Another certificate authority might join the recent victims

Nov 5, 2011 09:32 GMT  ·  By

Another Dutch CA appears to be in trouble after a recent security audit uncovered a DDoS tool on one of its servers. It is not yet certain whether KPN's systems were compromised, but as a precaution the company will stop issuing certificates.

According to Threatpost, the tool could have been sitting on the server for close to four years.

"Although there is no evidence that the production of certificates has been compromised, it cannot be completely excluded that this did happen. Therefore, KPN Corporate Market (formerly Getronics) has decided to temporarily discontinue applications for, and the issuance of, new certificates, pending further investigation," their statement reads (translation).

"This is to ensure that the procedure by which certificates are issued is safe and reliable. KPN has replaced the web servers. An additional, independent investigation is taking place to ensure that KPN complies with the required safeguards, procedures and rules applicable to the issuance of Internet security certificates. The Ministry of the Interior and Logius, the e-government agency, are closely involved in the process."

Unfortunately, this might turn out to be even more serious than the DigiNotar case, since KPN is a much larger certificate authority.

A Kaspersky Lab malware researcher wonders how the tool could remain undetected for such a long time, especially considering the company's profile. He said that in the future he expects to see a lot of these old threats being discovered.

"What's particularly interesting about KPN's statement is that it could be interpreted as them saying already issued certificates will remain valid (no matter what). KPN is a much bigger certificate authority than Diginotar. Possibly, people could be going into this with the idea of KPN being too big to fail," Roel Schouwenberg said.

Hopefully the tool lay dormant for all these years; otherwise we might be faced with another disaster just like in DigiNotar's case.