Three years after Diginotar closed, hackers still trying to use its digital certificates

Nearly three years after now-defunct Dutch digital certificate authority Diginotar was compromised, would-be hackers are still trying to use its digital certificates to sneak malware onto outdated and insecure systems, according to a Symantec security expert.

In a high-profile hack in August 2011, root certificate authority (CA) firm Diginotar was compromised; a certificate designed for the domain was stolen, allowing hackers to fraudulently represent the validity of even malware-containing Web sites as being a legitimate Google site. Among other things, the certificate was used to compromise the security of hundreds of thousands of Iranian internet users.

This single incident compromised the entire reliability of Diginotar's certificate authority business and, a month later, the company was forced to shut its doors after major browser makers updated their certificate revocation lists (CRLs) so that certificates issued by Diginotar would no longer be recognised as acceptable proof of online identity.

Yet hackers still try their best, lacing malicious Web sites with malware and signing the sites with the now-unusable digital certificate in an attempt to catch out unwitting users of old systems, according to Symantec senior principal systems engineer Nick Savvides.

"We continue, even to this day, to find that fraudulent certificates are used by attackers who are hoping the users are using old browsers and old operating systems that haven't been updated to have the root certificate authority removed. The whole system relies not only on the technology on our side, but on the ability of the client to verify the information that's presented to them."

The successful breach was a significant coup for hackers that have long run a multi-fronted campaign against root certificate authorities such as Diginotar and other breached CAs like Komodo and GlobalSign. They are a sobering reminder for surviving companies like Symantec, whose own CA operation is one of the world's busiest and includes a Melbourne-based facility where Savvides and some 80 others work around the clock to ensure the integrity of the certificates they issue.

The staff at the Melbourne facility, which CSO Australia visited this week in a rare opportunity to see the inner workings of the global CA business, go through extensive training in detecting attempts by hackers to use everything from social-engineering attempts to falsified documents to access or steal the legitimate digital certificates that form the basis of the Internet's global public key infrastructure ubiquitous SSL security.

Attempts to bypass security checks are often easy to detect – the facility has received everything from forged UK driving licenses with the word 'Kingdom' spelt 'K-I-M-G-D-O-M' to documents with incorrect business identification numbers and falsified stamps allegedly from notaries in India.

Phone-based customer service operators regularly receive calls from people trying to sweet-talk their way through Symantec's multi-factorial authentication system – and they're persistent: one person, Savvides recalled, rang the company five days in a row trying to get a different customer service representative each time.

With an operational scope that covers 33 countries around the Asia-Pacific region, every quarter the Melbourne facility investigates over 10,000 organisations and companies, secures over 40,000 new Web servers, and validates over 5000 merchants and developers. It also validates nearly 2000 users of Gatekeeper, the Australian government-run PKI infrastructure used to manage secure access to online government services.

"Because we have a multi layered approach to security, people try to attack us through the network, attack us, attack our applications," he said. "At one point it was one of the most highly attacked networks globally. However, the hackers have moved on to try to attack people and process instead of the technology."

With some 14 billion transactions authorised daily using Symantec-issued digital certificates, there has never been so much at stake – particularly with mobile devices further increasing volumes at a breakneck pace.

"Not long ago we were saying 4.5 billion queries per day was enormous, but the explosion of mobile has driven that to 14 billion in just 18 months," Savvides said. Symantec had pioneered the use of new techniques such as elliptical curve cryptography (ECC), as the largest CAs work to add additional protection that differentiates them from lower-end CAs often created to handle shorter-term certificates.

"This is a trust model and you have to trust people," he continued. "Diginotar could no longer trade because people didn't trust them any more. It was a really major thing to happen to PKI, and as a result the industry has worked to tighten everything up. The bar has been raised as an industry, as a whole."

Follow @CSO_Australia and sign up to the CSO Australia newsletter.

Tags DigiNotarmalwaredigital certificates

Show Comments