The Iranian who claimed responsibility last week for breaking into two affiliates of Comodo, the Internet security provider, and issuing false security certificates says he has struck again and will continue to do so.
Comodo and other Certificate Authorities (CAs) issue, manage and revoke the digital certificates that let browsers and mail clients verify the identity of the servers handling email and other Internet traffic, so that the traffic can be encrypted to, and read only by, the intended party. They also have affiliated Registration Authorities (RAs) that verify an applicant’s identity before the applicant can receive a certificate. In an email interview reported by the magazine PCWorld, the Iranian who claims to be a solo hacker said he had hacked into two more of Comodo’s RAs as well as another CA besides Comodo.
Comodo chief technical officer Robin Alden confirmed the breach of two RAs, adding that the affected accounts had their RA privileges withdrawn. “No further mis-issued certificates have resulted from those compromises,” he wrote in an online post.
Comodo CEO Melih Abdulhayoglu, a Turkish-American, also said the attacks against the system were not successful, but he did not know the status of the other CA or whether it had been compromised. Abdulhayoglu says he does not believe the hacker’s claim to be a loner; he remains convinced that the Iranian government is behind the hacking.
After the first attack last month, the Comodo hacker demanded a “talk” with Massimo Penco, the Comodo Italy vice president who was first alerted to the attack and initiated the response that stopped the hacker from getting certificates. The hacker said he wanted to “know what they’re thinking about breach, how they detected my orders, etc.”
Penco ignored the demands, provoking this angry response from the alleged hacker: “Because I didn’t saw your reply, for now, just for now, I wiped your LG Drive and F: drive and all log files,” he wrote in a March 23 email, obtained by the IDG News Service. “So now, contact me before I do something so dangerous. Simply personally contact me, do not try to find me, do not try to remove me, do not try anything.… I could cause so hard impossible to recover damages, simply contact me, that’s all for now.”
Penco says most of the hacker’s claims are false. “When I saw what they published on the web about this attack, I thought what they said was absolutely crazy,” he commented. “They didn’t breach any of my servers; they didn’t breach any of my hard drives.”
Abdulhayoglu continues to say he does not believe the hacker is a 21-year-old solo operator. He says the evidence strongly suggests the attack was launched by the Iranian government. Stolen certificates would be useful to a country that wants to spy on its people and also controls the Internet infrastructure, he said. The certificates, he said, “are no use unless you have access to infrastructure.”
Regardless of who attacked, the threat of a breakdown of the Internet security system has security experts wondering how to prevent it. With hundreds of CAs able to issue certificates for any domain, and browsers programmed to trust every one of those CAs automatically, there is certainly an opportunity for abuse.
In the meantime, Comodo is working to ensure its RAs correctly authenticate applicants for certificates. Within the next two weeks, all RAs will be restricted to specific Internet addresses and will use a two-step authentication process so that others cannot impersonate an RA and issue security certificates. “Until that process is complete, Comodo will review 100 percent of all RA validation work before issuing any certificate,” said Alden of Comodo.