Unpatched server led to GlobalSign breach

GlobalSign failed to update one of its web servers, which allowed a hacker to access it, and led to the company ceasing operations for more than a week.
Written by Zack Whittaker, Contributor

GlobalSign was left red-faced after one of its web servers was hacked last year. It turns out the breach was due to a piece of open-source software not being updated, a senior GlobalSign executive told sister site ZDNet UK.

The company ceased issuing certificates and shut down its operations. GlobalSign said it keeps its SSL-certificate issuing infrastructure "separate" from its website --- a common practice --- and reiterated that its operations were secure.

GlobalSign's own website, the site's certificate, and some other public-facing documents were compromised during the hack, but no other servers were breached.

The SSL certificate issuing giant tore down and rebuilt its systems after the web server was accessed by a hacker going by the name 'Comodohacker'.

It resumed issuing website certificates a week later and said it had "learned much" from the incident.

An external audit showed that GlobalSign's operations were safe and secure, but its website certificate was taken and could have been used to impersonate the company's website.

GlobalSign's root certificate is disconnected from the Web, and cannot be accessed without a series of stringent security checks. ZDNet UK reports: "a person must retrieve the machine [holding GlobalSign's root certificate] from a locked box, insert a number of smart cards, and type in multiple PINs and access codes."

The breach came only weeks after DigiNotar, a Dutch certificate authority that issued SSL certificates for the Dutch government among others, was compromised and subsequently went bankrupt. Over 500 certificates were thought to have been stolen. The Dutch government said it could "not [at the time] guarantee the security" of its online services.

Another Dutch issuer, KPN, suspended its operations after a security breach was discovered in November.
