In a message on his Pastebin account, Comodohacker claimed he had access to GlobalSign
(WEB HOST INDUSTRY REVIEW) – Months after GlobalSign temporarily stopped issuing SSL certificates, the security provider has released the details of its investigation which found no rogue certificates were issued or customer data exposed during the September incident.
Between September 6 and 15, GlobalSign stopped issuing certificates as a precaution after a hacker claimed to have access to its systems. The hacker offered no evidence for the claim, but the same hacker was behind the DigiNotar breach that put rogue certificates into the wild, causing much alarm among certificate authorities. Some called GlobalSign's move drastic; others found it reassuring that a company would be cautious and investigate fully before resuming operations that could put its customers at risk.
At the time, the WHIR reached out to GlobalSign, which said it would not comment until the incident report was ready.
The report, released Tuesday, found that the breached machine was a peripheral web server hosting a public-facing web property; it was not part of the certificate issuance infrastructure. GlobalSign says that publicly available HTML pages, publicly available PDFs, and the SSL certificate and private key issued to www.globalsign.com could have been exposed. It determined that the certificate and key for www.globalsign.com were compromised and revoked them. The breached web server was immediately locked down and subsequently rebuilt with a new disk and a hardened system image, according to the report.
“As one of the longest operating certification authorities, the worldwide GlobalSign team is aware of the impact to customers and partners of halting Certificate issuance for any period of time,” GlobalSign said in a statement. “The executive team apologizes sincerely for the inconvenience caused when undertaking such an important decision. However, the organization stands by the decision and maintains that the ultimate duty of care for GlobalSign, like all responsible CAs, is to avoid issuance of rogue certificates. We are truly thankful for the positive reaction to our chosen response to the incident, including from the press covering this and other incidents, our peers, and ultimately from our valued customers and partners.”
During the service disruption, GlobalSign contracted Fox-IT (the same firm the Dutch government hired to investigate the DigiNotar incident) to provide third-party analysis of the GlobalSign infrastructure. Fox-IT will provide ongoing security consultancy to GlobalSign as well. GlobalSign also contracted Cyber Security Japan to oversee the build of new certificate issuance infrastructure, a rebuild undertaken on the assumption, since disproved, that the previous infrastructure had been breached.
GlobalSign rebuilt its certificate infrastructure with new hardware and hardened images for all services, and deployed additional intrusion detection on certificate-related services. In addition, it placed enhanced internal controls around logical access to issuance systems and further hardened the operational environment for Internet-facing systems.
“It is our view that this attack is one phase of an advanced persistent threat against all security solution providers,” GlobalSign said in a statement. “Because the threat landscape has evolved, GlobalSign believes greater controls are necessary across the industry and echoes the calls covered in WebTrust 2.0 and the recent updates to the Mozilla Root CA acceptance program.”
In September, Mozilla outlined several security measures that participants in its root program must comply with in light of the DigiNotar breach. GlobalSign addressed these requirements in the report, including stating that it keeps its root CA offline and has done so since 1996.
GlobalSign urges other CAs and security providers to self-regulate so that infrastructure is designed and managed to be resilient to attack; that, in the event of an attack, appropriate measures are in place to mitigate the impact; and that incident responses are open and transparent, giving relying parties visibility into the risks they may be exposed to.