One year after DigiNotar breach, Fox-IT details extent of compromise

The hacker gained admin access to all critical DigiNotar certificate authority systems despite network segmentation, investigators say

By Lucian Constantin, IDG News Service
November 01, 2012 10:40 AM ET

IDG News Service - The 2011 security breach at Dutch certificate authority (CA) DigiNotar resulted in an extensive compromise and was facilitated in part by shortcomings in the company's network segmentation and firewall configuration, according to Fox-IT, the security company contracted by the Dutch government to investigate the incident.

"The DigiNotar network was divided into 24 different internal network segments," Fox-IT said in its final investigation report, published earlier this week by the Dutch Ministry of Interior and Kingdom Relations. "An internal and external Demilitarized Zone (DMZ) separated most segments of the internal network from the Internet. The zones were not strictly described or enforced and the firewall contained many rules that specified exceptions for network traffic between the various segments."

The DigiNotar security breach occurred in July 2011 and resulted in a hacker using the company's certificate authority (CA) infrastructure to issue hundreds of rogue digital certificates for high-profile domains, including one for google.com that was later used in a mass surveillance attack against Internet users in Iran. After the incident became public, browser and operating system developers revoked their trust in the certificates and the company filed for bankruptcy.

The breach was significant because it raised questions about the security and trustworthiness of the public key infrastructure (PKI) in its current form, which led to various technical proposals that promise to reduce the impact of certificate authority compromises and prevent the use of rogue digital certificates. There are currently hundreds of certificate authorities trusted by default in Web browsers and operating systems, and all of them can issue valid digital certificates for any domain on the Internet.

The attacker's original points of entry into the DigiNotar network were two Web servers that hosted public websites running on outdated and vulnerable versions of DotNetNuke, a Web content management system. These Web servers were located in the company's external Demilitarized Zone.

The intruder then leveraged the existing firewall rules to access and compromise servers in other network segments -- first in a segment called Office-net and then in a segment called Secure-net, which housed the certificate authority servers used for issuing digital certificates.

"Specialized tools were recovered on systems in these segments, which were used to create tunnels that allowed the intruder to make an Internet connection to DigiNotar's systems that were not directly connected to the Internet," Fox-IT said. "The intruder was able to tunnel Remote Desktop Protocol connections in this way, which provided a graphical user interface on the compromised systems, including the compromised CA servers."
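The pivot path Fox-IT describes (external DMZ to Office-net to Secure-net, made possible by firewall exceptions between segments) is the kind of finding a rule-set audit can surface before an intruder does. The following is an added illustration, not code from the report or from DigiNotar: it treats each allow rule as a directed edge between segments and searches for any path from the Internet into a segment that policy says must stay unreachable. The segment names echo the report; the rule set itself is constructed, and first-match rule ordering is not modelled.

```python
from collections import deque
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    src: str      # source segment
    dst: str      # destination segment
    port: int     # destination port
    action: str   # "allow" or "deny"

# Segments that, by policy, must never be reachable from the Internet,
# even through a chain of per-segment exceptions.
PROTECTED = {"secure-net"}

# Constructed sample rule set (hypothetical, not DigiNotar's actual firewall).
SAMPLE_RULES = [
    Rule("internet", "ext-dmz", 80, "allow"),
    Rule("internet", "ext-dmz", 443, "allow"),
    Rule("ext-dmz", "office-net", 445, "allow"),      # exception: DMZ into office LAN
    Rule("office-net", "secure-net", 3389, "allow"),  # exception: RDP into CA segment
    Rule("ext-dmz", "secure-net", 3389, "deny"),      # direct hop blocked, chain is not
]

def adjacency(rules):
    """Directed segment graph: every allow rule adds an edge src -> dst.
    Deny rules add nothing; a deny on one hop does not break a multi-hop path."""
    graph = {}
    for r in rules:
        if r.action == "allow" and r.src != r.dst:
            graph.setdefault(r.src, set()).add(r.dst)
    return graph

def reachable_paths(rules, start="internet"):
    """Breadth-first search; returns the shortest path from start to each reachable segment."""
    graph = adjacency(rules)
    paths = {start: [start]}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        for nxt in sorted(graph.get(cur, ())):
            if nxt not in paths:
                paths[nxt] = paths[cur] + [nxt]
                queue.append(nxt)
    return paths

def segmentation_violations(rules, protected=PROTECTED, start="internet"):
    """Map each protected segment reachable from start to the path that reaches it."""
    paths = reachable_paths(rules, start)
    return {seg: path for seg, path in paths.items() if seg in protected}

if __name__ == "__main__":
    for seg, path in segmentation_violations(SAMPLE_RULES).items():
        print(f"{seg} reachable from the Internet via: {' -> '.join(path)}")
```

On the sample rules this reports secure-net as reachable through ext-dmz and office-net, even though the only direct rule into secure-net from the DMZ is a deny.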

DigiNotar operated multiple subordinate certificate authorities (sub CAs) and used them to issue digital certificates for different purposes, including certificates for the Dutch government's IT operations.
