Compromised connections
March 30, 2011
The Internet-security company Comodo said it sustained a major security breach by allowing nine SSL certificates to be issued in their name. These certificates digitally authenticate a secure connection to websites and are used by many major Internet companies, including Google, Microsoft and Skype.
The hacker acquired fake certificates for Google and Microsoft's e-mail services, Yahoo, Skype, and Mozilla, the developer of the popular Firefox Web browser.
Comodo, which disclosed the attack on its company blog on March 23, revoked the affected certificates when it became aware of the attack, eliminating the risk of their being used for malicious purposes.
The first breach came through a Comodo partner in Italy, GlobalTrust, which according to an initial analysis of the attack had its network compromised by an Iranian hacker. The tech news website CNET reported Tuesday that US and Italian law enforcement agencies were investigating the breach.
Security researchers, who have noted that the origins of such a breach can never be determined with absolute certainty, said they were very concerned that if Iranian government or other agents could duplicate the attack they could create serious problems for Internet security.
"In theory, an Iranian attempting to log into his Yahoo account, for example, could have been misdirected to a fake site," Mikko Hypponen, the chief research officer at F-Secure, a computer security research firm in Finland, wrote on his company's blog last week.
"That would allow the perpetrators to obtain a host of online information including contents of e-mail, passwords and usernames, while monitoring activity on the dummy sites. Since the targeted sites offer communication services, not financial transactions, Comodo said it seemed clear the hackers sought information, not money."
Comodohacker is 'undoubtedly' genuine
On Saturday, someone using the name "Comodohacker" began posting messages and technical details of the attack on the website Pastebin.com, leading many to believe that the anonymous poster was, indeed, responsible for these breaches. In those messages, Comodohacker claimed to be a self-taught, 21-year-old university student in Iran who was acting alone.
Some experts have pointed to the details in Comodohacker's online posts as evidence that this person who perpetrated the Comodo attack.
"The Comodohacker Pastebin posts are undoubtedly from the genuine hacker," Paul Mutton, a British computer security expert with Netcraft, wrote in e-mail to Deutsche Welle, adding that only the hacker would have access to material included in the original posts.
Given the potentially disastrous nature of the hack, and the tense relationship between Iran and most Western nations in the wake of the Stuxnet worm and discussions over Tehran's nuclear energy program, many in the computer security community have speculated that Comodohacker was politically motivated or was affiliated with the Iranian government.
Comodohacker claims access to opposition groups
In an e-mail to Deutsche Welle, the person claiming to be Comodohacker re-iterated that he acted alone, but dodged direct questions as to his motives and reasons for selecting the targets he chose.
It remains impossible to verify the location of the person responding DW's questions and whether that person was in fact responsible for compromising Comodo's SSL certificates.
Comodohacker also dismissed Iran's opposition parties - specifically the MKO, an expatriate Islamic socialist organization that advocates the overthrow of the Islamic Republic of Iran, and the reformist Green Movement - calling them "gangsters." The hacker added that non-Iranians often underestimate Iran's technical prowess.
"People don't understand power of Iranian scientist, they also didn't believe our power in physics, in laser, in sending satellites, to be honest, I'm tired of explaining my country's potential, when we decide to do something, we just do," Comodohacker wrote.
Comodohacker's message inferred that part of his motivations, however, may stem from nationalistic interests, and the computational inequality between the United States and Iran, where some high-level cryptographic abilities are under export restrictions.
"All encryption systems [and] protocols, [the CIA has] access to them but my country doesn't. I'll reverse/cryptanalysis/attack in any method I can, owning servers, breaking algorithms, reversing code to break them and bring equality," he wrote, adding "I love equality."
Hacker 'likes to boast'
He also claimed that he has access to, or "owns a lot of networks” run by the MKO, the Green Movement, and Balatarin, a popular Iranian news website run from Los Angeles, a claim that is impossible to verify without additional information Comodohacker did not provide.
"It will help me to decrypt all their encrypted communications," the hacker threatened. "Their private networks are located in France, Germany, Jordan, USA and Canada. Some of them also connected to people in Iran via VPNs. They should know from now, they are insecure, I got what I wanted, Comodo published the breach, others don't."
However, Hypponen said Comodohacker "likes to boast," and that some of the hacker's other claims, such as that he decrypts most encryption protocols are "obviously false," but Hypponen added that doesn't mean that the security community should not take him seriously.
"A rogue SSL certificate alone doesn't get you anywhere, you still need to be able to reroute the victim's traffic to a server that the attacker can control," Hypponen wrote. "Comodohacker claims he has infiltrated the networks of MKO et al. This would create a plausible scenario. If he is able to reconfigure the routers or firewalls of an organization, he can reroute, say, login.skype.com to his own server and do invisible man-in-the-middle with a rogue SSL certificate, stealing usernames and passwords.
"ISPs and [certificate authorities] around the world should be watching very carefully for weird certificate requests for the servers he was targeting originally," he added.
Author: Cyrus Farivar
Editor: Sean Sinico