<<<
NEWS FROM THE LAB - Tuesday, August 30, 2011
>>>
 

 
DigiNotar Hacked by Black.Spook and Iranian Hackers Posted by Mikko @ 09:05 GMT

DigiNotar is a Dutch Certificate Authority. They sell SSL certificates.

DigiNotar

Somehow, somebody managed to get a rogue SSL certificate from them on July 10th, 2011. This certificate was issued for domain name .google.com.

What can you do with such a certificate? Well, you can impersonate Google — assuming you can first reroute Internet traffic for google.com to you. This is something that can be done by a government or by a rogue ISP. Such a reroute would only affect users within that country or under that ISP.

But why would anybody want to intercept Google? Well, this is not really about the search engine at www.google.com. This is about the Gmail servers at mail.google.com and Google Docs at docs.google.com and maybe Google+ at plus.google.com.

We saw a similar attack in May (via Certificate reseller instantssl.it in Italy). That case was tied to Iran. So is this one. It's likely the Government of Iran is using these techniques to monitor local dissidents.

Iran does not have its own Certificate Authority. If they did, they could just issue rogue certificates themselves. But since they don't, they need such certificates from a widely trusted CA. Such as DigiNotar.

How was DigiNotar breached? We don't know yet.

But here's something we just discovered.

This is a screenshot of the page online right now at https://www.diginotar.nl/Portals/0/Extrance.txt:

DigiNotar

DigiNotar's portal has been hacked. Somebody claiming to be an Iranian Hacker has gained access.

This would look like a smoking gun. Obviously this has to be connected somehow to the rogue certificate.

But if you keep looking, you'll find this page from https://www.diginotar.nl/Portals/0/owned.txt:

DigiNotar

Another Iranian hacker group?

If you keep digging deeper, you'll find that although these web defacements are still live right now, they are not new. Much worse: they were done years ago.

Here's another one, done in May 2009 by Turkish hackers at https://www.diginotar.nl/Portals/0/fat.txt:

DigiNotar

In fact, these hacks are so old, it's unlikely they are connected to the current problem. Or at least so we hope.

 

P.S. The news of the whole incident was first broken on Twitter by S. Hamid Kashfi (@hkashfi). He has blogged about man-in-the-middle attacks in Iran already in 2010. Here's his blog post from May 2010 (via Google Translate).

hkashfi

P.P.S. More on problems with SSL as a whole in one of our previous blog posts.

P.P.P.S. DigiNotar's public statement on the breach is out now. It raises more questions than answers. DigiNotar indeed was hacked, on the 19th of July, 2011. The attackers were able to generate several fraudulent certificates, including possibly also EVSSL certificates. But while DigiNotar revoked the other rogue certificates, they missed the one issued to Google. Didn't DigiNotar think it's a tad weird that Google would suddenly renew their SSL certificate, and decide to do it with a mid-sized Dutch CA, of all places? And when DigiNotar was auditing their systems after the breach, how on earth did they miss the Iranian defacement discussed above?

Updated to add: As September 5th, here's the list of known domains that the attacker managed to create fake certificates for:

*.*.com
*.*.org
*.10million.org
*.android.com
*.aol.com
*.azadegi.com
*.balatarin.com
*.comodo.com
*.digicert.com
*.globalsign.com
*.google.com
*.JanamFadayeRahbar.com
*.logmein.com
*.microsoft.com
*.mossad.gov.il
*.mozilla.org
*.RamzShekaneBozorg.com
*.SahebeDonyayeDigital.com
*.skype.com
*.startssl.com
*.thawte.com
*.torproject.org
*.walla.co.il
*.windowsupdate.com
*.wordpress.com
addons.mozilla.org
azadegi.com
friends.walla.co.il
login.live.com
login.yahoo.com
my.screenname.aol.com
secure.logmein.com
twitter.com
wordpress.com
www.10million.org
www.balatarin.com
www.cia.gov
www.cybertrust.com
www.Equifax.com
www.facebook.com
www.globalsign.com
www.google.com
www.hamdami.com
www.mossad.gov.il
www.sis.gov.uk
www.update.microsoft.com

In addition, the attacker created rogue certificates for these names:

Comodo Root CA
CyberTrust Root CA
DigiCert Root CA
DigiCert Root CA
Equifax Root CA
Equifax Root CA
GlobalSign Root CA
Thawte Root CA
VeriSign Root CA