Jul 11, 2012 5:51:39 AM
DigiNotar: What Went Wrong?

Why PKI Procedures are so important to your business

Most people who are familiar with Public Key Infrastructure are aware of the unfortunate events that befell the Dutch public CA DigiNotar. As both a Dutch native and a PKI specialist, I took a particular interest in this event. At the time this occurred, back in September 2011, I happened to be in The Netherlands, and was fortunate enough to be able to see and read things first hand.

DigiNotar was the first public CA that went bankrupt because of being hacked. This is extremely significant to the PKI world, as it demonstrates how essential PKI security and following procedures are to simply keeping a company in business. Moreover, DigiNotar’s bankruptcy might have been prevented if they had simply done what I feel to be one of the most important aspects of IT security: following procedures perfectly, each and every time.

Here is a brief timeline of the events published in the interim report (“Operation Black Tulip”) by Fox-IT:

  • 06-Jun-2011: Possibly first exploration by the attacker(s)
  • 17-Jun-2011: Servers in the DMZ in control of the attacker(s)
  • 19-Jun-2011: Incident detected by DigiNotar by daily audit procedure
  • 02-Jul-2011: First attempt creating a rogue certificate
  • 10-Jul-2011: The first successful rogue certificate (*.Google.com)
  • 20-Jul-2011: Last known successful rogue certificate was created
  • 22-Jul-2011: Last outbound traffic to attacker(s) IP (not confirmed)
  • 22-Jul-2011: Start investigation by IT-security firm (not confirmed)
  • 27-Jul-2011: Delivery of security report of IT-security firm
  • 27-Jul-2011: First rogue *.google.com OCSP request
  • 28-Jul-2011: First seen that rogue certificates were verified from Iran
  • 04-Aug-2011: Start massive activity of *.google.com on OCSP responder
  • 27-Aug-2011: First mention of *.google.com certificate in blog
  • 29-Aug-2011: GOVCERT.NL is notified by CERT-BUND (Germany)
  • 29-Aug-2011: The *.google.com certificate is revoked
  • 30-Aug-2011: Start investigation by Fox-IT
  • 30-Aug-2011: Incident response sensor active
  • 01-Sep-2011: OCSP based on white list
  • 20-Sep-2011: DigiNotar files for bankruptcy
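As an added example (not from the original post, and not DigiNotar's or Fox-IT's code), here is the whitelist-based OCSP policy from the timeline expressed in Python: the responder answers "good" only for serials present in the CA's own issuance records, and it counts requests for serials the CA never issued, which is the signal that appears in the timeline as rogue certificates being verified and as massive activity on the OCSP responder. All serial numbers, hostnames, IP addresses and log lines are constructed.

```python
"""Added example (not from the original post): an OCSP responder policy that
answers from a whitelist of serial numbers the CA actually issued. A request for
a serial that is NOT in the issuance records is answered 'revoked' and counted,
because such a serial can only belong to a certificate created outside normal
procedures. All serials, IP addresses and log lines here are constructed."""
from collections import Counter

# Constructed issuance records: serial -> subject, as the CA's database would hold.
ISSUED = {
    "0a1b2c": "www.example-customer.nl",
    "0a1b2d": "mail.example-customer.nl",
}
REVOKED = {"0a1b2d"}  # serials the CA has formally revoked


def ocsp_status(serial: str) -> str:
    """Whitelist policy: 'good' only for a known, unrevoked serial.
    An unknown serial was never issued here, so it is reported as 'revoked'
    rather than 'unknown', so a client that honours the response rejects it."""
    if serial not in ISSUED or serial in REVOKED:
        return "revoked"
    return "good"


# Constructed OCSP access log, one request per line: "<date> <client_ip> <serial>".
OCSP_LOG = """\
2011-07-27 203.0.113.10 0a1b2c
2011-07-27 198.51.100.7 ffee01
2011-08-04 198.51.100.7 ffee01
2011-08-04 198.51.100.8 ffee01
2011-08-04 203.0.113.11 0a1b2d
"""


def unknown_serial_requests(log: str) -> Counter:
    """Count requests per (date, serial) for serials absent from issuance records.
    Any such request is an indicator that a rogue certificate exists; a rising
    daily count is the 'massive activity on the OCSP responder' signal."""
    hits = Counter()
    for line in log.splitlines():
        date, _client_ip, serial = line.split()
        if serial not in ISSUED:
            hits[(date, serial)] += 1
    return hits


if __name__ == "__main__":
    for (day, serial), n in sorted(unknown_serial_requests(OCSP_LOG).items()):
        print(f"{day}: {n} OCSP request(s) for never-issued serial {serial}")
```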

The Past and Present of Public CA Operations.

When public CAs were first introduced, their daily operations were very different from the way they are run now. For example, it used to take several days to get an SSL certificate, whereas today it only takes a few minutes. Modern society’s demands for speed and efficiency have forced IT companies to find faster and better ways of meeting their customers' needs. While growth may be exciting for any business owner, sometimes the need for speed tempts owners to ignore warnings and procedures to get a job done faster. As the company’s reputation grows and its competition grows fiercer, it also becomes more and more challenging to keep a strong outward appearance to the community, as imperfections could cause a loss of business and money for the company. Thus, as in the case of DigiNotar, many business owners panic when something like hacking hits their company hard. The temptation to “cut corners” skyrockets, especially when it comes to following procedures. Admitting that a problem such as a hack occurred could mean losing a valued customer and a lot of money, and is not a risk many owners want to take. But in the world of security, risk rarely equals reward, and following proper procedures, however painstaking, could make all the difference between keeping your company in business for the long term and being forced into bankruptcy.

Procedures, Procedures, Procedures.

When I talk to customers about PKI, I spend most of my time discussing proper procedures rather than focusing on the technical aspects. Often they are surprised by this, and may even react dismissively. While the customer may only want to discuss PKI security as it relates to their networks, I encourage them to also take the time to look at the physical side of IT security, which is just as important. This even includes a public relations aspect, such as how to manage and announce unfortunate events like a network shutdown or a security breach.

Subjects I discuss include:

  • Access to the PKI room
  • Creating a Certificate Policy (CP) and Certification Practice Statement (CPS) (legal issues)
  • End user (person, device) validation process
  • Building your PKI Team (PKI roles)
  • What to do when you are being attacked or hacked (Public Relations)

These procedures apply not just to internal private CAs, but also to public ones.

We’ve all heard of “Murphy’s Law,” meaning “everything that can go wrong, will go wrong.” This is an excellent reminder to anyone using PKI: you should always assume the worst-case scenario when you are tempted to overlook or bend procedures, however ridiculous they may seem. The one time that you run to the bathroom and decide to prop open the door to the PKI room rather than lock it up will be the one time that someone walks into the room and hacks into your system.

We’ve been hacked. What do we do now?

The answer is: Follow procedures! Companies like VeriSign, Entrust, Comodo or CyberTrust, to name a few, have procedures in place to protect their PKI. Comodo got hacked by the same hacker(s) as DigiNotar. So why did DigiNotar go bankrupt when they were hacked, and the other companies didn’t?

The answer is very simple: DigiNotar did not follow PKI procedures or meet security requirements. As soon as DigiNotar discovered that someone had hacked their systems, they should have made a public announcement about the hack, but they didn’t. Instead, they kept it quiet and tried to cover it up, which only made the situation bigger and worse.

When you suspect an attack or hack on your PKI, the first thing you should do is make a public announcement (or an internal one, when you have a private PKI). While admitting an attack may be a blow to your reputation or ego, it might be the one thing that saves your business in the end. Not only can people then be alert and guard themselves against further attack; their heightened awareness also makes them more likely to report suspicious activity, which might help the company find and stop the attacker.

In addition to not making an announcement, DigiNotar also made the mistake of allowing misuse of and unauthorized access to the private key, causing a security compromise. If you become aware that your system has been compromised, there are procedures that you should follow immediately, before further, more extensive damage is done.

Security is sensible.

DigiNotar’s unfortunate fate reminds us of just how important having a PKI and using it correctly is to a company’s success. With proper measures in place, and by following procedures to the letter, a business can avoid tragic events that lead to loss and, ultimately, bankruptcy. Never be afraid to ask questions or to overindulge your business with policies and procedures. If you need PKI help, CSS consultants, such as myself, are always happy to help secure your business, as well as your confidence.