How Hackers Killed a Company – The Death of DigiNotar



 Analysis by Al Kirkpatrick, CISO

“The keepers of the Internet have become acutely concerned about their ability to protect the most sensitive personal information such as account logons and credit card numbers.” Quote from “Hackers Shake Web to the Core – Security at Top Levels Questioned,” by Byron Acohido, USA TODAY, September 28, 2011


Reference update 10/4/2011:

10/4/2011 10:20:00 AM
VASCO expects up to $4.8 mil in losses from DigiNotar bankruptcy

If you happened to see the front page of USA TODAY on September 28, 2011, you were greeted with the above headline. Okay, we all agree that Armageddon-like headlines often exaggerate reality, so I decided to provide some plain-English background and my take on this issue from an “in-the-trenches” perspective.

To understand the incident that prompted the headline, one must first understand one of the foundational concepts of Internet-based commerce.

Problem: When a user opens a web page, they must have some sort of trust that the page is really published by the person or organization it claims to be published by. In plain English – when you are viewing a web site with a banner that displays AMAZON.COM – you would assume that Amazon, the Internet commerce people, published that web site.

Now, unless you’ve been taking a Rip Van Winkle nap for ten years or so, you probably know that the bad guys have found a myriad of ways to pretend to be someone they aren’t.   So, hopefully you also know to look for that cool little padlock symbol at the bottom of your browser screen whenever you are transacting something confidential back and forth over the Internet.

What you may not have realized (and probably never wanted to need to know) is all that goes on behind the scenes with respect to that padlock. Sparing the nerdy details, that padlock uses a trusted third party (of which there are only a relative handful – with those carefully regulated by the Internet regulation folks) to verify that the system you are communicating with matches the system in their records, and then encrypts further communications between you and that system.

It would be, therefore, natural to assume that these third parties have Internet security as good as anywhere – and until recently this has been a reasonable assumption. On the other hand, remember my tenet number one: there hasn’t been a computer system made that can’t be hacked given enough motivation, time and resources.

So, it has come to pass that Dutch firm DigiNotar, one of the certificate authorities, got hacked, with significant negative consequences for their Internet commerce-based customers (many of them widely recognized).

The total impact of the incident will take years to estimate, but following are a few post-incident results showing the significant negative consequences:

  • DigiNotar, purchased last year by computer security giant VASCO for approximately $13 million, is now bankrupt and disbanded.
  • VASCO’s stock is down 35%.
  • DigiNotar’s customers temporarily lost their ability to conduct Internet commerce and, however unfairly, are now associated with unsecure e-commerce.
  • Last, but certainly not least: every Internet browser world-wide (Internet Explorer, Chrome, Firefox, Safari, etc.) must update itself so that it does not recognize a DigiNotar certificate as valid. For some this will be automatic with no end-user intervention, and for others, at minimum, the end-user (that’s you and me) must ensure that the browser patches are up-to-date.

So, the obvious question arises – “If you can’t trust the central source for Internet commerce trust, what do you do?” The answer is honest, but not pretty…

There’s no going back to the days before Internet commerce, so survivors will plan for the worst, for if and when it happens. You can bet that the Certificate Authorities are doubling their efforts to keep the bad guys out, but I believe that it’s just a matter of time before this happens again. There are strategies that e-commerce companies can use to reduce the risk, but most are not ideal or inexpensive. I’ll address some of them in future blogs.

Meanwhile, and as Firestorm begs you to consider time and again:

Do all you can reasonably do to protect against the worst – but that’s not enough;  You MUST do a great job of anticipating what the worst may be and come up with some seriously creative strategies for dealing with it.   Don’t believe it yet?   I suggest you chat with DigiNotar’s previous customers and employees.

