Comodo hacker claims another certificate authority
IDG News Service - The hacker who claimed credit for breaking into systems belonging to digital certificate vendor Comodo said he has compromised another certificate authority, along with two more Comodo partners, a move that could further undermine trust in the system used to secure websites on the Internet.
In an e-mail interview Tuesday the hacker, who calls himself "Ich Sun," said he'd breached security at another certificate authority, but declined to provide details on the incident or any proof that he'd managed to pull off another attack. "Talking about second CA have no use for me, except giving away my work and corrupting it, sorry," he said in the broken English he's used in all public communications.
He may have succeeded by breaking into a Comodo partner that was also able to create digital certificates through another certificate authority (CA). Over the past weekend, Ich Sun tried to compromise two other Comodo partners, one of which also partnered with a different certificate authority, according to Comodo CEO Melih Abdulhayoglu. Neither of the attacks against the Comodo system was successful, thanks to newly introduced security measures, but Abdulhayoglu said he does not know whether the second CA was compromised.
Certificate authorities like Comodo issue the trusted digital certificates used by SSL (Secure Sockets Layer) encryption to prove that a particular computer on the Internet is what it claims to be: that the computer you visit when you type Google.com actually belongs to Google, for example. Browsers use these digital certificates when they're connecting to secure Web pages, but they're also used to secure Internet mail and virtual private networks. CAs often work with partners, called registration authorities, who charge to confirm the identity of the company and then use the CA's system to generate a cryptographic signature for the company in question.
Ich Sun broke into Comodo's Italian registration authority, called Comodo Italy, and on March 15 used Comodo's systems to fraudulently issue nine digital certificates.
Comodo went public with details of the attack on Thursday and is cooperating with Italian police and the U.S. Federal Bureau of Investigation on the case, but that has not deterred Ich Sun.
These attacks highlight weaknesses in a widely used part of the Internet's security infrastructure, but they also provide a glimpse into the shadowy nature of Internet crime. Nobody knows exactly who Ich Sun is, or what his (or her, or their) true motives might be.
Ich Sun said he broke into Comodo Italy using a very common database attack known as SQL injection. He entered data into Web-based forms that tricked the back-end database into running commands that should have been prohibited. He then took advantage of another flaw to get remote access to this system and was eventually in control of the servers used by two Comodo Italy websites: GlobalTrust.it and InstantSSL.it. He said he found a password hard-coded into a file on one of the systems that ultimately allowed him to issue the digital certificates.
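To illustrate the class of flaw the paragraph above describes, the following is an added example (not code from this article, Comodo, or its registration authorities) showing a query built by pasting form input into SQL next to the same query written with a bound parameter. The table, rows and input strings are constructed for the demonstration; the point is that the parameterized version treats an embedded quote character as data rather than as part of the statement.

```python
import sqlite3


def build_db():
    # Constructed in-memory sample database (not a real CA/RA schema).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?)",
        [("alice", "ra_operator"), ("bob", "auditor")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    # Untrusted input is spliced into the SQL text, so a quote character in
    # the input changes the statement the database actually executes.
    query = f"SELECT username, role FROM accounts WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn, username):
    # The statement text is fixed; the driver sends the value separately,
    # so it can only ever be compared as a literal string.
    return conn.execute(
        "SELECT username, role FROM accounts WHERE username = ?",
        (username,),
    ).fetchall()


def demo():
    # Runs both lookups against a normal value and a constructed value that
    # contains a quote, and returns the row sets for comparison.
    conn = build_db()
    normal = "alice"
    hostile = "nobody' OR '1'='1"  # constructed input with an embedded quote
    return {
        "vuln_normal": lookup_vulnerable(conn, normal),
        "vuln_hostile": lookup_vulnerable(conn, hostile),
        "safe_normal": lookup_safe(conn, normal),
        "safe_hostile": lookup_safe(conn, hostile),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

With the concatenated query, the constructed input widens the WHERE clause so every account is returned; with the bound parameter, the same input matches nothing because no username literally equals that string. Reviewing an application for string-built SQL and replacing it with bound parameters is the standard fix; a hard-coded credential sitting in a file on the same host, as the article goes on to describe, is a separate weakness that parameterization does not address.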