Executive Summary
Since March 2011, more and more cyber attacks have surfaced across the globe, with damaging consequences both for the companies that were attacked and for the customers whose details were stolen. One such attack, on Sony’s PlayStation Network, resulted in the breach of personal details of nearly 70 million customers.
Other cyber attacks of 2011 include those on RSA, Lockheed Martin, the Gmail accounts of U.S. politicians, Citigroup and the IMF.
The above attacks, though high profile, are more or less detached from our day-to-day activities; now joining that list are the security breaches of the networks of Comodo CA, DigiNotar CA and GlobalSign CA.
In almost all of the above cases the attacks relied on the most basic attack vectors: phishing to compromise usernames and passwords, combined with SQL injection, XSS (cross-site scripting) and network penetration through known vulnerabilities.
The CA hacks used much the same attack vectors, but after the successful intrusion the hacker managed to create fake certificates for sites such as www.google.com, mail.yahoo.com and login.live.com, giving the hacker(s) the capability to intercept the traffic of thousands of users through man-in-the-middle attacks. This breach led to the bankruptcy of DigiNotar.
Investigations into most of the hacks point to the fact that almost all of the companies: a) failed to regularly maintain their servers, applications and network equipment with the latest updates; b) failed to carry out regular code review of the web applications on their web servers; c) failed in due care and due diligence activities.
Overview
Over the last six months there have been several breaches of the networks of Certifying Authorities; Comodo, DigiNotar, DigiSign and StartCom are among them. The hacker(s) have been reported to exploit common vulnerabilities in poorly maintained servers and firewalls, and to have used advanced attack methods to penetrate an HSM (Hardware Security Module) that had only a single open port. Through this document I intend to highlight the need for regular maintenance of network equipment and servers, the need for regular monitoring, and the fact that even proprietary software and hardware such as an HSM is not out of reach of determined hackers.
Finding out network information about Certifying Authorities is particularly easy because most of their activities are more or less online. Gaining access to their networks may be considered harder because, in most cases, they have fortified networks with the latest hardware and software security measures in place. Physical access to such networks is not needed because, as noted above, most of the activities are online and the information systems are more or less interconnected.
Comodo
Comodo is a well-known company in the web security arena, providing services and solutions for creating online trust. SSL certificates, code signing certificates and email security certificates are some of the products it provides.
On March 23rd, Comodo revealed that it had suffered a cyber attack that resulted in a breach of its network. The disclosure came about 8 days after the actual hack, which was carried out on 15th March, 2011.
The hacker who has claimed responsibility for the attack, through his Pastebin account, goes by the name ComodoHacker.
Comodo’s Verdict on the Attack
According to Comodo, one of its RAs (Registration Authorities) in South Africa (InstantSSL.it) suffered an attack that resulted in the breach of that RA’s account on 15th March, 2011. The RA account was then used to fraudulently issue 9 certificates across 7 different domains, among them mail.google.com, login.yahoo.com, www.google.com, login.live.com, addons.mozilla.org and login.skype.com.
Comodo claims that neither its main CA infrastructure nor its HSM or private keys were breached, and that no other RAs were compromised.
Hacker’s Standpoint
ComodoHacker claims that he managed to gain complete access to the RA network and reverse engineered the DLL (TrustDll.dll) that took care of signing certificate requests. The DLL appears to have been written in C#, and the decompiled code has been uploaded to the hacker’s Pastebin account.
Usernames and passwords were hard-coded into the DLL, which led the hacker straight to the APIs used for signing certificates. He generated his own CSRs (Certificate Signing Requests), submitted them through the signing APIs he now had access to, and so obtained fake certificates for the above-mentioned domains.
Further, the hacker claims to have gained access to the network of GlobalTrust and to have uploaded one of its database tables to his Pastebin account. He also claims that he had RDP access to the GlobalTrust server, with full administrator rights, for two full days, and that he was able to wipe two complete backups of the CA data from LG-based backup systems.
Attack Surface
Combining the information from both Comodo and the hacker, it emerges that:
- The partner network was hacked into.
- RDP access was open to EVERYONE, which is definitely not good practice.
- Usernames and passwords were hard-coded into DLL files.
- A language that can be easily decompiled (C#) was used to create something as important as these DLL files.
No forensic investigation report has been released by Comodo as of now.
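Auditing a build for exactly this defect is worth automating. The following is an added example, not code from the write-up, Comodo or the hacker: it scans a constructed byte blob standing in for a .NET assembly, where the CLR stores string literals as UTF-16LE (so an ASCII-only strings pass misses them), and flags credential-looking key/value pairs. Every string and name in the sample is made up.

```python
import re

# Constructed stand-in for part of a .NET assembly.  The CLR keeps string
# literals in the #US (user string) heap as UTF-16LE, so an ASCII-only
# "strings" pass walks straight past them.  All names/values here are made up.
SAMPLE_ASSEMBLY = (
    b"MZ\x90\x00" + b"\x00" * 12
    + "https://ra-api.example.invalid/sign".encode("utf-16-le") + b"\x00\x00"
    + b"\x01\x02\x03"
    + "apiUser=ra_operator".encode("utf-16-le") + b"\x00\x00"
    + "password=Sup3rSecret!".encode("utf-16-le") + b"\x00\x00"
    + b"plain ascii noise" + b"\x00\x00"
    + "SignCertificateRequest".encode("utf-16-le") + b"\x00\x00"
)

MIN_LEN = 6
ASCII_RE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
# Printable ASCII stored as UTF-16LE: every character is followed by a NUL.
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)
# Credential-looking key/value pairs (user=, password=, secret:, token=, ...).
CRED_RE = re.compile(
    r"(?i)(user(name)?|pass(word|wd)?|pwd|secret|api[_-]?key|token)\s*[=:]\s*\S+"
)


def extract_strings(blob: bytes):
    """Return (offset, encoding, text) for printable runs in both encodings."""
    hits = [(m.start(), "ascii", m.group().decode("ascii"))
            for m in ASCII_RE.finditer(blob)]
    hits += [(m.start(), "utf-16-le", m.group().decode("utf-16-le"))
             for m in UTF16_RE.finditer(blob)]
    return sorted(hits)


def find_hardcoded_credentials(blob: bytes):
    """Strings that look like embedded credentials, in file order."""
    return [text for _, _, text in extract_strings(blob) if CRED_RE.search(text)]


if __name__ == "__main__":
    for off, enc, text in extract_strings(SAMPLE_ASSEMBLY):
        print(f"{off:#06x} {enc:9} {text}")
    print("credential candidates:", find_hardcoded_credentials(SAMPLE_ASSEMBLY))
```

Run against a real assembly by reading the file into `blob`; a hit is a reason to move the secret into configuration or a credential store and rotate it.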
Damage
Access to fake certificates enables anyone to carry out successful man-in-the-middle attacks, in which passwords and other important data can be sniffed, effectively nullifying all the protection provided by SSL certificates.
What can we learn?
The things we may learn from this attack are:
- Partners should be made aware of the need for security in their own networks.
- Regular code review of our important sites.
- Remote Desktop connections should be either disabled or limited to a few specific IPs only.
Where does Comodo Stand?
Comodo is still operational, as it claims that its main CA network was not breached.
DigiNotar
DigiNotar, a subsidiary of Vasco based in the Netherlands, hosts multiple Certifying Authorities, ranging from a CA for SSL certificates to government-accredited certificates.
It came to light on August 29th, 2011 that a fraudulent certificate for *.google.com was in circulation on the open web. A wildcard certificate of this kind covers effectively all of Google’s sub-domains, such as mail.google.com, docs.google.com and code.google.com; a total of 26 were affected by this fake certificate.
The attacker, who goes by the pseudonym ComodoHacker, took responsibility for the attack and claimed to have a total of 500+ fake certificates, including certificates for google.com, mozilla.com and Microsoft updates.
Attack Surface
According to the hacker, he used a series of sophisticated hacks to get into the DigiNotar network at least 4-5 layers deep, to equipment that had no direct connection to the internet whatsoever.
According to Fox-IT, the company that investigated the attack on DigiNotar, many weaknesses were present in the network, namely:
- No anti-virus software on many servers.
- Anti-virus definitions were not up-to-date.
- All CA servers were part of a single domain, which effectively meant that compromising a single domain administrator account opened the door to all servers.
- Well-known tools such as Cain & Abel were used to carry out the attack, along with some specialised scripts.
- Servers were not patched appropriately, and many were missing updates completely.
- An Intrusion Prevention System was in place but was not able to block the attacks.
- The password used for the administrator account was not strong enough and could have been guessed through a brute-force attack.
- No central logging mechanism and no proper log review mechanism were in place.
These are startling findings: despite being linked with a high-profile parent company, DigiNotar’s logical security had completely lapsed.
Damage
Effectively, with access to these certificates and the ability to divert users’ traffic to hosts presenting them, successful man-in-the-middle attacks can be carried out. Possession of fake certificates alone does not have that great an impact, but the lapse in security cannot be sidelined: hacking attempts of this sort are in the wild, and effective countermeasures should be in place to nullify them.
What can we learn?
The things we may learn from this attack are:
- Regular review of traffic hitting the network perimeter, through firewall log analysis.
- Regular review of Windows system logs through Event Viewer.
- Application of Windows patches without any delay whatsoever.
- Regular maintenance (updates, logging, auditing) of security equipment, at least for the perimeter network.
- Complete segregation of the network, at least virtually if physical segregation is not possible.
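Two of the Fox-IT findings, a guessable administrator password and no log review, combine into one detectable pattern: a burst of failed RDP logons from one source followed by a success. The following is an added example, not from the write-up or the Fox-IT report; it runs over constructed, simplified Security log records (the column layout is made up, but Event ID 4625 is a failed logon, 4624 a successful logon, and logon type 10 is RemoteInteractive, i.e. RDP) and raises the alerts a central log review would want.

```python
import csv
from collections import defaultdict, deque
from datetime import datetime, timedelta
from io import StringIO

# Constructed, simplified export of Windows Security log records:
# timestamp, EventID, account, LogonType, source IP.  4625 = failed logon,
# 4624 = successful logon, LogonType 10 = RemoteInteractive (RDP).
SAMPLE_LOG = """\
2011-07-01T02:14:05,4625,Administrator,10,203.0.113.7
2011-07-01T02:14:06,4625,Administrator,10,203.0.113.7
2011-07-01T02:14:08,4625,Administrator,10,203.0.113.7
2011-07-01T02:14:09,4625,Administrator,10,203.0.113.7
2011-07-01T02:14:11,4625,Administrator,10,203.0.113.7
2011-07-01T02:14:12,4625,Administrator,10,203.0.113.7
2011-07-01T02:14:40,4624,Administrator,10,203.0.113.7
2011-07-01T03:02:00,4625,jdoe,10,198.51.100.21
2011-07-01T08:15:00,4625,jdoe,10,198.51.100.21
2011-07-01T08:15:30,4624,jdoe,10,198.51.100.21
"""

THRESHOLD = 5                   # this many RDP failures from one source ...
WINDOW = timedelta(minutes=10)  # ... inside this window is a brute-force burst


def detect_rdp_bruteforce(log_text, threshold=THRESHOLD, window=WINDOW):
    """Return (source_ip, account, kind, timestamp) alerts in log order."""
    recent = defaultdict(deque)  # source IP -> timestamps of recent 4625s
    alerts = []
    for ts_str, event_id, account, logon_type, src in csv.reader(StringIO(log_text)):
        if logon_type != "10":   # only RemoteInteractive (RDP) logons matter here
            continue
        ts = datetime.fromisoformat(ts_str)
        q = recent[src]
        while q and ts - q[0] > window:   # age out failures outside the window
            q.popleft()
        if event_id == "4625":
            q.append(ts)
            if len(q) == threshold:       # fire once as the burst crosses the line
                alerts.append((src, account, "bruteforce", ts_str))
        elif event_id == "4624" and len(q) >= threshold:
            # A success right after a burst is the guessed-password signature.
            alerts.append((src, account, "success_after_bruteforce", ts_str))
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_LOG):
        print(*alert)
```

The two isolated failures from 198.51.100.21 hours apart stay below the threshold and produce nothing, which is the behaviour you want from a detector fed a whole domain's logs.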
Where does DigiNotar Stand?
DigiNotar filed for bankruptcy on September 20th, 2011.
GlobalSign
ComodoHacker, the hacker behind the Comodo and DigiNotar hacks, claims through his Pastebin account that he has access to the GlobalSign network as well and will soon start creating fake SSL certificates, but has not declared anything further in this regard.
GlobalSign, after a brief investigation, reported that no major hack had been discovered beyond the compromise of one of its web servers, and that it had taken the necessary precautionary measures to prevent a recurrence.
The web server, according to GlobalSign, was a standalone server with no capability linked to the issuing of certificates.
ComodoHacker hasn’t released any further information as yet.
What can we learn?
The things we may learn from this standalone web server hack:
- Code review of the applications residing on the web server.
- The security of the web server itself needs to be reviewed, and the server needs to be hardened.
- Regular maintenance (updates, logging, auditing) of security equipment, at least for the perimeter network.
- Complete segregation of the network, at least virtually if physical segregation is not possible, to limit the attack surface.
References
ComodoHacker Pastebin account - http://pastebin.com/u/ComodoHacker
Trend Micro Blog - http://blog.trendmicro.com/diginotar-iranians-the-real-target/?utm_source=twitterfeed&utm_medium=twitter&utm_campaign=Feed:+Anti-MalwareBlog+%28Trend+Micro+Malware+Blog
The Register - http://www.theregister.co.uk/2011/09/07/diginotar_hacker_proof/ and http://www.theregister.co.uk/2011/09/20/diginotar_bankrupt/
Networking4All - http://www.networking4all.com/en/ssl+certificates/ssl+news/time-line+for+the+diginotar+hack/
DigiNotar Investigation Public Report - http://www.rijksoverheid.nl/bestanden/documenten-en-publicaties/rapporten/2011/09/05/diginotar-public-report-version-1/rapport-fox-it-operation-black-tulip-v1-0.pdf
GSN Magazine - http://www.gsnmagazine.com/node/22773?c=cyber_security
Comodo - http://www.comodo.com/Comodo-Fraud-Incident-2011-03-23.html