The company that unknowingly issued fraudulent SSL certificates following a hack has gone out of business
Dutch certificate authority DigiNotar, which used to provide certificates for the Dutch government before it was hacked earlier this year, has been forced into bankruptcy.
In a statement released today, DigiNotar’s parent company Vasco announced that the court had appointed a bankruptcy trustee, who will work under the supervision of the Judge and be responsible for the administration and liquidation of DigiNotar.
“Although we are saddened by this action and the circumstances that necessitated it, we would like to remind our customers and investors that the incident at DigiNotar has no impact on Vasco’s core authentication technology,” said T. Kendall Hunt, Vasco’s Chairman and CEO. “The technological infrastructures of VASCO and DigiNotar remain completely separated, meaning that there is no risk for infection of VASCO’s strong authentication business.
“In addition, we plan to cooperate with the Trustee and the Judge to the fullest extent reasonably practicable to bring the affairs of DigiNotar to an appropriate conclusion for its employees and customers. We also plan to cooperate with the Dutch government in its investigation of the person or persons responsible for the attack on DigiNotar.”
More than 500 stolen certificates
News of the DigiNotar attack emerged on 30 August, when it was found that a fraudulent Google certificate, reportedly issued by DigiNotar, had been doing the rounds since 10 July. This meant that, for nearly two months, hackers had been able to set up fake versions of Google websites that appeared genuine to Google users and their web browsers.
It was later revealed that the compromise had also affected certificates in the names of the CIA, MI6, Google, Facebook, Twitter, Microsoft, Skype, Mozilla, Yahoo, Tor, WordPress, Mossad, AOL and LogMeIn, and that DigiNotar had been removed from many browser vendors’ lists of trusted authorities.
The number of certificates stolen from DigiNotar is said to be more than 500, and they may include intermediate signing certificates. These allow authority to be assigned to intermediaries to sign and validate certificates on DigiNotar’s behalf. When properly administered, SSL certificates are the only proof that you are talking to the organisation you are supposed to be talking to on the Internet, and that no-one is listening in.
Comodohacker fights personal cyber-war
The hacker, meanwhile, who calls himself ‘Comodohacker’, has revealed himself to be a 21-year-old Iranian patriot fighting a personal cyber-war on the West to expose anti-government activists in his country. In an email interview with the New York Times, the hacker said he was a software engineering student in Tehran.
“My country should have control over Google, Skype, Yahoo, etc.,” he told the newspaper. “I’m breaking all encryption algorithms and giving power to my country to control all of them.”
The certificates stolen from DigiNotar are believed to have made it possible to intercept communications of up to 300,000 Iranian Gmail users. Comodohacker said that he chose DigiNotar because Dutch peacekeepers failed to prevent the massacre of Muslims in Srebrenica in 1995 and because of the frequent outbursts of anti-Muslim criticism by Dutch legislator Geert Wilders.
Cliff Bown, Vasco’s Executive Vice President and CFO, said the company is working to quantify the damages caused by the hacker’s intrusion into DigiNotar’s system and will provide an estimate of the range of losses as soon as possible.