Inside 'Operation Black Tulip': DigiNotar hack analysed

The Google webmail of as many as 300,000 Iranians may have been intercepted using fraudulently issued security certificates made after a hack against Dutch certificate authority outfit DigiNotar, according to the preliminary findings of an official report into the megahack. Fox-IT, the security consultancy hired to examine the …

COMMENTS

This topic is closed for new posts.
  1. LPF
    WTF?

    The question that needs to be asked ...

    Have those Iranian Gmail users been notified that their accounts may have been compromised, and have they been made to change passwords?

    1. L1feless

      There are no passwords hacked

      IF what I am reading is correct there are no passwords being hacked here. The issue is unfortunately much, much worse. The hacker is able to act as a middle man and, with a legit SSL cert, can easily look completely legit. Changing your password won't make a difference. It's sad that such organizations are able to pick up exactly where they left off. The only real solution I can think of is to use a tool like Convergence (I think that's the name), where the cert you're using will be validated against a cert organization of your choosing and not by the site itself. Even then I am not sure this would completely solve this type of attack.

    2. Anonymous Coward
      Meh

      google know ..... everything

      From the report on Diginotar's website.

      "The list of IP-addresses will be handed over to Google. Google can inform their users that during this period their e-mail might have been intercepted."

  2. Anonymous Coward
    FAIL

    future impact

    "Vasco does not expect that the DigiNotar security incident will have a significant impact on the company’s future revenue or business plans,"

    apart from the fact nobody trusts the company to either be secure or disclose breaches in a timely manner

    1. adnim

      Not public knowledge

      Unless the Beeb or Sky fill the news channels with this, ignorance will ensure continued trust of systems the average user does not understand. How deep is the hole? Depends on whether you take the red or blue pill. But which pill do the media offer up to you?

      Trust, I would love to share it with you, but how can I trust you when I fear to trust myself, as much of my knowledge is based on the information I receive from those with an agenda that may well be incompatible with mine?

      Honesty, integrity and truth are indeed absolutes but they can be severely distorted, hidden or presented in a contradictory light by little more than greed.

      1. amanfromMars 1 Silver badge

        Chinese Chequers ...... Three Cheers, ..... Hip, Hip, Huawei

        Quite so, adnim, and that is ITs Magic Circle to Square with Enigmatic Solutions Trailing and Trialing Leading Questions with Beta ProgramMING. .... SMARTer Virtually Routed Roots for BIOS.

    2. Robert Carnegie Silver badge

      Nope, because

      instead of incorporating DigiNotar in their business subsequently, they are now having everybody from DigiNotar shot. Thus the good name of Vasco is protected. If that -is- a good name: I wouldn't know, really.

      It's like when HP bought Palm - well, not the best example...

  3. Pen-y-gors

    call me Mr Dim but...

    How is it that any old CA can issue a cert for a particular domain if a) some other CA has issued one or b) the requester doesn't control the domain? If I went to a domain registrar and tried to register google.com I'd be told that it was already registered. How come something similar doesn't happen with SSL certs? Surely building in some form of link to the domain registration shouldn't be too tricky? i.e. if someone wants to register an SSL cert for google.com then there has to be some form of authorisation from the google.com domain holder?

    1. Anonymous Coward
      Boffin

      Not dim at all...

      The check that stops you asking for a Google certificate is a manual one, not an automatic one. The hackers were able to get admin access to the servers issuing certificates. So they just issued them, bypassing the manual check.

      There is nothing the browser can do (e.g. checking the root authority of the new Google cert against the root authority of the previous Google cert) because changing CA is a reasonable thing for site owners to want to do.

    2. syserr0r
      Paris Hilton

      Pen-y-gors: Not normally as bad as it seems...

      There normally are systems in place to prevent exactly what you described (when we last renewed our certificates we had to, among other things, prove that the domain we wanted the certificates for belonged to us) but this is on the front end for customers.

      Technically there is nothing to stop any CA issuing certificates for any old domain; it is only their policy and procedure (and the programming of the ordering system) that stops it happening. Once you have hacked into the back end of a CA with access to sign certificates 'manually' (i.e. not as a customer) you can do what you want.

      Also, DNSSEC 'solves' this problem by putting the SSL certificate in the DNS (if you control the DNS you control the domain; even if you can make new valid certificates you can't put them into the DNS without control of the domain [or compromising the DNS provider ;]).

      Paris just because...

      1. BristolBachelor Gold badge
        Coat

        Compromising the DNS

        "...you can't put them into the DNS without control of the domain [or compromising the DNS provider ;])"

        Of course if this certificate was cut for man-in-the-middle attacks, it means that they already compromised the DNS provider to point blah.google.com to their man-in-the-middle server. But I assume that you already knew that, and hence the 'solves' and the ;]

    3. BristolBachelor Gold badge

      Cert checking

      a) So if the browser is talking to blah.google.com and receives a certificate issued by a CA, how does it know if any other servers in google.com have certificates from a different CA?

      b) The certificate is created by doing some maths using the private key of the CA, the name of the CA, the server's name and the public key used to talk to the server. The maths doesn't know or care anything about who the server says it is or whether it should. Once you have access to the algorithm and the private key of the CA, you can cut any certs you want.
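The three answers above make the same point from different angles: the signing maths binds a CA name, a host name and a public key, with no step that asks whether the requester owns the host, so a browser that only checks "does this chain to a trusted root?" accepts a certificate cut by any trusted CA, and the thread's proposed mitigations (a Convergence-style notary, or a certificate published in the DNS) all amount to checking the key against something the domain owner controls. The program below, an added example using only Go's standard library and not code from any commenter or from the Fox-IT report, builds two constructed CAs, has both sit in the trust store, lets the second one sign a certificate for the placeholder host mail.example.com without the owner's involvement, and then runs both checks over each certificate. The CA names, the host name and the pin-publishing step are all assumptions of the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// Host is a constructed placeholder name; no real service is contacted.
const Host = "mail.example.com"

// makeCert generates a key pair and a certificate for name. With parent == nil
// it returns a self-signed CA; otherwise parentKey signs a server certificate.
// The signature covers the issuer name, the host name and the new public key:
// no step asks whether the requester controls the host. Key generation or
// signing failures are fatal here, which is acceptable for a demo.
func makeCert(name string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	signer := parentKey
	if parent == nil { // self-signed CA certificate
		parent, signer = tmpl, key
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else { // server certificate naming the host
		tmpl.DNSNames = []string{name}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// ChainValid is the check a browser makes: does the certificate chain to any
// root in the trust store and name the host we connected to?
func ChainValid(leaf *x509.Certificate, roots *x509.CertPool, host string) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil
}

// SPKIPin hashes the certificate's SubjectPublicKeyInfo, the value a pinning
// list or a DANE TLSA "3 1 1" record would publish for the domain.
func SPKIPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// Outcome records how each certificate fares under the two checks.
type Outcome struct{ LegitChainOK, LegitPinOK, RogueChainOK, RoguePinOK bool }

// RunScenario puts two CAs in the trust store. The domain owner's certificate
// comes from the first; the second signs a certificate for the same host
// without the owner's involvement, as a compromised CA back end would.
func RunScenario() Outcome {
	legitCA, legitKey := makeCert("Constructed Legit CA", nil, nil)
	rogueCA, rogueKey := makeCert("Constructed Compromised CA", nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(legitCA)
	roots.AddCert(rogueCA) // both trusted, as every browser-shipped root is
	legitLeaf, _ := makeCert(Host, legitCA, legitKey)
	rogueLeaf, _ := makeCert(Host, rogueCA, rogueKey)
	pin := SPKIPin(legitLeaf) // published out of band by the domain owner
	return Outcome{
		LegitChainOK: ChainValid(legitLeaf, roots, Host),
		LegitPinOK:   SPKIPin(legitLeaf) == pin,
		RogueChainOK: ChainValid(rogueLeaf, roots, Host), // passes: the maths is fine
		RoguePinOK:   SPKIPin(rogueLeaf) == pin,           // fails: wrong key for this host
	}
}

func main() {
	o := RunScenario()
	fmt.Printf("legit: chain=%v pin=%v\nrogue: chain=%v pin=%v\n",
		o.LegitChainOK, o.LegitPinOK, o.RogueChainOK, o.RoguePinOK)
}
```

The chain check cannot tell the two certificates apart, which is the "nothing the browser can do" point: both chain to a root the browser ships, and a site switching CA legitimately would look identical. The pin check can, because it compares the presented key with one the domain owner published, which is what a DNS-hosted certificate or a notary does; it also shows the residual risk the thread notes, since whoever controls the owner's DNS or the notary controls the pin.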

  4. Dodgy Geezer Silver badge
    Mushroom

    And so now...

    ...Israeli security services have enough data to go through to keep them happy for a few years.

    So cyberwar is well and truly joined - only the enemy is not the one we thought it would be....

  5. Anonymous Coward
    Joke

    Only Iranians?

    "The Google webmail of as many as 300,000 Iranians may have been intercepted using fraudulently issued security certificates ..."

    Meanwhile who knows how many Americans (& others) have had their webmail intercepted because the wondrous security services of the US have their fingers in all the pies?

  6. amanfromMars 1 Silver badge

    Street Talking to AI Walking is the Magic Mental Key to Program into Reality

    Have you considered that DigiNotar has outed and facilitates accommodation and quarantine of right dodgy and decidedly designedly left of centre DODGI Cyber Security Space certificates ?

    For Real SMART IntelAIgents in Great Game Plays. .... dDutch Bilderberg Renderings ...... Global BroadBandCasts.

    Spooks in Clogs .... Now there's a Paradox and AI Parallel Dimension Hosting Portal.

    Now that is a Stirling Virtual Machine of Magical Source Intellectual Property.

    For Bigger Beta Picture Windows Wizards attending to the Bewitched at their Pleasure, Delivering Treasures.

    And why not quite possibly also Private and Pirate Azure Cloud Phormations.

    Sorry to be so plainly cryptic but present needs must in order to gain initiative response to Life in LOVE Worlds.

    And that question to Microsoft, AI/MIVD.

  7. TheKeffster
    WTF?

    Does not expect?

    "Vasco does not expect that the DigiNotar security incident will have a significant impact on the company’s future revenue or business plans,"

    The arrogance from these people continues to astound me.

    But surely I am not the only one thinking that if I were in the market for an SSL product, this is now the very last company I would approach?

    1. Anonymous Coward
      Anonymous Coward

      Someone needs to go after Vasco for undue-diligence

      If there were systemic problems prior to their purchase, then their due diligence, actually lack thereof, tells me that they didn't know what they were doing then, and probably don't know what they're supposed to be doing now.

  8. Z80
    Headmaster

    Began, Shirley?

    "...6 June – a month before hackers begun publishing..."

    "...DigiNotar only begun revoking rogue certificates on 19 July..."

  9. Anonymous Coward
    FAIL

    According to a Dutch newspaper...

    DigiNotar basically had it coming. Early results of an ongoing investigation apparently showed that they were working with outdated software on their servers and that several office PCs weren't running any form of antivirus software whatsoever.

    Assuming all of that is true I can't really consider it a surprise that eventually stuff went wrong.

    Which makes me wonder how well a government (Dutch government in this case) actually screens and checks companies before doing business with them.

    1. amanfromMars 1 Silver badge
      Holmes

      Special IntelAIgent Services are Naturally Slow ... for IT is No Simpleton's Task ....

      .... and neither is AIDeveloped Vetting of Better Certain Winners in a Sea of Deep Oceans teeming with All Manner of Sad and Sorry, Mad and Bad Smartassed Losers ...... just Phishing.

      "Which makes me wonder how well a government (Dutch government in this case) actually screens and checks companies before doing business with them." ... ShelLuser Posted Tuesday 6th September 2011 16:31 GMT

      Well enough and long enough for any really smart novel venture checking out their facilities for necessary abilities and future growth development potential to ponder on the need for novel smart ventures to set up Global Communications Head Quarters in other Intellectual Property Areas in Foreign Jurisdictions....... although knowing the Dutch as they are, will that be best treated as just a fleeting thought to be considered unnecessary, as it will be covered by subsequent satellite operations and field missions.

  10. roomey
    Joke

    letters and/or digits

    DigiNotar? Diginothankyou

  11. Anonymous Coward
    Megaphone

    I wanna know the BOFH's take on this

    "Vasco does not expect that the DigiNotar security incident will have a significant impact on the company’s future revenue or business plans,"

    Revenue at the moment. Zero (other than the suicidally incompetent)

    Revenue in the future. Zero. (other than the suicidally incompetent.)

    I could write press releases/be an 'analyst' see ?

  12. Anonymous Coward
    Devil

    Vasco

    Vasco makes the secure tokens used by World of Warcraft (RSA SecurID clones). Made in China, so they were probably already hacked, but whatever.

  13. jaycee331

    But who did it....

    Quite a few press items on this seem to gently imply this being Iran spying on Iran.

    As much as I'd like to believe that, given tensions between the West and Iran, and the hypothesis that Stuxnet originated in the US, I can't help but wonder if there is some clever mis-direction going on!

    1. Ilgaz

      Whenever a story mentions Iran or China

      I can't stop myself from ignoring these stories like cold war stuff. Next we will hear Iranians eat their babies etc.

      It is also impossible for tech media to do on-scene reporting, with actual reporters talking to both sides. Nobody can explain the expense required while the story is right there, on the Reuters feed.

      I am not saying Iran or China don't play evil games, it is just that we don't really hear the whole story. For example, you read how evil the Chinese firewall and wiretapping are and yet you don't hear who has such technology to cope with petabytes of data in real time.

  14. Ilgaz

    Script kiddies declare war to countries?

    This new breed of script kiddies makes me wonder. They are either stupid or ignorant, or they are acting like some lamer while they are supported/protected by a government.

    Not every country is as civilized as Holland, nor every company as clean as Comodo. Some countries and companies have a tendency to carry these online issues into the offline, real world and they don't really have any kind of limit or any "human" feelings.

    You know what happened to that bot army owner after governments figured out he actually had a supercomputer under his command. Found dead, for mysterious reasons.

    1. Destroy All Monsters Silver badge
      Holmes

      Post Your Own Message

      These are not script kiddies installing r57.php via Joomla driveby.

      These are the kind of people I dread to find on my servers and this only because they wanted me to.

      And who was that bot herder who died? Wouldn't surprise me; these circles are shady and not filled with nice people. I remember the story of the German carder dude who suicided out of the blue in a public park. Hagbard, was it?

      1. Ilgaz

        If he is elite...

        I have seen him chat to the F-Secure boss via a centralised service like Twitter. Hyppönen has some amazing ethics of course, but what about the other parties? Only a script kiddie who looks for popularity would act that way, or he (or the team) is a complete pro who manages to convince people that these are random lame attacks.

        About that dead botnet guy, of course he is one we know:

        it.slashdot.org/article.pl?sid=05/07/25/1745212

        I try to convince people that they are actually dealing with the mafia once they get into such schemes, without luck. Of course, it could be some old-fashioned mob murder, but it is particularly interesting that he was murdered after a story appeared talking about a Top500-class supercomputer under his hand actually doing nothing like spamming or phishing. If a botnet doesn't do the usual spam, phish or DoS attacks and it is millions in size, it is time to panic.

    2. This post has been deleted by its author
