
Lone Iranian hacker claims credit for Comodo digital certificate hack

29 March 2011

Reports are coming in that an independent Iranian hacktivist, portraying himself as a patriot, is claiming credit for the fraudulent issuance of certificates for a range of major sites by Comodo.

As reported previously, several digital certificates were obtained from Comodo by deception; they could have been used to impersonate major websites such as login.skype.com, mail.google.com, login.live.com and other popular internet sites.

It now appears that the hacker, who calls him/herself Comodohacker, has posted a series of messages on the Pastebin.com portal describing how the hack was carried out and giving several details that experts say appear genuine.

Infosecurity understands that Comodohacker has named GlobalTrust.it and InstantSSL.it, two Italian registration authorities, as the weak links in the authentication process. This is in keeping with Comodo's claims in the last week that a southern European company was central to the hack.

According to Sophos Canada's senior security advisor Chester Wisniewski, whilst investigating how s/he might compromise a certificate authority (CA), the hacker stumbled upon InstantSSL.it and its use of a DLL on its site to submit Certificate Signing Requests (CSRs) for immediate signing by the CA.

"Upon disassembling this DLL, he discovered a plain text username and password used as part of the CSR submission process, allowing him to submit any CSR he wished to be signed by Comodo and instantly retrieve the signed certificate", says Wisniewski in his latest security blog.

"Initially it was unclear if this guy was for real, and of course it is still impossible to tell. He did post some of the source from TrustDLL.dll to Pastebin, including the parts used for authentication that stored the unencrypted password", he adds.
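Wisniewski's account comes down to a client-side binary carrying a static credential, which a disassembler, or even a strings scan, recovers in minutes. The Python below is an added example, not code from the article, from Sophos, or from Comodo or InstantSSL, and the "DLL" it scans is a blob constructed inline. It extracts printable ASCII and UTF-16LE runs (the latter matters because .NET assemblies store string literals as UTF-16LE, so an ASCII-only scan misses them) and flags endpoint URLs, key=value secrets, and a bare label such as "Password" followed by its literal value. The endpoint, account name and password it finds are invented for the example; nothing from the real TrustDLL.dll is reproduced here.

```python
"""
Recover hard-coded credentials from a binary by string extraction.

Added example (not code from the article, Sophos, Comodo or InstantSSL).
The sample blob is constructed below to stand in for a DLL that embeds an
RA-to-CA endpoint plus a username and password as string literals.
"""
import re
from dataclasses import dataclass

MIN_LEN = 6  # shortest printable run worth reporting, as with strings(1)

ASCII_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)
KV_PAIR = re.compile(r"^([A-Za-z_][A-Za-z0-9_-]{2,20})\s*[=:]\s*(\S{4,})$")
URL = re.compile(r"^https?://", re.I)


@dataclass(frozen=True)
class Finding:
    offset: int
    encoding: str
    kind: str      # "endpoint", "username", "password" or "apikey"
    value: str


def extract_strings(blob: bytes):
    """Return (offset, encoding, text) for printable ASCII and UTF-16LE runs,
    sorted by offset. .NET keeps string literals as UTF-16LE, so an
    ASCII-only scan would miss exactly the literals we care about."""
    found = [(m.start(), "ascii", m.group().decode("ascii"))
             for m in ASCII_RUN.finditer(blob)]
    found += [(m.start(), "utf-16le", m.group().decode("utf-16-le"))
              for m in UTF16_RUN.finditer(blob)]
    return sorted(found)


def label_kind(text: str):
    """Map a label-looking string to a credential kind, else None."""
    t = text.lower().replace("-", "").replace("_", "")
    if t in ("user", "username", "login", "uid"):
        return "username"
    if t in ("pass", "password", "passwd", "pwd", "secret"):
        return "password"
    if t == "apikey":
        return "apikey"
    return None


def find_credentials(blob: bytes):
    """Flag endpoints, key=value secrets, and bare labels followed by a value."""
    strings = extract_strings(blob)
    findings = []
    for i, (off, enc, text) in enumerate(strings):
        if URL.match(text):
            findings.append(Finding(off, enc, "endpoint", text))
            continue
        kv = KV_PAIR.match(text)
        if kv and label_kind(kv.group(1)):
            findings.append(Finding(off, enc, label_kind(kv.group(1)), kv.group(2)))
            continue
        # A bare label ("Password") in a binary is usually followed by its
        # literal value; report the next extracted string as the candidate.
        kind = label_kind(text)
        if kind and i + 1 < len(strings):
            noff, nenc, ntext = strings[i + 1]
            findings.append(Finding(noff, nenc, kind, ntext))
    return findings


def build_sample_blob() -> bytes:
    """Constructed stand-in for a compiled DLL (not a real binary)."""
    def lit(s: str) -> bytes:
        # length-prefixed UTF-16LE literal with a trailing byte, loosely
        # mimicking how a .NET user-string heap stores literals
        enc = s.encode("utf-16-le")
        return bytes([len(enc) + 1]) + enc + b"\x00"
    return b"".join([
        b"MZ\x90\x00" + bytes(range(0x20)),              # fake header bytes
        b"mscoree.dll\x00_CorDllMain\x00",                # ASCII import names
        lit("https://ra.example.invalid/SubmitCSR"),      # hypothetical endpoint
        lit("Username"), lit("ra_operator"),              # hypothetical credential
        lit("Password"), lit("S3cret!RA-pass"),
        bytes([0x13, 0x37, 0xDE, 0xAD, 0xBE, 0xEF] * 8),  # non-text noise
        b"Submit CSR failed: %s\x00",
    ])


if __name__ == "__main__":
    for f in find_credentials(build_sample_blob()):
        print(f"{f.offset:#06x} {f.encoding:<9} {f.kind:<9} {f.value}")
```

Recovering the string is the easy part; the point Wisniewski draws out is about the design. A credential shipped inside a distributed binary has to be treated as public, and a CA signing interface that issues for any CSR on the strength of a static RA credential has no independent check that the RA actually validated the requested domain. Rotating the password after disclosure fixes the first problem, not the second.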

The Sophos researcher went on to say that, once again, the root cause comes back to insecure passwords and poor password-handling practice.

Fortunately, he notes, the impact of this incident is quite small, and it may serve as a wake-up call for the certificate industry as a whole.

But, adds Wisniewski, there is still a shroud of mystery surrounding the whole affair because, if it was a lone hacker making a point, why issue certificates for these specific websites, all related to secure communication methods often used by dissidents to organise protests and share news with the world?

"[Comodohacker's] ramblings certainly show his support for Mahmoud Ahmadinejad and the current Iranian regime, but there are no conclusive ties to his government", he said.

 
