Tuesday, September 20, 2011

Week 4 Post: DigiNotar, No More

DigiNotar, a company based out of the Netherlands (a subsidiary of VASCO Data Security), will officially be going out of business (claiming bankruptcy), largely due to the efforts of a lone 21-year-old hacker who identifies himself as "Comodohacker."

Earlier this year (July 19th, 2011), DigiNotar was the victim of a cyber attack that resulted in an intrusion into the company's Certificate Authority (CA) infrastructure. This successful attack allowed for the issuance of fraudulent SSL certificates for hundreds of domains, including CIA.gov and Google.com. The fraudulent SSL certificates could be used maliciously by hackers to pass themselves off as a sub-domain of Google.com, CIA.gov, etc. This could allow hackers to perform phishing attacks, spoof content, and perform man-in-the-middle attacks against internet browsers. This event caused Microsoft to remove the DigiNotar root certificate from the Microsoft Certificate Trust List (the list used in Vista, Windows 7, Server 2008, etc.).

DigiNotar was acquired by VASCO Data Security in January 2011 for $12.9 million, but in the first 6 months of 2011, DigiNotar generated less than 100,000 euro in SSL and EVSSL revenue. The company has halted sales of its certificates since the incident.

The court has appointed both a bankruptcy judge and a bankruptcy trustee to manage the bankruptcy process. The trustee is going to work under the supervision of the judge and will be responsible for administration actions and the liquidation process of DigiNotar. The trustee will be submitting his reports to the judge; the reports are expected to be delivered to the public and should serve as the primary source of information for both creditors and stakeholders.

T. Kendall Hunt (VASCO's Chairman and CEO) gave the following statement: "Although we are saddened by this action and the circumstances that necessitated it, we would like to remind our customers and investors that the incident at DigiNotar has no impact on VASCO's core authentication technology. The technological infrastructures of VASCO and DigiNotar remain completely separated, meaning that there is no risk for infection of VASCO's strong authentication business." The only thing missing from his statement to the shareholders is: "p.s. sorry about the $12.9 million we just lost."

This is not the first CA that Comodohacker has hacked into, but it is the first one that has been officially forced out of business as a result of his efforts.    

Comodohacker is reportedly an Iranian loyalist. He has said that he has developed an unbreakable system for replacing SSL certificates. He has said the following: "If my country get equal right as USA in controlling emails, I may share my brilliant unbreakable encryption system for replacement of SSL and CA system." He's also pumped himself up with the following: "P.S.S. never forget, I'm just 21, you have to see much more from me!"

It simply amazes me that a company whose market IS internet security could be destroyed by the efforts of a lone individual. If this isn't a form of situational irony, I don't know what is (but since the word irony is so often misused and seems to have lost its original meaning in our society, thanks Alanis Morissette, chances are this isn't a good example of situational irony whatsoever, but short of tragic, I don't know how to label this event).

Hopefully the next time we hear about Comodohacker, it won't be under headlines about something as horrible as this, an act of digital terrorism; rather, let's hope he does have an unbreakable system for SSL certificates that he is willing to share with the world. Unfortunately, I highly doubt that will be the case.
    

Reference:

Lennon, M. (2011).  Hacker Forces DigiNotar Into Bankruptcy.  Retrieved September 21, 2011, from Security Week Web site: http://www.securityweek.com/hacker-forces-diginotar-bankruptcy
