DigiNotar Hacker Says He Has GlobalSign Database Backups, Other Data

ID THREATPOST:966CB589DEE0DB1F24107B07C6864965
Type threatpost
Reporter Dennis Fisher
Modified 2013-04-17T16:33:50


As GlobalSign continues the investigation into the claimed compromise of its CA infrastructure, the attacker who says he breached DigiNotar and Comodo said in another message on Pastebin Wednesday that not only did he hack GlobalSign, but he has the private key used to sign the certificate for the company’s own domain as well as backups of its databases.

The attacker, who has been known as Comodohacker since his compromise of Comodo’s CA infrastructure in March, said that his attack on GlobalSign will be revealed soon, as will his compromises of three other certificate authorities that he says he has breached. His message appears to be a response to media reports and to the emailed comments and questions he is receiving as he continues to reveal more details of the attacks.

“You only heards Comodo (successfully issued 9 certs for me -thanks by the way-), DigiNotar (successfully generated 500+ code signing and SSL certs for me -thanks again-), StartCOM (got connection to HSM, was generating for twitter, google, etc. CEO was lucky enough, but I have ALL emails, database backups, customer data which I’ll publish all via cryptome in near future), GlobalSign (I have access to their entire server, got DB backups, their linux / tar gzipped and downloaded, I even have private key of their OWN globalsign.com domain,” the latest message said.

GlobalSign, one of the older CAs in the industry, said on Tuesday that it is investigating the claim by Comodohacker that he compromised the company’s CA infrastructure. The company has suspended the issuance of SSL certificates and also has hired Fox-IT, the Dutch security firm that performed the post-breach analysis of DigiNotar’s network, to help determine whether a similar breach occurred at GlobalSign. Company officials said that the hiring of Fox-IT was just a precautionary measure.

The compromise of DigiNotar, which came to light in late August, has had a huge ripple effect throughout the Internet, as browser vendors such as Mozilla and Microsoft have scrambled to address the attack by revoking trust for DigiNotar’s certificates and pushing out updates to protect users from attackers using fraudulent certificates. The attack also has underscored comments from some security researchers such as Moxie Marlinspike who for years have been warning about the inherent weaknesses of the CA system and the dangers that placing trust in so many entities can pose to users.
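The browser response described above (revoking trust for DigiNotar's certificates and shipping updates) comes down to two controls applied at chain-validation time: removing the CA's root from the trust store, and explicitly blocklisting the CA's certificates so that chains built through a cross-signed intermediate fail as well. The following is an added illustration of that logic, not code from Threatpost or from any browser vendor: it uses only the Python standard library, the certificates are constructed stand-ins (names, issuers and DER bytes are all made up, so the fingerprints are meaningless outside this script), and the function names are the author's own.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for an X.509 certificate; only the fields the check needs (constructed)."""
    subject: str
    issuer: str
    der: bytes  # constructed bytes standing in for the certificate's real DER encoding

    @property
    def fingerprint(self) -> str:
        # SHA-256 over the DER bytes: the identifier trust stores and blocklists key on
        return hashlib.sha256(self.der).hexdigest()


def build_chain(leaf: Cert, pool: Dict[str, Cert]) -> List[Cert]:
    """Follow issuer links upward from the leaf until a self-signed cert or a dead end."""
    chain = [leaf]
    seen = {leaf.fingerprint}
    current = leaf
    while current.subject != current.issuer:
        parent = pool.get(current.issuer)
        if parent is None or parent.fingerprint in seen:
            break  # missing issuer, or a loop in the issuer graph
        chain.append(parent)
        seen.add(parent.fingerprint)
        current = parent
    return chain


def evaluate_chain(chain: List[Cert], trusted_roots: Set[str],
                   blocked_fingerprints: Set[str], blocked_ca_names: Set[str]) -> str:
    """Apply the two controls a browser update can ship: an explicit blocklist of the
    compromised CA's certificates (by fingerprint or CA name), and removal of its root."""
    for cert in chain:
        if cert.fingerprint in blocked_fingerprints:
            return f"reject: blocklisted certificate '{cert.subject}'"
        for name in (cert.subject, cert.issuer):
            if name in blocked_ca_names:
                return f"reject: blocklisted CA '{name}' in chain"
    root = chain[-1]
    if root.subject != root.issuer:
        return "reject: incomplete chain"
    if root.fingerprint not in trusted_roots:
        return f"reject: untrusted root '{root.subject}'"
    return "accept"


def make_certs() -> Dict[str, Cert]:
    """Constructed certificate pool keyed by subject name (all values are made up)."""
    certs = [
        Cert("Honest Root CA", "Honest Root CA", b"constructed-der-honest-root"),
        Cert("DigiNotar Root CA", "DigiNotar Root CA", b"constructed-der-diginotar-root"),
        Cert("DigiNotar Public CA", "DigiNotar Root CA", b"constructed-der-diginotar-public"),
        # the same CA's intermediate cross-signed by a root that stays trusted
        Cert("DigiNotar Cross CA", "Honest Root CA", b"constructed-der-diginotar-cross"),
        Cert("www.example.com", "DigiNotar Public CA", b"constructed-der-leaf-direct"),
        Cert("mail.example.com", "DigiNotar Cross CA", b"constructed-der-leaf-cross"),
        Cert("shop.example.com", "Honest Root CA", b"constructed-der-leaf-honest"),
    ]
    return {c.subject: c for c in certs}


def run_scenarios() -> Dict[str, str]:
    """Trust decisions before and after the kind of update the browsers shipped."""
    pool = make_certs()
    honest_root = pool["Honest Root CA"].fingerprint
    diginotar_root = pool["DigiNotar Root CA"].fingerprint
    direct = build_chain(pool["www.example.com"], pool)   # leaf -> DigiNotar Public CA -> DigiNotar Root CA
    cross = build_chain(pool["mail.example.com"], pool)   # leaf -> DigiNotar Cross CA -> Honest Root CA
    honest = build_chain(pool["shop.example.com"], pool)  # leaf -> Honest Root CA
    blocked_names = {"DigiNotar Root CA", "DigiNotar Public CA", "DigiNotar Cross CA"}
    return {
        # before the update: the fraudulent chain validates like any other
        "before_update": evaluate_chain(direct, {honest_root, diginotar_root}, set(), set()),
        # store removal alone stops chains anchored at the removed root ...
        "store_removed_direct": evaluate_chain(direct, {honest_root}, set(), set()),
        # ... but not a chain that reaches a still-trusted root through a cross-signed intermediate
        "store_removed_cross": evaluate_chain(cross, {honest_root}, set(), set()),
        # a name-based blocklist closes the cross-signed path
        "blocklist_cross": evaluate_chain(cross, {honest_root}, set(), blocked_names),
        # a fingerprint blocklist pins a specific certificate regardless of its name
        "fingerprint_blocked_direct": evaluate_chain(
            direct, {honest_root}, {pool["DigiNotar Public CA"].fingerprint}, set()),
        # unrelated CAs are unaffected by the update
        "honest_after_update": evaluate_chain(honest, {honest_root}, set(), blocked_names),
    }


if __name__ == "__main__":
    for scenario, verdict in run_scenarios().items():
        print(f"{scenario:28s} {verdict}")
```

The `store_removed_cross` scenario is the one worth studying: dropping a root from the store does nothing for a certificate that chains to a different, still-trusted anchor via a cross-signed intermediate, which is why an explicit blocklist of the compromised CA's certificates has to accompany the root removal.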