SophosLabs: Following the widely-publicised disgrace of Dutch digital certificate issuer DigiNotar, a person calling himself ComodoHacker claimed that he’d breached four other Certificate Authorities (CAs), too.
Only one of these CAs was named: GlobalSign, the world’s fifth-biggest issuer of digital certificates.
In my opinion, GlobalSign would have been justified in ignoring this claim altogether.
It comes across as a stream of made-up, self-serving puffery, including bluster like this:
You see? I’m so smart, sharp, dangerous, powerful, etc. huh?
May I also start a web hacking course for Anonymous and Lulzsec and friends of them, Rootkit development for Stuxnet developers, 0-day vuln. assessment in Windows and Linux environment for Stuxnet developers and other hackers too. huh? What do you think?
WOOOOORLLLLDDD! Wait for me, you have so much more SHOCKINGS to see from me! From a person who came to this world just 21 years ago! JUST WAIT!
But GlobalSign decided, like Shakespeare’s Falstaff, that the better part of valour is discretion.
The company suspended its certificate-issuing business to investigate whether ComodoHacker’s unlikely claims might have a whiff of truth. GlobalSign even retained Fox-IT, the consultants called in to investigate the DigiNotar disaster, for some objective outside help.
The good news is that everything at GlobalSign to do with certificate signing appears to be in good shape, and the company will resume business as usual this week.
The bad news, of course, is that the company had a week’s business outage as a result.
Ironically, even after GlobalSign had given itself the all-clear in respect of certificate signing, it reported an apparently inconsequential breach of its web server.
Any sort of breach is bad news, of course, but I’m willing to overlook GlobalSign’s web server issues entirely. I suspect that many companies wouldn’t have turned off part of their business voluntarily, and called in outside help, to investigate allegations of the sort made by ComodoHacker.
In fact, in most of Asia Pacific, where there are no data breach notification requirements at all, you might not hear from a company even if it knew it had suffered a Sony-sized leak of your data, let alone if it had spotted someone fiddling with its web server.
Hats off to GlobalSign in this matter.