In 2011 Dutch web certificate company DigiNotar was compromised completely by an Iranian hacker, and a report released this week details how it was done.
The report, written by security auditors Fox-IT and published by the state last Monday, shows that the hacker managed to get access to DigiNotar’s public website, which had already been hacked in 2009. In fact, the defacements from that year were still online when the hack was discovered in August 2011, security.nl reported at the time.
According to Webwereld, Fox-IT’s report reads like a how-to for pwning a badly secured system. The hacker installed a shell on the web server, which must have been easy to do, as the still-online defacements showed the way. DigiNotar had a firewall between its public network (which it called the Demilitarised Zone) and its segmented internal network, but it also had a long list of exceptions in the firewall. The certificate servers were also attached to DigiNotar’s office network, so the hacker could use the standard MS Windows Remote Desktop tool to create false certificates.
Just another day at the office for an experienced black hat hacker.
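The two weaknesses the report singles out, a permissive firewall exception list between the DMZ and the internal network, and certificate servers reachable over Remote Desktop from the office network, are exactly the kind of thing a segmentation audit should catch. The script below is an added example written for this post, not code from the Fox-IT report or from DigiNotar; the zone map, the rule format and the sample rule set are constructed for illustration and are not DigiNotar’s actual configuration. It walks an allow/deny rule list and flags any rule that lets DMZ hosts initiate into another zone, and any rule that exposes the certificate-issuing zone on RDP (or on all ports) from elsewhere.

```python
"""Audit a firewall exception list for DMZ-to-internal paths and RDP exposure
of certificate servers.

The zone map, Rule format and SAMPLE_RULES are constructed for this example
(assumptions); they are not DigiNotar's real configuration."""
from dataclasses import dataclass
import ipaddress

RDP_PORT = 3389

# Constructed zone map (zone name -> CIDR). Assumption for the example.
ZONES = {
    "DMZ": ipaddress.ip_network("203.0.113.0/24"),    # public web servers
    "OFFICE": ipaddress.ip_network("10.10.0.0/16"),   # staff workstations
    "CA": ipaddress.ip_network("10.20.0.0/24"),       # certificate-issuing servers
}


@dataclass(frozen=True)
class Rule:
    name: str
    action: str   # "allow" or "deny"
    src: str      # CIDR or "any"
    dst: str      # CIDR or "any"
    dport: str    # destination port number or "any"


def _zones_of(cidr: str) -> set:
    """Return the set of zone names that a CIDR (or "any") overlaps."""
    if cidr == "any":
        return set(ZONES)
    net = ipaddress.ip_network(cidr, strict=False)
    return {name for name, zone in ZONES.items() if net.overlaps(zone)}


def risky_exceptions(rules) -> list:
    """Return (rule name, reason) pairs for allow rules that cross a trust boundary.

    Two patterns are flagged:
      * a DMZ source may initiate into any non-DMZ zone (the web server as a
        stepping stone into the internal network);
      * the CA zone is reachable on RDP, or on all ports, from any other zone
        (remote-desktop access to the certificate servers).
    """
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        src_zones, dst_zones = _zones_of(r.src), _zones_of(r.dst)
        inward = dst_zones - {"DMZ"}
        if "DMZ" in src_zones and inward:
            findings.append((r.name, "DMZ may initiate into " + ",".join(sorted(inward))))
        outsiders = src_zones - {"CA"}
        if "CA" in dst_zones and outsiders and r.dport in ("any", str(RDP_PORT)):
            findings.append((r.name, "CA zone reachable on RDP/any from " + ",".join(sorted(outsiders))))
    return findings


# Constructed sample exception list (not a real ruleset).
SAMPLE_RULES = [
    Rule("web-in", "allow", "any", "203.0.113.10/32", "443"),               # internet -> web server: fine
    Rule("dmz-to-db", "allow", "203.0.113.0/24", "10.10.5.0/24", "1433"),   # DMZ -> office segment
    Rule("dmz-updates", "allow", "203.0.113.0/24", "10.10.9.9/32", "any"),  # DMZ -> office host, all ports
    Rule("office-rdp-ca", "allow", "10.10.0.0/16", "10.20.0.0/24", "3389"), # office -> CA over RDP
    Rule("ca-admin-https", "allow", "10.10.0.0/16", "10.20.0.0/24", "443"), # office -> CA over HTTPS only
    Rule("default-deny", "deny", "any", "any", "any"),
]

if __name__ == "__main__":
    for name, reason in risky_exceptions(SAMPLE_RULES):
        print(f"{name}: {reason}")
```

Run against the sample list it reports the two DMZ-to-office rules and the office-to-CA RDP rule, and leaves the HTTPS-only administrative rule alone; in a real audit the zone map would come from the network inventory and the rule list from an export of the firewall configuration.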
Techworld reports that the DigiNotar hack was mainly used to attack Gmail users in Iran. DigiNotar declared bankruptcy in September 2011. The company’s certificates were heavily relied upon by the Dutch government, but also by Google.
Web certificates are a means to tell your browser that the website you are visiting really is the website it claims to be. This is useful for online banking and so on.