Fox-IT rapport Black Tulip over DigiNotar

Rapport Fox-IT Black Tulip, Bijlage bij Kamerstukken II 26 643, nr. 256

In navolging van IT 507, IT 731  Eindelijk, op 1 november 2012 is het zover en ligt het rapport van Fox-IT genaamd: "Black Tulip" klaar. Het rapport bevat het onderzoek over de inbreuk in DigiNotar (Certificaat Autoriteit). Het onderzoek spitst zich toe op vraag hoe het mogelijk is geweest dat er valse certificaten, voor onder andere google.nl, namens Diginotar zijn uitgegeven. Voor het overzicht volgt hier de inhoudsopgave en management summary.

Table of Contents
Management summary
Investigative summary
Table of Contents
1 Introduction
2 Incident response investigation
3 State of affairs
4 Investigation of web server log files
5 Investigation of firewall log files
6 Investigation of CA servers
7 System access and tools
8 Remaining investigation
9 Summary of findings
10 MITM attack
11 Lessons learned
12 Potential follow-up investigation
13 Terminology

Management summary
DigiNotar B.V. was founded as a privately-owned notarial collaboration in 1998. DigiNotar provided digital certificate services as a Trusted Third Party and hosted a number of Certificate Authorities (CAs). The certificates issued by DigiNotar were trusted worldwide to secure digital communication on the basis of a Public Key Infrastructure (PKI). The services that DigiNotar provided included issuing Secure Sockets Layer (SSL) certificates to secure websites, issuing accredited qualified certificates that could be used as the legal equivalent of a handwritten signature and issuing PKIoverheid certificates for various Dutch eGovernment purposes. In June and July of 2011 DigiNotar suffered a breach, which resulted in rogue certificates being issued that were subsequently abused in a large scale attack in August of 2011. Following the detection of the breach on July 19 of 2011, DigiNotar took several measures to control the incident, including the revocation of known rogue certificates and the hiring of a third party specialized in IT security to investigate the intrusion. At the end of July 2011, DigiNotar was under the impression that the intrusion of its network and services had been contained. On August 28, 2011, the content of a rogue wildcard certificate for the google.com domain was posted publicly, which had been issued by DigiNotar but which had not yet been revoked. For weeks the rogue certificate had been abused in a large scale
Man-In-The-Middle (MITM) attack on approximately 300,000 users that were almost exclusively located in the Islamic Republic of Iran. Traffic that was intended for Google subdomains is likely to have been intercepted or redirected during the MITM-attack, potentially exposing the contents of the intercepted traffic as well as the Google credentials of the affected users.

On August 30, 2011, Fox-IT was asked to investigate the breach at DigiNotar. In the ensuing investigation traces were recovered that indicated that the outer limits of DigiNotar's network were first breached on June 17, 2011. The network that was used by DigiNotar was segmented and the Secure-net network segment that contained all the CA servers could not directly be reached from the Internet. By tunneling connections through other compromised systems in DigiNotar's network, the intruder gained access to the Secure-net network segment on July 1, 2011. The first attempts to create rogue certificates were made on July 2 and the first rogue certificate was successfully issued on July 10, 2011.

The investigation by Fox-IT showed that all eight servers that managed Certificate Authorities had been
compromised by the intruder. The log files were generally stored on the same servers that had been
compromised and evidence was found that they had been tampered with. Consequently, while these log
files could be used to make inconclusive observations regarding unauthorized actions that took place, the
absence of suspicious entries could not be used to conclude that no unauthorized actions took place.
Serial numbers for certificates that did not match the official records of DigiNotar were recovered on
multiple CA servers, including the Qualified-CA server which was used to issue both accredited qualified
and government certificates, indicating that these servers may have been used to issue additional and
currently unknown rogue certificates.

A fingerprint that was left by the intruder was recovered on a Certificate Authority server, which was also identified after the breach of the Certificate Service Provider Comodo in March of 2011. Over the course of the intrusion at DigiNotar, the intruder used multiple systems as proxies in order to obscure his true identity. However, several traces were recovered during the investigation by Fox-IT that independently point to a perpetrator located in the Islamic Republic of Iran. A complete list of all the IP-addresses that were identified during the investigation that are suspected to have been abused by the intruder were handed over to the Dutch police (KLPD).

The intruder at DigiNotar appears to have had the specific intention of abusing certificates that had been issued by a trusted party in order to spy on a large number of users in the Islamic Republic of Iran. The intrusion at DigiNotar and the ensuing MITM-attack resulted in an erosion of trust of the general public in the existing Public Key Infrastructure, which is central to its operation. Given the impact of a breach at a Certificate Authority on the Public Key Infrastructure as a whole, ensuring the security of every Certificate Authority is paramount to the trust in a Public Key Infrastructure and its role in providing security for a diverse range of activities on the Internet. While the approach to protecting the potential targets from this type of intrusion does not differ significantly from other threats, the range of scenarios that need to be taken into account is rapidly expanding.