Comodo Hacker Takes Credit For Massive DigiNotar Hack

Published: 22/11/2024
Category: security




Even as the number of rogue digital certificates skyrockets to more than 500 -- with some spoofing major domains -- overall impact so far has mostly been minimal outside of Iran, experts say



The fallout from the recent breach of certificate authority (CA) DigiNotar continues at a rapid pace as more details about the scope of the attack come to light: More than 500 rogue digital certificates were created for such high-profile domains as cia.gov, microsoft.com, Microsoft's windowsupdate.com, and mozilla.org, as well as one posing as VeriSign Root CA. In addition, more than 300,000 IP addresses, mostly in Iran, have been compromised.
The plot further thickened today when the hacker who breached certificate authority Comodo earlier this year claimed he was also behind the DigiNotar attack, and has hacked four more CAs, including GlobalSign and StartCom: "I told all that I can do it again, I told all in interviews that I still have accesses in Comodo resellers, I told all I have access to most of CAs," wrote the hacker, who goes by the alias ComodoHacker and claims to be Iranian. He indicated that the attacks were in retaliation for the 16-year anniversary of a massacre of thousands of Muslims during the Bosnian War in the town of Srebrenica.
He says he has 300 code-signing certs, including code-signing privileges with Google's certificate. "I'm able to issue windows update, Microsoft's statement about Windows Update and that I can't issue such update is totally false! I already reversed ENTIRE windows update protocol," he wrote today.
GlobalSign as of today has temporarily suspended the issuance of digital certificates until it can investigate ComodoHacker's claims. "We saw the Pastebin message. We are currently investigating and take this very seriously," says Steve Wait, chief marketing officer at GlobalSign.
And Microsoft today moved all DigiNotar certs to its untrusted certificate store -- not just the initial offending ones that Microsoft and other browser makers revoked last week -- and yesterday said that no Microsoft users were at risk of phony Windows Updates from attackers using the rogue windowsupdate.com certificate. "The Windows Update service uses multiple means of checking that the content distributed is legitimate and uncompromised," blogged Dave Forstrom, director of Microsoft's Trustworthy Computing program.
But what does the breach of the Dutch CA DigiNotar really mean for most U.S. businesses and individuals?
Aside from providing a stark example of just how broken the CA system really is, not much, some security experts say. An official preliminary audit report by Fox-IT on the DigiNotar hack, as well as a report by Trend Micro, show that the attackers appear to have been targeting the interception of communications in Iran.
"The impact on the rest of the world is pretty small," says Ivan Ristic, director of engineering at Qualys and an SSL expert. The worst-case scenario is that Iranian citizens who oppose their government have had their encrypted Gmail correspondence intercepted and read, he says. "Their lives could be ruined," Ristic says of the Iranian dissidents who might have had their SSL communications hijacked.
But there's been virtually no impact outside Iran thus far, he says. And this type of attack typically doesn't have much shelf life, anyway, he says. "Hijacking of a CA is not a reliable [method in the long run] because it's easy to detect," he says. "This was the first big case. In the future, people will be more vigilant and able to detect these things more quickly. Then the usefulness of this attack is going to decrease."
According to the Fox-IT report, the evidence points to targeting Iranians. Fingerprints also were left behind that are linked to the ComodoHacker, according to the report. "They used both known hacker tools as well as software and scripts developed specifically for this task. Some of the software gives an amateurish impression, while some scripts, on the other hand, are very advanced. In at least one script, fingerprints from the hacker are left on purpose, which were also found in the Comodo breach investigation of March 2011," Fox-IT said in its report.
"The list of domains and the fact that 99 percent of the users are in Iran suggest that the objective of the hackers is to intercept private communications in Iran," the report says.
Trend Micro also has posted evidence of what it says demonstrates that the attack was targeting Iranians. "We found that Internet users in more than 40 different networks of ISPs and universities in Iran were met with rogue SSL certificates issued by DigiNotar. Even worse, we found evidence that some Iranians who used software designed to circumvent traffic censorship and snooping were not protected against the massive man-in-the-middle attack," blogged Feike Hacquebord, senior threat researcher for Trend Micro.
Even so, there's real potential for collateral damage when phony certs are floating around, experts say.
Jeff Hudson, CEO at Venafi, says enterprises must wake up because a forged certificate can compromise an entire network: "Get out of denial. Understand that this is a huge issue of business continuity," he says. "And don't think you won't be compromised, because you will."
He recommends taking a close look at certificate-protected servers and apps. "All enterprises need to look at their highest-value assets -- servers and applications where sensitive and regulated data flows, and that are protected by certificates," Hudson says. "Plans must be in place to recover anytime the trust provider is compromised."
But Roel Schouwenberg, senior researcher at Kaspersky Lab, says the breach at DigiNotar will place cybersecurity and cyberwarfare on the political agenda in a way Stuxnet did not. "Stuxnet had a huge impact. However, there didn't seem to be a sense of urgency to put cyberwar and cybersecurity on most of the political agendas," he said in a blog post today.
Schouwenberg maintains that the attack was most likely the work of a government body. "Any kind of hints found in the registered certificates could well be decoys," he said.
He also predicted that DigiNotar would be driven out of business, mainly due to its failure to disclose the breach. "With some 500 authorities out there globally, it's hard to believe DigiNotar is the only compromised CA out there. DigiNotar will quite likely go out of business. This should serve as a very strong message for CAs to go public with any breach," he said.
Meanwhile, the Dutch government is investigating criminal and civil responsibilities for the hack, and DigiNotar could be accused of negligence. And according to a report today in The New York Times, the Dutch government is also looking at whether personal information of Dutch citizens was exposed in the wake of the breach.