You are here:
GlobalSign Press Release
Security Incident Report
Toronto, ON - December 13 2011 - Following recent events which have affected GlobalSign and the industry as a whole, we would like to take this opportunity to inform you that our investigations are now complete.
You can find our full response below. You can download a PDF version here.
We didn't find any evidence of
• Rogue Certificates issued.
• Customer data exposed.
• Compromised GlobalSign Root Certificate keys and associated Hardware
Security Modules (HSM).
• Compromised GlobalSign Certificate Authority (CA) infrastructure.
• Compromised GlobalSign Issuing Authorities and associated HSMs.
• Compromised GlobalSign Registration Authority (RA) services.
What did happen
• Peripheral web server, not part of the Certificate issuance infrastructure, hosting a public
facing web property was breached.
• What could have been exposed? Publicly available HTML pages, publicly available PDFs,
the SSL Certificate and key issued to www.globalsign.com.
• SSL Certificate and key for www.globalsign.com were deemed compromised and revoked.
Impact to Customers
GlobalSign adopted a high threat response to the claims that unfortunately resulted in 9 days of service disruption, specifically:
• New Certificate issuance temporarily halted between 6th and 15th September.
• During outage:
– GlobalSign contracted Fox-IT to provide third party analysis of the GlobalSign
infrastructure. Fox-IT were also retained by the Dutch Government as part of the
ongoing Comodohacker criminal investigation.
– GlobalSign contracted Cyber Security Japan to oversee the rebuild of a newly hardened
Certificate issuance infrastructure, on the now disproven assumption that previous
infrastructure had been breached.
Timeline
This timeline covers events from 5th September to 15th September 2011
• The self-titled attacker "Comodohacker" has been assumed to be a credible threat to
security providers, in particular Certificate Authorities, since the attack made by the
Comodohacker on a Comodo RA Partner resulted in the issuance of rogue Certificates by
Comodo in March 2011.
• The self-titled attacker "Comodohacker" has been assumed to be a credible threat to
security providers, in particular Certificate Authorities, since the attack made by the
Comodohacker on a Comodo RA Partner resulted in the issuance of rogue Certificates by
Comodo in March 2011.
• A post was made on 5th September by the Comodohacker via the Pastebin service
claiming responsibility for the DigiNotar hack.
• The same post also stated that several other CAs had been compromised, including a
reference to GlobalSign.
• GlobalSign deemed the threat credible and immediately began a thorough network
analysis, assuming a highly sophisticated attack had been executed on, or was in process
against, multiple Certificate Authorities.
• On 6th September, even though the non-specific Comodohacker claims were yet to be
substantiated, GlobalSign deemed the most responsible reaction was to halt issuance of
new Certificates in order to:
– Accelerate the investigation.
– Protect against issuance of rogue Certificates should the claims be true.
• On 9th September, the investigative team found evidence of a breach to the web server
hosting the www.globalsign.com website. The breached web server (located in a hosting
facility in North America) was a peripheral web server located externally (both logically and
geographically seperate) from the GlobalSign Certificate issuance infrastructure.
GlobalSign immediately assumed the contents of the web server were compromised,
including:
– All public facing HTML files.
– All public facing documents and PDF files.
– The www.globalsign.com SSL Certificate key.
• The www.globalsign.com domain is used only for the externally facing North American web
sites and runs no web applications capable of requesting or issuing Certificates nor does it
hold any customer data.
• The SSL Certificate for www.globalsign.com was revoked.
• The breached web server was immediately locked down and subsequently rebuilt with a
new disk and hardened system image.
• In parallel additional security precautions were taken, including:
– GlobalSign Certificate infrastructure was rebuilt with new hardware and hardened
images for all services.
– Additional IDS (Intrusion Detection Services) were deployed to certificate related
services.
– Enhanced internal controls have been placed around logical access to issuance
systems.
– Operational environment for Internet facing systems has been hardened further.
• On September 15th services were brought back online. All customer account passwords
were reset as part of bringing the service back online.
Controls - mitigating against future attacks
GlobalSign, with the help of Fox-IT, found no evidence that the GlobalSign Certificate issuance infrastructure was compromised. However, GlobalSign has implemented additional controls around infrastructure, customer data protection and access to all systems. It is our view that this attack is one phase of an advanced persistent threat against all security solution providers. Because the threat landscape has evolved, GlobalSign believes greater controls are necessary across the industry and echos the calls covered in WebTrust 2.0 and the recent updates to the Mozilla Root CA acceptance program. In response to such requirements, GlobalSign specifically confirms:
• GlobalSign maintains an offline root, and has done since 1996.
– An offline root means that the GlobalSign Root Certificate key material is not connected
to any network of any type. Root key material is physically (geographically) separate
from any networked systems and is only ever exercised in controlled, and physically
sealed offline ceremonies.
• GlobalSign has never directly issued end entity Certificates using the Root Certificate,
instead only ever issuing off Subordinate Certificates (also referred to as the Issuing
Authority). In the event of a compromise this would not require the revocation of the entire
PKI but only the compromised Subordinate Certificate.
• Fox-IT has been contracted to provide ongoing security consultancy.
• All issuance and Internet facing infrastructure is now monitored 24/7 through a managed
IDS service.
Additionally, GlobalSign wishes to restate to customers and partners that physically geographic and logical separation is maintained between critical infrastructure applications, including web servers, order processing applications, CRM, RA applications, Certificate issuance applications and Root Certificates.
GlobalSign Executive Team Response
As one of the longest operating Certification Authorities, the worldwide GlobalSign team is aware of the impact to customers and partners of halting Certificate issuance for any period of time. The executive team apologizes sincerely for the inconvenience caused when undertaking such an important decision. However the organization stands by the decision and maintain that the ultimate duty of care for GlobalSign, like all responsible CAs, is to avoid issuance of rogue Certificates.
We are truly thankful for the positive reaction to our chosen response to the incident, including the press covering this and other incidents, our peers, and ultimately from our valued customers and partners.
GlobalSign has learned much from this incident. More than ever, we appreciate that the threat has evolved, and we are committed to ensuring no such outages occur again from future claims or attacks. In the period since the claims, we have invested significantly in additional security measures and monitoring and suggest other CAs and security providers align to self-regulate to ensure that:
1. Infrastructure is designed and managed in such a way that it is resilient to attack.
2. In the event of a successful attack, swift and appropriate measures are put into place to
mitigate the impact.
3. Incident responses are open and transparent allowing Relying Parties the visibility into
the risks they may be exposed to.
As an active participant in the CA/B Forum, GlobalSign is a strong supporter of the industry's continued definition and adoption of:
• Transparent incident response and issuance practices.
• Continuous auditing of network and security infrastructure.
• Standards for operational and vetting practices.
• Technology and processes for speedy response to such security incidents.
• Formal collaboration between global authorities and security providers.
Such efforts include the CA/B Forum’s minimum guidelines, Mozilla’s CA security controls and any future industry initiatives that serve in the best interest of PKI and Internet security in general.
Finally, we also support ongoing co-operation between the security providers, CAs and the various global authorities in sharing threat information promptly and accurately.
Ongoing Authority Involvement
• Many international authorities maintain detailed profiles of the Comodohacker and other
actors, and continue to build a more accurate picture with evidence gathered and
volunteered by many industry members.
• GlobalSign, like other security providers, continues to share threat information and
collaborate closely with all appropriate authorities.
Definitions
As defined in the CA/B Forum Baseline Guidelines - www.cabforum.org
Issuing CA: In relation to a particular Certificate, the CA that issued the Certificate. This could be either a Root CA or a Subordinate CA.
Registration Authority (RA): Any Legal Entity that is responsible for identification and authentication of subjects of Certificates, but is not a CA, and hence does not sign or issue Certificates. An RA may assist in the certificate application process or revocation process or both. When “RA” is used as an adjective to describe a role or function, it does not necessarily imply a separate body, but can be part of the CA.
Relying Party: Any natural person or Legal Entity that relies on a Valid Certificate. An Application Software Supplier is not considered a Relying Party when software distributed by such Supplier merely displays information relating to a Certificate.
Root CA: The top level Certification Authority whose Root Certificate is distributed by Application Software Suppliers and that issues Subordinate CA Certificates.
Root Certificate: The self-signed Certificate issued by the Root CA to identify itself and to facilitate verification of Certificates issued to its Subordinate CAs.
Subordinate CA: A Certification Authority whose Certificate is signed by the Root CA, or another Subordinate CA.
You can download a PDF version of the above report here.
About GlobalSign
Established in 1996 and as a WebTrust accredited public certificate authority, GlobalSign offers publicly trusted SSL Certificates, EV SSL, Managed SSL Services, S/MIME email security and Code Signing for use on all platforms including mobile devices. Its Trusted Root solution uses the widely embedded GlobalSign Root CA certificates to provide immediate PKI trust for Microsoft Certificate Services and internal PKI, eliminating the costs of using untrusted Root Certificates. Its partnership with Adobe to provide Certified Document Services (CDS) enables secure digitally signed PDF documents, certified transcripts and e-invoices. These core Digital Certificate solutions allow its thousands of authenticated customers to conduct secure online transactions, data transfer, distribution of tamper-proof code, and protection of online identities for secure email and access control. The company has a history of innovation within the online security industry and has offices in the US, UK, Belgium, Japan, and China.
GMO Internet Group
GMO Internet Group is a leading force in the Internet industry offering one of the most comprehensive ranges of Internet services worldwide. The group is the top provider of domain registration, web hosting, ecommerce, and payment processing solutions in Japan and operates a host of other Internet services including global online security services, search engine marketing and online securities trading. At the center of the group is GMO Internet, Inc. (TSE: 9449) headquartered in Tokyo, Japan. Please visit www.gmo.jp/en for further details.
For further details please contact:
Steve Waite
GlobalSign
+1 416-749-9898
press@globalsign.com
Media Contacts:
- Please email the Press Department at press@globalsign.com or call 416-749-9898 for media inquiries
