KPN Uncovers SSL Security Breach

KPN has become the latest company to halt its SSL certificate operations following the discovery of a security breach – in this case, an intrusion that took place four years ago and remained undetected.

On Friday, KPN said it would temporarily stop issuing certificates while it carries out an investigation, the results of which are expected early this week.

Certificate suspicion

False SSL certificates could be used to trick a user into revealing sensitive data via a website that appears to be secure.

The Dutch company said it discovered the breach during an investigation carried out in light of other security troubles that have affected SSL certificate issuers in recent months.

“During an investigation into the SSL web server, evidence was detected that could indicate an incident four years ago,” KPN said in a statement.

The intruders appeared to have intended to make use of the server to launch distributed denial of service (DDoS) attacks against other organisations, KPN said.

“Although there is no evidence that certificate production was compromised, it cannot be completely excluded that this may have happened,” KPN stated.

The company said it has replaced the affected web servers and has brought in independent investigators who are looking into the matter, with the oversight of the Dutch government.

Recent breaches

The incident follows security breaches at several SSL certificate authorities (CA) this year, including DigiNotar, another Dutch firm, which resulted in the issuance of at least 500 false certificates for websites such as Gmail, Skype, Adobe, the CIA, MI6, Facebook, Twitter, Tor, WordPress, Mossad, AOL and LogMeIn.

Many web browser makers removed DigiNotar from their lists of trusted authorities and the company itself filed for bankruptcy in September as a result of the attack.

Ironically, KPN said at the time that it had seen a boost in its own certificates business as a result of the DigiNotar attack.