Slashdot: News for Nerds

DigiNotar Goes Bankrupt After Hack

timothy posted more than 2 years ago | from the it's-the-little-things dept.

Businesses 136

twoheadedboy writes "DigiNotar, the Dutch certificate authority which was recently at the centre of a significant hacking case, has been declared bankrupt. The CA discovered it was compromised on 19 July, leading to 531 rogue certificates being issued. It was only in August that the attacks became public knowledge. Now the company has gone bankrupt, parent firm VASCO said today. VASCO admitted the financial losses associated with the demise of DigiNotar would be 'significant.' It all goes to show how quickly a data breach can bring down a company." Adds reader Orome1: "This is unsurprising, since a report issued by security audit firm Fox-IT, who has been hired to investigate the now notorious DigiNotar breach, revealed that things were far worse than we were led to believe."

136 comments

Security is expensive (3, Insightful)

erroneus (253617) | more than 2 years ago | (#37454772)

Businesses have a strong profit motive. The people who run businesses are greedy. They will sacrifice everything, including security related expenses in order to boost profits in some way.

I think this is simply obvious.

Re:Security is expensive (1)

ge7 (2194648) | more than 2 years ago | (#37454802)

You can't secure everything. Not in the real world and not on the internet either. There's always a way to go around security, both in the real world and on the internet. Laws exist so that people don't do something just because they can.

Re:Security is expensive (2)

Cryacin (657549) | more than 2 years ago | (#37454866)

Yes, but you can perform due diligence. If you're a bank offering secure storage, one would expect a safe that not just anyone can access. This is like putting a giant 6ft steel door on your safe, but having the entry code as 1-2-3-4-5, and known by all staff members - including the janitor.

Re:Security is expensive (1)

Bert64 (520050) | more than 2 years ago | (#37454948)

And with the numbers on the keypad 1-5 being shiny clean, while the remaining numbers are dirty due to never being used...

Re:Security is expensive (1)

Amouth (879122) | more than 2 years ago | (#37455014)

including the janitor.

but how else is he going to empty the trash?

Sorry, I had this argument with my boss a few months ago, about locking up records and bookkeeping stuff. They wanted the GM, me, to have the keys, and someone suggested giving one to the janitor so he could empty the trash. The fact that I had to explain how bad of an idea that is just kills me.

Re:Security is expensive (2)

Opportunist (166417) | more than 2 years ago | (#37455574)

You'd be surprised, you're not alone. Yes, even convenience trumps security in a company.

I have seen the "janitor gets access" quite a few times. Even in high security areas. As soon as it would inconvenience a decision maker, security goes out the window.

Re:Security is expensive (1)

VGPowerlord (621254) | more than 2 years ago | (#37456198)

That's amazing. I've got the same combination on my luggage!

Re:Security is expensive (0)

Anonymous Coward | more than 2 years ago | (#37456688)

Have you ever worked somewhere where security is needed? This attitude prevails everywhere. Security is very inconvenient. I worked at a software company that left database passwords in plaintext on every user's machine, and if the user discovered that password they could manipulate a central payroll database without detection. Nobody cared to fix it when pointed out, so I did the obvious and used the information to edit the database.

Re:Security is expensive (0)

Anonymous Coward | more than 2 years ago | (#37454894)

You can't secure everything.

Yes, perfect security is impossible. But this was quite the opposite - securing next to nothing. Both Fox-IT (investigator) and ComodoHacker (cracker) confirm that DigiNotar used admin passwords like "AdminP@ssw0rd". That's not even a step up from "12345" - that may be acceptable on luggage, not on the damn planetary shield.

Re:Security is expensive (2)

neokushan (932374) | more than 2 years ago | (#37454912)

This may be true, but DigiNotar wasn't the victim of some elite cyberhacker genius. The attacks used against them were relatively simple and, most importantly, preventable. Frankly, considering how they handled the situation and how much other forms of security rely on these certificates not being compromised, they deserve to go out of business. Let this be a lesson to all of the CAs out there - your security is of paramount importance.

Re:Security is expensive (1)

Stepnsteph (1326437) | more than 2 years ago | (#37455118)

I agree with Neokushan. In reading about just how bad this attack hit DigiNotar, I'm of the opinion that they fully deserved to go bankrupt. They don't need to ever be in business again.

It's a security company, and they were running no anti-virus solution, had a simple LAN with a single username & simple password, and they didn't keep their web servers up to date. Nobody in their right mind would do that to a company, but for a firm that worked in the security field? A CA, no less. That's dangerously negligent.

I'm going to guess that there are a lot of IT people here, and that their heads are close to exploding from the stupidity involved at DigiNotar.

How this could happen I could only guess. No sys admin would ever let this fly. This almost had to be policy from the top, deliberately blocking any money being spent to secure their system.

Somewhere a sys admin is on the floor laughing, both from having been driven insane at the company, and at the relief of their new found freedom.

Re:Security is expensive (1)

betterunixthanunix (980855) | more than 2 years ago | (#37455016)

Then why bother with CAs? Why not just use the law to handle these sorts of things?

Re:Security is expensive (1)

plover (150551) | more than 2 years ago | (#37455366)

Then why bother with CAs? Why not just use the law to handle these sorts of things?

911 operator: How may I assist you?
Me: I need to do some banking over the internet right away, and I don't trust the CAs to securely issue certificates.
911: Sir, all banks use certificates. Just type https:// and trust your bank.
Me: Can't I just use http:// and if a bad guy steals my account, you catch him, right?
911: Sir, there aren't enough police to catch every on-line bank hacker if nobody bothered to protect their communications. I also have real emergencies to deal with now, so you'll have to hang up.

Re:Security is expensive (1)

Tanktalus (794810) | more than 2 years ago | (#37456724)

Do you leave your doors unlocked? Why not just leave your doors open and use the law to handle these sorts of things?

Simple: you put up rudimentary security to dissuade opportunists (the vast majority of low-level criminals, in my estimation), and even the more seasoned criminals who look for value for difficulty. If you have more security than value, you'll be skipped. If you have more value than security, you'll be targeted. Eventually.

By limiting police resources to only situations where value is more than security can reasonably provide for, we reduce overall effects of crime.

That said, this is a "who watches the watchers" type of scenario. Who ensures the security firms are themselves secure? It looks like we're going through some sort of Darwinian clean-up of this space. Too bad there will be innocents involved - people fooled by the incorrect certificates.

Re:Security is expensive (1)

plover (150551) | more than 2 years ago | (#37455228)

Businesses have a strong profit motive. The people who run businesses are greedy.

In the case of this security firm, (yes, they were a security firm because selling certificates is participating in the security business,) insecurity has proven to be the ultimate risk to not only profits, but to their investments as well.

I only hope that the employees of other security firms will email copies of news articles like these to their management and investors. "If you don't take security seriously and fund it appropriately, you will go bankrupt."

Re:Security is expensive (1)

erroneus (253617) | more than 2 years ago | (#37455440)

As with the case of the financial crisis, taking large risk is nothing that business is concerned about these days. Shareholders are only interested in short-term gains and micro-second investments and transactions. "Long term goals" has been removed from the dictionary. The SEC has long since had regulations in place to prevent excessive risk-taking... and once those regulations had been pulled back, increased risk taking occurred which led to the crash we all witnessed and have been feeling all this time.

So while we, as "engineering types" seek to reduce and even remove risk, the "money types" see risk as "leverage" to increase their profits.

Re:Security is expensive (0)

Anonymous Coward | more than 2 years ago | (#37455420)

Businesses have a strong profit motive. The people who run businesses are greedy. They will sacrifice everything, including security related expenses in order to boost profits in some way.

I think this is simply obvious.

Just as important, security is invisible. People who run businesses don't understand things they can't see, and certainly don't understand spending money on it. Security only becomes visible - and thus important enough to spend money on - when the lack of it causes real-world problems. And by that time, it's often too late.

Re:Security is expensive (1)

xelah (176252) | more than 2 years ago | (#37456008)

Just as important, security is invisible. People who run businesses don't understand things they can't see, and certainly don't understand spending money on it.

Or, possibly, only understand spending money on it. We spent a lot of money on that TEMPEST protected room....doesn't that mean security is dealt with and we can stop worrying about it? It doesn't cost a lot of money to use a better password.

Not really. (1)

khasim (1285) | more than 2 years ago | (#37456876)

Security is expensive

Not really. It does cost more than NO security, but not much more. Example: how much does it cost you to have a decent password instead of Password1?

Businesses have a strong profit motive. The people who run businesses are greedy.

Yes and yes. But that isn't the core of the problem. Greedy people can have the best security. They don't want criminals to take their money.

They will sacrifice everything, including security related expenses in order to boost profits in some way.

In some cases you are probably correct. In other cases the company/person will increase the security to keep the assets out of the hands of the criminals.

In my experience, the problem with security is Pavlovian.
If you do something insecure, once, and nothing bad happens ...
Particularly if it was just a little bit easier to skip the security. Such as typing in a 5 character dictionary word rather than a 16 character password. It doesn't take much to be "easier".

And as long as nothing bad is happening, people will "learn" that they're "secure" and what they are doing is "right" and anyone who is advocating real security just doesn't understand the situation. That's Pavlovian. The reward is the slightly easier administration.

If management does not understand real security, there aren't many ways to get them to change. They already KNOW they're doing it "right".

Hence all the recent cracks.

Bankrupt? (4, Informative)

Anonymous Coward | more than 2 years ago | (#37454780)

How do you go bankrupt before any charges have been laid, fines levied, etc.? Sounds like the parent company ditching them before they can be held liable.

Re:Bankrupt? (2)

ultraexactzz (546422) | more than 2 years ago | (#37454820)

You sell one product, properly validated certificates, and now you can't sell that product. No income = bankruptcy.

Re:Bankrupt? (3, Insightful)

mcvos (645701) | more than 2 years ago | (#37454864)

Good point. On the one hand, they deserve to go bankrupt for failing at the one thing that justified their existence, but dumping the corpse before it can be properly examined smells iffy.

Note that you don't have to be charged with anything to go bankrupt, though. When all your customers leave, you suddenly have no revenue, but you still have your costs. And since it's obvious to everybody that DigiNotar will go bankrupt anyway, nobody loans them money, they quickly lack the money to pay salaries and other costs, and suddenly they're bankrupt.

Re:Bankrupt? (2)

fuzzyfuzzyfungus (1223518) | more than 2 years ago | (#37455094)

What I find bewildering (if not exactly surprising) is that DigiNotar can seek bankruptcy protection without VASCO being involved.

DigiNotar can be expected to have basically zero income, and a bunch of expenses, in the near future; but (from VASCO's 2010 annual report):
"In January 2011, we acquired all of the intellectual property of DigiNotar Holding B.V. and its subsidiaries and acquired 100% of the stock of DigiNotar B.V. and DigiNotar Notariaat B.V. (collectively, “DigiNotar”), each a private company organized and existing in The Netherlands (collectively, “DigiNotar Acquisition”). The acquisition expands the technological breadth of our product line by expanding our abilities to offer PKI technology throughout the product line. We expect the acquisition will enhance our market position in three areas; (1) as a trusted Internet service provider of PKI certificates, which we expect will improve our ability to penetrate government markets (2) as a licensor of PKI-based products to customers for use in their applications, which we believe will enhance our ability to compete in our traditional business and (3) as a provider of our own PKI-secured applications, such as document signing, registration and storage solutions, which we expect will expand opportunities for us on our services platform."

VASCO aren't just poor li'l small-cap investors here, they own DigiNotar lock, stock, and barrel. While I don't doubt that DigiNotar declaring bankruptcy and sucking in little or none of VASCO's assets is somehow legal, it seems kind of insane that you can own 100% of a company, its technology, and have plans to merge some of its tech with your existing offerings, and still be separate enough that you can just cut them loose and let them sink so long as VASCO appears to have a variety of assets and ongoing income sources, which they do.

I can understand at least the logic (if not necessarily the wisdom) of limited-liability corporations as a vehicle for tiny stockholders to not take on outsized risks through holding minuscule slices of a large venture over which they have little or no control; but a 100% owned operational subsidiary over which you exercise organizational control, and whose technology you are (no longer) actively on track to integrate into your products? Any notion of financial separation seems like the thinnest of legal fictions.

Re:Bankrupt? (1)

mcvos (645701) | more than 2 years ago | (#37455222)

That's what limited liability means, I'm afraid. Though with the recent mess in mismanaged corporations, I'd say it sounds reasonable if the limitations to liability were to be reduced somewhat. In other words, people and corporations should be held accountable, and indeed pay, if they cause big problems like these.

Re:Bankrupt? (1)

rjmx (233228) | more than 2 years ago | (#37455412)

Something I've never understood: exactly what benefit does the community gain from allowing limited-liability companies? If someone is free to establish a limited-liability corporation, and it goes broke owing lots of money to others, why should they be allowed to keep their own assets and, if they want, go on to start another such company?

I'm sure there must be a reason we allow this, but for the life of me I can't think of one.

Re:Bankrupt? (0)

Anonymous Coward | more than 2 years ago | (#37455600)

The reason is that since most new businesses fail, no rational actor would choose to start a new business if they had to risk everything to do so.

So limited liability corporations exist as a way to let entrepreneurs try to start a business that's more ambitious than a backyard bake sale without risking their family being homeless because it turns out no one actually wants their dance club for the deaf that saves money by not having music.

Re:Bankrupt? (0)

Anonymous Coward | more than 2 years ago | (#37455730)

Nobody would found new companies - especially in the area of software development - if you were personally liable for EVERYTHING. With IP laws that anybody can use to destroy those with less money, that'd be suicide.

Re:Bankrupt? (2)

DZign (200479) | more than 2 years ago | (#37455968)

In most countries (afaik, but I'm not an accountant/lawyer with international experience) there are restrictions.

Especially in the first months/year after a company starts, the people who run it can be held personally liable.
So don't think of starting a company, getting loans from a bank, increasing debt by not paying your suppliers, and just declaring yourself bankrupt after a few months and getting away with it. If your business plan wasn't well defined and you didn't raise enough initial (own) capital to survive 1 or 2 years, you can be held liable (and prevented from starting a new company for the next few years).

Same for the last 6 months or so before a company goes bust: all transactions can be examined and reversed, so, i.e., the owner can't sell assets to himself/friends for a price that is too low.
Had this once at a startup company that was in trouble: an employee who left wanted to buy a laptop from the company that he had used, but the director would not do this as he was afraid of being liable if the curator later decided the laptop had been sold too cheap.

And why limited-liability companies are allowed - to allow for big companies to form. In a Ltd, investors can only lose the amount of money they have invested and not more.
If you didn't have this protection, no one would invest in a company anymore, as the risk would be too big if they were also held personally liable for part of the debts.

Re:Bankrupt? (1)

rjmx (233228) | more than 2 years ago | (#37456244)

Thank you. I figured there had to be a reason.

Interestingly, the "fortune" at the bottom of this page has:

> If you are smart enough to know that you're not smart enough to be an Engineer, then you're in Business.

Re:Bankrupt? (1)

whoever57 (658626) | more than 2 years ago | (#37456390)

exactly what benefit does the community gain from allowing limited-liability companies?

Imagine that you are a small-time investor. You see that a company called Enron seems to be doing well, but as a small investor, you have no idea that there is anything fishy going on. So you buy a few shares of Enron. Suddenly Enron implodes, and you lose your investment. Now, the people that were owed money by Enron (employees, for example) sue you because there is no limited liability. Not only did you lose your investment, but you could lose your house because you invested a small amount in Enron.

In this scenario, how much money would go into the stock market? How much money would be available for companies to raise for capital projects?

Re:Bankrupt? (2)

nedlohs (1335013) | more than 2 years ago | (#37455316)

I can understand at least the logic (if not necessarily the wisdom) of limited-liability corporations as a vehicle for tiny stockholders to not take on outsized risks through holding minuscule slices of a large venture over which they have little or no control

That isn't the reason behind limited-liability corporations. They are vehicles to provide limited liability without regard to who the shareholders are. Without checking or doing any research I'm going out on a limb and claiming that there are more LLCs that are 100% owned by 5 or fewer people than there are owned by more than 5. (Almost every IT person doing consulting jobs incorporates, as do most plumbers, electricians, etc. who work for themselves, and so on.)

There are costs with those benefits - the entity will have a harder time getting credit and so on than the owner would (in the case in which it's one huge company owning 100% of a small one).

a 100% owned operational subsidiary over which you exercise organizational control, and whose technology you are (no longer) actively on track to integrate into your products? Any notion of financial separation seems like the thinnest of legal fictions.

There are ways to pierce the veil, but usually the i's have been dotted and the t's crossed.

Re:Bankrupt? (1)

fuzzyfuzzyfungus (1223518) | more than 2 years ago | (#37455492)

I realize that that is how limited liability companies are in fact used (Ambrose Bierce: "Corporation, n. An ingenious device for obtaining individual profit without individual responsibility."); my puzzlement is just with the fact that such usage persists in law...

There is a certain logic to limited liability ventures in situations where you need large numbers of (relatively) small investors with limited control over the venture in order to accomplish some end (and, back when establishing an LLC required an act of Parliament in the UK, and action of analogous gravity in the US, that was basically the situation in which such was done); but I don't understand the logic behind letting sole or very significant owners extract profits while being insulated from losses...

I understand that that is in fact the case (so much so that people seem to have gotten complacent and are now whining that their legally-separate-entities get taxed as legally separate entities, rather than being identical with their owners when the tax man comes; but separate when bankruptcy strikes...), I just can't fathom the level of illogic, or sheer corruption, that would allow such a strange construct to continue...

Re:Bankrupt? (1)

nedlohs (1335013) | more than 2 years ago | (#37455638)

Such a usage persists because without it the risk of running a business would be far too large for most people. But yes, the businesses that do run would go bankrupt less often - the price you pay for that is reducing GDP to 1/10th (completely made up) of what it is now. Most people won't take that trade.

And incorporating doesn't insulate you from losses; it limits losses to what you have invested. If some third party is willing to loan a company too much money, that's their problem - they knew the deal when they made the loan. (If the government then bails them out, then that's what the people get for electing such governments.)

Re:Bankrupt? (3, Interesting)

Kjella (173770) | more than 2 years ago | (#37455084)

You have commitments like rent, wages and other expenses and suddenly no more projected income. Even if you're not cash flow insolvent yet, you can in most countries file for bankruptcy the moment it is clear that you will be unable to meet those commitments. In fact, in many countries you must do it so that all debtors get their fair share of the assets rather than the quickest getting paid and the last left with nothing. It's not that usual but if you suddenly lose your core business like this company did then that can be instant bankruptcy.

Re:Bankrupt? (1)

xelah (176252) | more than 2 years ago | (#37455386)

A company doesn't have to have no money today to be insolvent. I don't know Holland, but here in the UK your company will be insolvent if it knows it can't pay its bills as they come due, even if they're not due today. Any company will have long term contracts - to pay salaries/redundancy, to pay suppliers, etc. IANAL, but IIRC once insolvent, you have a duty to act in the best interest of your creditors (and not your shareholders) and not to treat any preferentially (pay your friend but not your employees, say). If continuing to trade means that the pot to pay claims from creditors is certain to only get smaller, then doing so isn't in your creditors' interest. You're also likely to find you'd have to preferentially pay some creditors, too, because some will be in more powerful positions than others.

The definitions, terms and rules will be different in different places, of course, but I doubt there are many well developed legal systems that will let you carry on pointlessly throwing away what cash you have left until you reach zero once bankruptcy is unavoidable.

Alternatives? (1)

strayant (789108) | more than 2 years ago | (#37454784)

So, if certs cannot be trusted, and this brings to the surface the whole concept of "trust", what are we to do? What should we use?

Re:Alternatives? (0)

Anonymous Coward | more than 2 years ago | (#37454870)

Depends on the threat model. For most applications it is sufficient to know that you're talking to the web server without anyone listening in. In that case, DNS based SSL key distribution is an option, especially when you consider that this immediately opens authenticated SSL to the masses. If you have a need to ensure that you're talking to a specific person or business (and not a typo domain with a valid SSL key), then you can combine the CA hierarchy with using multiple CAs or multiple client views to detect rogue certificates. This also works for the simpler model, but this solution is obviously more complex and more expensive, so a two-pronged approach seems useful.

Re:Alternatives? (1)

maxume (22995) | more than 2 years ago | (#37454880)

What are you using certificates to secure?

If you are just shopping, why worry about it?

If you are securing communications that are important to a business or something, you can build your own certificate chain (meaning you can set it up so that hackers would need to break into a safe or whatever, not some internet connected computer), and so on.

Re:Alternatives? (1)

Opportunist (166417) | more than 2 years ago | (#37455622)

As long as your business partner is also a company, this might fly. If you're selling to a lot of computer illiterates (like, say, banks trying to convince their customers to use the internet for banking so they can fire a few more clerks), trying to explain to them what constitutes a trustworthy certificate will probably mean higher expenses than keeping the clerks.

Re:Alternatives? (2)

betterunixthanunix (980855) | more than 2 years ago | (#37454910)

Well, there are these other options:
  • Manual verification -- perhaps banks and retail outlets could hand out fliers with QR Code or Data Matrix encoded copies of their public key fingerprints. This does not solve the problem for small businesses that need to deal with people online (potentially people who cannot receive fliers or business cards), but for local businesses or large corporations it is potentially workable. Key replacement is the biggest problem here (anyone who has tried to manage sshd should be familiar with this issue).
  • Web of trust -- this requires some minimum number of people who care enough to participate, and probably works better for personal certificates than for businesses.
  • Newer ideas like Convergence, which is something like a cross between the CA model and the web-of-trust model in that you configure multiple notaries and require a certain number of them to sign a key before it is trusted.

So there you have it, other ideas. The real question is, which of these is most likely to succeed when billions of technically illiterate people try to use it?
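The "multiple client views" idea in the earlier Anonymous Coward comment and the notary option in the list above, worked through as an added example (not code from any commenter or from the Convergence project): a client accepts a certificate only if it matches a fingerprint obtained out of band, or if a quorum of independent notaries report the same fingerprint for the host. Every host name, notary name and certificate byte string is constructed sample data.

```python
"""Quorum-of-notaries certificate check (constructed example).

Each notary connects to the host from its own network vantage point and
reports the certificate fingerprint it saw.  The client accepts the
certificate it was handed only if enough notaries saw the same one, or if
it matches a fingerprint obtained out of band (the "flier" option).
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the certificate bytes, as colon-separated upper-case hex."""
    digest = hashlib.sha256(cert_der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


@dataclass(frozen=True)
class NotaryReport:
    """One notary's observation of `host`; fingerprint is None if unreachable."""
    notary: str
    host: str
    fingerprint: Optional[str]


def notary_verdict(host: str, presented_fp: str,
                   reports: List[NotaryReport], quorum: int) -> Tuple[bool, str]:
    """Accept only if at least `quorum` reachable notaries saw `presented_fp`.

    A certificate that one network path sees but independent vantage points
    do not is what a man-in-the-middle holding a rogue, CA-signed certificate
    looks like, so disagreement is a rejection, not a warning.
    """
    seen = [r for r in reports if r.host == host and r.fingerprint is not None]
    agree = sum(1 for r in seen if r.fingerprint == presented_fp)
    if agree >= quorum:
        return True, f"{agree}/{len(seen)} notaries confirm the fingerprint"
    if len(seen) < quorum:
        return False, f"only {len(seen)} notaries reachable, quorum is {quorum}"
    return False, f"only {agree}/{len(seen)} notaries saw this fingerprint"


def decide(host: str, cert_der: bytes, pins: Dict[str, str],
           reports: List[NotaryReport], quorum: int) -> Tuple[str, str]:
    """Out-of-band pin first, notary quorum second.

    A pin is the strongest evidence, so a mismatch is final no matter what the
    notaries say.  That is also the key-replacement problem the thread notes:
    a legitimately rotated key fails until the pin is updated out of band.
    """
    fp = fingerprint(cert_der)
    pinned = pins.get(host)
    if pinned is not None:
        if pinned == fp:
            return "ACCEPT", "matches out-of-band pin"
        return "REJECT", "does not match out-of-band pin"
    ok, why = notary_verdict(host, fp, reports, quorum)
    return ("ACCEPT" if ok else "REJECT"), why


# Constructed stand-ins for DER certificates.  Real code would hash the bytes
# returned by ssl.SSLSocket.getpeercert(binary_form=True).
GENUINE_CERT = b"constructed-DER: CN=bank.example key=K1"
ROGUE_CERT = b"constructed-DER: CN=bank.example key=ATTACKER issuer=compromised-CA"
ROTATED_CERT = b"constructed-DER: CN=bank.example key=K2 (legitimate new key)"
SHOP_CERT = b"constructed-DER: CN=shop.example key=S1"

# Four constructed notaries in different networks: two see the current key,
# one already sees a rotated key, one cannot reach the host at all.
REPORTS = [
    NotaryReport("notary-a", "bank.example", fingerprint(GENUINE_CERT)),
    NotaryReport("notary-b", "bank.example", fingerprint(GENUINE_CERT)),
    NotaryReport("notary-c", "bank.example", fingerprint(ROTATED_CERT)),
    NotaryReport("notary-d", "bank.example", None),
]
QUORUM = 2
PINS = {"shop.example": fingerprint(SHOP_CERT)}  # fingerprint handed over on a flier


def demo() -> Dict[str, Tuple[str, str]]:
    """Run the five cases a client can meet and return each verdict."""
    return {
        "genuine": decide("bank.example", GENUINE_CERT, PINS, REPORTS, QUORUM),
        "rogue": decide("bank.example", ROGUE_CERT, PINS, REPORTS, QUORUM),
        "rotated": decide("bank.example", ROTATED_CERT, PINS, REPORTS, QUORUM),
        "pinned_ok": decide("shop.example", SHOP_CERT, PINS, REPORTS, QUORUM),
        "pinned_bad": decide("shop.example", ROGUE_CERT, PINS, REPORTS, QUORUM),
    }


if __name__ == "__main__":
    for name, (status, why) in demo().items():
        print(f"{name:>10}: {status:6} {why}")
```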

Re:Alternatives? (0)

Anonymous Coward | more than 2 years ago | (#37454934)

You can't use the same path to verify someone's identity as you used to find out about the identity in the first place.
Say for example that you encounter a man that claims to be a police officer. To verify this you could ask about some kind of paper verifying the man's identity, but if he is a criminal that poses as an officer it is very likely that the paper verifying his identity is also falsified.
A much better method would be to call the police station and ask them to verify that the police officer in question actually exists and is at your location.

If you want to verify that a website actually is what it claims to be you might need to call the ISP the website uses and ask them.

Re:Alternatives? (1)

plover (150551) | more than 2 years ago | (#37455418)

You can't use the same path to verify someone's identity as you used to find out about the identity in the first place.
Say for example that you encounter a man that claims to be a police officer. To verify this you could ask about some kind of paper verifying the man's identity, but if he is a criminal that poses as an officer it is very likely that the paper verifying his identity is also falsified.
A much better method would be to call the police station and ask them to verify that the police officer in question actually exists and is at your location.

If you want to verify that a website actually is what it claims to be you might need to call the ISP the website uses and ask them.

Using Skype, of course.

Re:Alternatives? (1)

Opportunist (166417) | more than 2 years ago | (#37455636)

No, the cell I use to access their website. Duh!

Convergence (1)

eddy (18759) | more than 2 years ago | (#37455468)

Some say Convergence [youtube.com] is the answer [convergence.io]. I haven't been able to make it work, personally, so it's probably not ready for prime-time. Also, I don't like the name.

Comodo (-1, Offtopic)

KiloByte (825081) | more than 2 years ago | (#37454796)

And why exactly isn't Comodo in the same boat? "Too big to fail" works even worse for security than it does for the economy.

Re:Comodo (4, Informative)

Spad (470073) | more than 2 years ago | (#37454812)

Mostly because they caught the intrusion (which was at a 3rd party rather than directly part of Comodo) and reported it immediately as well as putting in place measures to try and prevent it from happening again.

DigiNotar didn't notice that they'd been hacked for months and didn't tell anyone for months more and even then they didn't know how badly they'd been hacked or exactly which certs may have been issued to whom.

Re:Comodo (1)

Anonymous Coward | more than 2 years ago | (#37455042)

This. The issue is not the breach at all. That kind of stuff happens.

What should never ever happen is a certification authority, who live on trust, trying to cover the shit up.

Re:Comodo (4, Informative)

heypete (60671) | more than 2 years ago | (#37455066)

That, and Comodo's core infrastructure (e.g. the stuff that actually does the signing) wasn't compromised.

The attacker used the compromised third party to issue certificates through the normal channels made available by Comodo to resellers, so it was possible to determine exactly what certificates were issued erroneously.

At least that was my understanding of what happened, based on information I read several months ago.

Re:Comodo (1)

wvmarle (1070040) | more than 2 years ago | (#37455136)

Worse: according to the second linked article, DigiNotar knew about the attacks already on 19 July. That's when they started revoking numerous certificates. Yet they did not notify the public. Also it seems they did not take extra countermeasures, and the measures in place were far from what's considered "good practice" for highly secure sites.

Re:Comodo (0)

Anonymous Coward | more than 2 years ago | (#37455332)

It's important to note that DigiNotar did not "go" bankrupt in the way that most people seem to interpret this. They were not sued into oblivion or otherwise in financial trouble. The Dutch government mandated that DigiNotar stop issuing certificates and revoke all existing ones. This essentially means the Dutch corporate entity which is DigiNotar is not able to do business. Rather than cleaning up their act to have the government restriction lifted and trying to repair their damaged reputation DigiNotar decided to declare bankruptcy.

Having done business in NL for 30 years myself, I bet that DigiNotar management has already incorporated a new company which will be selling the same/similar products to the very same Dutch government that kept DigiNotar alive.

Good. (1)

Anonymous Coward | more than 2 years ago | (#37454800)

Not that it repairs the fuckup, or that anyone else will learn from it, but at least the incompetent got what was coming to them, just this once.

Re:Good. (1)

fuzzyfuzzyfungus (1223518) | more than 2 years ago | (#37454908)

Do we have any reason to believe that 'the incompetent' hadn't either already jumped ship, or structured things so that the possible collapse of the scheme would leave them to float gently down on their golden parachutes and on to the next victim?

Low-level incompetents (along with their competent, but low-level, peers) tend to go down with the ship; but people with enough power to cause really systemic fuckups are often first to the lifeboats...

In Diginotar's case, the sheer scale of the fuckuppery suggests that it was not a case of "the newb kid on the network team forgot to disable telnet and the receptionist got social engineered..."; but of a company that, as an institution, either couldn't, or couldn't be bothered to, do anything properly.

Re:Good. (0)

Anonymous Coward | more than 2 years ago | (#37455186)

Indeed. The high-level incompetents sold their company to Vasco in January of this year (for many millions). Which makes you wonder what Vasco was thinking: buying a security-oriented company without doing a proper audit?

Re:Good. (1)

fuzzyfuzzyfungus (1223518) | more than 2 years ago | (#37455264)

Hard to say whether VASCO were just fuckups in that deal, or whether the plan (that just wasn't executed in time) was to buy DigiNotar to gain their Dutch government contracts and position in lots of trusted CA lists, and then just migrate the whole damn shop to a new platform... The only really valuable bits of a generic CA are their position in the trust lists, any captive legacy customers, and the necessary private keys. A totally dysfunctional, but already operating, CA might actually be the cheapest way to get your hands on those, at which point you can just move the keys to your (hopefully not broken) system and carry on. That would be the sympathetic interpretation...

Re:Good. (1)

Opportunist (166417) | more than 2 years ago | (#37456226)

There's a reason for this: These companies are shells. There's no need to make them secure, they're in the name of Canary M. Burns and if the shit hits the fan, the Canary gets to croak while the next shell is created.

Give it a week or two and we'll see a new company take over, that miraculously is somehow connected to the parent of DigiNotar.

Re:Good. (0)

Anonymous Coward | more than 2 years ago | (#37455706)

Exactly what I was thinking. Not that I wish any ill will on them specifically, but maybe companies will realize that if they are providing a security product, then they might take their own security a little more seriously. I mean, sheesh, this would be like a bank security company having its own payroll stolen.

Yes, obviously (0)

Anonymous Coward | more than 2 years ago | (#37454806)

Their only asset, their presence in the browsers' trusted CA lists, has been eliminated. Without that asset, they don't have a product. A company without a product goes bankrupt eventually.

Data breaches are worse for some companies (0)

Anonymous Coward | more than 2 years ago | (#37454826)

"It all goes to show how quickly a data breach can bring down a company."

Well, yes, particularly if what you are selling is security and trust. A CA has two jobs - generate a random private/public key pair, and make sure it is only used to sign legitimate certificates.

The first one anyone can do in two minutes, including the time to download GPG.

Most companies would be damaged by a data breach, but are unlikely to go under so quickly. It's that their only valuable asset - trust - was destroyed.

Re:Data breaches are worse for some companies (1)

Lennie (16154) | more than 2 years ago | (#37456284)

"The first one anyone can do in two minutes, including the time to download GPG."

Well, probably not you. Because GPG is not used for generating certificates.

What else do you expect? (1)

sam0737 (648914) | more than 2 years ago | (#37454848)

With the major browsers having kicked its CA cert out of the trusted list, the CA, by definition and in practice, could generate no profit...

What else do you expect, huh? Of course it could only get closed!

Re:What else do you expect? (1)

maweki (999634) | more than 2 years ago | (#37454944)

Yeah, nobody should be surprised by this. They sell trust and if they no longer have any trust to sell, they go bankrupt. It's not like you could import trust for a dime a dozen from China.

Re:What else do you expect? (1)

KiloByte (825081) | more than 2 years ago | (#37455034)

It's not like you could import trust for a dime a dozen from China.

If you pull the right strings, CNNIC will gladly cross-sign your root key. It will cost you more than 10/12 cents, though.

Re:What else do you expect? (1)

Lennie (16154) | more than 2 years ago | (#37456296)

Only if they create a new root, most browsers completely blocked the CA even as a sub-CA.

Re:What else do you expect? (1)

Amouth (879122) | more than 2 years ago | (#37455044)

Also, with their CA pulled, anyone with a (legit) cert from them could go after them to foot the bill for a cert from a competitor. I bet that's the main reason for filing bankruptcy, so they don't have to pay customers back.

I do love how the "parent" company says losses will be high. They are going to write off/avoid the brunt of the "losses" when they file bankruptcy for the sub company.

Re:What else do you expect? (1)

wvmarle (1070040) | more than 2 years ago | (#37455144)

Close down, yes. Bankrupt, not so fast. If they can't survive even weeks without income and have no choice but to go bust leaving behind large debt (as is suggested in the article), their business was not financially sound at all. Which in turn may explain why they did not take the safety measures they should have taken.

Can't be allowed to happen (-1)

Anonymous Coward | more than 2 years ago | (#37454860)

This can't be allowed to happen. The company needs to be propped up financially by a government.

If companies like this go bankrupt from revealing security breaches, it hugely increases the chance that other companies will cover up security breaches instead of revealing them.

Then who can you trust?

Re:Can't be allowed to happen (0)

Anonymous Coward | more than 2 years ago | (#37454956)

The primary reason for kicking Diginotar out of the trusted CA lists was that Diginotar had tried to cover up the breach. This destroyed the trust in their ability to handle security issues reliably and in a trustworthy manner. If anything, the loss of Diginotar's standing and the inevitable bankruptcy that followed are a warning to other companies to be professional about security breaches. The hacking of Diginotar was detected without help from Diginotar, and the fallout from future CA hacks can and will be detected the same way. Any CA trying to cover up a breach will go down the same path as Diginotar.

Re:Can't be allowed to happen (1)

plover (150551) | more than 2 years ago | (#37455692)

Any CA trying to cover up a breach will go down the same path as Diginotar.

What makes you so certain that a CA who publicly acknowledged a breach would not also immediately die in a meltdown? There is no evidence that honesty in a similar situation would save a CA.

If Digital Signature Trust Co.* were to publicly announce "We discovered just this morning that we have been breached, and while we can't give complete details because of the ongoing investigation, we found the hackers forged Google certificates," the public reaction would be almost identical to that of DigiNotar. If I were a customer, the chances would be high that I'd be shopping elsewhere for new certs to replace the ones that I could no longer trust. If I weren't a customer, there are obviously more reputable places to buy a cert. The incident itself is enough to cause me to lose trust, and that's really the only thing they're able to sell. I predict they'd go bankrupt as well, it might just take a few months longer.

Perhaps hiding the breach for the extra months was a strategy to give the executive rats time to flee the sinking ship. If so, we can only hope their behavior catches up to their personal reputations.

* As far as I know Digital Signature Trust Co. is a healthy and secure firm, and is rightly trusted by companies and browsers worldwide. I am using their name only as an example because I like the way it sounds.

Re:Can't be allowed to happen (0)

Anonymous Coward | more than 2 years ago | (#37456358)

Fundamental misunderstanding of the trust relation. If you're the customer who buys a certificate from a CA, then your trust isn't based on them not getting hacked. Instead it's based on their ability to provide a certificate that will not cause browsers to warn of an untrusted certificate. There's no reason for you to shop elsewhere, even if you don't trust them to be a good CA, unless you expect that their root certificate will become untrusted. Of course there's a relation, but it's not immediate. The users trust that the browser or OS makers choose only trustworthy CAs for inclusion in the trusted CA list. The browser and OS makers have now shown that they don't take security breach cover-ups lightly, by kicking out Diginotar's root certificate and even banning Diginotar certificates that have been signed by other root CAs. Cases in which a CA has been more cooperative have not resulted in quite as damning trust-withdrawal. If a CA can convince browser makers that it will better itself, then all is well from a business perspective. Being deceptive on the other hand...

Re:Can't be allowed to happen (1)

MadMaverick9 (1470565) | more than 2 years ago | (#37456044)

Then who can you trust?

on the internet? ... nobody.

Re:Can't be allowed to happen (1)

Opportunist (166417) | more than 2 years ago | (#37456270)

Then it ain't time for a government bailout but for government finally issuing some "hang-em-at-their-balls" laws for CEOs that try to hush up security breaches. The current ones are a weak joke; the fines aren't even remotely anywhere near the damage if it gets leaked somehow. And last time I checked, the fines should be a multiple of the damage of the leakage, or the formula "benefit vs. risk*fine" falls flat on its face and hushing up is the sensible thing to do.

teach 'em a lesson (2, Informative)

burris (122191) | more than 2 years ago | (#37454916)

Lesson learned: if you are a CA, under no circumstances should you allow any breaches to become public.

Re:teach 'em a lesson (0)

Anonymous Coward | more than 2 years ago | (#37454990)

I disagree. If they HAD gone public AT ONCE (rather than months later!), there wouldn't have been anywhere near this big a shitstorm, and they might not have been kicked out from the major browsers.

Re:teach 'em a lesson (1)

Anonymous Coward | more than 2 years ago | (#37455074)

Exactly. Comodo stepped up, announced the problems they had, and kept folks informed of changes they made as a result of their breach. They are still in business, and may actually be seen as more trustworthy as a result.

Re:teach 'em a lesson (1)

Like2Byte (542992) | more than 2 years ago | (#37455096)

I think you missed the parent's point (or joke) and I think he was being ironic. I believe he meant that all CA's will learn from this is that the company should never, ever reveal that they've had a data breach.

Of course he's joking. Any company that tried to keep secret that their certs server was hacked in any way, shape or form would be subject to extortion and other legal liabilities.

Re:teach 'em a lesson (1)

burris (122191) | more than 2 years ago | (#37455698)

Yes, I agree with you all; covering it up made things worse for DigiNotar, but that doesn't mean the execs in charge of some of the CAs won't take away the lesson of keeping mum.

Re:teach 'em a lesson (0)

Anonymous Coward | more than 2 years ago | (#37455702)

Everyone got the joke, the point was it's not their honesty that's being punished, it's their lack of honesty in burying the truth as long as they did. The only options are either a) come out in the open from day one and hope that honesty is the best policy or b) deny everything forever and hope nobody ever finds out the truth (the longer you get away with it the worse the pain will be when it does eventually come out). Option a involves eating a lot of crow but at least it's the option that gives you a shot at staying in business.

Re:teach 'em a lesson (1)

Opportunist (166417) | more than 2 years ago | (#37456364)

That would be a pretty dumb thing to learn from this. I don't think very highly of managers, but that would even be stupid for the average BA degree holder.

Something like this WILL get out sooner or later. Either the hacker gloats or one of your techies will blab. You have exactly zero chance to hush something like this up in the long run. Sure, a manager could think in the usual quarter-report nearsightedness (did I mention that I consider them to have the long-term memory of goldfish?), but after THIS fallout, I guess they might get to learn a thing from it. We're not talking about your bonus payment lacking a million. We're talking about you being the guy that sent his company into bankruptcy.

Re:teach 'em a lesson (0)

Anonymous Coward | more than 2 years ago | (#37455256)

DigiNotar is Dutch, but its parent company, Vasco, is located in Chicago. Lots of states have laws on the books that compel companies to disclose information security breaches, and I'm wondering if Illinois laws weren't broken by Vasco when DigiNotar failed to disclose the severity of the breach.

My state, Oklahoma, has this paragraph under the "Security Breach Notification Act" statute:

24-163. Duty to disclose breach.
B. An individual or entity must disclose the breach of the security of the system if encrypted information is accessed and acquired in an unencrypted form or if the security breach involves a person with access to the encryption key and the individual or entity reasonably believes that such breach has caused or will cause identity theft or other fraud to any resident of this state.

Since DigiNotar is Dutch, there are obvious jurisdictional questions on enforcement, but certainly US-based CAs could be investigated by states they operate in, or even placed under Federal regulatory oversight if they don't get their shit straightened out.

Re:teach 'em a lesson (1)

WWWWolf (2428) | more than 2 years ago | (#37455816)

Lesson learned: if you are a CA, under no circumstances should you allow any breaches to become public.

The problem is, the shady people who get the certificates end up actually using them, usually in the open Internet. The moment some third party notices any signs of impersonation, they go "now just wait a fucking second!" and there'll be some explaining to do.

Bad Analogy Time: In ye olde days, thieves just wrote memoirs along the lines of "60 years ago, I busted myself into the most secure bank vault at the time and they still have no idea where the money went". In a digital-currency world, the thieves have to go out there and spend the stolen money. Which has the bank's supposedly unforgeable digital signature on it. Which makes people go to the bank and ask inconvenient questions about their security, while the manager has to say that "look, this may look pretty bad, but our security is top notch, I assure you".

Re:teach 'em a lesson (2)

Opportunist (166417) | more than 2 years ago | (#37456316)

Quite the opposite: If you're a CA, don't even try to hush it up since it WILL get out and then any semblance of trust (which is your ONLY asset as a CA) is destroyed.

Look at Comodo for how to do it right. Yes, they fucked up too, and they will get some heat for that, but they're nowhere near being kicked out of the trusted CAs list of any browser.

If you notice a breach, you can actually react properly and easily fix it by NOT covering up but by coming forward with it. The expense to recover from a breach is minimal. What do you have to do? Essentially, revoke your CAs as invalid, create a new root key pair and issue new CAs to all your licensees. The expense for that is very close to zero. Sure, some trust will be lost in your certs, but you're nowhere near the complete elimination of any kind of trust DigiNotar is in for now.

Misplaced paranoia. (4, Interesting)

the_raptor (652941) | more than 2 years ago | (#37454936)

My favourite part of the article:

We have strong indications that the CA-servers, although physically very securely placed in a tempest proof environment, were accessible over the network from the management LAN.

TEMPEST http://en.wikipedia.org/wiki/TEMPEST [wikipedia.org] is a method where you intercept EM radiation from a computer and use that to reconstruct some information about what that computer is doing. For example the US government could supposedly read CRT monitors from a fair distance away.

However, worrying about TEMPEST protection when you not only have those systems connected to systems that are connected directly to the net, but use a single management username and password combo for your entire network, is just insane. Even if the system wasn't connected to the Internet, the freaking janitor could have placed a key-logger and had access to the entire system.

It is far cheaper to bribe one employee than to spend millions setting up a modern TEMPEST system. I guess even the Dutch practice security theatre.

Re:Misplaced paranoia. (1)

betterunixthanunix (980855) | more than 2 years ago | (#37454996)

For example the US government could supposedly read CRT monitors from a fair distance away.

That is not very impressive, since the glow from a CRT is enough to reconstruct the image on the screen, and Ross Anderson's book describes how less than $1000 of equipment is enough to pick up stray emissions from a VGA cable and reconstruct the image from a neighboring building.

Re:Misplaced paranoia. (1)

wvmarle (1070040) | more than 2 years ago | (#37455190)

I'd guess a simple and effective countermeasure against that is to have, say, a hundred monitors present in the same room as the one you try to secure, and have them just showing a screen saver or so. Some that move, others that are mostly static, whatever. Good luck filtering the signal of one monitor out of that!

Re:Misplaced paranoia. (2)

fbjon (692006) | more than 2 years ago | (#37455238)

That is not very impressive, since the glow from a CRT is enough to reconstruct the image on the screen.

I do this every day using organically grown Eyeball technology, in fact.

Re:Misplaced paranoia. (1)

fuzzyfuzzyfungus (1223518) | more than 2 years ago | (#37455140)

It is especially ironic that they were using (pitifully weak) password authentication, when they are a wholly-owned subsidiary of a 2-factor authentication vendor...

I can only assume that having good authentication is hard, boring, and forces people to remember stuff, while getting to open the Big Serious Door and walk into your (probably sold by the vendor as "military grade") TEMPEST datacenter, with all the blinkenlights, involved no ongoing effort after the initial install and gave everyone involved the feeling of being big boys now...

Re:Misplaced paranoia. (1)

cptdondo (59460) | more than 2 years ago | (#37455504)

I thought a part of TEMPEST was that the machine could not be connected to a LAN except to other TEMPEST machines... ISTR that our tempest machines had removable drives that were stored separately in a safe and only inserted when the machine was booted. No LAN connection was allowed at all outside the room.

Re:Misplaced paranoia. (1)

Opportunist (166417) | more than 2 years ago | (#37456404)

Want to bet that some ISO 27k auditor wanted the Tempest-proof environment and didn't care about the single user/pass access?

And here I wonder why security auditors have such a bad name...

Password strength (0)

Anonymous Coward | more than 2 years ago | (#37454940)

Amusing that they comment about weak passwords being used on a Windows domain...
Once you have the ability to crack the passwords, i.e. the hashes, it doesn't matter how strong or weak they are since you can simply use the hashes without cracking them.

Pay your IT like shit (0)

Anonymous Coward | more than 2 years ago | (#37455100)

This is what happens when you pay IT like shit and/or hire under-skilled workers. This is very common, because there is no respect for IT. People ask what I do for a living, and they hear anything about a computer, and they think they are capable of doing the same. No other profession is downplayed as much as server administration.

Re:Pay your IT like shit (1)

Opportunist (166417) | more than 2 years ago | (#37456536)

Try IT security. You'd be amazed what kind of prestidigitators peddle in my profession. They come in, pull off a "demonstration" with a lot of smoke and mirrors and wow people into buying their crap. I've come to a lot of companies who showed me their latest and greatest security systems with unhidden pride, only to throw a tantrum when they get to see it shatter.

It's really disheartening. Anyone who has ever managed to get nmap to produce some output other than the help page considers himself a security professional today. And what's worse, these idiots get hired. Because their managers know even less about security and they are cheap. There are also very few certificates that are generally accepted. And getting a CISA or CISM is usually overkill.

Deserved, but the real problem stays (2)

AtomicJake (795218) | more than 2 years ago | (#37455142)

DigiNotar got what it deserved.

However, the real problem stays: there are hundreds of CAs out there which are trusted by default by your browser. You probably never heard about most of them. They operate in different countries - you cannot sue them easily from your country. All of them can (technically) also issue certs for all Web sites (even for Web sites that have an existing cert from somebody else).

The whole CA system is broken. I would rather like to trust only CAs that have earned the trust. E.g. CAs that have been validated by my bank for online payments (but not for my email).

Re:Deserved, but the real problem stays (2)

icebraining (1313345) | more than 2 years ago | (#37455252)

However, the real problem stays: there are hundreds of CAs out there which are trusted by default by your browser. You probably never heard about most of them. They operate in different countries - you cannot sue them easily from your country. All of them can (technically) also issue certs for all Web sites (even for Web sites that have an existing cert from somebody else).

That's not the real problem. The real problem is that what happened to Diginotar could happen to a really big CA, and then removing it from the browser breaks half the web.

Re:Deserved, but the real problem stays (1)

AtomicJake (795218) | more than 2 years ago | (#37456184)

However, the real problem stays: there are hundreds of CAs out there which are trusted by default by your browser. You probably never heard about most of them. They operate in different countries - you cannot sue them easily from your country. All of them can (technically) also issue certs for all Web sites (even for Web sites that have an existing cert from somebody else).

That's not the real problem. The real problem is that what happened to Diginotar could happen to a really big CA, and then removing it from the browser breaks half the web.

Well, it can only happen to CAs which do not know security (and since we have hundreds of them in our browsers, it is very likely that there are others that are as bad as DigiNotar). However, reducing the number of CAs is not a solution, as this will just elevate the risk for each security breach at a CA. The only solution is to delegate the "trust" relationship in a way that it is economically VERY interesting that the delegate checks the trustworthiness of the CA. E.g. your bank for certs that are used for online payments - if the (by the bank trusted) CA fails, it's the bank that pays the damages. Unfortunately, I do not yet have an idea for certs used by "free" Webmail (e.g. gmail).

And it is a BIG problem, that each CA can issue a cert, even for Web sites that already have a cert from another CA (as it happened for gmail in the DigiNotar case).

Re:Deserved, but the real problem stays (2)

gnasher719 (869701) | more than 2 years ago | (#37456740)

The only solution is to delegate the "trust" relationship in a way that it is economically VERY interesting that the delegate checks the trustworthiness of the CA. E.g. your bank for certs that are used for online payments - if the (by the bank trusted) CA fails, it's the bank that pays the damages. Unfortunately, I do not yet have an idea for certs used by "free" Webmail (e.g. gmail).

You got the problem completely wrong. Let's say my bank is highly knowledgeable; they figured out that there are 10 CAs they can trust one hundred percent and the others are a bit dodgy, and they use one of the 10 CAs that are one hundred percent trustworthy. The problem is that any of the dodgy CAs can create a certificate for the bank's website that will be trusted by your browser until it is found out and revoked, without the bank being involved at all. And of course the victim of a hack will not be in contact with the bank's website, because the whole point is to redirect victims to a hacker's website, which can pretend to be the bank's website because they have a genuine fake certificate.

Let's say I call an incompetent CA and say "Hi, my name is Joe Google, I need a certificate for my website www.google.com" and the incompetent CA sells me a certificate for $9.99. Nothing that Google can do about this, and in no way Google's fault.
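The two mechanics argued over in this thread, that any root in the browser's list can vouch for any hostname (gnasher719's bank example above), and that browsers answered DigiNotar by blocking its CA names even when cross-signed by another root (the CNNIT cross-signing exchange earlier), can be shown with a toy trust-store model. This is an added example, not code from DigiNotar, Fox-IT or any browser; certificate names and the scenario are constructed, and signature checking is abstracted away (an issuer link counts as verified when the child's issuer names the parent's subject).

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Cert:
    """Minimal certificate: who it names, who issued it, whether it may issue."""
    subject: str
    issuer: str
    is_ca: bool = False


@dataclass
class TrustStore:
    """What a browser ships: root CA names it trusts, plus CA names it has
    explicitly blocked wherever they appear in a chain."""
    roots: set
    distrusted: set = field(default_factory=set)


def build_chain(leaf, pool):
    """Follow issuer links from the leaf upward through the available CA
    certificates until no parent is found or a loop would start."""
    by_subject = {c.subject: c for c in pool}
    chain, seen, cur = [leaf], {leaf.subject}, leaf
    while cur.issuer in by_subject and cur.issuer not in seen:
        cur = by_subject[cur.issuer]
        seen.add(cur.subject)
        chain.append(cur)
    return chain


def validate(leaf, pool, store):
    """Return (accepted, reason). Accepted only if every link above the leaf
    is a CA, the top of the chain was issued by a trusted root, and no
    certificate in the chain names or is issued by a distrusted CA."""
    chain = build_chain(leaf, pool)
    for c in chain[1:]:
        if not c.is_ca:
            return False, f"{c.subject} is not a CA"
    if chain[-1].issuer not in store.roots:
        return False, f"top of chain issued by untrusted {chain[-1].issuer}"
    for c in chain:
        if c.subject in store.distrusted or c.issuer in store.distrusted:
            return False, f"{c.subject} chains through distrusted CA"
    return True, "ok"


# Constructed scenario (made-up names). The bank bought its certificate from a
# careful CA; a careless CA, also in every browser's root list, later issued a
# second certificate for the same hostname to someone else. The careless CA
# also holds an intermediate that a different, still-trusted root cross-signed.
CA_POOL = [
    Cert("Careful CA Root", "Careful CA Root", is_ca=True),
    Cert("Careless CA Root", "Careless CA Root", is_ca=True),
    Cert("Careless CA Intermediate", "Cross-Signer Root", is_ca=True),
]
BANK_GENUINE = Cert("www.examplebank.test", "Careful CA Root")
BANK_ROGUE = Cert("www.examplebank.test", "Careless CA Root")
BANK_ROGUE_CROSS = Cert("www.examplebank.test", "Careless CA Intermediate")

# Before the breach: all three roots are trusted, so the rogue certificate is
# accepted just like the genuine one, with no involvement from the bank.
DEFAULT_STORE = TrustStore(
    roots={"Careful CA Root", "Careless CA Root", "Cross-Signer Root"})

# After the breach: the root is pulled and the CA's intermediate is blocked by
# name as well, so a cross-signature from a trusted root does not revive it.
REVISED_STORE = TrustStore(
    roots={"Careful CA Root", "Cross-Signer Root"},
    distrusted={"Careless CA Root", "Careless CA Intermediate"})


def outcome(store):
    """Accepted/rejected verdict for each of the three bank certificates."""
    return {name: validate(cert, CA_POOL, store)[0]
            for name, cert in (("genuine", BANK_GENUINE),
                               ("rogue", BANK_ROGUE),
                               ("rogue_cross_signed", BANK_ROGUE_CROSS))}


if __name__ == "__main__":
    print("before distrust:", outcome(DEFAULT_STORE))
    print("after distrust: ", outcome(REVISED_STORE))
```

Note that the genuine certificate keeps validating in both stores: the distrust entries are narrow, and only chains passing through the named CA are cut off.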

Re:Deserved, but the real problem stays (1)

ToasterMonkey (467067) | more than 2 years ago | (#37456636)

At the same time we have too many trusted CAs I've heard others claim.

Hogwash

Big CAs can use multiple intermediate keys to spread the risk. Browser and OS vendors are the first link in the chain of trust, they have more than enough sway to demand levels of risk acceptable to them. You are the next link, complain to your browser / OS vendor and raise a stink. They'll demand stronger audits or contracts. Money talks folks.

There's nothing wrong with a chain of trust, or you wouldn't be trusting anything else you receive at retail, software or otherwise. The Internet just needs to grow the fuck up.

Self regulate or be regulated, plain and simple.

Re:Deserved, but the real problem stays (1)

magamiako1 (1026318) | more than 2 years ago | (#37455270)

A good way to do this would be to come up with a reputation-based system that filters down.

For example, CAs would need a higher reputation than that of sites and services.

This model won't work with the existing CA business model, however.

Already Bankrupt in Effect (0)

Anonymous Coward | more than 2 years ago | (#37455174)

Because of the way the intrusion was handled, responsible people had to remove DigiNotar from their certificates entirely, rather than just a few suspect certificates. Therefore, they were bankrupt in effect long before they were bankrupt in fact.

Idiots (3, Interesting)

Arancaytar (966377) | more than 2 years ago | (#37455910)

We have strong indications that the CA-servers, although physically very securely placed in a tempest proof environment, were accessible over the network from the management LAN.

It is at once hilarious and depressing that there are tech and security managers who take steps to shield equipment from electromagnetic detection and then leave that equipment open to remote access. Wrap your computer in tinfoil and then stick your password on the screen.

It all goes to show... just what, now? (0)

Anonymous Coward | more than 2 years ago | (#37456756)

It all goes to show how quickly a data breach can bring down a company.

Especially if you're a company whose sole raison d'etre is to promise everyone you won't have a data breach!

A taco stand probably needs to worry far less.
