Rogue Google SSL Certificate Found in the Wild

jamescv7
Attackers behind CA hack also targeted Tor

The development team behind the anonymisation network Tor is reporting that twelve certificates for the domain *.torproject.org were generated during the attack on Dutch SSL certification authority DigiNotar. Six certificates for the project's domain were illegally issued on 18 July and six more on 20 July – despite the fact that DigiNotar detected the intrusion on 19 July and claims to have revoked all of the fraudulent certificates.

Read More
 

HeffeD
It's looking worse and worse for DigiNotar.

So it comes out that it wasn't just that the hacked certificate didn't go unnoticed for 40 days. They just didn't report it... This has of course put them in serious hot water with the authorities as this sort of thing is supposed to be reported. And to make matters worse, they knew that 200 certificates were out there, but they didn't even know which ones...

Mozilla was about to release another patch to make exemptions for the certificates that DigiNotar had issued to the Dutch government at the government's request, but after doing an audit on DigiNotar's performance, the government said never mind...
DigiNotar Removal Follow Up at Mozilla Security Blog

I can smell several people out of jobs, and possibly a CA going under... I don't see how they can possibly continue doing business after being blacklisted by all the popular browser manufacturers and the Dutch government.
 

HeffeD
Another interesting article:
DigiNotar Compromise

They've finally been able to release information about the rogue certificates. 247 certificates issued for 23 domains...

These are the domains.
*.10million.org
*.balatarin.com
*.google.com
*.logmein.com
*.microsoft.com
*.mossad.gov.il
*.skype.com
*.torproject.org
*.walla.co.il
*.wordpress.com
addons.mozilla.org
azadegi.com
DigiCert Root CA
Equifax Root CA
friends.walla.co.il
login.yahoo.com
Thawte Root CA
twitter.com
VeriSign Root CA
wordpress.com
www.cia.gov
www.facebook.com
www.sis.gov.uk

Edit: And note that none of these people were notified that there was an issue with bogus certificates that affected them...
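A small check a site operator could run against the list above, added here as an example (it is not code from HeffeD's post or from the DigiNotar investigation): given a hostname, which of the rogue certificate names would a browser have accepted for it? The hostname list is copied from the post; the four "Root CA" entries are CA names rather than hostnames and are left out. Matching follows the usual wildcard rule (RFC 6125): a leading `*.` covers exactly one DNS label, so `*.google.com` covers `mail.google.com` but neither `google.com` nor `a.b.google.com`. The function names `name_matches` and `covering_names` are this example's own.

```python
"""Which rogue DigiNotar certificate names would cover a given hostname?

Added example, not from the forum post. The name list is copied from the
post (root-CA entries omitted); the wildcard rule follows RFC 6125.
"""
from typing import List

# Hostnames from the post. Entries such as "DigiCert Root CA" name CAs,
# not hosts, so they are not included here.
ROGUE_NAMES = [
    "*.10million.org", "*.balatarin.com", "*.google.com", "*.logmein.com",
    "*.microsoft.com", "*.mossad.gov.il", "*.skype.com", "*.torproject.org",
    "*.walla.co.il", "*.wordpress.com", "addons.mozilla.org", "azadegi.com",
    "friends.walla.co.il", "login.yahoo.com", "twitter.com", "wordpress.com",
    "www.cia.gov", "www.facebook.com", "www.sis.gov.uk",
]


def name_matches(pattern: str, hostname: str) -> bool:
    """True if a certificate name `pattern` would be accepted for `hostname`.

    DNS names are case-insensitive and a trailing dot is ignored. A wildcard
    in the leftmost label matches exactly one label, never zero or several.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]                      # "*.google.com" -> ".google.com"
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[: -len(suffix)]       # what the "*" stands for
    return bool(leftmost) and "." not in leftmost


def covering_names(hostname: str, names: List[str] = ROGUE_NAMES) -> List[str]:
    """All entries of `names` that would cover `hostname`, in list order."""
    return [n for n in names if name_matches(n, hostname)]


if __name__ == "__main__":
    for host in ("mail.google.com", "google.com", "friends.walla.co.il",
                 "wordpress.com", "check.torproject.org"):
        print(f"{host:25s} -> {covering_names(host)}")
```

Note that `friends.walla.co.il` is covered twice, by its own entry and by the `*.walla.co.il` wildcard, while the bare `google.com` is not covered at all by `*.google.com`; both follow from the one-label rule rather than from anything special about those names.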
 

Jack
And it gets better:
Dutch CA banished for life from Chrome, Firefox - link
Director of Firefox Engineering Johnathan Nightingale wrote: “We are now removing the exemption for these certificates, meaning that all DigiNotar certificates will be untrusted by Mozilla products. We understand that other browser vendors are making similar changes.”
 
Deleted member 178
for retaliation, Diginotar will nuke Iran with hallucinogen Mushrooms :D
 

Jack
DigiNotar Certificates Used to Spy Iranians

Large scale virtual espionage was revealed in a recent post on the TrendLabs blog, which seems to be the true reason for the fake certificates.

Rumors were circulating all over the web about Iranian involvement in the matter, but now, Trend Micro claims they have discovered more than 40 different ISP networks, the users of which were spied on using the DigiNotar certificates.

The security solutions company claims they have hard evidence of the man-in-the-middle attacks which seem to have taken place mostly in Iran.

The evidence is based on the feedback data obtained through their Trend Micro Smart Protection Network, which analyzes a large number of parameters with the purpose of protecting users against future threats.

The domain called validation.diginotar.nl is the one used by internet browsers to check the validity of SSL certificates issued by the Dutch Certification Authority.

The fact which most clearly indicates that these users were targeted by these man-in-the-middle attacks is that the above mentioned domain was loaded mostly by Dutch and Iranian citizens during the chaos period at DigiNotar.

This should not have happened, as only internet users from the Netherlands and a few other countries usually load the domain.

The chances of someone from Iran accessing the web address are fairly small, and the large increase in page loads proves the point.

Read more
 

HeffeD
TrendMicro has proof the aim of these rogue certificates is to spy on Iranian internet users. Including those using anti-censorship software from California. (Is Tor based in California?)

Diginotar: Iranians - The Real Target

Hmmmm... Who other than the Iranian government is going to want to spy on Iranian internet users? :rolleyes:

Oh, and the list of bogus certificates issued is rising in number. Over 500 I believe...

Edit: Whoops, Jack beat me to it. :)
 

Jack
HeffeD said:
Hmmmm... Who other than the Iranian government is going to want to spy on Iranian internet users? :rolleyes:

Yes, I also suspect the Iranian government, most likely looking for people who are against the 'regime'. The Iranian hackers thing is most likely a way for them to cover their tracks in front of the world.
 

Jack
Operation Black Tulip: Fox-IT's report on the DigiNotar breach

Fox-IT, the security auditors hired to investigate the compromise of DigiNotar, the digital certificate authority that signed fraudulent certificates for Google, the CIA and others, released their preliminary findings this afternoon.

It's at least as bad as many of us thought. DigiNotar appears to have been totally owned for over a month without taking action, and they waited another month to take necessary steps to notify the public.

Fox-IT's report shows that the initial compromise appears to have occurred on June 17th, 2011. On the 19th DigiNotar noticed the incident, but doesn't appear to have done anything about it.

The first rogue certificate (as far as we know), *.google.com, was issued on July 10th, 2011. All of the other 530 rogue certificates were issued between July 10th and 20th.

There are several very disturbing conclusions about security at DigiNotar and the investigation isn't even complete yet:

  1. All of the certificate servers belonged to one Windows domain, allowing the compromise of one administrator account to control everything.
  2. The administrator password was simple and could be easily brute forced.
  3. Much of the malware and tools used in the attack would have been easily detected by anti-virus, had it been present.
  4. The software on public-facing servers was out of date and unpatched.
  5. They had no centralized nor secure logging.
  6. There was no effective separation of critical components.

The attacker left behind a message in one of the scripts used to generate the rogue certificates, arguably tying this attack to the earlier attack against Comodo back in March of this year.

The message reads in part:

"THERE IS NO ANY HARDWARE OR SOFTWARE IN THIS WORLD EXISTS WHICH COULD STOP MY HEAVY ATTACKS
MY BRAIN OR MY SKILLS OR MY WILL OR MY EXPERTISE"

Fox-IT analyzed the lookups against DigiNotar's OCSP servers (which browsers check to see if a certificate has been revoked) and determined that during the active attack period more than 99% of queries originated in Iran.

Read more...

You can download the full Fox-IT report from here. [PDF]
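The OCSP observation in the Fox-IT summary above, and the earlier Trend Micro post about validation.diginotar.nl being loaded mostly from the Netherlands and Iran, both rest on the same kind of check: compare where a CA's revocation-status requests come from on a normal day against the days under suspicion. The script below is an added example of that check (not code from the Fox-IT report, from Trend Micro or from this thread). The access-log lines and the prefix-to-country table are constructed for the example; the 10.x prefixes are hypothetical stand-ins for a GeoIP lookup, and the function names (`daily_shares`, `flag_shifts`) are this example's own.

```python
"""Per-country share of OCSP responder requests, day by day.

Added example; not from the Fox-IT report, Trend Micro or the forum thread.
Log lines and the IP-to-country table are constructed here. A real responder
would feed its own access logs through a GeoIP database instead.
"""
import ipaddress
import re
from collections import Counter, defaultdict
from datetime import date

# Constructed, hypothetical prefix-to-country table standing in for GeoIP.
IP_COUNTRY = {
    ipaddress.ip_network("10.1.0.0/16"): "NL",
    ipaddress.ip_network("10.2.0.0/16"): "IR",
    ipaddress.ip_network("10.3.0.0/16"): "DE",
}

# Constructed access-log lines (Apache combined format) for an OCSP responder.
# 15 June is a quiet baseline day; 28 July lies in the period the report covers.
SAMPLE_LOG = """\
10.1.4.7 - - [15/Jun/2011:10:00:01 +0200] "GET /ocsp/MFEw HTTP/1.1" 200 1600
10.1.9.2 - - [15/Jun/2011:10:00:05 +0200] "GET /ocsp/MFEw HTTP/1.1" 200 1600
10.1.0.3 - - [15/Jun/2011:10:00:09 +0200] "POST /ocsp HTTP/1.1" 200 1600
10.1.7.7 - - [15/Jun/2011:10:01:00 +0200] "GET /ocsp/MFEw HTTP/1.1" 200 1600
10.3.0.9 - - [15/Jun/2011:10:01:30 +0200] "POST /ocsp HTTP/1.1" 200 1600
10.2.0.1 - - [15/Jun/2011:10:02:00 +0200] "GET /ocsp/MFEw HTTP/1.1" 200 1600
10.1.4.7 - - [28/Jul/2011:09:00:01 +0200] "GET /ocsp/MFEw HTTP/1.1" 200 1600
10.2.5.5 - - [28/Jul/2011:09:00:02 +0200] "GET /ocsp/MFEw HTTP/1.1" 200 1600
10.2.5.6 - - [28/Jul/2011:09:00:02 +0200] "GET /ocsp/MFEw HTTP/1.1" 200 1600
10.2.8.1 - - [28/Jul/2011:09:00:03 +0200] "POST /ocsp HTTP/1.1" 200 1600
10.2.9.9 - - [28/Jul/2011:09:00:03 +0200] "GET /ocsp/MFEw HTTP/1.1" 200 1600
10.2.1.2 - - [28/Jul/2011:09:00:04 +0200] "GET /ocsp/MFEw HTTP/1.1" 200 1600
10.2.3.3 - - [28/Jul/2011:09:00:04 +0200] "POST /ocsp HTTP/1.1" 200 1600
10.2.4.4 - - [28/Jul/2011:09:00:05 +0200] "GET /ocsp/MFEw HTTP/1.1" 200 1600
10.2.6.6 - - [28/Jul/2011:09:00:05 +0200] "GET /ocsp/MFEw HTTP/1.1" 200 1600
10.2.7.7 - - [28/Jul/2011:09:00:06 +0200] "POST /ocsp HTTP/1.1" 200 1600
"""
BASELINE_DAY = date(2011, 6, 15)

# Client IP and the date part of the timestamp are all this analysis needs.
LOG_RE = re.compile(
    r"^(?P<ip>\S+) \S+ \S+ \[(?P<day>\d{2})/(?P<mon>[A-Za-z]{3})/(?P<year>\d{4}):"
)
MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}


def country_for(ip: str) -> str:
    """Country code for an address, or '??' when no prefix covers it."""
    addr = ipaddress.ip_address(ip)
    for net, cc in IP_COUNTRY.items():
        if addr in net:
            return cc
    return "??"


def parse_line(line: str):
    """(date, country) for one log line, or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    day = date(int(m["year"]), MONTHS[m["mon"]], int(m["day"]))
    return day, country_for(m["ip"])


def daily_shares(log_text: str):
    """{day: {country: fraction of that day's requests}}."""
    counts = defaultdict(Counter)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            day, cc = parsed
            counts[day][cc] += 1
    return {day: {cc: n / sum(c.values()) for cc, n in c.items()}
            for day, c in counts.items()}


def flag_shifts(shares, baseline_day, min_share=0.5, max_baseline=0.2):
    """Days on which a country that was marginal on the baseline day dominates.

    Returns (ISO date, country, share) tuples in date order.
    """
    base = shares[baseline_day]
    flagged = []
    for day, per_cc in sorted(shares.items()):
        if day == baseline_day:
            continue
        for cc, share in per_cc.items():
            if share >= min_share and base.get(cc, 0.0) <= max_baseline:
                flagged.append((day.isoformat(), cc, round(share, 2)))
    return flagged


if __name__ == "__main__":
    for day, cc, share in flag_shifts(daily_shares(SAMPLE_LOG), BASELINE_DAY):
        print(f"{day}: {share:.0%} of OCSP requests from {cc}, marginal on baseline")
```

The thresholds are deliberately plain: a country that supplied at most a fifth of the baseline day's requests but at least half of another day's is reported. What makes this signal useful for a CA is that OCSP requests come from the victims' browsers, not from the attacker, so the geography of the queries survives even when the rogue certificates themselves were never seen by the CA's own monitoring.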
 
Jack
HeffeD said:
The same entity behind the Comodo reseller attack is also claiming credit for the DigiNotar attack.

Striking Back... - Pastebin.com
Claimed DigiNotar hacker: I have access to four more CAs • The Register

What this 'person' fails to mention is why he (as one person) wants to spy on Iranian internet users if his goal is to get back at other nations for 'wrongs' they have committed. ;)

GlobalSign has stopped issuing SSL certificates in response to the Iranian hacker. You can read more about this here.
I find it suspicious that this 'hacker' has only started talking after the "Fox-IT" and TrendMicro reports.
BTW the number 2 conclusion in the Fox-IT report is just too much!! :p
The administrator password was simple and could be easily brute forced.
 

Jack
And Microsoft is also taking some measures:
Microsoft Updates Windows To Block Rogue Certificates

Microsoft has issued an update to Windows today to mark certain DigiNotar root certificates as untrusted.
The update is KB2607712 and innocuously titled "Update for Windows 7 for x64-based Systems". After applying it, the Windows Certificates control's Untrusted Publishers tab includes 5 DigiNotar root certificates:
[image: diginotar-untrusted.png]

All of the certificates are also marked as revoked.

Read more
 

Jack
ComodoHacker Denies That the Iranian Government Is Funding Him

The first victim of ComodoHacker's hits on certificate authorities claims he is more certain than ever that the Iranian government is sponsoring the infamous cybercriminal.

According to ComputerWorld, the CEO of Comodo, the CA which fell victim to the attacks early this year, has come forward with further accusations.

"We believe these are politically motivated, state driven/funded attacks," Melih Abdulhayoglu said at the time of the hit on his company.

After more recent events, the chief executive maintained his beliefs on the matter.

"We believe this is state-sponsored. It seems that they need these certificates, as we stated in March, they will not stop attacking," he stated.

Previous evidence shows clearly that the rogue certificates were used against people in Iran, but the shocking fact is that the government might be the one that funded the whole operation.

The authorities control the ISPs from within the country's borders so they would have no problems in compromising DNS servers in order to spread spyware.

ComodoHacker claims that he works alone and that the attacks were launched to avenge the death of 8000 Muslims, but the fact that 300,000 Iranians were spied on using the means offered by the hacker makes it very plausible that the hacks were ordered by state officials who are obsessed with controlling the masses through any means necessary.

Read more
 