One year after DigiNotar breach, Fox-IT details extent of compromise

The hacker gained admin access to all critical DigiNotar certificate authority systems despite network segmentation, investigators say

By Lucian Constantin, IDG News Service |  Security

However, the company found evidence that Certificate Revocation Lists (CRL) -- lists of revoked digital certificates -- were automatically issued by some CA servers during the intrusion period. These lists need to be signed, which suggests that the private keys were active and the attacker had the opportunity to abuse them.

All information discovered during the investigation about the attacker, like the IP addresses he used -- some of them corresponding to proxy servers -- were handed over to the Dutch police. The evidence suggests that the hacker was located in Iran and a signature left in a text file points to him being the same attacker who compromised the Comodo certificate authority in March 2011.

Even though there are still some unanswered questions about the steps taken by the hacker once inside the DigiNotar network, some lessons can be learned from this incident, Fox-IT said.

First, it's important to complement prevention measures with detection measures, the company said. "Detection can prevent that critical parts of the infrastructure can be targeted, even in the case of a breach of a specific segment."

Separating the tasks performed by the IT staff is also important. For example, system administrators should not be in charge of setting up and maintaining firewalls or other security components of the infrastructure because they may be inclined to provide a pleasant working environment for users that would conflict with the task of limiting interaction between network segments, Fox-IT said.

Other recommendations enumerated by the company in its report include: separating vital systems as much as possible from untrusted network segments or the Internet; updating all software products on all systems as often as possible; limiting the amount of services that run on systems used for critical processes; hardening all systems by changing the default settings; performing regular penetration tests with different teams; and making sure that systems or networks are monitored and the appropriate employees are notified of any anomalies.

Join us:






Answers - Powered by ITworld

ITworld Answers helps you solve problems and share expertise. Ask a question or take a crack at answering the new questions below.

Ask a Question