An Iranian claiming to be the person behind last week's attack on a Comodo partner said poor coding practices allowed him to generate SSL certificates, but asserted he was acting alone, not as part of a state-sponsored attack.
An individual claiming responsibility for generating bogus SSL certificates for Google, Skype, Microsoft Live and Yahoo has identified himself, and surprise, it's not the Iranian Cyber Army.

The Comodo attack was not the act of an organized, state-sponsored group, but of a lone hacker interested in bringing down the SSL root certificate system, according to a rambling message filled with grammatical and spelling errors posted online March 26. The note on code- and text-sharing site Pastebin was signed by Janam Fadaye Rahbar, an Iranian who claimed not to be part of the Iranian Cyber Army or any other organized group of hackers.

"I'm not a group of hacker, I'm a single hacker with experience of 1000 hackers," Rahbar wrote.

Comodo CEO Melih Abdulhayoğlu told eWEEK on March 24 that, considering the IP addresses originated in Iran and that the targeted sites were all communications infrastructure, he was sure the compromise had been part of a state-organized attack from Iran to eavesdrop on dissidents. "This is my opinion. I don't have proof," he said.

Rahbar claimed he had been trying to bring down a certificate authority like "Thawthe, Verisign, [and] Comodo," and had found "some small vulnerabilities" in servers, but wasn't able to gain access to signed certificates. He then discovered website vulnerabilities at two Comodo partners in Italy, GlobalTrust.it and InstantSSL.it, Rahbar wrote.

InstantSSL.it used a DLL on its site to submit Certificate Signing Requests (CSRs) to Comodo and to retrieve the signed digital certificate. When the attacker disassembled the C# code, he found the username and password used in the CSR submission process embedded in the file in plain text. With those credentials, he could submit any CSR he wished to be signed by Comodo and instantly retrieve the signed certificate, Rahbar said.

"I learned all these stuff, re-wrote the code and generated CSR for those sites all in about 10-15 minutes," he wrote.
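As an added defender-side check, not code from the article or from Comodo or its partners: the C# DLL described above carried the CA-submission username and password as string literals. A .NET assembly keeps such literals in its #US metadata heap as UTF-16LE, so a plain ASCII `strings` pass can miss them; the scanner below extracts both ASCII and UTF-16LE runs from a binary and flags credential-shaped ones. The sample bytes, URL and credential values are constructed for this example.

```python
import re

def utf16le(s: str) -> bytes:
    return s.encode("utf-16-le")

# Constructed stand-in for a compiled .NET assembly: an MZ header, some
# padding, and string literals stored the way the #US heap stores them
# (UTF-16LE), plus one ordinary ASCII symbol name. Not a real file.
SAMPLE_ASSEMBLY = (
    b"MZ\x90\x00" + b"\x00" * 16 + b".text\x00\x00\x00"
    + utf16le("https://example.invalid/api/submit_csr")  # placeholder endpoint
    + b"\x00\x00"
    + utf16le("username=reseller_account")               # constructed credential
    + b"\x00\x00"
    + utf16le("password=Plaintext123!")                  # constructed credential
    + b"\x00\x00"
    + b"SomeAsciiSymbol\x00"
)

# Printable ASCII runs, and UTF-16LE runs (printable byte followed by NUL).
ASCII_RUN = re.compile(rb"[\x20-\x7e]{6,}")
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")

# Credential-shaped "key=value" / "key: value" fragments; extend to taste.
CRED_PATTERN = re.compile(
    r"(?i)(?:passw(?:or)?d|pwd|secret|api_?key|username|user(?:id)?)\s*[=:]\s*\S+"
)

def extract_strings(blob: bytes):
    """Yield (encoding, text, offset) for ASCII and UTF-16LE runs in a binary."""
    for m in ASCII_RUN.finditer(blob):
        yield ("ascii", m.group().decode("ascii"), m.start())
    for m in UTF16_RUN.finditer(blob):
        yield ("utf-16le", m.group().decode("utf-16-le"), m.start())

def find_embedded_credentials(blob: bytes):
    """Return [(encoding, offset, matched_fragment)] for credential-like strings."""
    hits = []
    for enc, text, off in extract_strings(blob):
        m = CRED_PATTERN.search(text)
        if m:
            hits.append((enc, off, m.group()))
    return hits

if __name__ == "__main__":
    for enc, off, frag in find_embedded_credentials(SAMPLE_ASSEMBLY):
        print(f"{enc:9s} @0x{off:04x}: {frag}")
```

The two constructed credentials are only found via the UTF-16LE pass; an ASCII-only scan of the same bytes returns nothing.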
The attacker managed to generate SSL certificates for login.skype.com, mail.google.com, login.live.com, www.google.com, login.yahoo.com and addons.mozilla.org. Both the GlobalTrust and InstantSSL sites are currently unavailable.

In what should no longer be a surprise, the attack succeeded because of insecure passwords and password-handling techniques. A number of recent attacks have revealed that even the most security-conscious organizations aren't enforcing their password policies. For example, hacktivist group Anonymous managed to get into HBGary Federal's emails because the CEO had a weak password and reused it across several systems.

Comodo's practice of having certificates issued through registration authorities signed directly with its root certificate is really bad practice, Mozilla noted in a blog post on March 25. "We are concerned about the amount of trust Comodo seems to have placed in RAs whose network security they did not oversee," the company wrote.

It's possible Rahbar is grandstanding for attention, but he did post some TrustDLL.dll source code onto text-sharing site Pastebin, including the parts that stored the unencrypted password.

Rahbar claimed the attack was retaliation for Stuxnet, which he believed had been created by the United States and Israel specifically to attack Iran.

"When USA and Israel write Stuxnet, nobody talks about it, nobody gots blamed, nothing happened at all," he wrote, concluding, "When I sign certificates nothing should happen. It's a simple deal."

Stuxnet damaged Iranian nuclear reactors by compromising SCADA systems early last year. While a number of security researchers have speculated about the possibility of some kind of state involvement, nothing has been proven. It was very clearly one of the most sophisticated pieces of malware ever developed, according to Randy Abrams, director of technical education at ESET.

Rahbar also called out Microsoft, Google and Mozilla for updating their browsers immediately after the breach came to light to ensure the certificates would be blocked. He claimed that the companies had been slow, "two years," in patching the Printer vulnerability uncovered by Stuxnet in their browsers, but had been quick with the certificates. "I'll bring equality in internet," he wrote.