Latest news

As Jacob Appelbaum of the Tor project shared the full list of the rogue certificates, it became clear that fraudulent certificates had also been issued for the domains of a number of intelligence agencies from around the world during the CA's compromise, including the CIA, MI6 and Mossad.
Additional targeted domains include Facebook, Yahoo!, Microsoft, Skype, Twitter, Tor, WordPress and many others.
He received the list from sources in the Dutch Government, which has retracted its statement that DigiNotar's PKIoverheid CA branch could still be trusted, told its citizens that it cannot guarantee the security of its own websites, taken over DigiNotar's operations and organized immediate audits of its infrastructure.
"The most egregious certs issued were for *.*.com and *.*.org while certificates for Windows Update and certificates for other hosts are of limited harm by comparison," points out Appelbaum. "The attackers also issued certificates in the names of other certificate authorities such as 'VeriSign Root CA' and 'Thawte Root CA' as we witnessed with ComodoGate, although we cannot determine whether they succeeded in creating any intermediate CA certs."
"That's really saying something about the amount of damage a single compromised CA might inflict with poor security practices and regular internet luck," he concludes. In a previous post, he compared the current state of the Certificate Authority system to a house of cards doused with petrol, waiting for a light.
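How much harm a certificate for `*.*.com` can do depends on how strictly the client matches the name in the certificate against the host it connected to. The following is an added example, not code from the original article nor from DigiNotar, any browser or any CA: a strict server-name matcher in the style of RFC 6125. The function names (`hostname_matches`, `select_san`) and the two SAN lists are constructed for illustration. A client applying these rules refuses a multi-label wildcard outright; a more permissive matcher that let `*` span dots would accept the same certificate for every `.com` host.

```python
"""Strict TLS server-name matching for certificate wildcards.

Rules applied here (the conservative subset most modern clients enforce;
the exact policy is a per-client decision, so treat it as this example's
assumption):
  * comparison is case-insensitive, label by label;
  * a wildcard is allowed only as the complete leftmost label;
  * one wildcard matches exactly one label, never several;
  * a wildcarded pattern needs at least two fixed labels to its right,
    so '*.com' is refused.
"""
from typing import List, Optional


def _labels(name: str) -> List[str]:
    # Drop one trailing dot (absolute name) and lower-case for comparison.
    return name.lower().rstrip(".").split(".")


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Return True if the presented identifier `pattern` covers `hostname`."""
    pat = _labels(pattern)
    host = _labels(hostname)
    if "" in pat or "" in host:
        return False                        # empty label: malformed name
    if "*" not in pattern:
        return pat == host                  # plain dNSName: exact match only
    # Wildcard handling
    if pat[0] != "*" or any("*" in lbl for lbl in pat[1:]):
        return False                        # '*' only as the whole leftmost label
    if len(pat) < 3:
        return False                        # '*.com' would cover an entire TLD
    if len(host) != len(pat):
        return False                        # '*' never spans a '.' boundary
    return pat[1:] == host[1:]


def select_san(san_names: List[str], hostname: str) -> Optional[str]:
    """Return the first SAN dNSName that covers `hostname`, else None."""
    for name in san_names:
        if hostname_matches(name, hostname):
            return name
    return None


if __name__ == "__main__":
    # Constructed SAN lists: one shaped like the rogue entries quoted in the
    # article, one like a legitimately scoped wildcard certificate.
    rogue_sans = ["*.*.com", "*.*.org"]
    scoped_sans = ["example.com", "*.example.com"]
    for host in ["www.example.com", "a.b.example.com", "example.com"]:
        print(host, "rogue:", select_san(rogue_sans, host),
              "scoped:", select_san(scoped_sans, host))
```

Run stand-alone, the rogue list matches nothing, while the scoped list covers `www.example.com` via the wildcard and `example.com` via the exact entry but, correctly, not `a.b.example.com`.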
And while security experts differ in their speculation about the entity behind the attack, there seems to be near-universal agreement that DigiNotar will be closed for business forever after this.
Kaspersky Lab's Roel Schouwenberg notes that "with some 500 authorities out there globally it's hard to believe DigiNotar is the only compromised CA out there."
That is a chilling thought that many an expert has probably had since the extent of the incident was revealed. With luck, it might jump-start the search for a fitting alternative to the CA trust system.