How Hackers Killed a Company – The Death of DigiNotar

Analysis by Al Kirkpatrick, CISO

“The keepers of the Internet have become acutely concerned about their ability to protect the most sensitive personal information such as account logons and credit card numbers.” Quote from “Hackers Shake Web to the Core – Security at Top Levels Questioned,” by Byron Acohido, USA TODAY, September 28, 2011.

Reference update 10/4/2011: “VASCO expects up to $4.8 mil in losses from DigiNotar bankruptcy,” PRNewswire, 10/4/2011 10:20:00 AM.

If you happened to see the front page of USA TODAY on September 28, 2011, you were greeted with the above headline. Okay, we all agree that Armageddon-like headlines often exaggerate reality, so I decided to provide some plain-English background and my take on this issue from an “in-the-trenches” perspective.

To understand the incident that prompted the headline, one must first understand one of the foundational concepts of Internet-based commerce.

Problem: When a user opens an Internet web page, they must have some sort of trust that the page is really published by the person or organization the web site claims to be published by. In plain English: when you are viewing a web site with a banner that displays AMAZON.COM, one would assume that Amazon, the Internet commerce people, published that web site.

Now, unless you’ve been taking a Rip Van Winkle nap for ten years or so, you probably know that the bad guys have found a myriad of ways to pretend to be someone they aren’t. So, hopefully you also know to look for that cool little padlock symbol at the bottom of your browser screen whenever you are transacting something confidential back and forth over the Internet.

What you may not have realized (and probably never wanted to need to) is all that goes on behind the scenes with respect to that padlock. Sparing the nerdy details, that padlock relies on a trusted third party, a certificate authority (of which there are only a relative handful, carefully regulated by the Internet regulation folks), to verify that the system you are communicating with matches the system in the authority’s records, and then encrypts further communications between you and that system.

It would therefore be natural to assume that these third parties have Internet security as good as anywhere, and until recently this has been a reasonable assumption. On the other hand, remember my tenet number one: there hasn’t been a computer system made that can’t be hacked given enough motivation, time and resources.

So it has come to pass that the Dutch firm DigiNotar, one of the certificate authorities, got hacked, with significant negative consequences for its Internet-commerce-based customers (many of them widely recognized).

The total impact of the incident will take years to estimate, but here are a few post-incident results that show the significant negative consequences:

  • DigiNotar, purchased last year by computer security giant VASCO for approximately $13 million, is now bankrupt and disbanded.
  • VASCO’s stock is down 35%.
  • DigiNotar’s customers temporarily lost their ability to conduct Internet commerce and, however unfairly, are now associated with insecure e-commerce.
  • Last, but certainly not least: every Internet browser worldwide (Internet Explorer, Chrome, Firefox, Safari, etc.) must update itself so that it no longer recognizes a DigiNotar certificate as valid. For some this will be automatic with no end-user intervention; for others, at minimum the end user (that’s you and me) must ensure that the browser patches are up to date.

So the obvious question arises: “If you can’t trust the central source of Internet commerce trust, what do you do?” The answer is honest, but not pretty…

There’s no going back to the days before Internet commerce, so survivors will plan for the worst for when it happens. You can bet that the certificate authorities are doubling their efforts to keep the bad guys out, but I believe it’s just a matter of time before this happens again. There are strategies that e-commerce companies can use to reduce the risk, but most are neither ideal nor inexpensive. I’ll address some of them in future blogs.

Meanwhile, and as Firestorm begs you to consider time and again:

Do all you can reasonably do to protect against the worst, but that’s not enough: you MUST do a great job of anticipating what the worst may be and come up with some seriously creative strategies for dealing with it. Don’t believe it yet? I suggest you chat with DigiNotar’s previous customers and employees.

About Al Kirkpatrick

Al Kirkpatrick, CISO, is the author of The Kirkpatrick Report for Firestorm Solutions. As a Chief Information Risk and Security Officer for multiple global corporations, Al travels the world and reports on risk and security observations of interest to our global community. Al brings over twenty-five years of business and technology experience to the Firestorm team. Throughout his career, Al has compiled an exemplary track record addressing risk management challenges across a wide range of industries. His comprehensive understanding of the benefits, challenges and strategic considerations for governance, risk and compliance programs has helped companies avoid catastrophic costs while eliminating unproductive risk management investment. Before joining Firestorm, Al was the Chief Information Risk Officer for The First American Corporation, an $8 billion, Fortune-250, multinational title insurance, real estate and financial services corporation. He has extensive international proficiency in the Americas, Europe, India and Asia-Pacific. Al held CISO positions at two large, technologically advanced corporations. He has also held various technology management positions, including the management of fossil and nuclear power plant information systems for the nation’s largest investor-owned utility company. And he rides a mean camel.

One Response to How Hackers Killed a Company – The Death of DigiNotar

  1. Ray Cassidy says:

    Quite a daunting challenge you throw out there, Al. I wasn’t aware of DigiNotar previously, nor of their demise. I have started work with a new client and I was somewhat taken aback that he has his whole business IT infrastructure defended by the free version of the most common AV giveaway! It used to be a pretty hectic site before a period of neglect allowed it to sink out of sight. They are also linked up with the payment processor’s risk assessment setup. It does seem to be a very weak link to just have a free-version level of security.

    If you had one single TRUST tip for smaller, less resourced setups like my own and my clients’, what would it be?

    A very helpful article; I shall point it out to my associates.
    Ray