BreachExchange mailing list archives

TurkTrust re-emphasises that there was not a security breach


From: Erica Absetz <eabsetz () opensecurityfoundation org>
Date: Wed, 9 Jan 2013 10:56:30 -0500

http://www.scmagazineuk.com/turktrust-re-emphasises-that-there-was-not-a-security-breach/article/275195/

Turkish certificate authority (CA) TurkTrust has denied that there was
any attack, "malevolence, fraud or any other crime factor" on it
resulting in the issuing of fraudulent certificates.

In an updated statement from its website, TurkTrust said that since
the incident was announced last week, "a lot of national and
international people and organisations including press companies
admired the way the case was treated and further supported and
contributed for a correct understanding of the case".

However, it said that there had been incorrect reporting and discussion
on the incident and that it will continue to manage the case openly and
transparently with a responsibility not only to the Turkish public,
but also to all internet users.

“Our company keeps on working with the target of being a reputable
Turkish company that develops technology in world standards and
produces value added services,” it said.

In a previous statement, TurkTrust said: “As of now, it is certain
that there is no security breach on TurkTrust systems. There is also
not a bit of evidence that the certificate was used maliciously.”

The problems began when two faulty SSL certificates were issued in
August 2011 during a software migration. These were detected in late
December, leading to browser vendors Microsoft, Mozilla and Google
revoking trust in those certificates. TurkTrust revoked the
certificate once it was made aware of its status.

It said: “This seems to be a very plausible scenario explaining how
the faulty certificate was being generated. This and all other
available data strongly suggests that google.com cert was not issued
for dishonest purposes or has not been used for such a purpose.”
_______________________________________________
Dataloss-discuss Mailing List (dataloss-discuss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list
