Feeds

GlobalSign stops issuing SSL certs, probes hacker claims

Better to do it and not need to than vice versa

3 Big data security analytics techniques

GlobalSign has suspended the publication of SSL certificates as a precaution in the wake of unverified claims by a hacker linked to attacks on Comodo and DigiNotar.

The self-named Comodohacker used pastebin in March to claim responsibility for hacks against Comodo that allowed the publication of bogus SSL certificates. The hacker, after months of silence, claimed responsibility this week for the DigiNotar hack and boasted that he was still able to created fake certificates after compromising systems at four other certificate authorities. The hacker, who claims to be an Iranian working alone with no connections to the Iranian government, named one of the compromised CAs as GlobalSign. However, he didn't provide any proof that GlobalSign had been compromised nor did he name the three other supposed victims.

Comodohacker's latest self-aggrandising post suggests that his claimed hack against GlobalSign was ultimately thwarted. "GlobalSign, StartCom was lucky enough, I already connected to their HSM, got access to their HSM, sent my request, but lucky Eddy [StartCom CEO Eddy Nigg] was sitting behind HSM and was doing manual verification."

GlobalSign has responded to the accusation by suspending the publication of digital certificates while it investigates the claims and audits the security of its systems. The firm apologised for the inconvenience while giving no immediate indication on when it might be able to restore services in a statement (extract below) published on its website on Tuesday.

On Sep 5th 2011 the individual/group previously confirmed to have hacked several Comodo resellers, claimed responsibility for the recent DigiNotar hack. In his message posted on Pastebin, he also referred to having access to four further high profile Certificate Authorities, and named GlobalSign as one of the four.

GlobalSign takes this claim very seriously and is currently investigating. As a responsible CA, we have decided to temporarily cease issuance of all Certificates until the investigation is complete. We will post updates as frequently as possible.

We apologise for any inconvenience.

The bold and decisive move contrasts sharply with delays in getting to the root of the problem or going public by DigiNotar after it confirmed its systems had been compromised, to say nothing about the shockingly insecure state of its systems prior to the attack.

Forged certificates created the mechanism to pose as the targeted websites as part of either man-in-the-middle or phishing attacks. Forged Google.com SSL credentials were used to spy on 300,000 Iranian internet users, according to authentication lookup logs on DigiNotar's systems, and separate evidence from Trend Micro.

The Comodohacker posted portions of what purports to be the offending library from systems run by an Italian Comodo reseller to pastebin in order to substantiate claims he was behind the Comodo forged SSL cert hack back in March. In addition, Comodohacker signed a copy of Windows calculator using the private key of a fraudulently-issued Google digital certificate obtained via the Comodo hack. This is solid evidence and contrasts with the lack of proof supplied for other hacks claimed by the Comodogate hacker.

He supplied the supposed admin password of DigiNotar's network in follow-up posts this week, but has yet to supply any evidence that would suggest GlobalSign is compromised.

Security watchers, including Sophos, have praised GlobalSign for forgoing an income stream in order to properly investigate what may turn out to be unsubstantiated claims. ®

3 Big data security analytics techniques

More from The Register

next story
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Samsung Galaxy S5 fingerprint scanner hacked in just 4 DAYS
Sammy's newbie cooked slower than iPhone, also costs more to build
Putin tells Snowden: Russia conducts no US-style mass surveillance
Gov't is too broke for that, Russian prez says
Snowden-inspired crypto-email service Lavaboom launches
German service pays tribute to Lavabit
Mounties always get their man: Heartbleed 'hacker', 19, CUFFED
Canadian teen accused of raiding tax computers using OpenSSL bug
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Heartbleed exploit, inoculation, both released
File under 'this is going to hurt you more than it hurts me'
Reddit users discover iOS malware threat
'Unflod Baby Panda' looks to snatch Apple IDs
prev story

Whitepapers

Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.