Lone hacker owns the Comodo certificate compromise
Posted on 28 March 2011.
Last week's revelation that a Comodo affiliate Registration Authority has been compromised and that nine rogue SSL certificates have been issued for popular domains such as Gmail, Google Search, Yahoo, Skype and Mozilla Add-ons, has reverberated across the Internet.

Questions have been raised on whether the entire online certificate system is deeply flawed and speculations about the source of the attack have been voiced. According to Comodo, details of the attack seem to point to a state-sponsored effort.

"The attack came from several IP addresses, but mainly from Iran. The attacker was well prepared and knew in advance what he was to try to achieve," Comodo explained. "It does not escape notice that the domains targeted would be of greatest use to a government attempting surveillance of Internet use by dissident groups."

Also, the fact that the perpetrator focused on communication infrastructure, and can only make use of the certificates if they also control the DNS infrastructure, makes Comodo's researchers believe it was likely a state-driven attack.

But on Saturday, a message posted by the alleged "Comodo Hacker" on Pastebin.com has added more fuel to the speculations. By his own admission, the hacker is Iranian, but claims not to be a member of the Iranian Cyber Army.

He says he is "a single hacker with experience of 1000 hackers", saying that Comodo's researchers are wrong in their assumption that a team of hackers was behind the incident.

He says that he first tried to bring down the SSL root certificate system by attacking the RSA algorithm, but after that approach proved too difficult, he decided to use the vulnerabilities in InstantSSL.it - Comodo's partner's website - to access the RA's servers and generate the Certificate Signing Requests submitted to the CA.

Some security researchers believe his claims, and some do not. To prove his claims, the hacker also published part of the decompiled TrustDLL of Comodo's partner that stored the unencrypted password that gave him access.

Still, as Sophos' Chester Wisniewski notes, "If it was a lone hacker making a point, why issue certificates for these specific websites, all related to secure communication methods often used by dissidents to organize protests and share news with the world?"
