The attacker was able to generate false SSL certificates for Skype, Yahoo, Windows Live, Google Mail and Mozilla by breaking into websites GlobalTrust.it and InstantSSL.it, a Comodo partner based in Italy. The false certificates could have allowed others to launch phishing and man-in-the-middle attacks by disguising themselves behind counterfeit mirrored versions of the targeted sites.
While Comodo stated last week that the sophistication of the attack indicated that it was based in Iran and state-sponsored, a letter posted on text-sharing site Pastebin and signed by Janam Fadaye Rahbar, claimed that he acted alone and was not part of any state-sponsored political agenda, nor was he affiliated with the Iranian Cyber Army, a hacking group believed to be part of the Iranian government.
In his message, written in broken English, Rahbar explains that what motivated him was the absence of any response to revelations that Israel and the United States were behind Stuxnet, a cyberattack on nuclear facilities in Iran believed to have originated from the two countries. He brags of his technical abilities and threatens those "who have problem with Islamic Republic of Iran."
His attack, he explained, sought to compromise the SSL root certificate system. He began by trying to find a weakness in the RSA algorithm underlying the security of the system. When that proved too difficult, he turned his attention to the security of certificate authorities (CAs), which vouch for the digital identities of secure websites.
"Comodohacker," as the self-described 21-year-old dubbed himself, quickly discovered a weak link in the so-called chain of trust on which the entire digital certificate system is based: Comodo partner InstantSSL.it exposed an application interface that let developers submit certificate signing requests using plaintext login credentials. With those credentials, the attacker was able to have fraudulent digital certificates signed.
In an advisory on the Mozilla Security Blog, the web browser company stated that it does not believe that there has been a root key compromise: "Nevertheless, an attacker armed with these fraudulent certificates and an ability to control their victim's network could impersonate the sites in a way that would be undetectable to most users."
While the certs were revoked, the incident was serious enough to prompt Comodo to institute new controls and for the major web browsers – Mozilla's Firefox, Microsoft's Internet Explorer and Google's Chrome – to issue updates to their browsers last week.
Despite the defenses put in place, some experts are raising doubts as to whether this was really the work of a single attacker.
"The Comodo hacker says he's Iranian but not from the government," Mikko Hypponen, chief research officer at Helsinki, Finland-based computer security firm F-Secure, posted in a tweet. "But [if] he could have created certs for any site, why choose Skype, Gmail, Hotmail?"
Chester Wisniewski, senior security adviser at Sophos Canada, writing on a Sophos blog, asked a similar question: "If it was a lone hacker making a point, why issue certificates for these specific websites, all related to secure communication methods often used by dissidents to organize protests and share news with the world? His ramblings certainly show his support for [Iran President] Mahmoud Ahmadinejad and the current Iranian regime, but there are no conclusive ties to his government."
While nabbing the culprit might take some time, what is clear, say experts, is that the incident is a wake-up call for the security of the SSL certification process.
"Once again we come back to insecure passwords and password handling techniques," Wisniewski wrote. "Fortunately the impact of this incident is quite small and may be a wake-up call for the certificate industry as a whole." The practice of directly signing certificates with the root certificate, as Comodo had been doing, "is really bad practice," he added.
"We are concerned about the amount of trust Comodo seems to have placed in RAs (registration authority) whose network security they did not oversee," the Mozilla Security Blog stated.
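The following Go program is an added illustration and is not code from Comodo, Mozilla or any browser vendor. It models the situation the article describes: a root CA signs server certificates directly on request, so a certificate obtained through a compromised registration authority chains to the trusted root and validates exactly like a legitimate one, which is why Mozilla calls the impersonation "undetectable to most users". It then shows two client-side defences: public-key pinning for a known host, and the kind of certificate-fingerprint blocklist that a browser update can carry once the fraudulent certificates are identified. The root CA name and the hostname `mail.example.test` are constructed for the example, and the pin and blocklist maps stand in for whatever store a real client would consult.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// keyPair bundles a certificate with its private key.
type keyPair struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// sign builds a certificate from tmpl, signed by parent (self-signed when
// parent is nil), and returns it together with a fresh P-256 key.
func sign(tmpl *x509.Certificate, parent *keyPair) keyPair {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	must(err)
	tmpl.SerialNumber = serial
	tmpl.NotBefore = time.Now().Add(-time.Hour)
	tmpl.NotAfter = time.Now().Add(24 * time.Hour)
	parentCert, signer := tmpl, key
	if parent != nil {
		parentCert, signer = parent.cert, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parentCert, &key.PublicKey, signer)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return keyPair{cert, key}
}

// newRoot creates a self-signed root CA, the top of the chain of trust.
func newRoot(name string) keyPair {
	return sign(&x509.Certificate{
		Subject:               pkix.Name{CommonName: name},
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}, nil)
}

// issueLeaf has the CA sign a server certificate for host directly with the
// root key (the practice the article calls bad). The CA cannot tell a request
// submitted with stolen RA credentials from a legitimate one.
func issueLeaf(ca keyPair, host string) keyPair {
	return sign(&x509.Certificate{
		Subject:     pkix.Name{CommonName: host},
		DNSNames:    []string{host},
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, &ca)
}

// fingerprint is the hex SHA-256 of the DER certificate, the value a
// blocklist entry for a known-bad certificate would carry.
func fingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.Raw)
	return hex.EncodeToString(sum[:])
}

// spkiPin is the base64 SHA-256 of the SubjectPublicKeyInfo, the usual
// form of a public-key pin.
func spkiPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// verify acts as a client: reject blocklisted certificates, require a chain
// to the trusted root that is valid for host, and enforce a pin when one is
// known for that host. pins may be nil.
func verify(leaf, root *x509.Certificate, host string, blocklist map[string]bool, pins map[string]string) error {
	if blocklist[fingerprint(leaf)] {
		return fmt.Errorf("certificate %s... is blocklisted", fingerprint(leaf)[:16])
	}
	pool := x509.NewCertPool()
	pool.AddCert(root)
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host}); err != nil {
		return err
	}
	if want, ok := pins[host]; ok && want != spkiPin(leaf) {
		return fmt.Errorf("public key for %s does not match pin", host)
	}
	return nil
}

func main() {
	root := newRoot("Example Root CA (constructed)")
	host := "mail.example.test" // constructed hostname
	legit := issueLeaf(root, host)
	rogue := issueLeaf(root, host) // obtained through the compromised RA
	none := map[string]bool{}
	fmt.Println("rogue cert, chain validation only:", verify(rogue.cert, root.cert, host, none, nil))
	pins := map[string]string{host: spkiPin(legit.cert)}
	fmt.Println("rogue cert, with pin:", verify(rogue.cert, root.cert, host, none, pins))
	block := map[string]bool{fingerprint(rogue.cert): true}
	fmt.Println("rogue cert, after blocklist update:", verify(rogue.cert, root.cert, host, block, nil))
}
```

Run with `go run .`: the first line prints `<nil>`, because plain chain validation accepts the rogue certificate; the second and third print errors, because the pin and the blocklist each reject it while the legitimate certificate still passes. The program also shows why an offline root behind an intermediate CA matters: here the root key signs every leaf, so any compromise of the issuance path is a compromise of the root's trust.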