InstantSSL.it named as source of Comodo breach by attacker

Update: No word from Comodo yet. However, their attacker has posted another message. You can see it here.

On Saturday, the person behind the breach at Comodo named the Registration Authority (RA) responsible for the rogue SSL certificates generated earlier this month. In addition, he blasted the media and Comodo for the spin placed on the story.

Last week, Comodo came clean and admitted that an RA in southern Europe had been compromised. As it turns out, the RA was InstantSSL.it. The 21-year-old Iranian hacker, known by the name 'ComodoHacker', said that pulling off the compromise itself was easy.

In the report regarding the incident, Comodo said it looked as if the attacker knew what they wanted ahead of time, as they were “able quickly to generate the CSRs for these certificates and submit the orders to our system.”

The origin of the attacking IP address led Comodo to speculate that the breach was a state-sponsored attack. The security community was split on this issue, with both sides of the debate making valid points for and against the idea. However, in addition to admitting his part in the attack, ComodoHacker blasted Comodo’s CEO and the media for assuming his actions were state sponsored.

He claims he acted alone, and that he’s a ghost. Moreover, he questioned the media and security community on why they were asking political leaders in Iran about the CA attack, when no one bothered to ask Israel or the U.S. about Stuxnet. That isn’t the case, but at this point in the letter he mostly went on a rant driven by propaganda and ego.

As mentioned in our previous report on the Comodo breach, Sophos’ Mike Wood was correct when he pointed out that Comodo (which is a Certificate Authority or CA) trusted that its RA would scrutinize requested certificates. In addition, Comodo trusted it to protect its own power to issue certificates. Because transitive trust is passed down the certificate chain, if any single link is compromised, the entire chain becomes broken.

In a follow-up on the incident, Mozilla mirrored many in the security community when it commented on concerns “about the amount of trust Comodo seems to have placed in RAs whose network security they did not oversee.”

As ComodoHacker outlined in his public address, InstantSSL.it did not protect the ability to issue certificates.
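To make the "transitive trust" point concrete, here is a small chain-of-trust model added for this article (it is not code from Comodo, the RA or the attacker). Certificates carry a subject, issuer, serial and key; HMAC-SHA256 under the issuer's key stands in for a real signature, so unlike X.509 the verifier holds the same key that signed. The CA, RA, domain names, keys and serials are all constructed. The point it shows is that a certificate obtained through a compromised RA verifies exactly like a legitimate one, and that the only ways to stop it are to revoke the specific serial or to stop trusting the intermediate.

```python
import hmac
import hashlib
from dataclasses import dataclass, replace

# Toy model of the CA -> RA -> end-entity chain described in the article.
# HMAC-SHA256 under the issuer's key stands in for a real signature; every
# name, key and serial below is constructed for this example.


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    serial: int
    key: bytes   # toy: the subject's signing/verification key
    sig: bytes   # issuer's signature over (subject, issuer, serial, key)


def _tbs(subject: str, issuer: str, serial: int, key: bytes) -> bytes:
    """The 'to be signed' bytes: everything the issuer vouches for."""
    return f"{subject}|{issuer}|{serial}|".encode() + key


def self_sign(name: str, key: bytes, serial: int = 1) -> Cert:
    sig = hmac.new(key, _tbs(name, name, serial, key), hashlib.sha256).digest()
    return Cert(name, name, serial, key, sig)


def issue(issuer: Cert, subject: str, serial: int, subject_key: bytes) -> Cert:
    """Issuer signs a new certificate for subject with its own key."""
    sig = hmac.new(issuer.key, _tbs(subject, issuer.subject, serial, subject_key),
                   hashlib.sha256).digest()
    return Cert(subject, issuer.subject, serial, subject_key, sig)


def _signed_by(cert: Cert, issuer: Cert) -> bool:
    expected = hmac.new(issuer.key, _tbs(cert.subject, cert.issuer, cert.serial, cert.key),
                        hashlib.sha256).digest()
    return cert.issuer == issuer.subject and hmac.compare_digest(cert.sig, expected)


def verify_chain(leaf: Cert, intermediates: dict[str, Cert], anchors: dict[str, Cert],
                 revoked: frozenset = frozenset()) -> tuple[bool, str]:
    """Walk leaf -> intermediates -> trust anchor. Returns (ok, reason)."""
    cert = leaf
    for _ in range(8):  # bound the walk; real validators cap path length too
        if (cert.issuer, cert.serial) in revoked:
            return False, f"{leaf.subject}: serial {cert.serial} revoked by {cert.issuer}"
        parent = anchors.get(cert.issuer) or intermediates.get(cert.issuer)
        if parent is None:
            return False, f"{leaf.subject}: no certificate for issuer {cert.issuer}"
        if not _signed_by(cert, parent):
            return False, f"{leaf.subject}: signature does not verify under {parent.subject}"
        if parent.subject in anchors:
            return True, f"{leaf.subject}: chains to trust anchor {parent.subject}"
        cert = parent
    return False, f"{leaf.subject}: chain too long"


# Constructed hierarchy: root CA -> RA (intermediate) -> site certificates.
ROOT = self_sign("Example Root CA", b"root-key-constructed")
RA = issue(ROOT, "Example RA", serial=10, subject_key=b"ra-key-constructed")
LEGIT = issue(RA, "www.example.com", serial=1001, subject_key=b"site-key-1")
# Issued through the compromised RA: the issuance path is the legitimate one,
# so nothing in the signature chain distinguishes it from LEGIT.
ROGUE = issue(RA, "mail.example.org", serial=1002, subject_key=b"attacker-key")

ANCHORS = {ROOT.subject: ROOT}
INTERMEDIATES = {RA.subject: RA}


def demo() -> dict[str, bool]:
    """Outcomes for the legitimate and rogue certificates under each policy."""
    revoked = frozenset({(RA.subject, ROGUE.serial)})
    tampered = replace(ROGUE, subject="other.example.org")  # body changed, sig not
    return {
        "legit": verify_chain(LEGIT, INTERMEDIATES, ANCHORS)[0],
        "rogue_before_revocation": verify_chain(ROGUE, INTERMEDIATES, ANCHORS)[0],
        "rogue_after_revocation": verify_chain(ROGUE, INTERMEDIATES, ANCHORS, revoked)[0],
        "rogue_ra_distrusted": verify_chain(ROGUE, {}, ANCHORS)[0],
        "tampered": verify_chain(tampered, INTERMEDIATES, ANCHORS)[0],
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:25} {'valid' if ok else 'rejected'}")
```

The rogue certificate is accepted until either its serial is put on a revocation list or the RA's certificate is removed from the set of usable intermediates; the tampered case is only there to show that the signature check itself works. A relying party that cannot see inside the RA has no other signal to go on, which is exactly the concern in Mozilla's comment.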

“At first I decided to hack RSA algorithm, I did too much investigation on SSL protocol, tried to find an algorithm for factoring integer, analyzed existing algorithms, for now I was not able to do so, at least not yet, but I know it's not impossible and I'll prove it,” the message explains.

“I saw that there is easier ways of doing it, like hacking a CA. I was looking to hack some CAs like [Thawte], [VeriSign], Comodo, etc. I found some small vulnerabilities in their servers, but it wasn't enough to gain access to server and sign my CSRs,” he added. 

Researching Comodo’s InstantSSL, ComodoHacker explained that he located the Italian portal (InstantSSL.it), and was able to exploit the server for full access. From there, he discovered TrustDLL.dll, which does the signing for certificates issued by the RA.

Like any pentester, ComodoHacker decompiled the DLL. It contained all the hard-coded URLs and authentication credentials needed for him to bend Comodo to his will. It took some trial and error on his part, but the clues within the DLL allowed him to write the code needed to issue the rogue certificates. Also hard-coded in the DLL were links to GlobalTrust.
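The lesson for anyone shipping a client binary is that whatever is compiled into it should be treated as public. The scanner below is an added example, not code from the article, Comodo or the RA; it does the defender-side version of what the attacker did, running over a constructed byte blob that stands in for a DLL (it is not the contents of TrustDLL.dll, and every URL, account name and token in it is made up). It extracts printable strings the way the `strings` utility does and flags embedded URLs, `key=value` credentials and high-entropy tokens, so an audit can catch these before release.

```python
import re
from math import log2

# Constructed sample standing in for a client-side DLL that ships with
# endpoints and credentials baked in. It is NOT the contents of
# TrustDLL.dll; the URLs, account names and tokens are made up.
SAMPLE_BINARY = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    b"ra-signing-client\x00"
    b"https://ra.example.invalid/api/submit_csr\x00"
    b"https://ra.example.invalid/api/status\x00"
    b"username=ra_operator\x00"
    b"password=Tr0ub4dor&3xample\x00"
    b"api_key=k9Qz2xV7pLm4Rt8Wn3Yb6Hc1Jf5Dg0S\x00"
    b"dGhpcyBpcyBhIHRveSBzZWNyZXQga2V5\x00"  # constructed base64 blob, no key= prefix
    b"\x55\x8b\xec\x83\xec\x10\x53\x56\x57"  # a few bytes of machine code
    b"Copyright (c) Example Vendor\x00"
)

MIN_LEN = 6
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
CRED_RE = re.compile(
    r"(?i)\b(user(name)?|pass(word|wd)?|pwd|secret|api[_-]?key|token)\s*[=:]\s*\S+"
)
ENTROPY_MIN_LEN = 20
ENTROPY_THRESHOLD = 4.0  # bits/char; base64 or random tokens sit above this


def extract_strings(blob: bytes, min_len: int = MIN_LEN) -> list[str]:
    """Return runs of printable ASCII of at least min_len bytes."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, blob)]


def shannon_entropy(s: str) -> float:
    """Bits per character; random tokens score high, prose and paths low."""
    if not s:
        return 0.0
    counts: dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * log2(c / n) for c in counts.values())


def scan_binary(blob: bytes) -> list[tuple[str, str]]:
    """Classify each extracted string as url, credential or high-entropy."""
    findings = []
    for s in extract_strings(blob):
        urls = URL_RE.findall(s)
        if urls:
            findings.extend(("url", u) for u in urls)
            continue
        if CRED_RE.search(s):
            findings.append(("credential", s))
            continue
        token = s.strip()
        if (len(token) >= ENTROPY_MIN_LEN and " " not in token
                and shannon_entropy(token) >= ENTROPY_THRESHOLD):
            findings.append(("high-entropy", token))
    return findings


def masked(value: str) -> str:
    """Show only a prefix so the report does not itself leak the secret."""
    return value[:8] + "..." if len(value) > 8 else value


if __name__ == "__main__":
    for kind, value in scan_binary(SAMPLE_BINARY):
        print(f"{kind:13} {value if kind == 'url' else masked(value)}")
```

Run against a real build artifact, the same three checks give a release gate: any `credential` or `high-entropy` finding is a secret that belongs in a server-side vault or in a per-installation configuration the operator controls, and URLs tell you which endpoints will be reachable with whatever the binary carries. The entropy threshold is a heuristic; tune it on your own code base, since long identifiers and compressed resources can score above 4 bits per character.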

InstantSSL.it and GlobalTrust.it, as well as the domain mentioned as the one owned by InstantSSL’s CEO, mfpenco.com, are offline with “page under construction” messages. The CEO’s domain links to Entrust via the GlobalTrust logo, and GlobalTrust.it mirrors that link as well.

Comodo reported in its disclosure that the RA had other accounts breached. Also, according to ComodoHacker’s letter, GlobalTrust’s reseller links were not working at the time the attack was initiated.

The Tech Herald duly reached out to Entrust for comment and spoke with David Rockvam, the GM of Entrust Certificate Services and company CMO.

The first thing Rockvam stressed was that Entrust did not suffer any kind of breach during the Comodo incident. When it comes to ties with GlobalTrust, he explained that Entrust had enjoyed a relationship with the company, but that was in the early part of the last decade.

Based on the evidence, after GlobalTrust split with Entrust, it then went to Comodo. In truth, GlobalTrust is essentially an abandoned business; the GlobalTrust logos pointing to Entrust’s domain are relics of the past. The only link between Comodo and Entrust in existence today is the cross-certificate from Entrust that Comodo uses. This allows Comodo to have its root certificate trusted in older browsers and mobile devices.

After some ranting, the anonymous Iranian hacker finished his letter with a simple statement: “Janam Fadaye Rahbar”. For many, this was instantly recognized as 'I will sacrifice my soul for my leader'.

The first time The Tech Herald was exposed to that phrase was earlier this year. As we watched protestors supporting Anonymous’ efforts with Operation: Iran, the phrase would appear occasionally on our screens. Not everyone agrees with it, but it’s more of a patriotic point of view than an ideological one.

After reading the letter, one security expert said that it’s possible a single person pulled off the Comodo breach.

“A hacker is somebody who is too stupid to realize that what he’s attempting is impossible. You see that in the Comodo Hacker’s text. He just followed breadcrumbs, solving one clue at a time. Only after he was done does he realize the enormity of the problem,” commented Errata’s Robert Graham.

As word of the letter spread online, some asked why the attacker didn’t do more with his ill-gotten access. For example, why didn’t he target PayPal or other high-value targets?

“As he said, he started with one goal... He didn’t think of PayPal because [he] wasn’t trying to do anything at all with the forged certificates. The answer is that we hackers do not see the big picture. We follow the breadcrumbs through the forest, solving puzzles, but we can’t see anything beyond the nearest trees,” Graham explained.

The Tech Herald has reached out to Comodo for its thoughts on the hacker's explanatory letter. If we hear back, we will update this story.
