
    Beanstalk's SEO News Blog

    At Beanstalk Search Engine Optimization we know that knowledge is power. That's the reason we started this SEO blog. We know that the better informed our visitors are, the better the decisions they will make for their websites and their online businesses. We hope you enjoy your stay and find the SEO news contained within this blog useful.


    March 30, 2011

    Comodo Hacker Strikes Again

    A follow-up message has been posted on pastebin by an individual using the handle “COMODOHACKER.” The message is from the same individual who claimed responsibility for the hack on Comodo’s site and who issued 9 SSL certificates for major sites such as mail.google.com, www.google.com, login.live.com, addons.mozilla.org, login.skype.com, and login.yahoo.com.


    Apparently the “comodohacker” became quite upset that people did not believe he was in fact the real perpetrator of the hack. In his follow-up post he gave further evidence to support his claims, including a link to the forged Mozilla certificate and a file he claims comes from one of the Comodo databases he downloaded.

    In his follow-up message, Comodohacker states:

    "Some stupids in internet still cannot understand I’m behind the attack on SSL, talks about their small understandings about my hack and makes me nervous,"

    "I uploaded JUST 1 table of their ENTIRE database which I own. Also ask Comodo about my hack, ask them what I did to them. Let me tell you what I did: I was logged in into their server via RDP (remote desktop), they detected me and via hardware firewall, they added allowed IP for RDP, so I was no longer able to login via RDP. But I got UI control in their server just 2 days later, then I logged in via roberto franchini’s user/pass, then I formatted their external backup HDD, it was LG with backup of all files inside it. I formatted it. Then I stopped IIS, deleted all logs, not normal delete which could be recovered with recovery tools, I deleted it with secure delete method and in fact I wiped them."

    Rob Graham of Errata Security states that he has had further correspondence with the “comodohacker” and has verified that the private key for the forged Mozilla certificate is in fact authentic.

    Graham wrote, "Note that even the 'Certificate Authority' who signs a key does not know the private key. When somebody requests a certificate, they only send the 'hash' to the certificate authority. Therefore, nobody, not even Comodo, should know the private key."

    In what may be a retaliatory attack by the Comodohacker, Comodo reported this morning that two more affiliate Registration Authorities had been compromised, "but that no further mis-issued certificates have resulted from those compromises."

    To address the growing list of concerns about Comodo’s security practices in the wake of the attacks, Robin Alden stated that the company will be implementing improved authentication for all RA accounts, namely IP address restrictions and hardware-based two-factor authentication.

    Until the situation has been rectified, Mozilla officials have called on Comodo to stop issuing certificates to RAs directly from the root the company maintains. Alden stated that the company is proceeding to implement that model as soon as possible.

    SEO news blog post by @ 6:03 pm



    March 29, 2011

    The Lone Comodo-Hacker Theory

    In a message posted on pastebin, an individual using the handle "comodohacker" has claimed responsibility for last week’s attack on Comodo, in which someone gained access to an RA’s site and issued 9 SSL certificates for major sites such as:

    • mail.google.com
    • www.google.com
    • login.live.com
    • addons.mozilla.org
    • login.skype.com
    • login.yahoo.com

    Comodo’s security blog states that the company believes the attack was instigated by the Iranian government. However, the alleged hacker’s post does offer some clues that could be used to verify his claim. Robert Graham, of security consultancy Errata, said the results of his firm’s examination of the attack fit the hacker’s general claims, and that such an attack could certainly be perpetrated by a single individual.

    Graham agreed with the alleged hacker that many were too quick to conclude that the attack was backed by the Iranian state. "More to the point, what evidence points to the Iranian Government in the first place? The answer is ZERO," he said.

    Chester Wisniewski, a security advisor from Sophos, added that it was "…impossible to tell if the hacker was telling the truth, but whatever the case, it was clear that Comodo’s security wasn’t up to scratch."

    The writer says that he is a 21-year-old Iranian college student. His post reads more like a manifesto than anything truly noteworthy. The whole debate over whether this is the alleged hacker could be settled instantly if Comodo verified the credentials he says he used to access the databases.

    From the "comodohacker:"

    "I hacked Comodo from InstantSSL.it, their CEO’s e-mail address mfpenco@mfpenco.com
    Their Comodo username/password was: user: gtadmin password: globaltrust
    Their DB name was: globaltrust and instantsslcms"

    His claim comes across as total quackery. The accounts involved shouldn’t have accepted that password; it doesn’t meet even a middling baseline for security, and the most basic rule of password security tells us not to use a dictionary word. Regardless of whether this is the actual perpetrator, Comodo certainly needs to conduct a security audit to ease the minds of those it issues SSL certificates to.

    SEO news blog post by @ 5:59 pm



    March 25, 2011

    Comodo SSL Cracker-gate

    On March 15th 2011, a Comodo affiliate RA was compromised, resulting in the fraudulent issuance of 9 SSL certificates for sites in 7 domains:

    • mail.google.com
    • www.google.com
    • login.live.com
    • addons.mozilla.org
    • login.skype.com
    • login.yahoo.com

    In the ongoing Comodo SSL certificate scandal, Comodo claims it was infiltrated and that a cracker was able to bypass security using a valid username and password. This gave the intruder access to a Comodo affiliate that issues SSL certificates through Comodo’s UserTrust arm.

    Essentially, SSL certificates are used to prove that a site is legitimate. Stolen or fraudulently issued certificates can be used by an attacker to fool end users into thinking they are connected to the genuine site when in reality they are not.

    Comodo has stated that its site was hacked from an Iranian IP address, which usually suggests that the source was anything but Iranian; however, one of the bogus certs was used on an Iranian site for a short period of time.

    Comodo CEO Melih Abdulhayoglu stated on his company’s blog:

    Why do we think these are state driven/funded?

    "Well, one of the origins of the attack that we experienced is from Iran, what is being obtained would enable the perpetrator to intercept web based email/communication and the only way this could be done is if the perpetrator had access to the Country’s DNS infrastructure (and we believe it might be the case here). Of course this is our interpretation of the situation.
    First time we are seeing a "state funded" attack against the "authentication" infrastructure. The Threat Model is changing and Comodo had already initiated a proposal for new standards in 2010 which would help mitigate some of these attacks. We will make sure to double our efforts in getting industry wide acceptance to these much needed standards so that we can continue to defend our security and freedom."

    Comodo’s security blog went into more detail regarding the Iranian connection and claimed that at least two Iranian IP addresses and one ISP were involved.

    The question I keep coming back to is this: how did someone obtain a username and password from Comodo with sufficient privileges to issue SSL certificates in the first place, and who is monitoring the issuance of certificates?

    How could Comodo issue SSL certificates for google.com, live.com, yahoo.com, mozilla.org, and skype.com without somebody noticing or raising an alarm? Are there no watch lists in place to ensure that the issuance and distribution of SSL certificates for critical domain names is monitored? It seems to me that there is room for improvement within the trusted certification system and its oversight.
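    An added example, not code from the original post or from Comodo: a minimal issuance watch-list check in Python that flags any certificate whose names fall under a monitored domain, the kind of alarm the paragraph above asks about. The log format, RA account names and serial numbers are constructed for the demo; the watched domains are the ones the post lists.

```python
# Added example, not the original post's code: a watch-list check over constructed
# CA issuance-log records (the log format and lines below are made up for the demo).

# Domains whose issuance should always trigger review (from the post's list).
WATCH_LIST = {"google.com", "live.com", "mozilla.org", "skype.com", "yahoo.com"}

# Constructed records: "<timestamp> <ra_account> <serial> <names,comma-separated>"
SAMPLE_LOG = """\
2011-03-15T20:01:07Z ra_001 0x0a mail.google.com
2011-03-15T20:01:09Z ra_001 0x0b www.google.com,google.com
2011-03-15T20:01:12Z ra_001 0x0c login.live.com
2011-03-15T20:01:15Z ra_001 0x0d addons.mozilla.org
2011-03-15T20:01:18Z ra_001 0x0e login.skype.com
2011-03-15T20:01:20Z ra_001 0x0f login.yahoo.com
2011-03-15T20:02:00Z ra_acme 0x10 shop.example.net,*.shop.example.net
2011-03-15T20:02:05Z ra_acme 0x11 notgoogle.com,*.yahoo.com
"""

def watched_parent(name, watch_list=WATCH_LIST):
    """Return the watch-list entry that `name` equals or is a subdomain of, else None.

    Matching is by DNS label, so 'notgoogle.com' does not match 'google.com'
    while 'mail.google.com' does; a wildcard '*.yahoo.com' is judged by the
    part after '*.'."""
    host = name.lower().rstrip(".")
    if host.startswith("*."):
        host = host[2:]
    labels = host.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in watch_list:
            return candidate
    return None

def scan_issuance_log(log, watch_list=WATCH_LIST):
    """Return (serial, ra_account, name, watched_entry) for every name on the list."""
    alerts = []
    for line in log.splitlines():
        if not line.strip():
            continue
        _ts, account, serial, names = line.split(maxsplit=3)
        for name in names.split(","):
            hit = watched_parent(name.strip(), watch_list)
            if hit:
                alerts.append((serial, account, name.strip(), hit))
    return alerts
```

    Run over the constructed log, the check raises eight alerts, all but one from the same RA account, which is exactly the pattern a reviewer would want to see before any of those certificates left the CA.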

    Because each browser treats SSL certificate revocation differently, and because there is no standardized methodology shared by all of them, Comodo would have had to remove anywhere from 85,000 to 205,000 perfectly legitimate certificates.

    In a perfect internet, where all users have OCSP enabled, Google, Microsoft, Mozilla, and others would be able to simply update their lists of revoked certificates, so that when each browser checked a certificate an alarm would go off and the site would be flagged for investigation or simply dropped from the list of trusted sites.

    Why are browser updates necessary in order to revoke the SSL certificates? Because OCSP is not mandatory, browser vendors are instead pushing the revocations out as updates to the browsers themselves, which creates a delay in updating the list of trusted certificates.

    As more and more sites move towards HTTPS, more efficiency and trust within the signing authorities needs to be considered. Clearly we should also consider the need to monitor the issuance and distribution of trusted SSL certificates.
    Even though the certificates have now been revoked, users should update their browsers immediately and make sure OCSP is enabled, in order to verify that they have the latest list of trusted sites.

    Peter Eckersley, of the Electronic Frontier Foundation, states the obvious:

    "What we need is a robust way to cross-check the good work that CAs currently do, to provide defense in depth and ensure (1) that a private key-compromise failure at a major CA does not lead to an Internet-wide cryptography meltdown and (2) that our software does not need to trust all of the CAs, for everything, all of the time."

    The press was quick to label the perpetrators as originating from Iran. It is simply far too easy to spoof your IP address to hide your tracks and make it seem that you are coming from a different part of the world. Claims that the attacker’s IP originated from Iran are ambiguous at best.

    Comodo states:

    "It does not escape [our] notice that the domains targeted would be of greatest use to a government attempting surveillance of Internet use by dissident groups. The attack comes at a time when many countries in North Africa and the [Persian] Gulf region are facing popular protests."

    In my opinion, Comodo’s statement smacks of a conspiracy theory…or is it a covert attempt to divert attention from the possibility that this was an inside job?

    I think the bigger issue is not who was able to hack in and issue the bogus SSL certificates; security is always going to be a concern in any business. The fact that we do not have a single distinct authority monitoring the issuance of all SSL certificates needs to be strongly examined.

    SEO news blog post by @ 10:50 pm



    Copyright© 2004-2013
    Beanstalk Search Engine Optimization, Inc.
    All rights reserved.