Security Advisor

Reactions to Hijacked Web Certifications

Companies like Mozilla and Microsoft hit the Web to denounce Web certificates issued by Dutch company DigiNotar.

A Dutch Internet security company, international spy agencies, alleged Iranian hackers, an upstart open source browser collective and the largest software company in the world, Microsoft, all converge in a twisted web of cyber security intrigue. It's all straight out of an international crime thriller.

But as the week begins, there are no witty punch lines, big explosions and neat endings -- just an ongoing battle in an increasingly ominous global IT environment in the real world, with real stakes and real dangers.

DigiNotar, a Dutch subsidiary of VASCO Data Security International Inc., announced that it was hit harder than it had previously suspected in July, when hackers got into its network and gained access to what the company now says are hundreds of forged Secure Sockets Layer (SSL) certificates for third-party domains.

Such domains included MI6, the Central Intelligence Agency, Mossad, Twitter, Facebook, Microsoft and Google. Although it's unlikely that hackers can break into any of these networks with fake certificates, The Hague, Microsoft and Google are taking this event seriously.

This blogger would also like to add…Yikes.

Microsoft and Mozilla Response

After DigiNotar's announcement, Gervase Markham, a programmer at Mozilla, put a partial list of these certificates online last Saturday.

By Tuesday, Microsoft responded by updating Security Advisory 2607712. It announced, based on its investigation, that it has deemed all DigiNotar certificates to be untrustworthy and has moved them to the "Untrusted Certificate Store."

The details, found in this MSRC blog post, offered assurance that Microsoft customers and Windows-supported third-party applications "are protected."

"Microsoft recognizes that this issue is an industry problem, and has been actively collaborating with certificate authorities, governments, and software vendors to help protect its mutual customers," a company spokesman said, adding that it would update its own blog with new info as it becomes available.

The Iran Connection and a 'Death Sentence'?

Although it's not confirmed that Iranian hackers are the ones behind the incursion, what spurred the suspicion is that the attackers created fake certificates with messages praising the Iranian Revolutionary Guard, according to published reports.

As the investigation continues at Redmond and by government authorities at The Hague, the implications are becoming clear: Global networks are vulnerable and it's going to take government and private sector collaboration to stem the tide of a growing number of data breaches.

"We recognize this issue as an industry problem, and we have been actively collaborating with certificate authorities, governments, and software vendors to help protect our mutual customers," wrote Dave Forstrom, director of Microsoft's Trustworthy Computing group, in the blog post.

This should be a lesson not only for security companies but corporate entities experiencing data breaches in general.

A tweet from Jeremiah Grossman, the CTO of WhiteHat Security, says it best when commenting on how Microsoft and Google rejected all certificates from the Dutch company: Such safeguards are "Effectively a death sentence for DigiNotar," he wrote.

About the Author

Jabulani Leffall is an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.
