Certificate Authority Uncovers Old Breach

Remember the Netherlands-based certificate authority DigiNotar that was hacked and then went out of business? Well, now the largest CA in the Netherlands, KPN/Getronics, also has been breached and, for now, has suspended issuing digital certificates.

KPN announced this week that it has suspended issuing certificates after discovering the breach of a PKI-related Web server with a distributed denial-of-service tool that apparently had been sitting on the server for at least four years.

The company said existing certificates are valid, but that the firm is having the potential breach investigated and halted issuing certificates as a precaution. "Although there is no evidence that the production of the certificate is compromised, it can not be completely excluded that this did happen," according to a Google translation of the statement. "Therefore, KPN Corporate Market (formerly Getronics) decided the application and issuance of new certificates temporarily discontinued, pending further investigation. This is to ensure that the certificates be issued optimal procedure is safe and reliable. KPN has replaced the web servers."

Interestingly, KPN recently said it had picked up some of DigiNotar's old customers after that firm went out of business. DigiNotar filed for bankruptcy, and its parent company, VASCO, exited the CA business altogether.

Meanwhile, last week Malaysia-based CA reseller Digicert revoked some of its own digital certificates for security reasons, and Mozilla and Microsoft began blocking them.

With the string of CA breaches and the apparent targeting of CAs by Duqu, it's a bad time to be a CA. Dave Marcus, director of security research and communications for McAfee, says the string of CAs getting attacked has major implications. "This is turning into a big deal," he says. "[Attackers] are going after CAs as an industry."

Marcus says this new trend in attacks goes after an entire trust model. "It's not just the website aspect. It's part of the OS ... and the signing of drivers and files. People don't realize what a big deal this potentially is."

And there will be more, security experts predict.

"One of the questions that should also be answered is how a DDoS tool went undetected for four years. However, as companies are ramping up internal security I fully expect to see more 'old breaches' like this one uncovered," Roel Schouwenberg, senior antivirus researcher for Kaspersky Lab, said in blog post on Friday.

"What's particularly interesting about KPN's statement is that it could be interpreted as them saying already issued certificates will remain valid (no matter what). KPN is a much bigger certificate authority than Diginotar. Possibly, people could be going into this with the idea of KPN being too big too fall."

A compromised CA and the bad guys issuing phony digital certificates isn't something organizations can easily defend against, either. "It's not an 'update your DAT' issue or 'make sure your firewall is configured a certain way' issue," McAfee's Marcus says. "So much of the remediation lies outside the hands of the end user and the security company."

It also poses potential problems for whitelisting, he says. "Driver-signing is a big portion of that," Marcus says. What if a whitelisted software driver actually has a rogue certificate, he says. "There are big questions that have to be asked here."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.