  • A local privilege-escalation vulnerability (Adobe Reader X (10.x) on Windows only) (CVE-2011-1353).
  • A security bypass vulnerability that could lead to code execution (CVE-2011-2431).
  • A buffer overflow vulnerability in the U3D TIFF Resource that could lead to code execution (CVE-2011-2432).
  • Heap overflows that could lead to code execution (CVE-2011-2433, CVE-2011-2434).
  • A buffer overflow vulnerability that could lead to code execution (CVE-2011-2435).
  • A heap overflow vulnerability in the Adobe image parsing library that could lead to code execution (CVE-2011-2436).
  • Three stack overflow vulnerabilities in the Adobe image parsing library that could lead to code execution (CVE-2011-2438).
  • A memory leakage condition vulnerability that could lead to code execution (CVE-2011-2439).
  • A use-after-free vulnerability that could lead to code execution (CVE-2011-2440).
  • Two stack overflow vulnerabilities in the CoolType.dll library that could lead to code execution (CVE-2011-2441).
  • A logic error vulnerability that could lead to code execution (CVE-2011-2442).

Simultaneously Adobe removed the DigiNotar root certificate from its trust list:

Adobe takes the security and trust of our users very seriously. Based on the nature of the breach, Adobe is now taking the action to remove the DigiNotar Qualified CA from the Adobe Approved Trust List.

This update has been published for Adobe Reader and Acrobat X which include a trust list that Adobe can dynamically manage without requiring a product update/patch. A future product update of Adobe Reader and Acrobat version 9.x will also enable dynamic updates of the AATL.

Patch Tuesday Blocks More DigiNotar Certificates

(LiveHacking.Com) – As anticipated, Microsoft has issued five security bulletins bringing a number of updates to Windows and Office. At the same time it has released a new update (2616676) that blocks six additional DigiNotar root certificates. These are DigiNotar CA certificates that were cross-signed by Entrust and GTE CyberTrust: because they chain to roots that are still trusted, removing DigiNotar’s own roots was not enough to stop certificates issued under them from validating. They are:

  • DigiNotar Root CA Issued by Entrust (2 certificates)
  • DigiNotar Services 1024 CA Issued by Entrust
  • Diginotar Cyber CA Issued by GTE CyberTrust (3 certificates)
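
As an added example (not Microsoft’s or Apple’s code, and not from the original article): the reason cross-signed certificates need their own block is that path validation will happily reach a different trusted root through them. The Python below models that with constructed certificates (DigiNotar’s real roots and keys are not used; the `key-…` identifiers, subject names and the leaf-to-root chain shape are hypothetical and simplified) and contrasts removing the DigiNotar root from the anchor set with explicitly distrusting the DigiNotar key, which is what Apple’s Security Update 2011-005 describes as configuring trust settings so that DigiNotar’s certificates, including those issued by other authorities, are not trusted.

```python
# Added example, not from the original article or any vendor's code.
# All certificates here are constructed stand-ins: subjects, issuers and the
# "key-..." identifiers (standing in for SubjectPublicKeyInfo hashes) are
# hypothetical, and the chain is simplified to leaf -> root with no intermediate.
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str       # subject distinguished name (simplified to a string)
    issuer: str        # issuer distinguished name
    spki: str          # id of the subject's public key
    issuer_spki: str   # id of the key that signed this certificate


def chain_is_trusted(leaf: Cert, pool: list[Cert],
                     anchors: set[str], distrusted: set[str]) -> bool:
    """Return True if any path from `leaf` ends at an anchor key.

    `pool` holds every CA certificate the validator can use to build a path;
    a CA that has been cross-signed appears twice, with the same key but a
    different issuer.  `anchors` are trusted root keys and `distrusted` are
    keys that must never appear in a valid path, even if the certificate
    carrying them was signed by a trusted root.
    """
    def walk(cert: Cert, seen: frozenset[str]) -> bool:
        if cert.spki in distrusted or cert.issuer_spki in distrusted:
            return False                      # explicit distrust wins over any anchor
        if cert.issuer_spki in anchors:
            return True                       # reached a trusted root key
        for cand in pool:                     # try every certificate for the issuer
            if (cand.subject == cert.issuer and cand.spki == cert.issuer_spki
                    and cand.spki not in seen):
                if walk(cand, seen | {cand.spki}):
                    return True
        return False

    return walk(leaf, frozenset({leaf.spki}))


# Constructed certificates.
ENTRUST_ROOT = Cert("Entrust Root (constructed)", "Entrust Root (constructed)",
                    "key-entrust", "key-entrust")
DIGINOTAR_SELF = Cert("DigiNotar Root CA", "DigiNotar Root CA",
                      "key-diginotar", "key-diginotar")          # self-signed root
DIGINOTAR_XSIGN = Cert("DigiNotar Root CA", "Entrust Root (constructed)",
                       "key-diginotar", "key-entrust")           # same key, cross-signed
ROGUE_LEAF = Cert("*.google.com (constructed rogue)", "DigiNotar Root CA",
                  "key-rogue", "key-diginotar")
LEGIT_LEAF = Cert("example.com (constructed)", "Entrust Root (constructed)",
                  "key-example", "key-entrust")
POOL = [ENTRUST_ROOT, DIGINOTAR_SELF, DIGINOTAR_XSIGN]


def evaluate(leaf: Cert) -> dict[str, bool]:
    """Validate `leaf` under three trust-store states."""
    return {
        # 1. DigiNotar's root still trusted: the rogue leaf validates.
        "root_trusted": chain_is_trusted(leaf, POOL, {"key-entrust", "key-diginotar"}, set()),
        # 2. Root removed but nothing distrusted: the cross-signed copy of the
        #    DigiNotar CA still chains to Entrust, so the rogue leaf validates.
        "root_removed": chain_is_trusted(leaf, POOL, {"key-entrust"}, set()),
        # 3. DigiNotar's key explicitly distrusted: both paths are cut off.
        "key_distrusted": chain_is_trusted(leaf, POOL, {"key-entrust"}, {"key-diginotar"}),
    }


if __name__ == "__main__":
    for name, leaf in (("rogue", ROGUE_LEAF), ("legit", LEGIT_LEAF)):
        print(name, evaluate(leaf))
```

In the second state the rogue certificate still validates even though the DigiNotar root is gone from the store; that is the gap the 2616676 update closes by blocking the Entrust- and GTE-signed DigiNotar certificates directly, and that Apple’s trust-settings change closes by distrusting DigiNotar regardless of who signed it. Real validators key distrust on certificate or public-key fingerprints rather than on a name, as the model does with its `key-…` identifiers; the legitimate Entrust-issued leaf is unaffected in every state, which is the check to run before shipping a distrust entry.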

The security bulletins issued are:

  1. MS11-070 Vulnerability in WINS Could Allow Elevation of Privilege
  2. MS11-071 Vulnerability in Windows Components Could Allow Remote Code Execution
  3. MS11-072 Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution
  4. MS11-073 Vulnerabilities in Microsoft Office Could Allow Remote Code Execution
  5. MS11-074 Vulnerabilities in Microsoft SharePoint Could Allow Elevation of Privilege

None of the bulletins are rated as Critical, but the affected software includes all of Microsoft’s currently supported versions of Windows, including XP, Vista, Windows 7 and Windows Server 2003/2008, as well as Office 2003, 2007 and 2010.

MS11-071, 072 and 073 all relate to vulnerabilities that could allow remote code execution if a user opens a specially crafted file. In some cases, for .doc, .rtf and .txt files, the document needs to be located in the same network directory as a specially crafted library file for the exploit to work.

Apple Finally Revokes Trust for DigiNotar – But Only on OS X

(LiveHacking.Com) – Almost a week after Microsoft, Mozilla and Google revoked trust in all the certificates issued by DigiNotar, Apple has finally issued an update for OS X 10.6 and 10.7.

Security Update 2011-005 reads:

Fraudulent certificates were issued by multiple certificate authorities operated by DigiNotar. This issue is addressed by removing DigiNotar from the list of trusted root certificates, from the list of Extended Validation (EV) certificate authorities, and by configuring default system trust settings so that DigiNotar’s certificates, including those issued by other authorities, are not trusted.

However, the update leaves users of PowerPC Macs vulnerable, as there is no update for OS X 10.4, and there is nothing yet for iOS devices, including the iPhone, iPod Touch and iPad.

The update is available through Mac OS X’s built-in Software Update or can be manually downloaded (for Lion or Snow Leopard) and installed.

Once Bitten, Twice Shy – Mozilla Tell CAs to Audit Their Systems

(LiveHacking.Com) – Mozilla has sent a message to all the certificate authorities which participate in the Mozilla root certificate program. It has requested that all participating CAs complete an audit of their PKI systems by September 16, 2011.

This call to review and confirm the integrity of their certificate systems comes after Mozilla removed the DigiNotar root certificate in response to their failure to promptly detect, contain, and notify Mozilla of a security breach regarding their root and subordinate certificates.

As part of the audit Mozilla are asking that each CA confirm that it has automatic blocks in place for high-profile domain names (including those targeted in the DigiNotar and Comodo attacks this year). The CA must also confirm the process it uses to manually verify such requests once they have been blocked.
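
As an added example of the kind of pre-issuance block Mozilla is asking for (not Mozilla’s text or any CA’s code): the Python below triages a certificate request’s subject alternative names against a protected-domain list. The list, the request shapes and the function names are constructed for illustration; a CA would maintain its own list under its issuance policy. It goes slightly beyond the exact-match case by also catching subdomains and wildcards that would cover a protected domain, since those are the forms the DigiNotar and Comodo rogue certificates actually took.

```python
# Added example, not from Mozilla's message or any CA's code.  The protected
# domain list, the request shapes and the function names are constructed for
# illustration; a CA would maintain its own list under its issuance policy.
from __future__ import annotations

# Constructed list of high-value base domains (hypothetical; a real list would
# be maintained by the CA and cover the domains hit in the 2011 attacks and more).
HIGH_PROFILE_DOMAINS = frozenset({
    "google.com", "mozilla.org", "yahoo.com", "skype.com", "live.com",
    "microsoft.com", "cia.gov",
})


def normalize(name: str) -> str:
    """Canonical form for comparison: lower-case, no surrounding space, no trailing dot."""
    return name.strip().lower().rstrip(".")


def covers(requested: str, protected: str) -> bool:
    """True if a certificate for `requested` could impersonate `protected`.

    Catches the exact name, any host under the protected domain, a wildcard
    under it, and a wildcard over one of its parents (such as "*.com"), which
    would cover every host under the protected domain as well.
    """
    if requested.startswith("*."):
        base = requested[2:]
        return (protected == base
                or protected.endswith("." + base)      # wildcard over a parent
                or base.endswith("." + protected))     # wildcard under the domain
    return requested == protected or requested.endswith("." + protected)


def triage_request(sans: list[str]) -> dict[str, object]:
    """Decide whether a certificate request can be issued automatically.

    Any SAN that covers a protected domain sends the whole request to manual
    verification, the process Mozilla asked CAs to confirm for blocked requests.
    Returns the decision and the (san, protected domain) pairs that triggered it.
    """
    matches = sorted({
        (normalize(san), dom)
        for san in sans
        for dom in HIGH_PROFILE_DOMAINS
        if covers(normalize(san), dom)
    })
    decision = "manual_review" if matches else "auto_issue"
    return {"decision": decision, "blocked": matches}


if __name__ == "__main__":
    # Constructed requests: a harmless one, a wildcard over a protected domain,
    # an oddly cased name with a trailing dot, and a lookalike that must pass.
    for req in (["www.example.org"], ["*.google.com"], ["MAIL.Google.com."], ["notgoogle.com"]):
        print(req, triage_request(req))
```

The lookalike `notgoogle.com` is deliberately allowed through: the block Mozilla describes is about the high-profile names themselves, and suffix matching is done on a dot boundary so that it does not become a substring filter. Typo-squats and homoglyphs are a separate control.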

Mozilla also reminded the CAs that participation in Mozilla’s root program is at its sole discretion, which is code for: comply or be removed. However, the message does soften its tone a little by underlining Mozilla’s commitment to working with CAs as partners, “to foster open and frank communication, and to be diligent in looking for ways to improve.”

Microsoft Follows Mozilla and Google and Revokes All DigiNotar Certificates

(LiveHacking.Com) – Following in the footsteps of Google and Mozilla, Microsoft has revoked all of DigiNotar’s root certificates and issued a Windows update:

  • DigiNotar Root CA
  • DigiNotar Root CA G2
  • DigiNotar PKIoverheid CA Overheid
  • DigiNotar PKIoverheid CA Organisatie – G2
  • DigiNotar PKIoverheid CA Overheid en Bedrijven

The update is available for all supported versions of Windows (XP, 2003, Vista, 2008, 7 and 2008R2) and increases the number of revoked certificates from two to five.

In a perfect world Microsoft would just rely on its Microsoft Certificate Trust List to validate the trust of a certification authority. However Windows XP and Windows Server 2003 do not use the Microsoft Certificate Trust List and as a result, an update is needed for all editions of Windows XP and Windows Server 2003 to protect customers.

Interestingly, the update also changes IE’s behaviour in that users are no longer just presented with a warning about any certificates issued by DigiNotar, but they are prevented from accessing sites completely.

In order to protect customers more comprehensively against possible man-in-the-middle attacks, Microsoft is releasing an update that takes additional measures to protect customers by completely preventing Internet Explorer users from accessing resources of Web sites that contained certificates signed by the untrusted DigiNotar root certificates. Internet Explorer users who apply this update will be presented with an error message when trying to access a Web site that has been signed by either of the above DigiNotar root certificates. These users will not be able to continue to access the Web site.

GlobalSign Temporarily Halt Issuing Digital Certificates

(LiveHacking.Com) – GlobalSign, the world’s fifth largest certificate issuer, has temporarily halted the issuance of all digital certificates following a claim that the same hacker responsible for the recent DigiNotar hack has access to four other Certificate Authorities, and named GlobalSign as one of them.

A statement on the GlobalSign web site reads:

GlobalSign takes this claim very seriously and is currently investigating. As a responsible CA, we have decided to temporarily cease issuance of all Certificates until the investigation is complete. We will post updates as frequently as possible.

We apologize for any inconvenience.

This is a wise move by GlobalSign, and it seems it does not want to repeat the mistakes that DigiNotar made. One of the reasons DigiNotar lost its trusted status was its failure to notify companies like Mozilla that fraudulent certificates had been issued for their domains. The cost of its attempt to hide the security breach was that it effectively went out of business.

The hacker also claimed in his posting that:

I have around 300 code signing certificates and a lot of SSL certs with again code signing permission, look at Google’s cert, I have code signing privilege! You see?

The hacker also says that he has targeted DigiNotar for a specific reason:

Dutch government is paying what they did 16 years ago about Srebrenica…

Fox-IT Interim Report Into DigiNotar Security Breach Points Finger at Iran

(LiveHacking.Com) – Fox-IT, the Dutch security company hired to investigate the security breach at DigiNotar has released its interim report. The day after it became public knowledge that a rogue *.google.com certificate was presented to a number of Internet users in Iran, Fox-IT was contacted and asked to investigate the breach and report its findings. Fox-IT assembled a team and started the investigation known as “Operation Black Tulip.”

The report has some very interesting findings:

  • The rogue certificate found by Google was issued by the DigiNotar Public CA 2025. The serial number of the certificate was, however, not found in the CA system’s records. This leads to the conclusion that it is unknown how many certificates were issued without any record present.
  • Web browsers perform an Online Certificate Status Protocol (OCSP) check as soon as the browser connects to an SSL protected website through the https protocol. The serial number of the certificate presented by the website a user visits is sent to the issuing CA OCSP-responder. The OCSP-responder can only answer either with ‘good’, ‘revoked’ or ‘unknown’. If a certificate serial number is presented to the OCSP-responder and no record of this serial is found, the normal OCSP-responder answer would be ‘good’. The OCSP-responder answer ‘revoked’ is only returned when the serial is revoked by the CA. In order to prevent misuse of the unknown issued serials the OCSP-responder of DigiNotar has been set to answer ‘revoked’ when presented any unknown certificate serial it has authority over. This was done on September 1st.
  • The list of domains and the fact that 99% of the users are in Iran suggest that the objective of the hackers is to intercept private communications in Iran.

Does this mean the hacking was state sponsored? Leave your comments below.
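
The OCSP finding above is the one practitioners should take away, so here is an added example (not from the Fox-IT report or DigiNotar’s systems) that models the two responder policies the report contrasts. The issuance records, serial numbers and function names are constructed; the point is that a responder driven only by the revocation list answers ‘good’ for a serial it has never seen, while a responder that only vouches for serials with an issuance record answers ‘revoked’ for the same query.

```python
# Added example, not from the Fox-IT report or DigiNotar's systems.  The
# issuance records and serial numbers are constructed; the two functions model
# the responder policies the report contrasts.
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum


class CertStatus(str, Enum):
    """The three answers an OCSP responder can give."""
    GOOD = "good"
    REVOKED = "revoked"
    UNKNOWN = "unknown"


@dataclass
class CaRecords:
    """Constructed stand-in for a CA's issuance database and revocation list."""
    issued: set[int] = field(default_factory=set)   # serials with an issuance record
    revoked: set[int] = field(default_factory=set)  # serials the CA has revoked


def ocsp_status_crl_based(db: CaRecords, serial: int) -> CertStatus:
    """Responder driven only by the revocation list.

    Anything not on the CRL is answered "good", which the report describes as
    the normal answer.  A rogue certificate whose serial was never logged can
    never be on the CRL, so it is indistinguishable from a legitimate one.
    """
    return CertStatus.REVOKED if serial in db.revoked else CertStatus.GOOD


def ocsp_status_whitelist(db: CaRecords, serial: int) -> CertStatus:
    """Responder that only vouches for serials it has an issuance record for.

    Unknown serials are answered "revoked", the setting DigiNotar switched to
    on September 1st so that unlogged certificates are rejected by clients
    that check revocation.
    """
    if serial in db.revoked:
        return CertStatus.REVOKED
    if serial in db.issued:
        return CertStatus.GOOD
    return CertStatus.REVOKED


def compare(db: CaRecords, serial: int) -> dict[str, str]:
    """Answer the same OCSP query under both policies."""
    return {
        "crl_based": ocsp_status_crl_based(db, serial).value,
        "whitelist": ocsp_status_whitelist(db, serial).value,
    }


# Constructed records: two legitimately issued serials, one of them revoked,
# and a rogue serial that the attacker issued without any record being kept.
DB = CaRecords(issued={1001, 1002}, revoked={1002})
ROGUE_SERIAL = 0x1337


if __name__ == "__main__":
    for serial in (1001, 1002, ROGUE_SERIAL):
        print(serial, compare(DB, serial))
```

The switch only helps clients that actually consult the responder and treat a ‘revoked’ answer as fatal. A browser that soft-fails OCSP (proceeds when the responder cannot be reached) can be kept from ever seeing that answer by the same attacker who is already intercepting the connection, which is why every vendor also shipped trust-store updates rather than relying on DigiNotar’s responder.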

What are Apple Doing About the DigiNotar Security Breach?

(LiveHacking.Com) – The last few days has seen rapid releases and lots of information published by Microsoft, Google and Mozilla to block the fraudulent certificates issued by DigiNotar. The one significant player who has so far remained eerily silent is Apple. The Safari web browser is not only found on OS X and Windows but it is also used in iOS and can be found on the iPhone, iPod Touch and iPad.

As of Monday morning, Safari and OS X itself have not been patched. There are instructions on doing so on the ps | Enable blog, although it is non-trivial.

Also all of Apple’s mobile users are being left in the dark. There have been no updates and no information at all about iOS.

What are Apple doing? Too busy working on the iPhone 5????

Google Releases Chrome 13.0.782.220 to Block All Certificates Issued by DigiNotar

(LiveHacking.Com) – Following the revelation that the DigiNotar debacle included certificates for MI6, the CIA and Mossad, Google has updated Chrome to 13.0.782.220 for Windows, Mac and Linux to revoke Chrome’s trust for SSL certificates issued by DigiNotar-controlled intermediate CAs used by the Dutch PKIoverheid program. For more details from Google about the security issues see their Security Blog post about DigiNotar.

Mozilla has also published new information about its decision to revoke its trust in the DigiNotar certificate authority. According to Mozilla the block on DigiNotar is “not a temporary suspension, it is a complete removal from our trusted root program.”

Mozilla list three central reasons for its decision:

1) Failure to notify. DigiNotar detected and revoked some of the fraudulent certificates 6 weeks ago without notifying Mozilla.

2) The scope of the breach remains unknown. While Mozilla were initially informed by Google that a fraudulent *.google.com certificate had been issued, DigiNotar eventually confirmed that more than 200 certificates had been issued against more than 20 different domains. It is now known that the attackers also issued certificates from another of DigiNotar’s intermediate certificates without proper logging. It is therefore impossible to know how many fraudulent certificates exist, or which sites are targeted.

3) The attack is not theoretical. Mozilla have received multiple reports of these certificates being used in the wild.