Comodo compromise expands, hacker talks

The attack on certificate authority Comodo continued to stay in the news this week, with a person claiming to be the sole perpetrator of the attack posting a handful of times online and the company acknowledging the hacker’s claims that two more of its partners had been breached.

On Saturday, a person writing under the name of “ComodoHacker” posted to PasteBin, claiming to be the attacker that breached the systems of a Comodo partner that vets requests for secure socket layer (SSL) certificates. Last week, Comodo acknowledged that an attacker coming from Iranian servers, which the company believed to be state-funded, had breached a partner and successfully used the access to request nine high-value certificates.

Tuesday, two security researchers confirmed that the private key released by the person in a subsequent post matched that of one of the fraudulently obtained certificates for Mozilla’s add-on site, proving that some of the hacker’s claims were accurate.

“It’s not so simple a hack, it took me time,” the hacker wrote. “I hacked a lot of resellers, but I found out that most of CAs verify customers in their own way. After a lot of research and talking as a customer to CAs, I found out there was possible potential in Comodo.”

The hacker also claimed to have breached another certificate authority and two more Comodo partners, the latter claim confirmed by Comodo’s chief technical officer on Tuesday.

“Two further RA accounts have since been compromised and had RA privileges withdrawn,” CTO Robin Alden wrote. “No further mis-issued certificates have resulted from those compromises.”

The SSL certificates are a key component of the security of the Internet, adding a level of authentication to domain names. Browsers rely on the certificates to send HTTP requests securely to an authenticated server, such as an online banks site. An attacker would need to control some part of the domain-name infrastructure or conduct a man-in-the-middle attack to make use of a certificate.

The problems in using the certificates were one piece of evidence that convinced Comodo that a nation-state had been behind the attacks, since a country, such as Iran, has control of its own DNS infrastructure.

However, in an email to CSO, the hacker claims that controlling DNS requests are not difficult.

There is “no need to access DNS infrastructure of entire Iran, I have my own personal targets and I already own a lot of these type of networks,” he wrote. “Owning a gateway of a network or owning a single PC in a target network with ARP (address resolution protocol) poisoning with my certs would solve too much problem for me.”