Unpatched server led to GlobalSign breach

Unpatched server led to GlobalSign breach

Summary: GlobalSign failed to update one of its web servers, which allowed a hacker to access it, and led to the company ceasing operations for more than a week.

SHARE:

GlobalSign was left red-faced after one of its web server was hacked last year. It turns out it was due to a piece of open-source software not being updated, a senior GlobalSign executive told sister site ZDNet UK.

The company ceased issuing certificates, and shut down its operations. GlobalSign said it keeps SSL-certificate issuing infrastructure "separate" from its website --- a common practice --- and reiterated that its operations was secure.

GlobalSign's own website, the site's certificate, and some other public-facing documents were compromised during the hack, but no other servers were breached.

The SSL-website certificate issuing giant tore down and rebuilt its systems after the web server was accessed by a hacker going by the name 'Comodohacker'.

It resumed issuing website certificates a week later and said it has "learned much" from the incident.
An external audit showed that GlobalSign's operations were safe and secure, but its website certificate was taken and could have been used to impersonate the company's website.

GlobalSign's root certificate is disconnected from the Web, and cannot be accessed without a series of stringent security checks. ZDNet UK reports: "a person must retrieve the machine [holding GlobalSign's root certificate] from a locked box, insert a number of smart cards, and type in multiple PINs and access codes."

It came only weeks after DigiNotar, a Dutch certificate authority, which issued SSL certificates for the Dutch government amongst others, was compromised and subsequently went bankrupt. Over 500 certificates were thought to have been stolen. The Dutch government said it could "not [at the time] guarantee the security" of its online services.

Another Dutch issuer, KPN, suspended its operations after a security breach was discovered in November.

Related:

Topics: Browser, Security, Servers, Software Development

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

1 comment
Log in or register to join the discussion
  • Update update update

    Go cry about stability all you want, but if your site is taken down, that's not very stable, and 100% worse than anything else that don't crash it or wipe data. Run updated versions whenever security bugs are patched in your software! You really don't want documented security holes on critical systems. If updates *really* is a stability issue for you, use testing systems that you try them on first, then roll them out FAST when they're confirmed to work. Also, shouldn't you probably switch software completely if you often have update issues? I think that's probably a better solution than waiting with updates.

    Also: Don't worry about running open source. Worry about keeping everything updated. Keep track of everything you run, I've heard of some cases where an open source program was used, *and nobody knew it was there*, so it wasn't updated for years. THAT'S the danger, not the license. Got software (or Excel sheets, that seems common too) for tracking proprietary software licenses? Consider tracking your open source software with it too, including dates for when it's been updated. Then you know when you're running old versions.
    Natanael_L