Hackers acquire Google certificate, could hijack Gmail accounts

fsr · Sep 8, 2011

Two updates from GlobalSign

Update from #GlobalSign. We deem these claims to represent an industry wide attack. At this time we continue with our investigation and precautionary measures. We thank our customers, and the industry as a whole, for supporting the difficult decision to halt issuance while these steps are taken. We will update again as soon as we release a defined timeline to reactivate our services.
Click to expand...

Link

Update from #GlobalSign. We will start bringing services back online on Monday. We have already stated that we deem this to be an industry wide threat due to the mention of multiple CAs. We are adopting a high threat approach to bringing services back online and we are working with a number of organisations to audit the process of bringing the services back online. We apologise again for the delay.

We would like to take the opportunity to explain that the GlobalSign CA root was created offline, and always has been offline. Any claim of the Comodohacker to holding a private key does not refer to the GlobalSign offline root CA. The investigation also continues.
Click to expand...

Link

fsr · Sep 8, 2011

Mozilla wants all CAs to check their systems for intrusion and report back within a week

All,

I have sent the following communication to CAs with root certificates in
NSS.

Kathleen
==
Dear Certification Authority,

This note requests a set of immediate actions on your behalf, as a
participant in the Mozilla root program.

Mozilla recently removed the DigiNotar root certificate in response to
their failure to promptly detect, contain, and notify Mozilla of a
security breach regarding their root and subordinate certificates
(https://blog.mozilla.com/security/2011/09/02/diginotar-removal-follow-up).
If you ever have reason to suspect a security breach or mis-issuance has
occurred at your CA or elsewhere, please contact secur...@mozilla.org
immediately.

Please confirm completion of the following actions or state when these
actions will be completed, and provide the requested information no
later than September 16, 2011:

1) Audit your PKI and review your systems to check for intrusion or
compromise. This includes all third party CAs and RAs.

2) Send a complete list of CA certificates from other roots in our
program that your roots (including third party CAs and RAs) have
cross-signed. A listing of all root certificates in Mozilla's products
is here: http://www.mozilla.org/projects/security/certs/included

3) Confirm that multi-factor authentication is required for all accounts
capable of directly causing certificate issuance.

4) Confirm that you have automatic blocks in place for high-profile
domain names (including those targeted in the DigiNotar and Comodo
attacks this year). Please further confirm your process for manually
verifying such requests, when blocked.

5) For each external third party (CAs and RAs) that issues certificates
or can directly cause the issuance of certificates within the hierarchy
of the root certificate(s) that you have included in Mozilla products,
either:

a) Implement technical controls to restrict issuance to a specific set
of domain names which you have confirmed that the third party has
registered or has been authorized to act for (e.g. RFC5280 x509 dNSName
name constraints, marked critical)

OR

b) Send a complete list of all third parties along with links to each of
their corresponding Certificate Policy and/or Certification Practice
Statement and provide public attestation of their conformance to the
stated verification requirements and other operational criteria by a
competent independent party or parties with access to details of the
subordinate CA's internal operations.

Each action requested above applies both to your root and to these third
parties.

Participation in Mozilla's root program is at our sole discretion, and
we will take whatever steps are necessary to keep our users safe.
Nevertheless, we believe that the best approach to safeguard that
security is to work with CAs as partners, to foster open and frank
communication, and to be diligent in looking for ways to improve. Thank
you for your participation in this pursuit.

Regards,
Kathleen Wilson
Module Owner of Mozilla's CA Certificates Module

===
Click to expand...

Mozilla Communication: Immediate action requested

Via

BoerenkoolMetWorst · Sep 8, 2011

fsr said:

Mozilla wants all CAs to check their systems for intrusion and report back within a week

Mozilla Communication: Immediate action requested

Via
Click to expand...

That's a step in the good direction

GammaRay · Sep 8, 2011

There's something I'd like to know. With one of those fraudulent certificates, the user would be redirected to another page that isn't Google's or would it still go straight to Google's pages? I mean, if you suspect you're being redirected, checking the IP would alert you if anything unusual is going on, right? Or am I missing something?

JRViejo · Sep 8, 2011

The hacker with links to several breaches of SSL certificate-issuing networks this year admitted sharing stolen certificates with others in Iran, and threatened to extend future spy-style attacks to computer users in the U.S., Europe and Israel.
Click to expand...

DigiNotar hacker threatens to expand spy attacks using stolen certificates by Gregg Keizer.

CloneRanger · Sep 8, 2011

Well just remember who started it first

STUXNET ring any bells ?

Hungry Man · Sep 8, 2011

I would hardly call stuxnet the start of a longwinded political dispute.

dw426 · Sep 8, 2011

CloneRanger said:

Well just remember who started it first

STUXNET ring any bells ?
Click to expand...

Stuxnet didn't "start" anything. It was just a much publicized confirmation that there is indeed cyber ops going on between nations. It's a daily thing all across the globe, Stuxnet just shined a big bright light on it. I have serious doubts a government is behind this certificate incident.

fsr · Sep 9, 2011

Cyber War - by Eddy Nigg, Founder, COO/CTO of StartCom and StartSSL

It wasn’t entirely obvious to me, when we made the decision some six years ago to implement a certification authority that does things differently, that we’d end up against a country sponsored cyber-war. And even though I incidentally called this very blog “Join the Revolution“, I didn’t had in mind to have anything to do with securing a real revolution of any country or protecting dissidents from any regime. Not that kind of revolution anyway.

In fact, StartCom never issued certificates for particular high-profile sites such a Google, FaceBook and Twitter which seem to be the most popular targets these days, so what do we have to do with it?
Click to expand...

More at link

FanJ · Sep 9, 2011

Adobe: DigiNotar and the Adobe Approved Trust List (AATL)
Adobe PSIRT: Update on DigiNotar and the Adobe Approved Trust List (AATL)

by David Lenoe - September 8, 2011

We are in the process of removing the DigiNotar Qualified CA certificate from the Adobe Approved Trust List (AATL) and will post an update on this action tomorrow.

In the meantime, users can manually remove these certificates from Adobe Reader and Acrobat* by following these steps:
(*Note that the AATL is only supported in Adobe Reader and Acrobat versions 9 and X.)

Adobe Reader Version 9
1) Open Adobe Reader.
2) Open the Document Menu and choose Manage Trusted Identities.
3) Drop down the ‘Display’ box that reads ‘Contacts’ and choose ‘Certificates.’
4) Select the DigiNotar Qualified CA. If you do not see this certificate in the list, no further action is required.
5) Click Delete, and then confirm the deletion by clicking OK.

Adobe Acrobat Version 9
1) Open Adobe Acrobat.
2) Open the Advanced Menu and choose Manage Trusted Identities.
3) Drop down the ‘Display’ box that reads ‘Contacts’ and choose ‘Certificates.’
4) Select the DigiNotar Qualified CA. If you do not see this certificate in the list, no further action is required.
5) Click Delete, and then confirm the deletion by clicking OK.

Adobe Reader and Acrobat X
1) Open Adobe Reader or Acrobat.
2) Open the Edit Menu->Protection->Manage Trusted Identities.
3) Drop down the ‘Display’ box that reads ‘Contacts’ and choose ‘Certificates.’
4) Select the DigiNotar Qualified CA. If you do not see this certificate in the list, no further action is required.
5) Click Delete, and then confirm the deletion by clicking OK.

This posting is provided “AS IS” with no warranties and confers no rights.
Click to expand...

ronjor · Sep 9, 2011

DigiNotar certificate fraud addressed with Snow Leopard and Lion updates

By: Topher Kessler

Apple has released a security update for OS X 10.6 Snow Leopard and OS X 10.7 Lion that addresses an issue in which the use of fraudulent certificates could allow an attacker to steal user credentials and other private information through a network connection. The problem revolved around the use of DigiNotar as a trusted certificate authority, which has been removed by this update.
Click to expand...

http://reviews.cnet.com/8301-13727_...-addressed-with-snow-leopard-and-lion-updates

FanJ · Sep 9, 2011

TrendMicro TrendWatch:

CA hack attacks: Just how secure is HTTPS?

And the quote of the week from TrendMicro:
"Just because the browser uses HTTPS doesn’t automatically mean the site is safe to access"

Hungry Man · Sep 9, 2011

http://gmailblog.blogspot.com/2011/09/gmail-account-security-in-iran.html

Again Google reiterates that Chrome users were protected from this attack.

fsr · Sep 10, 2011

GLobalSign admits security breach

Update from #GlobalSign. Today we found evidence of a breach to the web server hosting the www website. The breached web server has always been isolated from all other infrastructure and is used only to serve the http://www.globalsign.com website. At present there is no further evidence of breach other than the isolated www web server. As an additional precaution, we continue to monitor all activity to all services closely. The investigation and high threat approach to returning services to normal continues.

All forensics are being shared with the authorities and other CAs to assist with their own investigations into other potentially related attacks.
Click to expand...

Link

fsr · Sep 10, 2011

Dutch Government: Websites' Safety Not Guaranteed

The Dutch government said Saturday it cannot guarantee the security of its own websites, days after the private company it uses to authenticate them admitted it was hacked. An official also said the government was taking over the company's operations.

The announcement affects millions of people who use the Netherlands' government's online services and rely on the authenticator, DigiNotar, to confirm they are visiting the correct sites. To date, however there have been no reports of anyone's identity being stolen or security otherwise breached.
Click to expand...

More at link

fsr · Sep 10, 2011

http://i53.tinypic.com/2nuks4o.png

elapsed · Sep 10, 2011

fsr said:

http://i53.tinypic.com/2nuks4o.png
Click to expand...

Same thing in IE9.

FanJ · Sep 10, 2011

fsr said:

http://i53.tinypic.com/2nuks4o.png
Click to expand...

You can post pictures here on the forum

FanJ · Sep 10, 2011

fsr said:

Dutch Government: Websites' Safety Not Guaranteed

More at link
Click to expand...

which is dated at 3 Sept 2011

fsr · Sep 11, 2011

Hi FanJ,

FanJ said:

You can post pictures here on the forum
Click to expand...

Yes I know, it's just that I was working with that service yesterday. Not sure if content of image is much relevant, anyhow it's not everyday you see a certificate for www.globalsign.com signed by www.globalsign.com

FanJ said:

which is dated at 3 Sept 2011
Click to expand...

Sorry I missed that

fsr · Sep 13, 2011

GlobalSign back in operation

Fellow handler Lenny wrote about GlobalSign being named by a hacker claiming the DigiNotar and Comodo breaches and GlobalSign's response to it by stopping the processes of issuing certificates.

Today GlobalSign should be back in operation and they have kept a public track of their incident response. I suggest to read it bottom up as that way you get the timeline.
Click to expand...

More at link

FanJ · Sep 13, 2011

Quotes from Microsoft at:
http://blogs.technet.com/b/msrc/arc...tar-certificates-and-september-bulletins.aspx

More on DigiNotar Certificates, and September Bulletins

13 Sep 2011 8:38 AM

In an effort to protect customers, last week we released Security Advisory 2607712 along with a non-security update to add fraudulent DigiNotar certificates to the Windows Untrusted Certificate Store. Today, we are releasing another update (2616676), adding six additional DigiNotar root certificates that are cross-signed by Entrust and GTE, to the Untrusted Certificate Store. Update 2616676 supersedes 2607712 and contains the full list of certificates which are:

• DigiNotar Root CA
• DigiNotar Root CA G2
• DigiNotar PKIoverheid CA Overheid
• DigiNotar PKIoverheid CA Organisatie - G2
• DigiNotar PKIoverheid CA Overheid en Bedrijven
• DigiNotar Root CA Issued by Entrust (2 certificates)*
• DigiNotar Services 1024 CA Issued by Entrust*
• Diginotar Cyber CA Issued by GTE CyberTrust (3 certificates)*
Click to expand...

FanJ · Sep 14, 2011

The Dutch "Independent Post and Telecommunications Authority of the Netherlands" (in short OPTA) has now ended DigiNotar registration.
Article in Dutch:
http://www.opta.nl/nl/actueel/alle-publicaties/publicatie/?id=3468

(sorry, at the moment I don't see the article in English)

gerardwil · Sep 14, 2011

FanJ said:

The Dutch "Independent Post and Telecommunications Authority of the Netherlands" (in short OPTA) has now ended DigiNotar registration.
Article in Dutch:
http://www.opta.nl/nl/actueel/alle-publicaties/publicatie/?id=3468

(sorry, at the moment I don't see the article in English)
Click to expand...

Autotranslator:

Research by OPTA to issue qualified certificates DigiNotar shows that the reliability of these certificates will no longer be guaranteed. OPTA therefore terminate the registration of DigiNotar. This means that the company issued qualified certificates must withdraw and not allowed to issue more new qualified certificates. Qualified certificates are certificates that electronic signatures can be put, often through a card with chip. OPTA has the statutory duty to monitor the issue solely on this type certificates.

OPTA decided late August to conduct research because of the problems that arose with DigiNotar in the issuance of so-called server certificates (SSL). Server certificates, OPTA no oversight, computers are used for establishing secure connections. In examining the issue of qualified certificates OPTA finds that the intrusion on the systems of access DigiNotar also been to the systems on which this certificate is created. According to the regulator is therefore no longer guaranteed that data on these systems have not been manipulated, abused or removed.

DigiNotar is now informing customers about the revocation of qualified certificates. OPTA will monitor. The Ministry of the Interior and Kingdom Relations has been the operational management of the certification systems inherited from DigiNotar.

Because the certificates are no longer qualified to use, the new qualified certificates to users registered providers to apply. On the OPTA website is a list of registered providers to consult. Currently there are four commercial providers of qualified certificates.
Click to expand...

fsr · Sep 15, 2011

DigiNotar looses their accreditation for qualified certificates, (Thu, Sep 15th)

Next to being a provider of SSLcertificates (which most browsers now distrust), DigiNotar also issued so-called qualified certificates. These are used to create digital signatures and they are much stricter regulated that the run of the mill SSLand EVSSLcertificates we all know from web servers and the like.
OPTA, the Dutch independent post and telecommunication authority - think of them as the regulator- , has terminated [in Dutch] the accreditation of DigiNotar as a certificate provider on Sept 14th, 2011. This pertains to their qualified certificates.
It's probably best to give a very short introduction on what qualified certificates, accredited providers are and why this is so important.
Click to expand...

http://isc.sans.edu/diary.html?storyid=11590

Latest public update from GlobalSign

We are now bringing customers back online in a controlled way, we appreciate the patience as we work through the account reactivation and order backlog. We apologise, but there will be some delays returning some specific services to normal operation.
Click to expand...

http://deck.ly/~Xh57Y

& also related, "Symantec this week introduced what it calls the Symantec Certificate Intelligence Center"

Symantec this week introduced what it calls the Symantec Certificate Intelligence Center, a cloud-based service that works with an on-premises software component to keep track of SSL server certificates used by an organization.
"Every SSL certificate comes with a shelf life, as they expire in one, two or three years," says Amar Doshi, Symantec senior manager, product management. Symantec Certificate Intelligence Center lets IT managers track both public Web-facing and internally-used certificates in order to act before these certificates expire. The service is similar to one offered by competitor Venafi, he says.

In addition, Symantec's cloud-based service, working in conjunction with the on-premises component, which is available based on Red Hat Linux or VMware-based virtual appliance, can scan to detect so-called "rogue certificates," Doshi says.
Click to expand...

http://www.computerworld.com/s/arti..._based_service_seeks_out_rogue_certificates_?

Read more about this service, download datasheets, etc at link - note: I have no affiliation with Symantec and I am not endorsing this service

Log in or Sign up

Hackers acquire Google certificate, could hijack Gmail accounts

fsr Registered Member

fsr Registered Member

BoerenkoolMetWorst Registered Member

GammaRay Registered Member

JRViejo Super Moderator

CloneRanger Registered Member

Hungry Man Registered Member

dw426 Registered Member

fsr Registered Member

FanJ Updates Team

ronjor Global Moderator

FanJ Updates Team

Hungry Man Registered Member

fsr Registered Member

fsr Registered Member

fsr Registered Member

elapsed Registered Member

FanJ Updates Team

FanJ Updates Team

fsr Registered Member

fsr Registered Member

FanJ Updates Team

FanJ Updates Team

gerardwil Registered Member

fsr Registered Member

Log in or Sign up

Hackers acquire Google certificate, could hijack Gmail accounts

fsr Registered Member

fsr Registered Member

BoerenkoolMetWorst Registered Member

GammaRay Registered Member

JRViejo Super Moderator

CloneRanger Registered Member

Hungry Man Registered Member

dw426 Registered Member

fsr Registered Member

FanJ Updates Team

ronjor Global Moderator

FanJ Updates Team

Hungry Man Registered Member

fsr Registered Member

fsr Registered Member

fsr Registered Member

elapsed Registered Member

FanJ Updates Team

FanJ Updates Team

fsr Registered Member

fsr Registered Member

FanJ Updates Team

FanJ Updates Team

gerardwil Registered Member

fsr Registered Member

Useful Searches