[liberationtech] DW: Iranian hacker breaches Web's digital certificate system [Farivar]

Cyrus Farivar cfarivar at cfarivar.org
Wed Mar 30 09:11:10 PDT 2011


DW-WORLD.DE | Print
30.03.2011

http://www.dw-world.de/dw/article/0,,14954119,00.html

Hed: Iranian hacker breaches Web's digital certificate system
Dek: Computer security experts are worried about potential damage to
secure websites. A 21-year-old Iranian student claims to have acted
alone in compromising a widely used system to create secure
connections on the Web.

The Internet-security company Comodo said it sustained a major
security breach in which nine SSL certificates were issued in its
name. These certificates digitally authenticate a secure connection
to websites and are used by many major Internet companies, including
Google, Microsoft and Skype.

The hacker acquired fake certificates for Google and Microsoft's
e-mail services, Yahoo, Skype, and Mozilla, the developer of the
popular Firefox Web browser.

Comodo, which disclosed the attack on its company blog on March 23,
revoked the affected certificates when it became aware of the attack,
eliminating the risk of their being used for malicious purposes.

The first breach came through a Comodo partner in Italy, GlobalTrust,
which according to an initial analysis of the attack had its network
compromised by an Iranian hacker. The tech news website CNET reported
Tuesday that US and Italian law enforcement agencies were
investigating the breach.

Security researchers, who have noted that the origins of such a breach
can never be determined with absolute certainty, said they were very
concerned that if the Iranian government or other agents could
duplicate the attack they could create serious problems for Internet
security.

"In theory, an Iranian attempting to log into his Yahoo account, for
example, could have been misdirected to a fake site," Mikko Hypponen,
the chief research officer at F-Secure, a computer security research
firm in Finland, wrote on his company's blog last week.

"That would allow the perpetrators to obtain a host of online
information including contents of e-mail, passwords and usernames,
while monitoring activity on the dummy sites. Since the targeted sites
offer communication services, not financial transactions, Comodo said
it seemed clear the hackers sought information, not money."

Comodohacker is 'undoubtedly' genuine

On Saturday, someone using the name "Comodohacker" began posting
messages and technical details of the attack on the website
Pastebin.com, leading many to believe that the anonymous poster was,
indeed, responsible for these breaches. In those messages,
Comodohacker claimed to be a self-taught, 21-year-old university
student in Iran who was acting alone.

Some experts have pointed to the details in Comodohacker's online
posts as evidence that this person perpetrated the Comodo attack.

"The Comodohacker Pastebin posts are undoubtedly from the genuine
hacker," Paul Mutton, a British computer security expert with
Netcraft, wrote in e-mail to Deutsche Welle, adding that only the
hacker would have access to material included in the original posts.

Given the potentially disastrous nature of the hack, and the tense
relationship between Iran and most Western nations in the wake of the
Stuxnet worm and discussions over Tehran's nuclear energy program,
many in the computer security community have speculated that
Comodohacker was politically motivated or was affiliated with the
Iranian government.

Comodohacker claims access to opposition groups

In an e-mail to Deutsche Welle, the person claiming to be Comodohacker
reiterated that he acted alone, but dodged direct questions as to his
motives and reasons for selecting the targets he chose.

It remains impossible to verify the location of the person responding
to DW's questions and whether that person was in fact responsible for
compromising Comodo's SSL certificates.

Comodohacker also dismissed Iran's opposition parties - specifically
the MKO, an expatriate Islamic socialist organization that advocates
the overthrow of the Islamic Republic of Iran, and the reformist Green
Movement - calling them "gangsters." The hacker added that
non-Iranians often underestimate Iran's technical prowess.

"People don't understand power of Iranian scientist, they also didn't
believe our power in physics, in laser, in sending satellites, to be
honest, I'm tired of explaining my country's potential, when we decide
to do something, we just do," Comodohacker wrote.

Comodohacker's message implied that part of his motivation, however,
may stem from nationalistic interests and the computational
inequality between the United States and Iran, where some high-level
cryptographic capabilities are under export restrictions.

"All encryption systems [and] protocols, [the CIA has] access to them
but my country doesn't. I'll reverse/cryptanalysis/attack in any
method I can, owning servers, breaking algorithms, reversing code to
break them and bring equality," he wrote, adding "I love equality."

Hacker 'likes to boast'

He also claimed that he has access to, or "owns a lot of networks" run
by the MKO, the Green Movement, and Balatarin, a popular Iranian news
website run from Los Angeles, a claim that is impossible to verify
without additional information Comodohacker did not provide.

"It will help me to decrypt all their encrypted communications," the
hacker threatened. "Their private networks are located in France,
Germany, Jordan, USA and Canada. Some of them also connected to people
in Iran via VPNs. They should know from now, they are insecure, I got
what I wanted, Comodo published the breach, others don't."

However, Hypponen said Comodohacker "likes to boast," and that some of
the hacker's other claims, such as that he can decrypt most encryption
protocols, are "obviously false," but Hypponen added that this doesn't
mean the security community should not take him seriously.

"A rogue SSL certificate alone doesn't get you anywhere, you still
need to be able to reroute the victim's traffic to a server that the
attacker can control," Hypponen wrote. "Comodohacker claims he has
infiltrated the networks of MKO et al. This would create a plausible
scenario. If he is able to reconfigure the routers or firewalls of an
organization, he can reroute, say, login.skype.com to his own server
and do invisible man-in-the-middle with a rogue SSL certificate,
stealing usernames and passwords.

"ISPs and [certificate authorities] around the world should be
watching very carefully for weird certificate requests for the servers
he was targeting originally," he added.

Author: Cyrus Farivar

Editor: Sean Sinico

www.dw-world.de | © Deutsche Welle.


-- 
Cyrus Farivar
"suh-ROOS FAR-ih-var"

Freelance technology journalist and radio producer

Author, "The Internet of Elsewhere"
http://www.internetofelsewhere.com

DE: +49 163 763 3108 (m)
US: +1 510 394 5485 (m)

Twitter/Skype: cfarivar

"Being a good writer is 3% talent, 97% not being distracted by the Internet."

http://cyrusfarivar.com
cfarivar at cfarivar.org