Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Network Security

GlobalSign Acknowledges System Breach

GlobalSign Acknowledges Breach of Web Server – Investigation Continues

GlobalSign, one of the longest established Certification Authorities (CA), acknowledged late Friday that it found evidence of a breach to a web server hosting its Web site.

GlobalSign Acknowledges Breach of Web Server – Investigation Continues

GlobalSign, one of the longest established Certification Authorities (CA), acknowledged late Friday that it found evidence of a breach to a web server hosting its Web site.

“The breached web server has always been isolated from all other infrastructure and is used only to serve the www.globalsign.com website,” a statement read. “At present there is no further evidence of breach other than the isolated www web server. As an additional precaution, we continue to monitor all activity to all services closely. The investigation and high threat approach to returning services to normal continues.”

The announcement follows claims from an individual identifying himself as “Comodohacker”, a 21-year old hacker acting as an individual, saying he had compromised systems at GlobalSign. “I have access to their entire server, got DB backups, their linux / tar gzipped and downloaded, I even have private key of their OWN globalsign.com domain, hahahaa,” he wrote.

GlobalSign on Tuesday temporarily ceased issuance of all digital certificates following an initial claim that the hacker responsible for the recent compromise of Dutch Certificate Authority DigiNotar, had access to four other Certificate Authorities, naming GlobalSign as one of them.

On Wednesday, GlobalSign said that it had hired Fox-IT, the Dutch cybersecurity team tasked with investigating the DigiNotar hack. Fox-IT has been deeply involved in the investigation of the compromise of DigiNotar, and may have knowledge and experience in understanding the tactics used if, in fact, the claims are true and the individual is the same hacker. Based on ComodoHacker’s earlier claims and today’s discoveries, it’s apparent that this is the same attacker.

On Thursday, GlobalSign said it deems the claims from the hacker to represent an industry wide attack. The company mentioned that the GlobalSign CA root was created offline, and always has been offline.

“Any claim of the Comodohacker to holding a private key does not refer to the GlobalSign offline root CA. The investigation also continues,” the company posted in a statement. In response to several inquiries, the company added some clarification on Friday afternoon: “We have received several requests to explain terminology used by CAs, particularly what is meant by the GlobalSign root being offline. By ‘offline’ we mean that the Root CA Certificate is not connected to any network of any type. Root Key Material is physically (geographically) separate from any networked systems and is only ever exercised in controlled, and physically sealed offline ceremonies,” a statement said.

“All forensics are being shared with the authorities and other CAs to assist with their own investigations into other potentially related attacks,” the company wrote along with the acknowledgement of the breach.

Earlier in the week, GlobalSign said it would bring its certificate services back online on Monday, but it’s unclear if this is still the case.

Written By

For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.

Click to comment

Expert Insights

Related Content

Network Security

NSA publishes guidance to help system administrators identify and mitigate cyber risks associated with transitioning to IPv6.

Cyberwarfare

Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Cybersecurity Funding

Forward Networks, a company that provides network security and reliability solutions, has raised $50 million from several investors.

Network Security

Cisco patched a high-severity SQL injection vulnerability in Unified Communications Manager (CM) and Unified Communications Manager Session Management Edition (CM SME).

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Cybersecurity Funding

Network security provider Corsa Security last week announced that it has raised $10 million from Roadmap Capital. To date, the company has raised $50...

Network Security

Vulnerabilities identified in TP-Link and NetComm router models could be exploited to achieve remote code execution (RCE).