On Tuesday, certificate authority GlobalSign released a statement with the results of an investigation by Dutch security firm Fox-IT launched following claims that their servers for issuing SSL certificates had been breached.
The claims were made in September by Iranian-based ComodoHacker, who had previously claimed responsibility for an attack on DigiNotar that resulted in hundreds of fake SSL certificates being issued, with many high profile companies compromised. A subsequent analysis by Fox IT found substantial evidence of system-wide intrusions that ultimately resulted in the embattled Dutch firm DigiNotar filing for bankruptcy and ceasing operations. At the time, in addition to suggesting it had also breached GlobalSign servers, the attacker claimed to have access to two more certificate authorities
The investigation into GlobalSign found that an external web server had indeed been breached, but the sole use of this machine to host the public website and not for issuing SSL certificates. The company confirmed that public facing HTML documents and PDF files were exposed, as well as the SSL certificate for globalsign.com and the corresponding key. Both were revoked immediately in order to minimise any further impact.
No evidence was found suggesting any rogue certificates had been issued, nor was any customer data exposed. The company reassured that absolutely no registration or issuing systems for SSL, or any other aspect of its Certificate Authority software or hardware in relation to issuance of certificates had been compromised. GlobalSign's root Certificate keys and associated hardware remained unaffected by the intrusion.
The affected web server located in North America was locked down, and then thoroughly rebuilt using new hard disks and a "hardened" system image. The company has since done the same thing to its entire CA infrastructure as well as building additional Intrusion Detection Services (IDS), which they immediately deployed in order to offer increased protection against any further attacks.