<<< NEWS FROM THE LAB - Tuesday, August 30, 2011 >>> ARCHIVES | SEARCH DigiNotar Hacked by Black.Spook and Iranian Hackers Posted by Mikko @ 09:05 GMT DigiNotar is a Dutch Certificate Authority. They sell SSL certificates.







Somehow, somebody managed to get a rogue SSL certificate from them on July 10th, 2011. This certificate was issued for domain name .google.com.



What can you do with such a certificate? Well, you can impersonate Google — assuming you can first reroute Internet traffic for google.com to you. This is something that can be done by a government or by a rogue ISP. Such a reroute would only affect users within that country or under that ISP.



But why would anybody want to intercept Google? Well, this is not really about the search engine at www.google.com. This is about the Gmail servers at mail.google.com and Google Docs at docs.google.com and maybe Google+ at plus.google.com.



We saw a similar attack in May (via Certificate reseller instantssl.it in Italy). That case was tied to Iran. So is this one. It's likely the Government of Iran is using these techniques to monitor local dissidents.



Iran does not have its own Certificate Authority. If they did, they could just issue rogue certificates themselves. But since they don't, they need such certificates from a widely trusted CA. Such as DigiNotar.



How was DigiNotar breached? We don't know yet.



But here's something we just discovered.



This is a screenshot of the page online right now at https://www.diginotar.nl/Portals/0/Extrance.txt:







DigiNotar's portal has been hacked. Somebody claiming to be an Iranian Hacker has gained access.



This would look like a smoking gun. Obviously this has to be connected somehow to the rogue certificate.



But if you keep looking, you'll find this page from https://www.diginotar.nl/Portals/0/owned.txt:







Another Iranian hacker group?



If you keep digging deeper, you'll find that although these web defacements are still live right now, they are not new. Much worse: they were done years ago.



Here's another one, done in May 2009 by Turkish hackers at https://www.diginotar.nl/Portals/0/fat.txt:







In fact, these hacks are so old, it's unlikely they are connected to the current problem. Or at least so we hope.







P.S. The news of the whole incident was first broken on Twitter by S. Hamid Kashfi (@hkashfi). He has blogged about man-in-the-middle attacks in Iran already in 2010. Here's his blog post from May 2010 (via Google Translate).







P.P.S. More on problems with SSL as a whole in one of our previous blog posts.



P.P.P.S. DigiNotar's public statement on the breach is out now. It raises more questions than answers. DigiNotar indeed was hacked, on the 19th of July, 2011. The attackers were able to generate several fraudulent certificates, including possibly also EVSSL certificates. But while DigiNotar revoked the other rogue certificates, they missed the one issued to Google. Didn't DigiNotar think it's a tad weird that Google would suddenly renew their SSL certificate, and decide to do it with a mid-sized Dutch CA, of all places? And when DigiNotar was auditing their systems after the breach, how on earth did they miss the Iranian defacement discussed above?



Updated to add: As September 5th, here's the list of known domains that the attacker managed to create fake certificates for:



*.*.com

*.*.org

*.10million.org

*.android.com

*.aol.com

*.azadegi.com

*.balatarin.com

*.comodo.com

*.digicert.com

*.globalsign.com

*.google.com

*.JanamFadayeRahbar.com

*.logmein.com

*.microsoft.com

*.mossad.gov.il

*.mozilla.org

*.RamzShekaneBozorg.com

*.SahebeDonyayeDigital.com

*.skype.com

*.startssl.com

*.thawte.com

*.torproject.org

*.walla.co.il

*.windowsupdate.com

*.wordpress.com

addons.mozilla.org

azadegi.com

friends.walla.co.il

login.live.com

login.yahoo.com

my.screenname.aol.com

secure.logmein.com

twitter.com

wordpress.com

www.10million.org

www.balatarin.com

www.cia.gov

www.cybertrust.com

www.Equifax.com

www.facebook.com

www.globalsign.com

www.google.com

www.hamdami.com

www.mossad.gov.il

www.sis.gov.uk

www.update.microsoft.com



In addition, the attacker created rogue certificates for these names:



Comodo Root CA

CyberTrust Root CA

DigiCert Root CA

DigiCert Root CA

Equifax Root CA

Equifax Root CA

GlobalSign Root CA

Thawte Root CA

VeriSign Root CA









