GlobalSign confirms external server hack

The certificate authority said an external server was breached in an attack claimed by 'Comodohacker', and that its own SSL certificate and key were exposed

An SSL certificate issued by GlobalSign may have been compromised, the company has confirmed.

GlobalSign has confirmed that a server was breached in a hack attack, and that its own SSL certificate may have been exposed.

GlobalSign said on Tuesday that the SSL certificate and key for may have been exposed after a hack on an external server in September. However, the company said that after investigating the breach it has found no evidence of rogue certificates being issued following the hack. It stressed that the server involved was separate to its certificate issuance and internal systems.

"Every security company has thousands of doors to keep shut, and a hacker only has to find one," GlobalSign business development director Steve Roylance told ZDNet UK.

GlobalSign said it had found evidence of a breach on a server in North America following claims by an individual known as 'Comodohacker' to have hacked the company. Following the discovery, the key and SSL certificate for GlobalSign were revoked, and GlobalSign issued no new certificates between 6 and 15 September, the company said.

Roylance told ZDNet UK that a number of hacks over the last year on certificate authorities did not mean that a new online trust model was needed. He added that there was no evidence that any hacker had tried to pose as GlobalSign itself.

Companies use digital certificates as a cryptographic online trust technology. A stolen digital certificate can allow someone, for example, to set up a website posing as an organisation and fool people into interacting with the site, with the aim of gaining sensitive financial information or passwords. The bogus site will appear to be real to search engines.

The certificate authority GlobalSign has a number of large organisations as customers, including the BBC, BT, Fujitsu Siemens, the NHS, Toshiba and Vodafone.

Service disruption

The service disruption had some impact on customers that had to renew certificates within the nine-day time-frame, Roylance said. GlobalSign certificates last between one and five years, and the company reminds customers 30 days before certificates are set to expire that they should be renewed.

"We may have lost one or two customers," said Roylance. "Some people left it to the last minute to renew certificates and had to go somewhere else."

During the nine-day service disruption, GlobalSign contracted security company Fox-IT to analyse the impact of the hack. GlobalSign also hired Cyber Security Japan to oversee a rebuild of its certificate issuance infrastructure, on the assumption that its core network had been breached.

Following the Fox-IT investigation, GlobalSign found that the external server hack may have compromised the SSL certificate and key, plus public-facing HTML and PDF files. GlobalSign locked down the server and rebuilt it with a new hard disk and hardened system image.

GlobalSign took security steps such as implementing additional intrusion detection services and hardened access to issuance systems, according to its report.

The hack came to light after Comodohacker claimed to have breached GlobalSign in a document posted on Pastebin.

Comodohacker also claimed responsibility for the hack on DigiNotar, which eventually led to the Dutch government completely revoking trust in DigiNotar. The DigiNotar hack compromised Iranian citizens' electronic communications.
