Feeds

GlobalSign stops issuing SSL certs, probes hacker claims

Better to do it and not need to than vice versa

Security for virtualized datacentres

GlobalSign has suspended the publication of SSL certificates as a precaution in the wake of unverified claims by a hacker linked to attacks on Comodo and DigiNotar.

The self-named Comodohacker used pastebin in March to claim responsibility for hacks against Comodo that allowed the publication of bogus SSL certificates. The hacker, after months of silence, claimed responsibility this week for the DigiNotar hack and boasted that he was still able to created fake certificates after compromising systems at four other certificate authorities. The hacker, who claims to be an Iranian working alone with no connections to the Iranian government, named one of the compromised CAs as GlobalSign. However, he didn't provide any proof that GlobalSign had been compromised nor did he name the three other supposed victims.

Comodohacker's latest self-aggrandising post suggests that his claimed hack against GlobalSign was ultimately thwarted. "GlobalSign, StartCom was lucky enough, I already connected to their HSM, got access to their HSM, sent my request, but lucky Eddy [StartCom CEO Eddy Nigg] was sitting behind HSM and was doing manual verification."

GlobalSign has responded to the accusation by suspending the publication of digital certificates while it investigates the claims and audits the security of its systems. The firm apologised for the inconvenience while giving no immediate indication on when it might be able to restore services in a statement (extract below) published on its website on Tuesday.

On Sep 5th 2011 the individual/group previously confirmed to have hacked several Comodo resellers, claimed responsibility for the recent DigiNotar hack. In his message posted on Pastebin, he also referred to having access to four further high profile Certificate Authorities, and named GlobalSign as one of the four.

GlobalSign takes this claim very seriously and is currently investigating. As a responsible CA, we have decided to temporarily cease issuance of all Certificates until the investigation is complete. We will post updates as frequently as possible.

We apologise for any inconvenience.

The bold and decisive move contrasts sharply with delays in getting to the root of the problem or going public by DigiNotar after it confirmed its systems had been compromised, to say nothing about the shockingly insecure state of its systems prior to the attack.

Forged certificates created the mechanism to pose as the targeted websites as part of either man-in-the-middle or phishing attacks. Forged Google.com SSL credentials were used to spy on 300,000 Iranian internet users, according to authentication lookup logs on DigiNotar's systems, and separate evidence from Trend Micro.

The Comodohacker posted portions of what purports to be the offending library from systems run by an Italian Comodo reseller to pastebin in order to substantiate claims he was behind the Comodo forged SSL cert hack back in March. In addition, Comodohacker signed a copy of Windows calculator using the private key of a fraudulently-issued Google digital certificate obtained via the Comodo hack. This is solid evidence and contrasts with the lack of proof supplied for other hacks claimed by the Comodogate hacker.

He supplied the supposed admin password of DigiNotar's network in follow-up posts this week, but has yet to supply any evidence that would suggest GlobalSign is compromised.

Security watchers, including Sophos, have praised GlobalSign for forgoing an income stream in order to properly investigate what may turn out to be unsubstantiated claims. ®

Internet Security Threat Report 2014

More from The Register

next story
UK smart meters arrive in 2020. Hackers have ALREADY found a flaw
Energy summit bods warned of free energy bonanza
DRUPAL-OPCALYPSE! Devs say best assume your CMS is owned
SQLi hole was hit hard, fast, and before most admins knew it needed patching
Knock Knock tool makes a joke of Mac AV
Yes, we know Macs 'don't get viruses', but when they do this code'll spot 'em
Feds seek potential 'second Snowden' gov doc leaker – report
Hang on, Ed wasn't here when we compiled THIS document
Mozilla releases geolocating WiFi sniffer for Android
As if the civilians who never change access point passwords will ever opt out of this one
Why weasel words might not work for Whisper
CEO suspends editor but privacy questions remain
prev story

Whitepapers

Choosing cloud Backup services
Demystify how you can address your data protection needs in your small- to medium-sized business and select the best online backup service to meet your needs.
Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.
Simplify SSL certificate management across the enterprise
Simple steps to take control of SSL across the enterprise, and recommendations for a management platform for full visibility and single-point of control for these Certificates.