Monday, September 05, 2011

Government Takeover of Compromised Digital Infrastructure Provider

The latest twist in the compromise of DigiNotar's certificate operations is amazing. The Associated Press reports:

DigiNotar acknowledged it had been hacked in July, though it didn't disclose it at the time. It insisted as late as Tuesday that its certificates for government sites had not been compromised.

But Donner said a review by an external security company had found DigiNotar's government certificates were in fact compromised, and the government is now taking control of the company's operations. The government also is trying to shift over to other companies that act as digital notaries, he said.


Two points in that report stand out.

The first is that it took an external security company's analysis to establish the true facts of the case; DigiNotar's own position, as late as Tuesday, was that its government certificates were unaffected. For me this is a step closer to requiring third-party review of security posture, and by that I don't mean "are you vulnerable?" I mean "are you compromised?"

The second is that I can't remember a time when a government assumed control of a private company in order to implement digital security measures. (Can anyone recall a similar event at another time?) This could be a wake-up call to governments that one of the foundations of digital security is a commercial arrangement in which browsers trust 600 or more certificate authorities equally and any one of them can issue a certificate for any site, so the fall of any single CA puts the entire system in danger.
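
To make that last point concrete, here is an added example that is not part of the original post. It is a shell script using the openssl command-line tool: it builds two independent root CAs, puts both into one trust store the way a browser ships hundreds, and has each root issue a certificate for the same hostname. The verifier accepts the certificate from either root; only removing the second root from the store makes its certificate fail, which is what the browser vendors did with DigiNotar's roots. The root names (honest, rogue), the hostname www.example.net, the private openssl.cnf and the scratch directory are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the original post: two root CAs in one trust
# store, both able to vouch for the same hostname. Requires the openssl CLI.
# Assumed names: roots "honest" and "rogue", hostname www.example.net.
set -eu

# Nothing to demonstrate without the openssl tool; leave quietly.
command -v openssl >/dev/null 2>&1 || { echo "openssl not found"; exit 0; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
HOST=www.example.net

# Private openssl config so the result does not depend on the system openssl.cnf.
cat > "$WORK/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions    = ca_ext
[ dn ]
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
EOF

# make_root NAME: self-signed CA certificate $WORK/NAME.crt with key $WORK/NAME.key
make_root() {
  openssl req -x509 -config "$WORK/openssl.cnf" -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=$1 Root CA" -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# issue_leaf ROOT HOSTNAME OUT: end-entity certificate for HOSTNAME signed by ROOT
issue_leaf() {
  openssl req -new -config "$WORK/openssl.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=$2" -keyout "$WORK/$3.key" -out "$WORK/$3.csr" >/dev/null 2>&1
  printf 'basicConstraints = CA:FALSE\nsubjectAltName = DNS:%s\n' "$2" > "$WORK/$3.ext"
  openssl x509 -req -days 1 -in "$WORK/$3.csr" -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" \
    -CAcreateserial -extfile "$WORK/$3.ext" -out "$WORK/$3.crt" >/dev/null 2>&1
}

# check STORE CERT: echoes "ok" if CERT chains to a root in STORE and names $HOST,
# "FAIL" otherwise. This is the browser's decision, reduced to one command.
check() {
  if openssl verify -CAfile "$1" -verify_hostname "$HOST" "$2" >/dev/null 2>&1
  then echo ok; else echo FAIL; fi
}

make_root honest
make_root rogue
issue_leaf honest "$HOST" legit    # the site's real certificate
issue_leaf rogue  "$HOST" forged   # what a compromised CA lets an attacker mint

# Trust store holding both roots: the situation before the compromise was known.
cat "$WORK/honest.crt" "$WORK/rogue.crt" > "$WORK/store-full.pem"
# The same store with the compromised root pulled.
cp "$WORK/honest.crt" "$WORK/store-pruned.pem"

FULL_LEGIT=$(check "$WORK/store-full.pem" "$WORK/legit.crt")
FULL_FORGED=$(check "$WORK/store-full.pem" "$WORK/forged.crt")
PRUNED_LEGIT=$(check "$WORK/store-pruned.pem" "$WORK/legit.crt")
PRUNED_FORGED=$(check "$WORK/store-pruned.pem" "$WORK/forged.crt")

echo "both roots trusted:  legit=$FULL_LEGIT forged=$FULL_FORGED"     # ok / ok
echo "rogue root removed:  legit=$PRUNED_LEGIT forged=$PRUNED_FORGED" # ok / FAIL
```

Nothing in the verification step asks whether the issuing root had any business vouching for that hostname; the only lever the relying party has is membership of the trust store, which is why the remedy for a compromised CA is removal of its roots rather than anything the CA itself can do.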

4 comments:

Anonymous said...

I agree, the government involvement is interesting. It seems part of the review was directed by the Dutch CERT - GovCERT, http://www.govcert.nl/english/organisation - and the government was a significant customer of DigiNotar.

Would there be appropriate 3rd parties to handle the other CA incidents this year at Comodo and StartCom? Who and why?

http://blog.gerv.net/2011/09/diginotar-compromise/

Anonymous said...

It seems quite unlikely that the government takes over entire company operations. It could easily be a misunderstanding on AP's side or on the nameless official AP refers to.

DigiNotar's website does suggest that Govcert is working very closely with the company to investigate -- so there seems at least to be a possibility that the 'operations' mentioned are limited to the associated incident response operations.

Mike said...

Even more now :( The MS claim is quite sensational
http://www.theregister.co.uk/2011/09/07/diginotar_hacker_proof/

secwiz said...

An end-user trusts its well-used and common systems (such as a browser). A user's trust in this technology continues into the realm of PKI, and in this realm the PKI structure is built upon a set of CAs, where some of these are private or commercial companies. In this DigiNotar incident I think we clearly see the fundamental problem: Trust on top of capitalism.