Dutch certificate authority DigiNotar issued more than twice as many fraudulent certificates as initially believed, according to Fox-IT, the auditors investigating the breach, and the rogue certificates covered domains belonging to intelligence agencies including the CIA.
The intrusion came to light a week ago, when Google warned that a fraudulent wildcard certificate for *.google.com had been issued in DigiNotar's name, potentially allowing man-in-the-middle attacks against users of Gmail and other Google services.
Fox-IT says that the initial compromise took place on June 17, and was discovered by DigiNotar two days later, but that the first rogue certificate was not issued until July 10.
And over the next ten days, says Fox-IT, 530 fraudulent certificates were issued – more than twice as many as initially reported.
Rogue certificates were issued for domains belonging to the CIA, MI6, Mossad, Facebook, Microsoft, Skype and Twitter, among others.
During the active attack period, more than 99 percent of the validation (OCSP) requests for the rogue Google certificate originated from Iranian IP addresses, suggesting that the Iranian government may have been responsible, possibly targeting the country’s dissidents.
The Fox-IT report indicates that security procedures at DigiNotar were laxer than they should have been. All of the certificate servers were members of a single Windows domain, so one set of domain credentials gave the intruders control of every CA server once they were in.
The administrator password was simple and could easily be brute-forced, and much of the malware and tooling used in the attack could have been detected by ordinary anti-virus software.
Perhaps worst of all, DigiNotar appears to have been fully compromised for well over a month before it took action, and even then it was another month before it notified the public.
“This incident demonstrates in a real way the fragility of the SSL/TLS certificate trust model in use on the net today. I hope adoption of replacement technologies like Moxie Marlinspike’s Convergence takes off in a meaningful way to provide us with more confidence in the security of our communications,” says Chester Wisniewski of Sophos.
“We now know not to trust certificates issued by DigiNotar, but how many of the 600-plus other certificate authorities have similar security holes and may already be compromised?”
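The two points the story turns on, that any trusted CA can mint a certificate for any site (the man-in-the-middle risk Google warned about) and that the trust model offers nothing beyond "chains to some trusted root" (the fragility Wisniewski describes), can be reproduced with a throwaway PKI. The script below is an added example, not code from the article, from Fox-IT or from DigiNotar; the "Hypothetical Rogue Root CA", the *.example.com name and the file names are all invented for the demonstration. It builds a rogue root, has it sign a certificate for a site whose real key it does not hold, shows that ordinary chain validation accepts that certificate, and then shows that a public key pin (the SHA-256 hash of the site's real SubjectPublicKeyInfo, the check that caught the rogue *.google.com certificate in Chrome) rejects it, because the attacker had to generate a fresh key pair.

```shell
#!/bin/sh
# Added example (not from the article, Fox-IT or DigiNotar): a throwaway PKI
# that reproduces the DigiNotar failure mode. All names are hypothetical.
#   1. A certificate for *.example.com signed by a rogue-but-trusted root
#      validates cleanly: chain validation only asks "does this chain to a
#      root I trust?", never "is this the CA that should vouch for this site?".
#   2. A public key pin (SHA-256 of the real SubjectPublicKeyInfo) rejects the
#      same certificate, because the attacker could not reuse the real key.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Hypothetical rogue root, standing in for the compromised DigiNotar root.
# Our "client" trusts it because it is in the -CAfile bundle we verify against.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$WORK/rogue-ca.key" -out "$WORK/rogue-ca.pem" \
    -subj "/CN=Hypothetical Rogue Root CA" >/dev/null 2>&1

# The site operator's real key pair, which the attacker never obtains.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$WORK/real.key" -out "$WORK/real.pem" \
    -subj "/CN=*.example.com" >/dev/null 2>&1

# The rogue certificate: same name, fresh key, signed by the rogue root.
openssl req -newkey rsa:2048 -nodes \
    -keyout "$WORK/rogue.key" -out "$WORK/rogue.csr" \
    -subj "/CN=*.example.com" >/dev/null 2>&1
openssl x509 -req -days 1 -in "$WORK/rogue.csr" \
    -CA "$WORK/rogue-ca.pem" -CAkey "$WORK/rogue-ca.key" -CAcreateserial \
    -out "$WORK/rogue.pem" >/dev/null 2>&1

# spki_pin CERT: base64(SHA-256(DER SubjectPublicKeyInfo)), the pin format
# used by Chrome's built-in pins and by HPKP.
spki_pin() {
    openssl x509 -in "$1" -pubkey -noout \
      | openssl pkey -pubin -outform DER \
      | openssl dgst -sha256 -binary \
      | openssl base64
}

# chain_ok CERT CABUNDLE: what a 2011 browser did. Succeeds whenever the
# certificate chains to any root in the bundle, regardless of which CA it is.
chain_ok() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# pin_ok CERT EXPECTED_PIN: succeeds only if the leaf key is the pinned one.
pin_ok() {
    [ "$(spki_pin "$1")" = "$2" ]
}

# The pin is derived from the real certificate, e.g. shipped in the client.
EXPECTED_PIN=$(spki_pin "$WORK/real.pem")

if chain_ok "$WORK/rogue.pem" "$WORK/rogue-ca.pem"; then
    echo "chain validation: ACCEPTED rogue *.example.com certificate (trusted root, wrong CA)"
fi
if pin_ok "$WORK/rogue.pem" "$EXPECTED_PIN"; then
    echo "pin check: accepted"
else
    echo "pin check: REJECTED rogue certificate (SPKI $(spki_pin "$WORK/rogue.pem") is not pinned $EXPECTED_PIN)"
fi
```

Run it with any OpenSSL 1.1.1 or 3.x installation; it writes only to a temporary directory that is removed on exit. Note what the pin does and does not buy you: it stops a rogue certificate for a site whose key you already know, which is why it worked for Google's own domains in its own browser, but it does nothing for the hundreds of other names DigiNotar signed, and it only helps clients that carry the pin before the attack.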