A leading security certificate authority, GlobalSign, has announced it will stop issuing new certificates pending an investigation into security threats. The action comes following an earlier announcement that a hacker or group of hackers had compromised several issuers of certificates.
The hacker, who calls himself Ichsun and who is known as the Comodo Hacker for a March security break-in to that company, has posted messages about other security breaches on Pastebin, a site where programmers can store and share pieces of source code or configuration text. Comodo Hacker claims responsibility for an online break-in in July to the Dutch certificate authority, DigiNotar.
More Severe Than Expected
DigiNotar fraudulent certificates had been issued to Google, the CIA, Facebook, Microsoft, Twitter, WordPress, and Israel's intelligence agency, Mossad. The hacker Monday named four other high-profile certificate authorities that he claimed also had been breached, with GlobalSign listed as No. 4. GlobalSign is considered to be the fifth-largest issuer of online security certificates.
"GlobalSign takes this claim very seriously and is currently investigating," the company said in a statement. GlobalSign has brought in Fox-IT, a Dutch cybersecurity firm, to assist the company with the investigation.
Last week, following reports of fraudulent secure sockets layer (SSL) certificates from DigiNotar, the Dutch government took control of that certificate authority and employed Fox-IT to begin an investigation.
On Monday, Fox-IT said in a preliminary report that the breach at DigiNotar was more severe than had been originally expected. Stolen certificates, it said, could have been used for some time to spy on visitors to popular sites, as DigiNotar was compromised for more than a month.
The DigiNotar breach follows the March break-in to Comodo, whose slogan is "creating trust online" and which provides authentication for individuals, businesses, and websites, including SSL certificates. Comodo Hacker apparently found that a dynamic-link library file, or DLL, used in the submission of certificate signing requests, or CSRs, enabled him to issue fake CSRs that appeared to have been submitted by Comodo.
'Experience of 1,000 Hackers'
Comodo Hacker has said he was Iranian, although he claimed no connection with a group called the Iranian Cyber Army.
"I'm not a group," he said in one posting, but instead is a "single hacker with experience of 1,000 hackers."
Security blogger Chester Wisniewski, a senior security adviser at Sophos Canada, asked on his blog why, if the Comodo Hacker is an individual not aligned with the regime in Iran, he would "issue certificates for these specific websites all related to secure communication methods often used by dissidents to organize protests and share news with the world"?
Earlier this week, a Fox-IT preliminary report indicated that virtually all the attacks on DigiNotar originated in Iran, and there has been suspicion that this was part of an effort by that country's government to spy on Iranian dissidents who communicate through the Internet. Fake online security certificates can be used to intercept and read encrypted web traffic, such as emails, banking and log-ins.
Wisniewski praised GlobalSign's action, noting that the claims by Comodo Hacker of other break-ins could be false.
"Yet," he wrote, "they could be true, and rather than put the greater Internet community at risk, GlobalSign is foregoing some revenue out of an abundance of caution."