Three years after Diginotar closed, hackers still trying to use its digital certificates

Nearly three years after now-defunct Dutch digital certificate authority Diginotar was compromised, would-be hackers are still trying to use its digital certificates to sneak malware onto outdated and insecure systems, according to a Symantec security expert.

In a high-profile hack in August 2011, root certificate authority (CA) firm Diginotar was compromised; a certificate designed for the Google.com domain was stolen, allowing hackers to fraudulently represent the validity of even malware-containing Web sites as being a legitimate Google site. Among other things, the certificate was used to compromise the security of hundreds of thousands of Iranian internet users.

This single incident compromised the entire reliability of Diginotar's certificate authority business and, a month later, the company was forced to shut its doors after major browser makers updated their certificate revocation lists (CRLs) so that certificates issued by Diginotar would no longer be recognised as acceptable proof of online identity.

Yet hackers still try their best, lacing malicious Web sites with malware and signing the sites with the now-unusable digital certificate in an attempt to catch out unwitting users of old systems, according to Symantec senior principal systems engineer Nick Savvides.

"We continue, even to this day, to find that fraudulent certificates are used by attackers who are hoping the users are using old browsers and old operating systems that haven't been updated to have the root certificate authority removed. The whole system relies not only on the technology on our side, but on the ability of the client to verify the information that's presented to them."

The successful breach was a significant coup for hackers that have long run a multi-fronted campaign against root certificate authorities such as Diginotar and other breached CAs like Komodo and GlobalSign. They are a sobering reminder for surviving companies like Symantec, whose own CA operation is one of the world's busiest and includes a Melbourne-based facility where Savvides and some 80 others work around the clock to ensure the integrity of the certificates they issue.

The staff at the Melbourne facility, which CSO Australia visited this week in a rare opportunity to see the inner workings of the global CA business, go through extensive training in detecting attempts by hackers to use everything from social-engineering attempts to falsified documents to access or steal the legitimate digital certificates that form the basis of the Internet's global public key infrastructure ubiquitous SSL security.

Attempts to bypass security checks are often easy to detect – the facility has received everything from forged UK driving licenses with the word 'Kingdom' spelt 'K-I-M-G-D-O-M' to documents with incorrect business identification numbers and falsified stamps allegedly from notaries in India.

Phone-based customer service operators regularly receive calls from people trying to sweet-talk their way through Symantec's multi-factorial authentication system – and they're persistent: one person, Savvides recalled, rang the company five days in a row trying to get a different customer service representative each time.

With an operational scope that covers 33 countries around the Asia-Pacific region, every quarter the Melbourne facility investigates over 10,000 organisations and companies, secures over 40,000 new Web servers, and validates over 5000 merchants and developers. It also validates nearly 2000 users of Gatekeeper, the Australian government-run PKI infrastructure used to manage secure access to online government services.

"Because we have a multi layered approach to security, people try to attack us through the network, attack us, attack our applications," he said. "At one point it was one of the most highly attacked networks globally. However, the hackers have moved on to try to attack people and process instead of the technology."

With some 14 billion transactions authorised daily using Symantec-issued digital certificates, there has never been so much at stake – particularly with mobile devices further increasing volumes at a breakneck pace.

"Not long ago we were saying 4.5 billion queries per day was enormous, but the explosion of mobile has driven that to 14 billion in just 18 months," Savvides said. Symantec had pioneered the use of new techniques such as elliptical curve cryptography (ECC), as the largest CAs work to add additional protection that differentiates them from lower-end CAs often created to handle shorter-term certificates.

"This is a trust model and you have to trust people," he continued. "Diginotar could no longer trade because people didn't trust them any more. It was a really major thing to happen to PKI, and as a result the industry has worked to tighten everything up. The bar has been raised as an industry, as a whole."

Follow @CSO_Australia and sign up to the CSO Australia newsletter.

Join the CSO newsletter!

Error: Please check your email address.

Tags hackersdigital certificatesDigiNotarmalware

More about CSOGlobalSignGoogleSymantec

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by David Braue

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts

Market Place