Spy agencies hit by CA hack; Iran suspected

Fraudulent SSL certificates from the DigiNotar breach soar to 531 and affect intelligence agencies such as the CIA and Mossad, one report notes. Another says the Dutch government is looking into possible Iranian involvement.

The ramifications of Dutch certificate authority (CA) DigiNotar's security breach in July continue to unfold, with the number of stolen digital certificates exceeding 500, including those of intelligence services and social networking sites, one report noted.

Technology news site ComputerWorld reported Sunday that the latest tally of compromised digital certificates stood at 531. Mozilla Foundation developer Gervase Markham, who is part of a team working to modify Mozilla's Firefox browser to block sites signed with the fraudulent certificates, was cited as saying that the affected domains included those of the intelligence services CIA, MI6 and Mossad, as well as Yahoo, Skype, Facebook, Twitter, Microsoft and its Windows Update service.

The report added that criminals or governments could use the stolen certificates to conduct "man-in-the-middle" attacks, tricking users into thinking that they are visiting a legitimate site when in fact their communications are being secretly intercepted.

DigiNotar announced last week its network had been hacked in July. According to an Aug. 30 statement issued by Vasco Data Security International, of which DigiNotar is a wholly-owned subsidiary, the Dutch CA discovered an intrusion in its infrastructure on Jul. 19, 2011. This resulted in the fraudulent issuance of public key certificate requests for a number of domains, including Google.com, it stated.

Following the intrusion, an external security audit concluded that all fraudulently issued certificates had been revoked. However, DigiNotar was recently notified by the Dutch government organization Govcert that at least one compromised certificate had not been revoked. DigiNotar subsequently revoked that certificate, the statement noted.

"The attack was targeted solely at DigiNotar's Certificate Authority infrastructure for issuing SSL (secure sockets layer) and EVSSL (extended validation SSL) certificates. No other certificate types were issued or compromised," Vasco stated. DigiNotar also stressed that the vast majority of its business, including its Dutch government business PKIOverheid, was "completely unaffected" by the attack.

Director of Firefox Engineering Johnathan Nightingale noted in a blog post last Friday that this is no longer the case. He pointed out that the Dutch government has audited DigiNotar's performance and has rescinded its initial assessment that the PKIOverheid-issued certificates were not compromised.

"We are now removing the exemption for these certificates, meaning that all DigiNotar certificates will be untrusted by Mozilla products," he said. "We understand that other browser vendors are making similar changes."

Nightingale acknowledged that complete revocation of trust is a decision Mozilla treats with "careful consideration, and employs as a last resort". DigiNotar's failure to notify Mozilla, the unknown scope of the breach, and the fact that the attacks are not "theoretical" were the three main reasons for the browser maker's decision to revoke trust in DigiNotar's certificates, he said.

"We have no confidence that the problem has been contained. Furthermore, DigiNotar's failure to notify leaves us deeply concerned about our ability to protect our users from future breaches," the director added.

This lack of confidence is in contrast with a similar incident with Comodo earlier this year, he noted. Then, Mozilla had worked closely with the CA to block a set of mis-issued certificates that were detected, contained and reported to the browser maker immediately, he added.
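What "untrusting" a CA means at the verifier is easy to show in code. The following is an added example, not code from the article or from Mozilla: it builds an in-memory root CA and a server certificate signed by it (constructed placeholders, not DigiNotar's material), then validates the same certificate once with the root in the trust store and once with the root removed, which is the effect of the browser change described above.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

func must[T any](v T, err error) T { // fixtures are constructed here, so a failure is a coding bug
	if err != nil {
		panic(err)
	}
	return v
}

// makeCert issues a constructed certificate for name: a self-signed root CA when parent is
// nil, otherwise one signed by parent's key, as a CA signs a server certificate.
func makeCert(name string, isCA bool, serial int64, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: name}, IsCA: isCA,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	if !isCA {
		tmpl.DNSNames = []string{name} // hostname checks match the SAN, not the CN
	}
	signer, signerKey := tmpl, key // self-signed unless a parent CA is given
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey))
	return must(x509.ParseCertificate(der)), key
}

// DemoDistrust validates a leaf for host with its issuing root in the trust store and again
// with the root removed: the signature is still valid, but path validation now fails.
func DemoDistrust(host string) (withRoot, withoutRoot error) {
	root, rootKey := makeCert("Constructed Root CA", true, 1, nil, nil)
	leaf, _ := makeCert(host, false, 2, root, rootKey)
	trusted := x509.NewCertPool()
	trusted.AddCert(root)
	_, withRoot = leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: trusted})
	_, withoutRoot = leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: x509.NewCertPool()})
	return withRoot, withoutRoot
}
```

The second result is an UnknownAuthorityError: nothing about the certificate changed, only the verifier's trust store, which is why a distrusted CA's otherwise valid certificates stop working everywhere at once.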

Iran involvement being investigated
Reuters also reported on Sunday that the Dutch government is investigating whether Iran may have been involved in hacking Dutch state Web sites after the digital certificates were stolen. Dutch Interior Ministry spokesman Vincent van Steen confirmed a report by Dutch news agency ANP, saying the cabinet was looking into whether the Iranian government played a part in the intrusion.

These government Web sites may no longer be safe after the DigiNotar incident, the Interior Ministry said in a statement.

Internet security experts interviewed by Reuters said it was possible the hacking originated from Iran and involved state support.

Ross Anderson, professor in security engineering at Cambridge University, for one, said the "cui bono test" suggests Iranian state involvement, but noted the government "will try to blame some hacker group" or else remain silent on the matter.

"To use the forged certificate to do a man-in-the-middle attack on [Google's Gmail], you need to be in a position to be the man in the middle, which means you usually have to be an Internet service provider (ISP) or in a position to compel an ISP to do your bidding. That means proximity to government," Anderson explained.

The attack on Comodo was also said to be linked to Iran.