GlobalSign, a certificate authority (CA) based in Belgium, temporarily stopped issuing certificates. This action was taken in response to a message on Pastebin in which the anonymous poster claimed responsibility for the recent DigiNotar breach and singled out GlobalSign as another CA that he or she had compromised.
According to GlobalSign’s press release, the company is investigating the report and “decided to temporarily cease issuance of all Certificates” until it assesses the claim that its security was breached.
An ISC reader shared a response that GlobalSign provided to his company regarding this matter. In that message, the company explained that it paused the issuance of certificates so that its systems could undergo a forensic audit while off-line. The company reportedly downplayed the risk to existing active certificates, pointing to its security practices, which keep the root CA off-line. Yet, with the intermediate CAs on-line, the risk remains in a form similar to the DigiNotar scenario: an attacker who gains control of an on-line intermediate CA may be able to use it to issue false certificates, including fraudulent certificates for names that already have legitimately issued ones, which would let the attacker spoof those sites.
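The distinction the paragraph above draws, an offline root with online intermediates, can be shown in code. The following Go program is an added example, not GlobalSign's or ISC's code: it builds a toy hierarchy with the standard library, has a second intermediate (standing in for a compromised one) issue a certificate for the same host, and shows that ordinary chain validation accepts both while a pin on the genuine intermediate's public key flags the rogue one. All names (mkCert, check, scenario, the CA names, www.example.com) are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// mkCert issues a certificate for cn signed by parent (nil parent: self-signed, i.e. the offline root).
func mkCert(cn string, isCA bool, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		DNSNames: []string{cn}, NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign}
	if parent == nil {
		parent, pkey = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, pkey)
	if err != nil { panic(err) }
	c, _ := x509.ParseCertificate(der)
	return c, key
}
// check: does leaf chain to root via inter for host (all a browser verifies), and does that chain's intermediate carry the pinned SPKI hash?
func check(leaf, inter, root *x509.Certificate, pin [32]byte, host string) (chainOK, pinOK bool) {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(inter)
	chains, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots, Intermediates: inters})
	if err != nil { return false, false }
	return true, sha256.Sum256(chains[0][1].RawSubjectPublicKeyInfo) == pin // chain order: leaf, inter, root
}
// scenario: one offline root, the genuine online intermediate and a stand-in for a compromised one; both issue the same host name.
func scenario() (legitChain, legitPin, rogueChain, roguePin bool) {
	root, rootKey := mkCert("Offline Root CA", true, nil, nil)
	legit, legitKey := mkCert("Online Intermediate CA", true, root, rootKey)
	other, otherKey := mkCert("Other Online Intermediate CA", true, root, rootKey)
	pin := sha256.Sum256(legit.RawSubjectPublicKeyInfo) // recorded when the genuine chain was first seen
	good, _ := mkCert("www.example.com", false, legit, legitKey)
	rogue, _ := mkCert("www.example.com", false, other, otherKey)
	legitChain, legitPin = check(good, legit, root, pin, "www.example.com")
	rogueChain, roguePin = check(rogue, other, root, pin, "www.example.com")
	return
}
func main() { fmt.Println(scenario()) } // prints: true true true false
```

Chain validation alone cannot tell the two leaf certificates apart; only knowledge of which key should have issued the certificate (a pin, or monitoring of issuers seen for a name) exposes the rogue one.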
Note, however, that we have yet to see evidence of GlobalSign being compromised. The Pastebin notice might prove to be unauthentic or otherwise false. It’s not uncommon for malicious hackers to put forth claims of conquest that later turn out to be unsubstantiated… just for LOLs.
Len Lavens makes a good point on his blog:
Globalsign is doing the investigation in a way that is best for the whole sector and stops the downgrade of trust in all certificates (as happened to the banks) by investigating first and bringing out reports afterwards. This way it will put a stop to the rumors and also possibly end the access the hacker eventually had to some infrastructure somewhere.
Several sources tell me that some other CAs are trying to create Fear and Uncertainty with emails and calls to them.
This is only acceptable if it would be clear that Globalsign has been owned like the other known victims. But in this case the hacker himself says that he wasn’t able to produce certificates; he only has a cache and some database of some Linux server.
You may steal a machine to print money but if you can’t print money on it, the fact that you didn’t produce money means that you have failed and that – if this is the case – the damage could be minimal – and the psychological operation of the hack may have been returned against him.
Here’s the official comment from GlobalSign so far:
September 6 2011: On Sep 5th 2011 the individual/group previously confirmed to have hacked several Comodo resellers claimed responsibility for the recent DigiNotar hack. In his message posted on Pastebin, he also referred to having access to 4 further high profile Certificate Authorities, and named GlobalSign as one of the 4.
GlobalSign takes this claim very seriously and is currently investigating. As a responsible CA, we have decided to temporarily cease issuance of all Certificates until the investigation is complete. We will post updates as frequently as possible.
We apologize for any inconvenience.
September 7 2011: Today, GlobalSign has officially announced the appointment of Fox-IT to assist with investigations into the claimed breach. Fox-IT are the Dutch cybersecurity experts hired to investigate the compromise of the Dutch CA DigiNotar and therefore already have a wealth of current knowledge and experience of the hacker.
September 7 2011: 5pm GMT: Update. The appointment of Fox-IT is a precautionary measure as we continue to assess the Comodohacker’s claims.
Update September 9: We will start bringing services back online on Monday. We have already stated that we deem this to be an industry wide threat due to the mention of multiple CAs. We are adopting a high threat approach to bringing services back online and we are working with a number of organisations to audit the process of bringing the services back online. We apologise again for the delay.
We would like to take the opportunity to explain that the GlobalSign CA root was created offline, and always has been offline. Any claim by the Comodohacker to hold a private key does not refer to the GlobalSign offline root CA. The investigation also continues.