InstantSSL.it named as source of Comodo breach by attacker
By Steve Ragan - Mar 28 2011, 09:30
Update: No word from Comodo yet. However, their attacker has posted another message. You can see it here.
On Saturday, the person behind the breach at Comodo named the Registration Authority (RA) responsible for the rogue SSL certificates generated earlier this month. In addition, he blasted the media and Comodo for the spin placed on the story.
Last week, Comodo came clean and admitted that an RA in southern Europe had been compromised. As it turns out, the RA was InstantSSL.it. The 21-year-old Iranian hacker, known by the name 'ComodoHacker', said that pulling off the compromise itself was easy.
In the report regarding the incident, Comodo said it looked as if the attacker knew what they wanted ahead of time, as they were “able quickly to generate the CSRs for these certificates and submit the orders to our system.”
The origin of the attacking IP address led Comodo to speculate that the breach was a state-sponsored attack. The security community was split on this issue, with both sides of the debate making valid points for and against the idea. However, in addition to admitting his part in the attack, ComodoHacker blasted Comodo’s CEO and the media for assuming his actions were state sponsored.
He claims he acted alone and that he is a ghost. He also asked why the media and security community were questioning Iran's political leaders about the CA attack when, in his telling, no one bothered to ask Israel or the U.S. about Stuxnet. That premise is false, but at this point the letter is mostly a rant driven by propaganda and ego.
As mentioned in our previous report on the Comodo breach, Sophos’ Mike Wood was correct when he pointed out that Comodo (which is a Certificate Authority or CA) trusted that its RA would scrutinize requested certificates. In addition, Comodo trusted it to protect its own power to issue certificates. Because transitive trust is passed down the certificate chain, if any single link is compromised, the entire chain becomes broken.
In a follow-up on the incident, Mozilla mirrored many in the security community when it commented on concerns “about the amount of trust Comodo seems to have placed in RAs whose network security they did not oversee.”
As ComodoHacker outlined in his public address, InstantSSL.it did not protect the ability to issue certificates.
“At first I decided to hack RSA algorithm, I did too much investigation on SSL protocol, tried to find an algorithm for factoring integer, analyzed existing algorithms, for now I was not able to do so, at least not yet, but I know it's not impossible and I'll prove it,” the message explains.
“I saw that there is easier ways of doing it, like hacking a CA. I was looking to hack some CAs like [Thawte], [VeriSign], Comodo, etc. I found some small vulnerabilities in their servers, but it wasn't enough to gain access to server and sign my CSRs,” he added.
Researching Comodo’s InstantSSL, ComodoHacker explained that he located the Italian portal (InstantSSL.it), and was able to exploit the server for full access. From there, he discovered TrustDLL.dll, which does the signing for certificates issued by the RA.
Like any pentester, ComodoHacker decompiled the DLL. It contained the hardcoded URLs and authentication credentials needed to submit certificate orders to Comodo on the RA's behalf. It took some trial and error on his part, but the clues in the DLL let him re-implement the pieces he needed and issue the rogue certificates. Links to GlobalTrust were also hardcoded in the DLL.
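The practical lesson for anyone shipping software to partners is that secrets baked into a binary are recoverable by whoever holds the file. Below is an added audit check, not code from the article or from any Comodo or InstantSSL component: it runs a `strings`-style scan over a constructed byte blob (standing in for a DLL, not the real TrustDLL.dll) and flags embedded endpoints and credential-like strings before a release goes out.

```python
import re

# Constructed sample "binary": junk bytes with embedded ASCII strings.
# It stands in for a DLL handed to a registration authority; nothing
# here is taken from a real file.
SAMPLE_BINARY = (
    b"\x4d\x5a\x90\x00\x03\x00\x00\x00"            # PE-like header bytes
    b"https://ra-api.example.invalid/sign\x00"     # hardcoded endpoint (constructed)
    b"\x01\x02\x03\xff"
    b"ra_user=reseller01\x00"                       # hardcoded username (constructed)
    b"password=Hunter2!\x00"                        # hardcoded password (constructed)
    b"\x00\x7f\x00"
    b"Copyright 2011\x00"                           # benign string, should not be flagged
)

MIN_LEN = 6
# Runs of printable ASCII at least MIN_LEN long, the same idea as `strings`.
STRING_RE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
URL_RE = re.compile(rb"https?://[^\s\x00\"']+")
# Key=value or key:value pairs whose key looks like a credential.
CRED_RE = re.compile(rb"(?i)(passw(or)?d|secret|api[_-]?key|token|user(name)?)\s*[=:]\s*\S+")


def extract_strings(blob, min_len=MIN_LEN):
    """Return every printable ASCII run of at least min_len bytes in blob."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(blob)]


def audit_binary(blob):
    """Classify extracted strings into hardcoded URLs and credential-like pairs."""
    findings = {"urls": [], "credentials": []}
    for s in extract_strings(blob):
        raw = s.encode("ascii")
        if URL_RE.search(raw):
            findings["urls"].append(s)
        if CRED_RE.search(raw):
            findings["credentials"].append(s)
    return findings


if __name__ == "__main__":
    for kind, hits in audit_binary(SAMPLE_BINARY).items():
        print(f"{kind}: {hits}")
```

Run it over a real build artifact by reading the file in binary mode; any hit under `credentials` should be moved out of the binary into per-partner, revocable credentials.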
InstantSSL.it and GlobalTrust.it, as well as the domain mentioned as the one owned by InstantSSL’s CEO, mfpenco.com, are offline with “page under construction” messages. The CEO’s domain links to Entrust via the GlobalTrust logo, and GlobalTrust.it mirrors that link as well.
Comodo reported in its disclosure that the RA had other accounts breached. Also, according to ComodoHacker’s letter, GlobalTrust’s reseller links were not working at the time the attack was initiated.
The Tech Herald duly reached out to Entrust for comment and spoke with David Rockvam, the GM of Entrust Certificate Services and company CMO.
The first thing Rockvam stressed was that Entrust did not suffer any kind of breach during the Comodo incident. When it comes to ties with GlobalTrust, he explained that Entrust had enjoyed a relationship with the company, but that was in the early part of the last decade.
Based on the evidence, after GlobalTrust split with Entrust it moved to Comodo. In truth, GlobalTrust is essentially an abandoned business; the GlobalTrust logos pointing to Entrust's domain are relics of the past. The only link between Comodo and Entrust that exists today is the cross-certificate from Entrust that Comodo uses, which lets Comodo's root certificate be trusted in older browsers and mobile devices.
After some ranting, the anonymous Iranian hacker finished his letter with a simple statement: “Janam Fadaye Rahbar”. For many, this was instantly recognized as 'I will sacrifice my soul for my leader'.
The first time The Tech Herald encountered that phrase was earlier this year. As we watched protesters supporting Anonymous' efforts with Operation: Iran, the phrase would appear occasionally on our screens. Not everyone agrees with it, but it is more of a patriotic point of view than an ideological one.
After reading the letter, one security expert said that it’s possible a single person pulled off the Comodo breach.
“A hacker is somebody who is too stupid to realize that what he’s attempting is impossible. You see that in the Comodo Hacker’s text. He just followed breadcrumbs, solving one clue at a time. Only after he was done does he realize the enormity of the problem,” commented Errata’s Robert Graham.
As word of the letter spread online, some asked why the attacker didn’t do more with his ill-gotten access. For example, why didn’t he target PayPal or other high-value targets?
“As he said, he started with one goal... He didn’t think of PayPal because [he] wasn’t trying to do anything at all with the forged certificates. The answer is that we hackers do not see the big picture. We follow the breadcrumbs through the forest, solving puzzles, but we can’t see anything beyond the nearest trees,” Graham explained.
The Tech Herald has reached out to Comodo for its thoughts on the hacker's explanatory letter. If we hear back, we will update this story.