An Iranian claiming to be the person behind last week's attack on a Comodo partner said poor coding practices allowed him to generate SSL certificates, but asserted he was acting alone, not as part of a state-sponsored attack.
individual claiming responsibility for generating bogus SSL
certificates for Google, Skype, Microsoft Live and Yahoo has identified
himself, and surprise, it's not the Iranian Cyber Army.
Comodo attack was not the act of an organized, state-sponsored organization,
but a lone hacker interested in bringing down the SSL
root certificate system
, according to a rambling message filled with
grammatical and spelling errors posted online March 26. The note on code and
text-sharing site Pastebin was signed by Janam
, an Iranian who claimed to not be part of the Iranian Cyber
Army or any other organized group of hackers.
not a group of hacker, I'm a single hacker with experience of 1000 hackers,"
told eWEEK on March 24 that considering the IP addresses
originated in Iran and that the targeted sites were all for communications
infrastructure, he was sure the compromise had been part of a
state-organized attack from Iran to eavesdrop on dissidents. "This is my
opinion. I don't have proof," he said.
claimed he was trying to bring down a certificate authority like "Thawthe,
Verisign, [and] Comodo," and had found "some small vulnerabilities"
in servers, but wasn't able to gain access to signed certificates. He then
discovered Website vulnerabilities for two Comodo partners in Italy,
GlobalTrust.it and InstantSSL.it, Rahbar wrote.
used a DLL on its site to submit Certificate Signing Requests to Comodo and to
retrieve the signed digital certificate. When the attacker disassembled the C#
code, he found the username and password used as part of the CSR
submission process embedded in the file in plain text. With this information,
he could submit any CSR he wished to be
signed by Comodo and instantly retrieve the signed certificate, Rahbar said.
learned all these stuff, re-wrote the code and generated CSR
for those sites all in about 10-15 minutes," he wrote.
attacker managed to generate SSL
certificates for login.skype.com, mail.google.com, login.live.com,
login.live.com, www.google.com, login.yahoo.com and addons.mozilla.org. Both
GlobalTrust and InstantSSL sites are currently unavailable.
what should no longer be a surprise, the attack succeeded because of insecure
passwords and password handling techniques. A number of recent attacks recently
have revealed that even the most security-conscious organizations aren't
enforcing their password policies. For example, hacktivist group Anonymous
managed to get into HBGary Federal's emails because the CEO
had a weak password and reused it across several systems.
practice of directly signing issued certificates with the root certificate to
registration authorities is really bad practice, Mozilla noted in a blog post
on March 25. "We are concerned about the amount of trust
seems to have placed in RAs whose network security they did not
oversee," the company wrote.
possible Rahbar is grandstanding for attention, but he did post some
TrustDLL.dll source code onto text-sharing site Pastebin, including the parts
that stored the unencrypted password.
claimed the attack was retaliation for Stuxnet, which he believed had been
created by the United States
and Israel to
specifically attack Iran.
write Stuxnet, nobody talks about it, nobody gots blamed, nothing happened at
all," he wrote, concluding, "When I sign certificates nothing should
happen. It's a simple deal."
damaged Iranian nuclear reactors by compromising SCADA systems early last year.
While a number of security researchers have speculated the possibility of some
kind of state involvement, nothing has been proven. It was very clearly one of
the most sophisticated pieces of malware ever developed, according to Randy
Abrams, director of technical education at ESET.
also called out Microsoft, Google and Mozilla for updating their browsers
immediately after the breach came to light to ensure the certificates would be
blocked. He claimed that the companies had been slow, "two years," in
patching the Printer vulnerability uncovered by Stuxnet in their browsers, but
had been quick with the certificates. "I'll bring equality in internet,"