Government Takeover of Compromised Digital Infrastructure Provider
The latest twist in the compromise of DigiNotar's certificate operations is amazing. The Associated Press reports:
DigiNotar acknowledged it had been hacked in July, though it didn't disclose it at the time. It insisted as late as Tuesday that its certificates for government sites had not been compromised.
But Donner said a review by an external security company had found DigiNotar's government certificates were in fact compromised, and the government is now taking control of the company's operations. The government also is trying to shift over to other companies that act as digital notaries, he said.
As you can see I highlighted two points.
Regarding the first, it took external analysis of the event to determine the true facts of the case. For me this is a step closer to requiring third party review of security posture, and by that I don't mean "are you vulnerable?" I mean instead "are you compromised?"
Regarding the second, I can't remember a time where a government assumed control of a private company in order to implement digital security measures. (Can anyone recall a similar event at another time?) This could be a wake-up call to governments that one of the foundations of digital security is a commercial arrangement whereby the fall of any of 600 or more certificate authorities puts the entire system in danger.
Comments
Would there be appropriate 3rd parties to handle the other CA incidents this year at Comodo and StartCom? Who and why?
http://blog.gerv.net/2011/09/diginotar-compromise/
DigiNotar's website does suggest that Govcert is working very closely with the company to investigate -- so there seems at least to be a possibility that the 'operations' mentioned is limited to the incident response operations associated.
http://www.theregister.co.uk/2011/09/07/diginotar_hacker_proof/