Kudos to KPN
Blogmaster Note: This was originally posted on November 8, 2011 to the ComputerWork UK Security Spotlight blog.
Disclosure is a sign of healthy regard for security threats
This weekend, the certificate authority (CA) associated with the Dutch telecommunications company KPN stopped issuing SSL certificates because they detected a break-in on one of their public-facing web servers. Jeremy Kirk’s IDG story, “Dutch SSL authority KPN stops issuing certificates after hack” gives a number of details.
KPN has alerted the Dutch government, for whom they issue certificates, and with whom they are analysing the attack. The Dutch government issued a statement (which can be found here, in Dutch), but the news story provides more background.
The summary is that KPN’s security auditors found evidence that it might have been “prepared for a Distributed Denial of Service attack.” I don’t know if that means that it was set up to participate in a DDoS attack, or to be vulnerable to one, but there is as yet no evidence that the back-end servers that issue certificates were attacked.
While on first blush this might sound alarming, it’s also good news. We are facing the global problem of CAs being hacked, sometimes as part of campaigns by oppressive nation states.
Attackers will always have the advantage over defenders. All Internet-facing organisations must have as part of their plans the reality that not only might they be hacked someday, but the likelihood that they will eventually be hacked. Just as it is inevitable that if you drive long enough you will end up in an accident, if you run an Internet server long enough you will be hacked.
The measure of an organisation is not so much that they have a security problem, but how they handle it. In the DigiNotar incident of this past summer, much of the justifiable outrage was over the lack of notification.
It is therefore courageous of KPN to stand down their operations while they investigate further. Announcing that you’ve been hacked is always embarrassing, but it is the right thing to do. Customers and colleagues need to know because an attack on an authority can have far-ranging consequences. While KPN have given few details, it’s perhaps understandable, given that they’re just a bit busy right now.
I wish them luck in their analysis and hope that there was no serious breach. I also thank them for their forthrightness and bravery in letting the world know about the issue.