In a message posted on Pastebin, an individual using the handle "comodohacker" has claimed responsibility for last week’s hack-attack on the Comodo site, in which someone was able to gain access to the RA’s site and issue 9 SSL certificates for some major sites such as:
Comodo’s security blog states that they believe the attack was instigated by the Iranian government. However, the alleged hacker’s post does offer some clues that could be used to verify his claim. Robert Graham, of security consultancy Errata, said the results of his firm’s examination of the attack fit with the hacker’s general claims but that such an attack could certainly be perpetrated by a single individual.
Graham agreed with the alleged hacker that many were too quick to jump to the conclusion that the attack was backed by the Iranian state. "More to the point, what evidence points to the Iranian Government in the first place? The answer is ZERO," he said.
Chester Wisniewski, a security advisor from Sophos, added it was "…impossible to tell if the hacker was telling the truth, but whatever the case, it was clear that Comodo’s security wasn’t up to scratch."
The writer says that he is a 21-year-old Iranian college student. His post reads more like a manifesto than anything truly noteworthy. The whole debate over whether or not this is the alleged hacker(s) could be settled instantly if Comodo verified the credentials he says he used to access the databases.
From "comodohacker":
"I hacked Comodo from InstantSSL.it, their CEO’s e-mail address email@example.com
Their Comodo username/password was: user: gtadmin password: globaltrust
Their DB name was: globaltrust and instantsslcms"
His claim comes across as total quackery. The accounts involved shouldn’t accept that password. It doesn’t meet base criteria for security on even a middling level. The most basic rule of password security tells us not to use a dictionary word. Regardless of whether or not this is the actual perpetrator, Comodo certainly needs to conduct a security audit to ease the minds of those they issue SSL certificates to.
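The dictionary-word rule above can be enforced when a password is set. The following is an added example, not code from the post or from Comodo: it flags a password that is tiled entirely by dictionary words or that contains an account or database name. `WORDS` is a tiny constructed wordlist and the function names are hypothetical.

```python
# Added example: reject passwords built only from dictionary or context words.
# WORDS is a small constructed stand-in for a real wordlist (assumption).
WORDS = {"global", "trust", "admin", "secure", "pass", "word", "password"}

# Undo common character substitutions before matching (0->o, $->s, ...).
SUBST = str.maketrans("013457@$", "oleastas")

def normalize(s):
    return s.lower().translate(SUBST)

def segment(pw, vocab):
    """Return the words that tile pw completely, or None if it cannot be tiled."""
    best = {0: []}  # index -> list of words covering pw[:index]
    for end in range(1, len(pw) + 1):
        for start in range(end):
            if start in best and pw[start:end] in vocab:
                best[end] = best[start] + [pw[start:end]]
                break
    return best.get(len(pw))

def check_password(password, context=()):
    """Return policy findings for a candidate password; [] means none."""
    pw = normalize(password)
    findings = []
    # Context values: usernames, organisation names, database names, etc.
    ctx = {normalize(c) for c in context if c}
    if any(c in pw for c in ctx):
        findings.append("contains a context value")
    parts = segment(pw, WORDS)
    if parts:
        findings.append("composed only of dictionary words: " + "+".join(parts))
    return findings

# Username and database names as quoted in the post above.
CONTEXT = ("gtadmin", "globaltrust", "instantsslcms")

if __name__ == "__main__":
    for candidate in ("globaltrust", "Gl0balTru$t", "x7#Qm2!vLp9z"):
        print(candidate, "->", check_password(candidate, CONTEXT) or "no finding")
```

The quoted password fails both checks: it splits into two dictionary words and is identical to one of the database names, and simple character substitutions do not change either result.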
SEO news blog post by guestpost @ 5:59 pm on March 29, 2011