Solo Iranian hacker takes credit for Comodo certificate attack
Security researchers split on whether 'ComodoHacker' is the real deal
Computerworld - A solo Iranian hacker on Saturday claimed responsibility for stealing multiple SSL certificates belonging to some of the Web's biggest sites, including Google, Microsoft, Skype and Yahoo.
Early reaction from security experts was mixed, with some believing the hacker's claim, while others were dubious.
Last week, conjecture had focused on a state-sponsored attack, perhaps funded or conducted by the Iranian government, that hacked a certificate reseller affiliated with U.S.-based Comodo.
On March 23, Comodo acknowledged the attack, saying that eight days earlier, hackers had obtained nine bogus certificates for the log-on sites of Microsoft's Hotmail, Google's Gmail, the Internet phone and chat service Skype and Yahoo Mail. A certificate for Mozilla's Firefox add-on site was also acquired.
SSL certificates validate the legitimacy of a Web site to the browser, assuring users that they're connecting to the real site, and that the traffic between their browsers and the site is encrypted.
Comodo CEO Melih Abdulhayoglu said last week that circumstantial evidence pointed to a state-backed attack, and claimed the Iranian government was probably behind it. "We believe these are politically motivated, state driven/funded attacks," said Abdulhayoglu.
He based his opinion on the fact that only Iran's government -- which could jigger the country's DNS (domain name system) to funnel traffic through fake sites secured by the stolen certificates -- would benefit.
In Abdulhayoglu's analysis, authorities could have used the certificates to dupe anti-government activists into believing they were at a legitimate Yahoo Mail, for example. In reality, however, the phony sites would have collected users' usernames and passwords, and thus given the government access to their e-mail or Skype accounts.
On Sunday, a single hacker took responsibility for the Comodo attack, backing up his claim with decompiled code.
"I'm not a group of hacker [sic], I'm single hacker with experience of 1,000 hackers," wrote the attacker in a post on Pastebin.com late Saturday. He called himself "ComodoHacker" and said he's 21 years old.
ComodoHacker alleged that he had gained full access to InstantSSL.it, the Italian arm of Comodo's InstantSLL certificate selling service, then decompiled a DLL file he found on its server to uncover the reseller account's username and password.
With the username and password in hand, said ComodoHacker, he was able to generate the nine certificates, "all in about 10-15 minutes." His message was signed "Janam Fadaye Rahbar," which reportedly means "I will sacrifice my soul for my leader."
The InstantSLL.it Web site is currently offline.
Robert Graham, the CEO of Errata Security, believes ComodoHacker is telling a straight story.
"As a pentester who does attacks similar to what the ComodoHacker did, I find it credible," Graham said Sunday on the Errata blog. "I find it probable that (1) this is the guy, (2) he acted alone, (3) he is Iranian, (4) he's patriotic but not political."
- Radicati: Cloud Business Email - Market Quadrant 2013 Google was named the top cloud business email provider in a recent report by research firm Radicati. Out of 14 key players, Google...
- Tablets in the Enterprise: A Checklist for Successful Deployment How can you enterprise manage and secure tablets in order to protect corporate data while providing access to the information and applications employees...
- Enterprise Mobility: A Checklist for Secure Containerization The advantages and disadvantages of the multiple approaches to containerization. Learn More>>
- Enterprise File Sync & Share Checklist File sync and share has changed the way people work and collaborate in today's tech-savvy world. Gone are the email roadblocks, clunky FTP...
- Live Webcast LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Security White Papers | Webcasts