Feeds

DigiNotar goes titsup: Disgraced certificate firm is sunk

Secrecy caused as much trouble as getting hacked

Top 5 reasons to deploy VMware with Tegile

Disgraced digital certificate firm DigiNotar has filed for bankruptcy in The Netherlands.

Hackers broke into DigiNotar's systems in June before creating forged digital certificates in the names of Google and other high-profile targets. The forged Google.com SSL credentials were used to spy on 300,000 Iranian internet users, according to a subsequent analysis of authentication lookup logs on DigiNotar's systems. Comodohacker, the boastful Iranian black hat who had claimed credit for an earlier attack on digital certificate firm Comodo, also claimed credit for the DigiNotar hack.

The hack itself was bad enough but what really did for DigiNotar were two additional aggravating factors: the shockingly insecure set-up of its systems and its failure to promptly come clean on its problems. DigiNotar began revoking certificates in 19 July, after it realised it had been hacked but only got around to revoking the forged *.google.com certificate on 29 July. It only went public a month later, leaving browser makers and internet users ignorant of a huge security hole.

DigiNotar became a security pariah as a result of its handling of the affair, which led browser and operating system developers to bin its certificates in August. A DigiNotar-controlled intermediate was involved in issuing certificates as part of the Dutch government’s public key infrastructure "PKIoverheid" scheme.

The Dutch government initially said that PKIoverheid site certs issued by DigiNotar were still trustworthy, but then changed its mind after getting wind of a damning security audit of DigiNotar's systems and ditching the firm. A preliminary reports from Fox-IT found that although DigiNotar boasted of state-of-the-art facilities, its security was childishly inadequate. Mistakes included a failure to run any anti-virus software on its servers and a lack of segmentation of its network that allowed hackers free rein to plant remote control trojans on its systems.

The certificate agency, which relies on trust to run its business, was never likely to recover from that, so its bankruptcy filing doesn't come as the complete surprise it might otherwise have been.

In a statement issued on Tuesday Vasco (which acquired DigiNotar in January) acknowledged the bankruptcy of its CA subsidiary but maintained this would have no effect on its core authentication business.

“We want to emphasize that the bankruptcy filing by DigiNotar, which was primarily a certificate authority, does not involve VASCO’s core two-factor authentication business,” said Jan Valcke, VASCO’s President and COO.  “While we do not plan to re-enter the certificate authority business in the near future, we expect that we will be able to integrate the PKI/identity verification technology acquired from DigiNotar into our core authentication platform.

"As a result, we expect to be able to offer a stronger authentication product line in the coming year to our traditional customers,” he added.

Vasco is in the process of winding up DigiNotar's business while it continues to assist the authorities in investigation the hack that took its subsidiary down. Vasco hopes the continuing value of the DigiNotar technology will help defray part of the write-off costs associated with the closure of the business. But it did admit that its losses may be substantial.

"While the losses associated with DigiNotar are expected to be significant, we do not expect, given the manner in which the acquisition of DigiNotar was structured, that the value of all of the intangible assets acquired will be fully impaired," said Cliff Bown, VASCO’s executive vice president and CFO.

Security watchers at The Internet Storm Centre said other certificate authorities should learn lessons from DigiNotar's demise.

"The CA business is all about selling trust," ISC staffer Swa Frantzen writes. "After all a CA is supposed to be a trusted third party. Let's hope all the remaining ones get the right message: it's not about not getting caught being hacked. On the contrary: it's about doing the right thing once you have been hacked. Let's hope it leads to more transparency and public scrutiny of the CAs we trust explicitly or implicitly though the choice of some of our vendors." ®

Internet Security Threat Report 2014

More from The Register

next story
'Kim Kardashian snaps naked selfies with a BLACKBERRY'. *Twitterati gasps*
More alleged private, nude celeb pics appear online
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
UK.gov lobs another fistful of change at SME infosec nightmares
Senior Lib Dem in 'trying to be relevant' shocker. It's only taxpayers' money, after all
Spies would need SUPER POWERS to tap undersea cables
Why mess with armoured 10kV cables when land-based, and legal, snoop tools are easier?
TOR users become FBI's No.1 hacking target after legal power grab
Be afeared, me hearties, these scoundrels be spying our signals
Snowden, Dotcom, throw bombs into NZ election campaign
Claim of tapped undersea cable refuted by Kiwi PM as Kim claims extradition plot
Freenode IRC users told to change passwords after securo-breach
Miscreants probably got in, you guys know the drill by now
THREE QUARTERS of Android mobes open to web page spy bug
Metasploit module gobbles KitKat SOP slop
BitTorrent's peer-to-peer chat app Bleep goes live as public alpha
A good day for privacy as invisble.im also reveals its approach to untraceable chats
prev story

Whitepapers

Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.