Security Breach in CA Networks - Comodo, DigiNotar, GlobalSign

Since March 2011, more and more cyber attacks have been surfacing across the globe, with damaging consequences both for the companies that faced the attacks and for the customers whose details were stolen. One such attack was on Sony’s PlayStation Network, which resulted in a breach of the personal details of nearly 70 million customers.
Some of the other cyber attacks of 2011 targeted RSA, Lockheed Martin, Gmail accounts of U.S. politicians, CitiGroup, the IMF, etc.
While the above attacks are particularly high profile and more or less detached from our day-to-day activities, the security breaches of the networks of Comodo CA, DigiNotar CA and GlobalSign CA have now joined that list of high profile hacks.
The attacks in almost all of the above cases relied on the most basic attack vectors: a combination of phishing attacks to compromise usernames and passwords, SQL injection, XSS (Cross Site Scripting) and penetration of the network by exploiting known vulnerabilities.
The CA hacks were on much the same lines as far as attack vectors go, but after the successful hack the hacker managed to create fake certificates for sites such as ,,, etc., giving the hacker(s) the capability of sniffing the traffic of thousands of users through man-in-the-middle attacks. This breach led to the bankruptcy of DigiNotar.
Investigations carried out into most of the hacks point to the fact that almost all of the companies: a) failed to regularly maintain all their servers, applications and network equipment with the latest updates; b) failed to carry out regular code review of the web applications on their web servers; c) failed in due care and due diligence activities.
Over the last six months there have been several breaches of the network security of Certifying Authorities; Comodo, DigiNotar, DigiSign and StartCom are some of those CAs. The hacker(s) have been reported to have exploited common vulnerabilities in poorly maintained servers and firewalls, and to have used advanced attack methods to penetrate an HSM (Hardware Security Module) with only one single open port. Through this document I intend to highlight the need for regular maintenance of network equipment and servers, the need for regular monitoring, and the fact that even proprietary software/hardware such as an HSM is not out of reach of determined hackers.
Finding out network information about Certifying Authorities is particularly easy because most of their activities are more or less online. Gaining access to Certifying Authority networks may be considered harder because, in most cases, they will have fortified networks with the latest hardware and software security measures in place. Physical access to such networks is not needed because, again as noted earlier, most of the activities are online and the information systems would be more or less interconnected.
Comodo is a well known company in the web security arena, providing services and solutions that cater for creating online trust. SSL certificates, code signing certificates, email security certificates, etc. are some of the products provided by Comodo.
On March 23rd, Comodo revealed that they had suffered a cyber attack which resulted in a breach of their network. The disclosure came about 8 days after the actual hack (15th March, 2011) was carried out.
The hacker who has claimed responsibility for the attack is ComodoHacker, through his pastebin account.
According to Comodo, one of their RAs in South Africa ( suffered an attack that resulted in the breach of that particular RA's account on 15th March, 2011. The RA account was then used to fraudulently issue 9 certificates across 7 different domains. Some of these domains were,, ,,,
Comodo claims that there was no breach of the security of their main CA infrastructure, their HSM or their private keys. Other RAs haven’t been compromised either.
ComodoHacker claims that he managed to gain complete access to the RA network and reverse engineered the DLL (TrustDll.dll) that took care of signing certificate requests. It seems the DLL was written in C#, and the code has been uploaded to the hacker's PasteBin account.
A username and password were hardcoded into the DLL, which led the hacker straight to the APIs used for signing certificates. The hacker generated his own CSRs (Certificate Signing Requests), signed them using the signing APIs he already had access to, and thus managed to fabricate fake certificates for the domains mentioned above.
Further, the hacker claims to have gained access to the network of GlobalTrust and to have uploaded one database table to his pastebin account. He also claims that he had RDP access to the GlobalTrust server for two full days with complete administrator access, and that he was able to wipe two complete backups of the CA data from LG based backup systems.
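As an added example (not from the original article and not Comodo's own code), here is a small Python monitor over a constructed CA issuance log that would surface the two signs of the RA compromise described above: certificates ordered for domains outside the RA's own customer base, and a burst of issuances from a single RA account within minutes. The log line format, the RA account name, the domain names and the customer list are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed CA-side issuance log (not real Comodo data); one line per certificate the
# RA front-end asked the signing API for. Line format and RA name are assumptions.
SAMPLE_LOG = """\
2011-03-14T09:12:03 ra=ra-example-1 cn=shop.example.net serial=0a1f
2011-03-14T11:40:51 ra=ra-example-1 cn=mail.example.org serial=0a20
2011-03-15T02:05:10 ra=ra-example-1 cn=login.example-bank.com serial=0b01
2011-03-15T02:06:44 ra=ra-example-1 cn=mail.example-webmail.com serial=0b02
2011-03-15T02:07:02 ra=ra-example-1 cn=www.example-sso.com serial=0b03
2011-03-15T02:08:19 ra=ra-example-1 cn=*.example-search.com serial=0b04
"""
# Assumed: the registered domains each RA account has customers for.
RA_CUSTOMERS = {"ra-example-1": {"example.net", "example.org"}}
LINE_RE = re.compile(r"^(?P<ts>\S+) ra=(?P<ra>\S+) cn=(?P<cn>\S+) serial=(?P<serial>\S+)$")

def parse_log(text):
    """Turn log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]), "ra": m["ra"],
                           "cn": m["cn"], "serial": m["serial"]})
    return events

def registered_domain(cn):
    """Crude registrable domain: drop a leading wildcard, keep the last two labels."""
    return ".".join(cn.lstrip("*.").split(".")[-2:])

def find_suspicious_issuance(events, ra_customers, window=timedelta(minutes=10), burst=3):
    """'unknown-domain': an RA ordered a cert for a domain it has no customer for.
    'burst': one RA account got >= `burst` certs inside `window`, the signature of a
    hijacked account driving the signing API directly."""
    alerts, by_ra = [], defaultdict(list)
    for ev in events:
        if registered_domain(ev["cn"]) not in ra_customers.get(ev["ra"], set()):
            alerts.append(("unknown-domain", ev["ra"], ev["cn"], ev["serial"]))
        by_ra[ev["ra"]].append(ev)
    for ra, evs in by_ra.items():
        evs.sort(key=lambda e: e["ts"])
        for i in range(len(evs)):  # sliding window anchored at issuance i
            j = i
            while j + 1 < len(evs) and evs[j + 1]["ts"] - evs[i]["ts"] <= window:
                j += 1
            if j - i + 1 >= burst:
                alerts.append(("burst", ra, evs[i]["ts"].isoformat(), j - i + 1))
                break
    return alerts
```

Run against the sample, the monitor raises four unknown-domain alerts (the four certificates ordered in the early hours of 15th March) and one burst alert for that same four-minute session.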
Combining information from both Comodo CA and the hacker, it comes to light that:
No forensic investigation report has been released from Comodo as of now.
Having access to fake certificates enables anyone to carry out successful man-in-the-middle attacks, in which passwords and other important data can be sniffed, effectively nullifying all the protection provided by SSL certificates.
The things that we may learn from this attack are:
Comodo is still operational as it claims that its main CA network wasn’t breached.
DigiNotar, a subsidiary of Vasco based in the Netherlands, hosts multiple Certifying Authorities, ranging from a CA for SSL certificates to government accredited certificates, etc.
It came to light on August 29th, 2011 that a certificate for * was lurking in the open web space, which meant that effectively all the sub-domains of Google, the likes of,,, a total of 26, were affected by this fake certificate.
The attacker, who goes by the pseudonym ComodoHacker, took responsibility for the attack and claimed that he had access to a total of 500+ fake certificates. He had managed to extract certificates for,, Microsoft updates, etc.
According to the hacker, he used a series of sophisticated hacks to get into the network of DigiNotar at least 4-5 layers deep, where the equipment didn’t have any direct connection to the internet whatsoever.
According to Fox-IT, the investigation company which investigated the attack on DigiNotar, there were many loopholes present in the network, namely:
Startling facts are disclosed there, and they point to the fact that despite being a company linked with a high profile parent, logical security was at a complete lapse.
Effectively, by having access to these certificates and diverting users’ traffic to hosts serving sites with these fake certificates, successful man-in-the-middle attacks can be carried out. Merely having fake certificates doesn’t have that great an impact, but the lapse in security cannot be sidelined, and note should be taken that hacking attempts of this sort are lurking in the wild and effective countermeasures should be in place to nullify such attacks.
The things that we may learn from this attack are:
DigiNotar filed for bankruptcy on September 20th, 2011.
ComodoHacker, the hacker behind the Comodo and DigiNotar hacks, claims through his PasteBin account that he has access to the GlobalSign network as well and that he will soon start creating fake SSL certificates, but hasn’t declared anything further in this regard.
GlobalSign, after a brief investigation, reported that no major hack had been discovered beyond the fact that one of their web servers had been hacked, and that they have taken the necessary precautionary measures to prevent a recurrence of such attacks.
The web server, according to GlobalSign, was a standalone server without any capabilities linked to the issuing of certificates.
ComodoHacker hasn’t released any further information as yet.
The things that we may learn from this standalone web server hack:
Comodo Hacker PasteBin Account –
Trend Micro Blog –
The Register – and
Networking4All –
DigiNotar Investigation Public Report –
GNS Magazine –
Comodo –
Business Insider –