DigiNotar Breach Affected 531 Certificates

Updated

A preliminary analysis of the incident now claims that there have been 531 fraudulent certificates. The hackers may have explored DigiNotar's servers for the first time in early June and gained control on June 17. The company detected the hack on June 19, but failed to prevent the creation of the first rogue certificate on July 2. The hacker activity apparently ended on July 22.

Security firm Fox-IT, which was hired by DigiNotar to investigate the "incident", found that DigiNotar's infrastructure was not secure enough to withstand a serious attack. Also, it seems that DigiNotar did not react fast enough and diligently enough to deal with the attack once it was detected. 128 fake certificates were deleted on July 19, 129 were removed on July 21 and an additional 75 on July 29. Of course, the critical *.google.com certificate went unnoticed until August 27. It was revoked on August 29.

DigiNotar has now rightfully been hit with an outpouring of complaints that it did not secure its network to protect its CA infrastructure and therefore endangered the virtual and physical security of Internet users, especially those in Iran. The much more serious problem may be that DigiNotar was aware of the break-in but kept the breach secret. On July 28, DigiNotar found that rogue certificates were being verified from Internet addresses "originating from Iran." The Fox-IT report confirms that users in Iran were the most likely target of the attack. For the fraudulent Google certificate alone, 300,000 IP addresses were identified as having accessed google.com, and 99% of them came from Iran.

DigiNotar said that it now believes the hack was politically motivated. However, it appears that Comodohacker is claiming responsibility for the attack. According to a Pastebin post, the attack enabled him to "own the entire computer network of DigiNotar." He says that he currently has access to four more CAs and is apparently planning to do more damage. Contrary to current belief, he notes that he is not an "Army" in Iran but a single 21-year-old hacker. There was no explanation of why he targeted users in Iran, but he is clearly upset about the Dutch government's connection to the Srebrenica massacre in 1995:

"I heard also that Dutch government tries to gather documents and make a compliment against Iran, really? Shame on you man! Have you been in court for Srebrenica? Who should file compliment for Srebrenica? You should pay, these are consequences of Srebrenica, just know it! This is consequence of fighting with Islam and Muslims in your parliament."

Between 7,500 and 8,000 Muslims were slaughtered during the Srebrenica massacre. Bosnian Serbs overran 110 lightly armed Dutch troops who were positioned to protect the town and its residents. The Dutch government was later blamed for not having prevented the massacre, and the entire Dutch cabinet resigned in 2002 when a report found that the government and senior military officials may have been at fault for not protecting the town.