All posts tagged ‘Comodo’

Independent Iranian Hacker Claims Responsibility for Comodo Hack

The hack that resulted in Comodo creating certificates for popular e-mail providers including Google Gmail, Yahoo Mail, and Microsoft Hotmail has been claimed as the work of an independent Iranian patriot. A post made to the data-sharing site pastebin.com by a person going by the handle “comodohacker” claimed responsibility for the hack and described details of the attack. A second post provided source code, apparently reverse-engineered from one of the components used in the attack.

Whether the postings are authentic and accurate is, at present at least, a matter of conjecture. The post specifies a number of details that appear authentic. The writer fingers Italian Registration Authority GlobalTrust.it/InstantSSL.it (the same company operating under multiple names) as the weak link. A Registration Authority (RA) is essentially a local reseller for a Certification Authority (CA); in principle, the RA performs the validation of identity that would be too difficult or expensive for the root CA to do, and then sends a request to the root CA to generate an appropriate certificate. Comodo’s systems trust that the RA has done its job appropriately, and issue the certificate. This is consistent with Comodo’s statement that it was a Southern European company that was compromised.

In addition to blaming a specific RA, the post includes other details: the username (“gtadmin”) and password (“globaltrust,” proving once again that security companies can pick really bad passwords) used by the RA to submit requests to Comodo’s system, the e-mail address of InstantSSL’s CEO (“[email protected]”), and the names of the databases used by GlobalTrust’s website. In practice, though, only Comodo can verify this information, and the company has no good reason to do so.

The alleged hacker also described some details of the hack itself. He claims to have broken into GlobalTrust’s server and found a DLL, TrustDLL.dll, used by that server to send the requests to Comodo and retrieve the generated certificates. The DLL was written in C#, so decompiling it to produce relatively clear C# was easy; within the DLL the hacker found hard-coded usernames and passwords corresponding to GlobalTrust’s account on Comodo’s system, and another account for the system of another CA, GeoTrust. The source code the hacker posted was part of this DLL, and certainly has the right form for decompiled source code. Again, though, only GlobalTrust could provide absolute confirmation of its authenticity.


Hack Obtains 9 Bogus Certificates for Prominent Websites; Traced to Iran

In a fresh blow to the fundamental integrity of the internet, a hacker last week obtained legitimate web certificates that would have allowed him to impersonate some of the top sites on the internet, including the login pages used by Google, Microsoft and Yahoo e-mail customers.

The hacker, whose March 15 attack was traced to an IP address in Iran, compromised a partner account at the respected certificate authority Comodo Group, which he used to request eight SSL certificates for six domains: mail.google.com, www.google.com, login.yahoo.com, login.skype.com, addons.mozilla.org and login.live.com.

The certificates would have allowed the attacker to craft fake pages that would have been accepted by browsers as the legitimate websites. The certificates would have been most useful as part of an attack that redirected traffic intended for Skype, Google and Yahoo to a machine under the attacker’s control. Such an attack can range from small-scale Wi-Fi spoofing at a coffee shop all the way to global hijacking of internet routes.

At a minimum, the attacker would then be able to steal login credentials from anyone who entered a username and password into the fake page, or perform a “man in the middle” attack to eavesdrop on the user’s session.

Comodo CEO Melih Abdulhayoglu calls the breach the certificate authority’s version of the Sept. 11 terror attacks.

“Our own planes are being used against us in the C.A. [certificate authority] world,” Abdulhayoglu told Threat Level in an interview. “We have to up the bar and react to these new threat models. This untrusted DNS infrastructure cannot be what drives the internet going forward. If DNS was trusted, none of this would have been an issue.”

Comodo says the attacker was well prepared, and appeared to have a list of targets at the ready when he logged into the company’s system and began requesting certificates.

In addition to the bogus certificates, the attacker created a ninth certificate for a domain of his own under the name “Global Trustee,” according to Abdulhayoglu.

Abdulhayoglu says the attack has all the markings of a state-sponsored intrusion rather than a criminal attack.

“We deal with [cybercriminals] all day long,” he said. But “there are zero footprints of cybercriminals here.”

“If you look at all these domains, every single one of them are communications-related,” he continued. “My personal opinion is that someone is trying to read people’s e-mail communications. [But] the only way for this attack to work [on a large scale] is if you have access to the DNS infrastructure. The certificates on their own are no use, unless they have access to the DNS infrastructure itself, which a state would.”

Though he acknowledges that the attack could have originated anywhere, and been routed through Iranian servers as a proxy, he says Iranian president Mahmoud Ahmadinejad’s regime is the obvious suspect.
