GlobalSign stops issuing SSL certs, probes hacker claims

Better to do it and not need to than vice versa

GlobalSign has suspended the publication of SSL certificates as a precaution in the wake of unverified claims by a hacker linked to attacks on Comodo and DigiNotar.

The self-named Comodohacker used Pastebin in March to claim responsibility for hacks against Comodo that allowed the publication of bogus SSL certificates. After months of silence, the hacker claimed responsibility this week for the DigiNotar hack and boasted that he was still able to create fake certificates after compromising systems at four other certificate authorities. The hacker, who claims to be an Iranian working alone with no connection to the Iranian government, named one of the compromised CAs as GlobalSign. However, he provided no proof that GlobalSign had been compromised, nor did he name the three other supposed victims.

Comodohacker's latest self-aggrandising post suggests that his claimed hack against GlobalSign was ultimately thwarted. "GlobalSign, StartCom was lucky enough, I already connected to their HSM, got access to their HSM, sent my request, but lucky Eddy [StartCom CEO Eddy Nigg] was sitting behind HSM and was doing manual verification."

GlobalSign has responded to the accusation by suspending the issuance of digital certificates while it investigates the claims and audits the security of its systems. In a statement (extract below) published on its website on Tuesday, the firm apologised for the inconvenience but gave no indication of when it might be able to restore services.

On Sep 5th 2011 the individual/group previously confirmed to have hacked several Comodo resellers claimed responsibility for the recent DigiNotar hack. In his message posted on Pastebin, he also referred to having access to four further high profile Certificate Authorities, and named GlobalSign as one of the four.

GlobalSign takes this claim very seriously and is currently investigating. As a responsible CA, we have decided to temporarily cease issuance of all Certificates until the investigation is complete. We will post updates as frequently as possible.

We apologise for any inconvenience.

The bold and decisive move contrasts sharply with DigiNotar's delays both in getting to the root of the problem and in going public after it confirmed its systems had been compromised, to say nothing of the shockingly insecure state of its systems before the attack.

Forged certificates gave attackers a means to pose as the targeted websites in man-in-the-middle or phishing attacks. Forged Google.com SSL credentials were used to spy on 300,000 Iranian internet users, according to authentication lookup logs on DigiNotar's systems and separate evidence from Trend Micro.

To substantiate his claim that he was behind the Comodo forged SSL cert hack back in March, Comodohacker posted to Pastebin portions of what purports to be the offending library from systems run by an Italian Comodo reseller. In addition, he signed a copy of Windows Calculator using the private key of a fraudulently issued Google digital certificate obtained via the Comodo hack. This is solid evidence, and it contrasts with the lack of proof supplied for the other hacks claimed by the Comodogate hacker.

He supplied the supposed admin password of DigiNotar's network in follow-up posts this week, but has yet to offer any evidence that would suggest GlobalSign is compromised.

Security watchers, including Sophos, have praised GlobalSign for forgoing an income stream in order to properly investigate what may turn out to be unsubstantiated claims. ®
