The DigiNotar attack in 2011 set itself apart because it was an attack on the cybersecurity industry itself. Most attacks are on a single company. But this one shook trust in cybersecurity tools and in how users decide whom to trust online. After covering this industry for years, I’ve seen firsthand how cyber attacks don’t happen in a vacuum. Instead, attacks form a spider web: some attacks inspire others in style, while others take vulnerabilities found in a previous attack to a new level.
To me, this one stood out even more because it attacked our trust. So I decided to delve deeper into this attack. How did an incident like this affect the industry and users going forward?
The DigiNotar Attackers Took Advantage of Poor Training
To fully understand the impact, I needed to start by finding out exactly what happened.
DigiNotar, a certificate authority (CA), became vulnerable in the summer of 2011. It didn’t follow basic cybersecurity processes, including patching its web servers and enforcing its own password policy.
It’s shocking that these issues happened at a company whose job was ensuring other companies were following security protocols. But it can be hard to control the actions of a single staff member or a handful of employees, especially when they’re remote.
So many issues start from a single misstep by an employee. Companies can avoid them with more regular training or better processes. The best tech in the world can’t substitute for a culture of cybersecurity. You’re safer if every person, from the CEO to the administrative assistants, feels responsible for it.
Over 500 Rogue Certificates Issued
Because of this DigiNotar vulnerability, a cybercriminal accessed the network on July 10, 2011, and began issuing rogue SSL certificates. A certificate is a third party’s (the CA’s) signed statement that the key a website presents really belongs to that site, which is what lets a browser set up an encrypted connection with it. In essence, a certificate means users can trust the site. (If a site has encrypted communication, then the URL begins with https. Sites with extended validation, which requires more vetting, receive a green bar in the address bar.)
Yes, technically the attack was against DigiNotar, a cybersecurity organization that was the main provider of digital security for Dutch government domains. As a CA, DigiNotar was responsible for verifying who owned a site’s key and issuing certificates. Put simply, CAs determine which websites are considered trusted. But after the attack, the criminals used the access to issue over 500 fraudulent digital certificates for some of the most-visited websites online — Google, Mozilla and Skype. So the victims included every person whose browser accepted one of those rogue certificates as genuine.
The Problem With Code Signing
Issuing a certificate is a digital signing process, the same mechanism used for code signing: the CA verifies the author’s identity, and the resulting signatures are what validate executables and scripts. The DigiNotar attackers got around that process and created certificates for themselves and others to carry out further cyberattacks on specific sites.
Once the rogue certificates were issued, connections to those sites could no longer be trusted, because anyone holding a rogue certificate could impersonate the site. However, users and the company didn’t know that at first. Attackers were then able to intercept information that users sent to the affected sites over what looked like a secure connection. DigiNotar did discover the issue itself and attempt to correct it. But it was too late.
A few weeks later, a user in Iran realized something was wrong and posted about it on a Gmail forum. Slate reported that over the next few months, Google found that 298,140 unique IP addresses had attempted to access Google websites that were not secure, with 95% of the addresses coming from Iran. Because of the impact of the attack, DigiNotar went bankrupt in late September 2011.
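The trust model described above, as an added Go example that is not part of the original post: a root CA that clients still trust can sign a certificate for any host name and it will validate; a Chrome-style pin check (the kind of check that exposed the rogue Google certificate) flags the wrong anchor; and pulling the compromised root from the trust store, as browser and OS vendors did, makes the certificate fail. The CA names and the host mail.example.com are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue returns a certificate and its key: a self-signed root CA when parent is nil, otherwise a TLS server certificate for host name signed with the parent's key.
func issue(name string, serial int64, parent *x509.Certificate, signer ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // only fails if rand.Reader does
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
	}
	if parent == nil { // root CA: signs its own certificate
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, signer = tmpl, priv
	} else { // leaf: browsers match the host name against the SAN, not the CN
		tmpl.DNSNames = []string{name}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der) // DER from CreateCertificate always parses
	return cert, priv
}
// RogueCertOutcome has a compromised-but-trusted root sign a certificate for host and reports: does it validate,
// is the chain anchored in the site's expected CA key (a pin), and does it still validate once that root is distrusted.
func RogueCertOutcome(host string) (trusted, pinHit, trustedAfterDistrust bool) {
	legitCA, _ := issue("Legitimate Root CA", 1, nil, nil)
	rogueCA, rogueKey := issue("Compromised Root CA", 2, nil, nil)
	leaf, _ := issue(host, 3, rogueCA, rogueKey) // what the intruder mints for the target site
	before, after := x509.NewCertPool(), x509.NewCertPool()
	before.AddCert(legitCA)
	before.AddCert(rogueCA) // trust store as shipped before the incident: both roots trusted
	after.AddCert(legitCA)  // trust store as vendors updated it: the compromised root pulled
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: before, DNSName: host})
	if err == nil { // Chrome-style pin: the chain's anchor key must be the one expected for host
		pinHit = chains[0][len(chains[0])-1].PublicKey.(ed25519.PublicKey).Equal(legitCA.PublicKey)
	}
	_, errAfter := leaf.Verify(x509.VerifyOptions{Roots: after, DNSName: host})
	return err == nil, pinHit, errAfter == nil
}
func main() {
	fmt.Println(RogueCertOutcome("mail.example.com")) // constructed host name; prints true false false
}
```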
Fixing the Structure of the Internet
The attack itself was damaging, especially to DigiNotar and affected users in Iran. But the most notable parts of the attack are the changes that came from the event. At the time, I assumed that it only affected people accessing the internet in Iran. But in reality, the attack highlighted the widespread issues with the process.
Global leaders realized that the current method for issuing and trusting certificates was not secure. It put too much power in the hands of CAs like DigiNotar.
The result: the Certificate Authority Security Council (CASC) of the PKI Consortium set requirements for CAs to issue certificates in December 2016. Prior to this, there was no set of processes for CAs to follow. The new rules were based on three features: stronger protection for private keys, certificate revocation and improved time-stamping for code signatures. To create oversight for following these new rules, Microsoft began enforcing them in February 2017.
Lessons Learned From DigiNotar
In addition to more reasons to create a culture of cybersecurity training and responsibility, DigiNotar highlighted the need for oversight and standards. To earn and keep users’ trust, organizations responsible for cybersecurity must follow agreed processes. When a company such as DigiNotar loses public trust, it’s not just trust in that company. It affects all companies that help keep data and infrastructure safe.
Even though it’s been 10 years since the attacks, today’s internet providers still follow many of the changes and rules put in place to prevent another. It set the groundwork for best practices and standards, which led me to my next question: Could a similar attack happen today?
The answer is yes. But it’s less likely because of the changes that occurred after DigiNotar. And even more importantly, hopefully, the changes that organizations made and stuck with after it have laid the foundation for more oversight. Organizations that are entrusted to prevent attacks have a big job and must live up to it. Those in the industry as a whole must hold each other accountable. That is simply the only way that we will gain and keep consumers’ trust — by working together.