informa
News

'Comodo Hacker' Says He Acted Alone

The plot thickens: In an effort to back up his claims, alleged hacker dumps apparent evidence of pilfered database from breached Comodo reseller, as well as Mozilla add-on site certificate
The "whodunnit" drama surrounding nine phony Comodo SSL certificates has taken another twist: Someone claiming to be a 21-year-old Iranian hacker says he alone hacked a Comodo reseller -- which he named as GlobalTrust. And today, with some critics questioning a lone-hacker theory, he fired back by posting what appears to be the reseller's database of 800 encrypted passwords.

"Some stupids in internet still cannot understand I'm behind the attack on SSL, talks about their small understandings about my hack and makes me nervous," he said in his latest post today on Pastebin as the "Comodo hacker," with a link to the stolen database. "I uploaded JUST 1 table of their ENTIRE database which I own. Also ask Comodo about my hack, ask them what I did to them."

But the rambling manifestos by the alleged hacker posted on Pastebin here and here, much of it in broken English, raise more questions and appear to shoot down Comodo's claim that the attack might be nation-state sponsored and most likely out of Iran, since the IP addresses involved came from that country. That had generated debate last week over whether Iran could be using the phony certifications as a way to spy on its citizens via their Google mail, Yahoo mail, Skype calls, and Microsoft Windows Live chats.

And just in case anyone was still skeptical that he is who he says he is, the "Comodo Hacker" posted a Mozilla add-on certificate here just minutes ago. He is also now tweeting his revelations under the Twitter handle of @ichsunx.

Security experts agree that the self-professed attacker got the goods from Comodo's reseller that allowed him to issue nine phony SSL certificates for mail.google.com, www.google.com, login.skype.com, addons.mozilla.org, login.live.com, and global trustee, and three different ones for login.yahoo.com, but they disagree over whether the attacker indeed worked alone or is an Iranian.

"This could be a smokescreen trying to make it look like a lone gunman," says Mikko Hypponen, chief research officer of F-Secure. "Whoever posted it to Pastebin did have access to those original systems, so whoever is behind the posts was also behind the actual attack. But whether it was a 21-year-old lone hacker from Iran or somewhere else -- I have a hard time buying that."

Robert Graham, CEO of Errata Security, says Comodo's and others' claims that the breach of its reseller and subsequent issuance of the phony certificates might have been the work of the Iranian government now appear to be even more of a stretch. Graham says the self-professed "Comodo Hacker" sounds more like a lone hacker who was not politically motivated. "Most of what we do surprises us ... and sometime it has taken on a life of its own," Graham says.

The "Comodo Hacker" says he began with the goal of factoring RSA keys, but ended up stumbling on the certificate hack. He says he hacked Comodo via its reseller GlobalTrust and its InstantSSL.it site, and was able to access its Comodo administrative account, with the database name of "globaltrust and instantsslcms," he wrote in his post on Pastebin. "GlobalTrust.it had a dll called TrustDLL.dll for handling Comodo requests, they had resellers and their url was http://www.globaltrust.it/reseller_admin/."

He said it all started when he decided to try to hack the RSA algorithm. When he hit an obstacle, he began looking at hacking CAs, such as Thawte, VeriSign, and Comodo. "I found some small vulnerabilities in their servers, but it wasn't enough to gain access to server and sign my CSRs. During my search about InstantSSL of Comodo which signs CSRs immediately I found InstantSSL.it which was doing it's job under control of Comodo," he wrote. "After a little try, I analyzed their web server and easily (easy for me, so hard for others) I got FULL access on the server, after a little investigation on their server, I found out that TrustDll.dll takes care of signing."

From there, he reverse-engineered the DLL, got credentials to the Comodo reseller, and rewrote some code for several APIs that allows him to sign certificates, according to his post.

Errata's Graham, who also blogged on the latest Comodo development today, says the Comodo reseller breach demonstrates that attackers getting binaries, such as .DLLs, is a real threat. His firm has been able to grab .dlls, .exes, and ActiveX controls during penetration testing for its clients, he says. "Now this is a data point showing how this happens," he says.

Blaming the hacker is one way to divert attention away from the security shortcomings of Comodo, he says. "Ultimately, they have themselves [to blame]," Graham says. "And the whole certificate chain is at fault, too. Too many people have trust in this system, and it's too easy to subvert that."

That was the consensus of security experts last week in the wake of Comodo's disclosure: The hack underscores a flawed certificate validation process, and Comodo's model of leaving its resellers free to issue SSL certificates to websites left it wide open for this type of attack.

Meanwhile, researcher Dino Dai Zovi said on Twitter today that he wasn't surprised just one person hacked a Comodo reseller. "Nor am I surprised that the [credentials] were in the DLL," he tweeted.

Not everyone is sold on the lone-hacker theory. F-Secure's Hypponen says fake certificates wouldn't be useful for a lone hacker unless he or she can reroute traffic. "It is possible that it wasn't Iran, and it's very possible it was another nation-state. Right now, Iran is a good scapegoat," he says, although Iran does have the technical skills to pull it off.

Hypponen says the email domains created by the attacker appear to indicate that it's someone who wants to snoop on a large group of people. "It looks like a nation-state snooping on its own citizens," he says.

As of this posting, Comodo had not responded to requests for an interview and comment about the hacker's manifesto. Comodo vice president and principal scientist Phillip Hallam-Baker late Friday blogged that it wasn't as much about who was behind that hack as it was the motives and how to prevent future such attacks.

"Circumstantial evidence suggests that the attack originated in Iran. The original certificate requests were received from an Iranian IP address and one certificate was installed on a server with an Iranian IP address. While the circumstances strongly suggest an Iranian connection we do not know if this is because the attacker was from Iran or because this is the conclusion the attacker intended us to make," he blogged.

It's likely not the last we've heard from the Comodo Hacker. Errata's Graham says he expects the hacker to reveal more information about himself.

Meanwhile, the "Comodo Hacker's" second post today included a veiled threat of more to come:

"So simply keep your mouth shut and wait. I already created my own encryption protocol, from asymmetric algorithm (for key exchange) to symmetric algorithm for encrypting data to my own hash algorithm to sign encrypted algorithms. You are so far from knowing about me..."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Recommended Reading: