The hacker who stole certificates from Dutch company DigiNotar claims he has breached four other certificate authorities (CAs).
The claims follow an attack on DigiNotar which resulted in the issuance of 531 fraudulent certificates, including wildcards for *google.com and *torproject.org.
The hacker, who identified as Ichsun, warned that countries alleged to have committed crimes against Muslims would be targeted.
“I just wanted to let the world know that anything you do will have consequences; anything your country did in the past, you have to pay for.”
He made reference to the Dutch Government's alleged role in the Srebrenica Massacre.
Ichsun said the attack involved zero-day bugs and sophisticated hacking skills.
But according to a forensic report (pdf) on the DigiNotar breach, security at the CA was lax.
It reported that servers lacked anti-virus protections and were hosting known malware, and that tools that separated critical components were either malfunctioning or not installed.
Public-facing software was unpatched, it said, and secure central network logging did not exist.
Ichsun was linked to the Comodo hack, according to the report and statements issued under the hacker's Pastebin account, which claimed responsibility for the attacks.
Microsoft updated its Certificate Trust List (CTL) hosted on Windows Update to remove DigiNotar, meaning attacks since 29 August targeting Internet Explorer users on Windows Vista and later platforms will likely fail.
"We should note that systems having previously encountered DigiNotar certificates may have cached DigiNotar as a trusted root CA," said Jonathan Ness of MSRC Engineering.
"This cached list is updated client-side every seven days. Therefore, the last date on which any attack targeting Internet Explorer users on Windows Vista and later platforms might possibly be successful is 5 September.
“We are currently preparing an update for Windows XP and Windows Server 2003 platforms which will add DigiNotar to our Untrusted Certificate Store. This update will be available soon.”
Ness said attackers would not be able to use a fraudulent Windows Update certificate to install malware via the Windows Update servers, because the Windows Update client will only install binary payloads signed by the root certificate issued by Microsoft.