July 27, 2014

DigiNotar Issued Fake SSL Certificates for CIA, MI6 and Mossad

(LiveHacking.Com) - The fallout from the security breach at DigiNotar continues to grow. New revelations about the extent of the breach have now come to light. It appears that because DigiNotar is a “root” certificate authority, it can delegate authority to intermediaries to sign and validate certificates on its behalf. It now seems that the hackers signed 186 intermediate certificates that masquerade as well-known certificate authorities such as Thawte, Verisign and Equifax.

The expanded list of domains for which fraudulent certificates were issued now includes Facebook, Google, Microsoft, Yahoo!, Tor, Skype, Mossad, CIA, MI6, LogMeIn, Twitter, Mozilla, AOL and WordPress. A complete list can be downloaded from the Tor website.

As a result of the wide scale of this incident, Google and Mozilla have now blocked all certificates issued by DigiNotar. According to Mozilla, “DigiNotar issues certificates as part of the Dutch government’s PKIoverheid (PKIgovernment) program. These certificates are issued from a different DigiNotar-controlled intermediate, and chain up to the Dutch government CA (Staat der Nederlanden).” The Dutch government has since audited DigiNotar’s performance and removed it from its PKIoverheid role. Therefore all DigiNotar certificates will now be untrusted by Mozilla products.
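
The following simplified model is an added example, not part of the original article. It shows why blocking individual certificates is weaker than removing the root when rogue intermediates exist. Key identifiers stand in for real signature checks, and all key ids, serial numbers and the .test hostnames are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str        # display name; whoever issues the cert picks it freely
    key_id: str         # stands in for the certificate's own public key
    issuer_key_id: str  # stands in for the signature: which key signed it
    serial: int

def validate(leaf, intermediates, trusted_roots, blocked_serials=frozenset()):
    """Return the chain of subject names if leaf reaches a trusted root, else None."""
    by_key = {c.key_id: c for c in intermediates}
    chain, cur = [], leaf
    for _ in range(8):                      # bounded path length, avoids loops
        if cur is None or cur.serial in blocked_serials:
            return None
        chain.append(cur.subject)
        if cur.issuer_key_id in trusted_roots:
            return chain + [trusted_roots[cur.issuer_key_id]]
        cur = by_key.get(cur.issuer_key_id)  # follow the signing key, not the name
    return None

# Constructed trust store: key id -> root name.
ROOTS = {"k-diginotar": "DigiNotar Root CA", "k-thawte": "Thawte"}
# Rogue intermediate: carries the name "Thawte" but was signed by DigiNotar's key.
ROGUE_INTERMEDIATE = Cert("Thawte", "k-rogue", "k-diginotar", 1001)
KNOWN_FAKE = Cert("*.google.com", "k-leaf1", "k-diginotar", 2001)
UNLISTED_FAKE = Cert("login.example.test", "k-leaf2", "k-rogue", 2002)
GENUINE = Cert("www.example.test", "k-leaf3", "k-thawte", 3001)

def scenarios():
    pool = [ROGUE_INTERMEDIATE]
    no_diginotar = {k: v for k, v in ROOTS.items() if k != "k-diginotar"}
    return {
        # Blocklist holds only the serial that has been discovered so far.
        "blocklist_known": validate(KNOWN_FAKE, pool, ROOTS, {2001}),
        "blocklist_unlisted": validate(UNLISTED_FAKE, pool, ROOTS, {2001}),
        # Root removed: everything that chains to DigiNotar's key fails.
        "root_removed_unlisted": validate(UNLISTED_FAKE, pool, no_diginotar),
        "root_removed_genuine": validate(GENUINE, pool, no_diginotar),
    }

if __name__ == "__main__":
    for name, chain in scenarios().items():
        print(f"{name:22} -> {chain}")
```

The unlisted certificate still validates under the blocklist because its chain ends at the DigiNotar key despite the "Thawte" name on the intermediate; only removing the root rejects it while leaving certificates from the genuine Thawte key untouched.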

How Many Certificates Did Hackers Take From DigiNotar?

(LiveHacking.Com) - It looks like the dust isn’t going to settle quickly on the recent security breach at the Dutch Certificate Authority (CA) DigiNotar. A few days ago, DigiNotar’s parent company VASCO Data Security International, Inc. admitted that a security breach in its Certificate Authority (CA) infrastructure allowed the fraudulent issuance of public key certificate requests for a number of domains, including Google.com. It now seems that the actual number is over 200, maybe even more than 250.

Recent changes to Chromium, the open-source project that acts as a base for Google’s Chrome browser, list 247 DigiNotar certificates that are now blacklisted plus two intermediate certificates.

There is a growing sense that DigiNotar haven’t been as upfront about this incident as they could be.

It has now come to light that a certificate was also issued for addons.mozilla.org. “DigiNotar informed us that they issued fraudulent certs for addons.mozilla.org in July, and revoked them within a few days of issue,” Johnathan Nightingale, Mozilla’s director of Firefox development, wrote in a statement. “In the absence of a full account of mis-issued certificates from DigiNotar, the Mozilla team moved quickly to remove DigiNotar from our root program and protect our users.”

DigiNotar Admits Security Breach Allowed Fake Google Certificate to be Issued

(LiveHacking.Com) - DigiNotar’s parent company VASCO Data Security International, Inc. has admitted that a security breach in its Certificate Authority (CA) infrastructure allowed the fraudulent issuance of public key certificate requests for a number of domains, including Google.com.

The press release goes on to say that “at that time, an external security audit concluded that all fraudulently issued certificates were revoked. Recently, it was discovered that at least one fraudulent certificate had not been revoked at the time. After being notified by [the] Dutch government organization Govcert, DigiNotar took immediate action and revoked the fraudulent certificate.”

As I noted yesterday, Microsoft has responded to the news by removing the DigiNotar root certificate from the Microsoft Certificate Trust List.

Mozilla has now announced that it is releasing updates for Firefox (3.6.21, 6.0.1, 7, 8 and 9) and Firefox Mobile (6.0.1, 7, 8 and 9), Thunderbird (3.1.13 and 6.0.1) and SeaMonkey (2.3.2), which will also revoke trust in DigiNotar’s root certificate. They have also posted instructions on how to manually delete the DigiNotar Root CA certificate from Firefox.

Google has also now released Chrome 13.0.782.218 for Windows, Mac and Linux. This new version contains an updated version of the Adobe Flash Player and has disabled the DigiNotar root certificate.

Fraudulent Google.com Digital Certificate in the Wild

(LiveHacking.Com) - It has come to light that at least one fraudulent digital certificate has been issued by DigiNotar, a root certificate authority, for Google.com. The digital certificate affects the main domain and all the subdomains of Google.com and could be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks against all Web browser users.

The problem for users is that because the certificate is valid, the web browser will not display a warning message if a user goes to a fake website signed with this certificate.

Microsoft have responded to the news by removing the DigiNotar root certificate from the Microsoft Certificate Trust List. It is likely that others like Apple and Mozilla will also block this certificate in the near future.

This isn’t the first time that a fake certificate for Google.com has been issued by a certificate authority. Back in March of this year several false certificates were issued for popular domains, including Google.com, when a hacker breached the security at Comodo.

It’s unclear, at this time, how the certificate was obtained, but it is known that DigiNotar has revoked the digital certificate in question.