DigiNotar scandal worsens: 500+ rogue certificates issued, five CAs breached

The hacker who breached the DigiNotar certificate authority has come out, or at least claimed to. He appears to be the same hacker who breached Comodo, another CA, several months ago. (Hat tip to F-Secure.) "COMODOHACKER" seems to have a problem with the Dutch government.

He claims to have gotten past numerous sophisticated protections in DigiNotar's systems, the details of which he will divulge later, and that he retains inside access to four other "high-profile" CAs and can still issue rogue certificates from them. He also claims that the password for the PRODUCTION\Administrator account (the domain administrator of certificate network) is "Pr0d@dm1n".

As more details come out about the actual hack, the news just gets worse and worse. Among the fraudulent certificates issued were the wildcards *.*.com and *.*.org. Some of the best detail can be found in this blog posting at the TOR Project.

The TOR posting includes a link to a spreadsheet with 531 rogue certificates issued by COMODOHACKER on behalf of DigiNotar. One of them appears to be a calling card. I quote the TOR posting:

"Of particular note is this certificate:
CN=*.RamzShekaneBozorg.com,SN=PK000229200006593,OU=Sare Toro Ham Mishkanam,L=Tehran,O=Hameye Ramzaro Mishkanam,C=IR
The text here appears to be be an entry like any other but it is infact a calling card from a Farsi speaker. RamzShekaneBozorg.com is not a valid domain as of this writing.
Thanks to an anonymous Farsi speaker, I now understand that the above certificate is actually a comment to anyone who bothers to read between the lines:
"RamzShekaneBozorg" is "great cracker"
"Hameyeh Ramzaro Mishkanam" translates to "I will crack all encryption"
"Sare Toro Ham Mishkanam" translates to 'i hate/break your head'"

Reactions continue to roll in from around the web. Microsoft has updated their response to it. They dismiss the significance of the *.windowsupdate.com certificate as the domain is not used and Microsoft's update software has multiple protections against false updates. They note the *.microsoft.com certificate but make no particular remarks about it.

Vista, Windows 7, Windows Server 2008 and 2008 R2 users have been protected for some time against these fraudulent certificates because of updates Microsoft made to an online CA list they maintain. The picture for Windows XP and Windows Server 2003 users is less clear. KB2607712 says that "Microsoft will release a future update to address this issue for all supported editions of Windows XP and Windows Server 2003." Are they still vulnerable? The lack of a claim that they aren't would seem to be confirmation that they are.

Trend Micro's Malware Blog argues that these certificates were used to spy on Iranian Internet users on a large scale. The certificates were encountered by users across the country.

Kaspersky's Roel Schouwenberg says that the DigiNotar scandal may turn out more important than Stuxnet, not because of sophistication, but because of ominous consequences. DigiNotar had operated a CA used for Dutch government operations and that CA is also presumed broken. Government services and communication have been disrupted. Schouwenberg: "Because of this one could make an argument the attack is an act of cyberwar." He also expresses concern that Apple has taken no actions to revoke the bogus certificates nor made any announcements that they plan to.

Many claim that this is proof of the failure of the CA system. I'm not sure it's worth going that far, but this incident does underscore the main weakness of that system, namely the great amount of trust placed in certificate authorities by client software, mainly web browsers, and therefore by users of those programs. If the CAs are not trustworthy, the security of the system collapses.

Photo Credit: Jimmi/Shutterstock

Larry Seltzer is a freelance writer and consultant, dealing mostly with security matters. He has written recently for Infoworld, eWEEK, Dr. Dobb's Journal, and is a Contributing Editor at PC Magazine and author of their Security Watch blog. He has also written for Symantec Authentication (formerly VeriSign) and Lumension's Intelligent Whitelisting site.