Operation Black Tulip: Fox-IT’s report on the DigiNotar breach

Creative Commons photo of black tulip courtesy of Photography_Gal's Flickr photostreamFox-IT, the security auditors hired to investigate the compromise of DigiNotar, the digital certificate authority that signed fraudulent certificates for Google, the CIA and others, released their preliminary findings this afternoon.

It’s at least as bad as many of us thought. DigiNotar appears to have been totally owned for over a month without taking action, and they waited another month to take necessary steps to notify the public.

Fox-IT’s report shows that the initial compromise appears to have occurred on June 17th, 2011. On the 19th DigiNotar noticed the incident, but doesn’t appear to have done anything about it.

July 2011 calendarThe first rogue certificate (as far as we know), *.google.com, was issued on July 10th, 2011. All of the other 530 rogue certificates were issued between July 10th and 20th.

There are several very disturbing conclusions about security at DigiNotar and the investigation isn’t even complete yet:

  1. All of the certificate servers belonged to one Windows domain, allowing the compromise of one administrator account to control everything.

  2. The administrator password was simple and could be easily brute forced.
  3. Much of the malware and tools used in the attack would have been easily detected by anti-virus, had it been present.
  4. The software on public-facing servers was out of date and unpatched.
  5. They had no centralized nor secure logging.
  6. There was no effective separation of critical components.

The attacker left behind a message in one of the scripts used to generate the rogue certificates, arguably tying this attack to the earlier attack against Comodo back in March of this year.

The message reads in part:

“THERE IS NO ANY HARDWARE OR SOFTWARE IN THIS WORLD EXISTS WHICH COULD STOP MY HEAVY ATTACKS
MY BRAIN OR MY SKILLS OR MY WILL OR MY EXPERTISE”

Flag of IranFox-IT analyzed the lookups against DigiNotar’s OCSP servers (which browsers check to see if a certificate has been revoked) and determined that during the active attack period more than 99% of queries originated in Iran.


Video showing origin of OCSP queries against DigiNotar’s servers courtesy of Fox-IT.

This is the most solid evidence yet that these certificates may have been used by the Iranian government or ISPs to spy on private communications of Iranian internet users.

Many of the other requests not originating from Iran appear to have originated via Tor exit nodes or other proxies used by Iranians to avoid censorship.

This indicates that the method used to perform the man-in-the-middle attacks with these certificates likely depended on DNS poisoning at the ISPs.

While some folks are complaining that too much fuss is being made over this attack, it is far more important than many other stories that the security press have been obsessed with over the last two years.

This incident demonstrates in a real way the fragility of the SSL/TLS certificate trust model in use on the net today.

ConvergenceI hope adoption of replacement technologies like Moxie Marlinspike’s Convergence take off in a meaningful way to provide us with more confidence in the security of our communications.

We now know not to trust certificates issued by DigiNotar, but how many of the 600+ other certificate authorities have similar security holes and may already be compromised?

Creative Commons photograph of a black tulip courtesy of Photography_Gal’s Flickr photostream.