Single hacker claims responsibility for Comodo certificate theft

An individual, presumably Iranian, hacker claims to be behind the unauthorised creation of illegitimate SSL certificates for the web servers of various major web service providers. Previously, the Iranian government was among those suspected to have carried out the attack, potentially in order to use the certificates to spy out the communications between members of the national opposition.

On the text snippets publishing website, pastebin.com, a 21-year-old programmer who goes by the name of "Comodohacker" has released a manifesto in which he provides details about the intrusion. While security experts think that his description of the hack is plausible, they continue to doubt that an individual could be responsible for the attack.

In his manifesto, the hacker claims that he initially broke into the web server of Italian Comodo reseller InstantSSL.it – whose services were, indeed, suspended last week. On the web server, the hacker said that he found a .NET library used by the reseller to submit Certificate Signing Requests (CSRs) to Comodo and to GeoTrust. When decompiling the library written in C#, the hacker says he found the embedded access credentials for the reseller's Comodo and GeoTrust accounts.

Having established that the GeoTrust URLs stored in the DLL didn't work, the hacker said that he did manage to access the Comodo account. Although he said that in order to sign his CSRs he initially had to familiarise himself with the API, the hacker, who throughout his manifesto repeatedly praised his own talents, said that it only took him 15 minutes to do this. He then reportedly managed to submit the requests; according to Comodo, the affected domains included login.live.com, mail.google.com, www.google.com, login.yahoo.com, login.skype.com and addons.mozilla.org.

The apparently patriotic hacker didn't state his precise motives. It seems that, when trying to factor RSA keys, he got lost in the details and, being unsuccessful, proceeded to focus on hacking the CAs.

Comodo hasn't provided any further information to confirm or invalidate his claims. Pen testers Errata Security find that at least the technical description is plausible. Errata Security said that, in its pen tests, they "regularly find embedded usernames and passwords that nobody believe hackers can read."

On Twitter, Metasploit developer H.D. Moore doubts that a single person could be responsible for the entire attack. Mikko Hyyponen from F-Secure also thinks that the attack wasn't carried out by an individual perpetrator. The security expert asked: "Do we really believe that a lone hacker gets into a CA, can generate any cert he wants... and goes after login.live.com instead of paypal.com?" However, in view of the capabilities the hacker required for obtaining the certificates, some people speculate that his abilities would also be sufficient to create the red herring this manifesto could turn out to be.

(crve)