DigiNotar Web Certificate Alerts

IMMEDIATE ACTION: update Web browsers in your areas to the most current version available (09/11).

Thanks in advance for your prompt action to help ensure the confidentiality, integrity, and availability of Cal Poly information.

• Apple- Steps to Delete, Revoke DigiNotar Certificates (screenshots)
• Microsoft Security Advisory: Download file to prevent fraudulent digital certificates
• Mozilla Foundation Security Advisory 2011-34
• Update Google Chrome with latest security updates
• Microsoft flips 'kill switch' on all DigNotar certificates (Computerworld article)

Security professionals are encouraged to read the intermediate report with summary of findings about the DigiNotar Web certificate problems.

In particular the intermediate findings report shows how deeply DigiNotar was penetrated, and how little attention the technical staff apparently paid to logs. The external consultants, Fox IT, who conducted the investigation into this incident, have published their findings.  The findings show issues that contributed to the breach, which include out of date anti-virus software, unpatched software, poor log management, weak passwords and a network which did not have sensitive systems segregated from others. 

What Information Technology Services is Doing:

• The Campus Microsoft Patch Server (WSUS) is updated and automated distribution of the Internet Explorer patch is in progress.

• Workstation Program images (Apple, Windows) have been updated with the most current Web browsers and DigiNotar certificates removed.

• As further Web browser updates are available, these will be promptly distributed

SANS reports:

• The number of certificates issued as a result of a security breach at Dutch certificate authority DigiNotar is growing; the latest official estimate has the figure at 531.

• The breach had prompted Mozilla to take measures so "that all DigiNotar certificates will be untrusted by Mozilla products," which includes the Firefox browser.

• The most recent version of Google's Chrome browser also places DigiNotar certificates on a permanent block list.

• The sites for which fraudulent certificates were issued include MI6, the CIA, Microsoft, Facebook and Twitter.

• Microsoft said that the forged certificate cannot be used to force malware through Windows Update.