
GlobalSign Web Server Hacked, But Not CA

timothy posted more than 2 years ago | from the goes-the-story-thus-far dept.

Security 35

Trailrunner7 writes "GlobalSign has found evidence that its main Web server was compromised recently, but has not discovered any indications that its certificate authority infrastructure was hacked, contrary to claims by the attacker responsible for the DigiNotar CA hack."


35 comments


uno (-1)

Anonymous Coward | more than 2 years ago | (#37364394)

first

Correction: (1)

Anonymous Coward | more than 2 years ago | (#37364418)

by the _self claimed_ attacker _supposedly_ responsible for the DigiNotar CA hack**

Re:Correction: (0)

Anonymous Coward | more than 2 years ago | (#37364480)

by the _self claimed_ attacker _supposedly_ responsible for the DigiNotar CA hack**

who signed Microsoft's calc.exe with a Google code signing certificate issued by DigiNotar (revoked by now) http://pastebin.com/jhz20PqJ

What Style! What Panache! (1)

Anonymous Coward | more than 2 years ago | (#37364678)

Well then. He certainly sounds like an arrogant prick.

Re:Correction: (0)

Anonymous Coward | more than 2 years ago | (#37366552)

But he didn't sign anything with GlobalSign's certificate yet.

Hint: Not GlobalSign (2)

sudonim2 (2073156) | more than 2 years ago | (#37364444)

Guess who I'm more inclined to believe: an anonymous supposed hacker or a certificate CA?

Re:Hint: Not GlobalSign (1)

Baloroth (2370816) | more than 2 years ago | (#37364470)

Well, since the hacker only seems to have claimed (according to TFA) that he got access to their webserver, how about both?

Re:Hint: Not GlobalSign (0)

Anonymous Coward | more than 2 years ago | (#37364476)

I suppose if the Comodohacker has the goods, he won't hesitate to expose GlobalSign if they are lying.

Re:Hint: Not GlobalSign (1)

shutdown -p now (807394) | more than 2 years ago | (#37364560)

If his intent is to cause damage by spreading panic, then it's quite reasonable for him to wait for some time - let folk scramble to fix the problem with DigiNotar first, then he can drop the next bomb on them.

Both have good reasons to lie (3, Interesting)

nzac (1822298) | more than 2 years ago | (#37364488)

The hacker who wants some credibility.

The company who might get their certificates revoked.
Seriously, how hard would you look for the security breach that would destroy the entire company (it appears to be their only product)? You can go back later and say you found the breach.

There is far too much money at stake to trust the company.

Hoooraaaaay! (0)

roman_mir (125474) | more than 2 years ago | (#37364474)

So nothing to see here, right? Move right alone. This is double plus excellent news, just wonderful. You all should have a glass of milk with cookies.

Why am I not believing a word anybody who is in any sort of power and wants to stay in power says anymore I wonder? They may even be telling the truth, it doesn't matter.

Re:Hoooraaaaay! (0, Troll)

roman_mir (125474) | more than 2 years ago | (#37364484)

Move right along of course, though it may be alone too. As always, the inner-grammar nazi strikes too late. And it's not a very strict nazi, he doesn't really bother with correct punctuation much. It's a half nazi half old Jew from Odessa - aaaaah, what are you going to do?

Re:Hoooraaaaay! (1)

cffrost (885375) | more than 2 years ago | (#37374734)

- aaaaah, what are you going to do?

Burn more karma, apparently.

Re:Hoooraaaaay! (1)

roman_mir (125474) | more than 2 years ago | (#37374920)

Well, that's pretty stupid moderation.

I'm sorry for disrespecting the Bing! (0)

Anonymous Coward | more than 2 years ago | (#37364516)

Honest!

They found a compromise... (3, Informative)

mysidia (191772) | more than 2 years ago | (#37364552)

The CA/PKI might not have been invaded yet. A compromise of a website can lead to an intruder gaining further access, however.

Suffice to say... access to a webserver is a foothold that an intruder can attempt to leverage to gain further access. Depending on how robust the further lines of defenses are, and if any security mistakes were made (such as webservers allowed through firewalls to some internal hosts or credentials the intruder can capture that can lead to access to systems closer to back office or CA functions).

Even a compromise that doesn't result in immediate PKI access may lead to that, through additional successive breaches, and successive social engineering... also known as "Advanced Persistent Threat" (to use the latest lingo for referring to the situation).

Re:They found a compromise... (1)

Anonymous Coward | more than 2 years ago | (#37364802)

Ummm... You're assuming the website is connected, logically or physically, to their CA infrastructure. Fundamentally what you're saying is true, but so is "someone broke a car in their parking lot so they may be able to issue their own certs." You're making assumptions about their web infrastructure, what was broken into, and what "break into" means.

Re:They found a compromise... (1)

devincook (1929234) | more than 2 years ago | (#37364972)

Well, another thing they could potentially do is replace the public root certs hosted on the web site with their own... Then anyone who goes looking for that CA's root cert on the site will get the malicious one, opening them up to MITM attacks. Secure key distribution can be difficult.

Re:They found a compromise... (1)

mysidia (191772) | more than 2 years ago | (#37365174)

It's reasonable to assume the website is logically connected. CAs generally execute their transactions through the website. Especially for domain validated certs, usually the process of issuing a certificate is entirely automatic -- the customer logs in through the website, requests a certificate either by filling out a form or sending in a CSR. If they fill in a form and the CA generates their private key, the person who compromised the website might be able to steal the customer's private key, when the customer downloads it using the website.

Anyways, some kind of validation e-mail goes out to the domain's administrative contacts for a domain-validated cert. The last step is the customer clicks on a link in the e-mail, which contains a link to guess what? A page on the CA's website.

So someone who gained illicit access to the website is potentially in a position to snoop on all that traffic, and possibly generate 'false' traffic of that nature some time in the future. Web designers who do some scripting often aren't well versed in software security design -- there's a good chance that scripts on the website have access to backend databases -- possibly sufficient access to create a false customer record or falsify a "domain verification".

Ummm... You're assuming the website is connected, logically or physically, to their CA infrastructure. Fundamentally what you're saying is true, but so is "someone broke a car in their parking lot so they may be able to issue their own certs."

If someone broke into a car in the parking lot, there might be a chance they could lie in wait for the PKI admin who owns the car to get in, so they can put a gun to their head, and force them to login using the perp's Wifi-enabled laptop, grab the private keys and divulge the passphrase to unlock them.

Re:They found a compromise... (2)

Dewin (989206) | more than 2 years ago | (#37365234)

It's reasonable to assume the website is logically connected. CAs generally execute their transactions through the website. Especially for domain validated certs, usually the process of issuing a certificate is entirely automatic -- the customer logs in through the website, requests a certificate either by filling out a form or sending in a CSR. If they fill in a form and the CA generates their private key, the person who compromised the website might be able to steal the customer's private key, when the customer downloads it using the website.

It's been a while, but I do not believe there is any point in the CSR process where the CA ever gets a copy of your private key.

Re:They found a compromise... (0)

Anonymous Coward | more than 2 years ago | (#37365334)

Some CAs will offer to generate a key pair for you, so you don't have to create a CSR - they send you a private key and a certificate. It is not how X.509 is supposed to work, but....

[citation needed] Re:They found a compromise... (1)

rtfa-troll (1340807) | more than 2 years ago | (#37366706)

Some CAs will offer to generate a key pair for you, so you don't have to create a CSR - they send you a private key and a certificate. It is not how X.509 is supposed to work, but....

Interesting; but without a specific list of what you mean by "some CAs" not very useful. Does anyone have a list?

Re:[citation needed] Re:They found a compromise... (1)

raynet (51803) | more than 2 years ago | (#37366760)

StartSSL does this and I recall seeing that feature on a couple of other CAs too; it makes things easier for the random customer as they can just purchase the certificate without hassling their own IT department. Not that good an idea for security though.

Re:They found a compromise... (0)

Anonymous Coward | more than 2 years ago | (#37366640)

If they ask for it, it's either a fraud or they've been compromised more than George Michael's butt on a Saturday.

Re:They found a compromise... (1)

_Shad0w_ (127912) | more than 2 years ago | (#37366540)

If I had to guess I'd say the front end probably places the incoming CSRs somewhere the actual CA infrastructure can get them - possibly a common database in a DMZ - but there'd never be any direct communication between the two, they always go via the passive intermediary.

Re:They found a compromise... (1)

Lennie (16154) | more than 2 years ago | (#37364932)

Just an example, it can be used to get the cookies/login-information from all the customers.

Realistically (2)

Pop69 (700500) | more than 2 years ago | (#37364636)

They should be assuming their CA is compromised and acting accordingly.

Any other way of looking at it is stupidity of the highest order

Re:Realistically (0)

Anonymous Coward | more than 2 years ago | (#37365110)

Exactly.

Say you run a server.
Now you've got some very suspicious stuff going on, including somebody openly claiming he hacked your server.
So you check everything for a breach, but you find nothing.
Would you still trust your server for even one second?

I have been re-installing my whole system, making everything new, keys, passwords, configurations, auditing everyone again who gets access in any case, adding additional security checks, etc, just out of some suspicious activity in some logs.

But of course their whole business depends on them appearing "trustworthy". So they think that when they say there was a breach, they would lose their reputation.
What they don't realize: By saying "We found nothing." instead of "We can guarantee that there is nothing.", they already lost their trust.
It's too late guys.

On the other hand, I think that hacker had better show some proof of him accessing the system. Because one single statement having the power to wreck a whole company just is deeply wrong, man.
I don't believe either "side". (Actually I don't "believe" at all. I observe, I create theories, and I test if they have useful predictions. Because if there is a "real reality", any scientist knows that we can never know it for sure.)

Not CA (2)

andresambrois (1235832) | more than 2 years ago | (#37364648)

..., But Not CA

For some reason my mind actually read that as "..., But No Cigar". Good Job.

Re:Not CA (1)

Taty'sEyes (2373326) | more than 2 years ago | (#37365138)

..., But Not CA

For some reason my mind actually read that as "..., But No Cigar". Good Job.

I read it as, "..., but not California". SMILE

Or simply copy all newly issued certificates? (0)

Anonymous Coward | more than 2 years ago | (#37365446)

Do that for a year, and you have a copy of all certificates issued by GlobalSign, no need to hack anything. Unless of course certificate submission doesn't go through their www server.

Re:Or simply copy all newly issued certificates? (1)

tepples (727027) | more than 2 years ago | (#37365606)

You can get a copy of the server's public key and the certificates that verify it by just connecting to the server's public IP address on port 443.

Re:Or simply copy all newly issued certificates? (1)

blowdart (31458) | more than 2 years ago | (#37365634)

And that's meaningless. When you submit a certificate signing request to a CA you are sending the public key of the certificate you want validated. The CA performs their checks, then signs that public key and sends it back to you, where you pair it with your private key that has never left your possession and you have a full certificate.

So copying the certificates wouldn't be a problem; heck, that part of the certificate is viewable to any browser.
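The CSR flow blowdart describes, as an added example that is not part of the thread. It assumes the openssl command-line tool, a constructed sample domain example.test, and a throwaway self-signed CA standing in for the real issuer: the customer's private key is generated locally, the CSR handed to the CA carries only the public key, and the issued certificate is the CA's signature over that same public key.

```shell
#!/bin/sh
# Added example (not from the thread): a CSR carries only the customer's
# public key, and the CA returns a signature over that key; the private
# key never has to leave the customer's machine.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CN="example.test"   # constructed sample domain, not a real customer

# Customer side: key pair generated locally and kept locally.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/customer.key" 2>/dev/null
openssl req -new -key "$WORK/customer.key" -subj "/CN=$CN" \
    -out "$WORK/customer.csr" 2>/dev/null

# Toy CA (self-signed root) standing in for the issuing CA.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Toy CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null

# Returns 0 if the CSR contains no private-key material at all.
csr_has_no_private_key() {
    ! grep -q "PRIVATE KEY" "$WORK/customer.csr"
}

# Returns 0 if the public key inside the CSR is exactly the one derived
# from the customer's local private key.
csr_pubkey_matches_local_key() {
    a=$(openssl req -in "$WORK/customer.csr" -noout -pubkey 2>/dev/null)
    b=$(openssl pkey -in "$WORK/customer.key" -pubout 2>/dev/null)
    [ "$a" = "$b" ]
}

# CA side: sign the CSR. Returns 0 if the issued cert chains to the toy CA
# and still carries the customer's public key, i.e. nothing secret changed hands.
issue_and_verify() {
    openssl x509 -req -in "$WORK/customer.csr" -CA "$WORK/ca.crt" \
        -CAkey "$WORK/ca.key" -set_serial 1 -days 1 \
        -out "$WORK/customer.crt" 2>/dev/null
    openssl verify -CAfile "$WORK/ca.crt" "$WORK/customer.crt" >/dev/null 2>&1 || return 1
    c=$(openssl x509 -in "$WORK/customer.crt" -noout -pubkey 2>/dev/null)
    k=$(openssl pkey -in "$WORK/customer.key" -pubout 2>/dev/null)
    [ "$c" = "$k" ]
}

csr_has_no_private_key && csr_pubkey_matches_local_key && issue_and_verify \
    && echo "CSR holds only the public key; issued cert matches the local key"
```

The contrast with the CA-generated-key offering discussed further up the thread is that in that flow the private key does travel through the CA's website, which is exactly the asset a web-server compromise could intercept.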

Re:Or simply copy all newly issued certificates? (1)

TheRaven64 (641858) | more than 2 years ago | (#37366954)

Or you could just go to the web sites in question and they will just give you the public keys without needing any hacking!

More importantly, if you have compromised the web server, then you can upload your own CSR for any of their customers' domains and get a signed certificate back...

Oh, they did their own audit (1)

Legion303 (97901) | more than 2 years ago | (#37367766)

I mean, it's not like they stand to lose their entire business if they were compromised or anything. I'm sure they can be trusted.
