
Comodo SSL certificates hacked


nsane.forums


nsane.forums

Comodo's tag line is "creating trust online". That may be true most of the time, but after an attack resulted in nine fraudulent SSL certificates (targeting domains like Google, Yahoo, Skype, and Windows Live) it might be wise to trust Comodo a little less.

A statement from Comodo explains that a root authority (RA) was breached. The attacker created a user account, and used the fraudulent account to issue nine rogue SSL certificates spanning seven different domains. The Comodo statement says, "The attacker was well prepared and knew in advance what he was to try to achieve. He seemed to have a list of targets that he knew he wanted to obtain certificates for, was able quickly to generate the [requests] for these certificates and submit the orders to our system so that the certificates would be produced and made available to him."

Comodo stresses that all nine certificates were revoked immediately upon discovery of the attack, and that it has not detected any attempts to use the certificates after they were revoked. Comodo believes the attack originated in Iran, and based on the target domains it may be a state-sponsored attempt to hack webmail accounts of political dissidents.

Oliver Lavery, Director of Security Research at nCircle, shared some thoughts about the attack. "What I find fascinating about this attack is the choice of domains because they aren't useful unless you have control of the DNS infrastructure." Lavery goes on to explain that a country like Iran does have control of the DNS infrastructure within its boundaries to an extent, and speculates that this attack could have been executed with the intent to intercept encrypted Internet communications.

The login.live.com domain used for logging in to Windows Live accounts was one of the domains compromised by the rogue Comodo certificates. Microsoft has issued a security advisory, and released a mitigation update to update the certificate revocation list on Windows PCs and prevent them from accepting the fake SSL certificates as legitimate.

In the wake of the hack against the RSA network which breached sensitive information related to the SecurID tokens used by millions to provide two-factor authentication and prevent unauthorized access, the compromise of Comodo SSL certificates is concerning. We all know that attackers are out there, and we realize we must take steps to protect our PCs and our data. But, if two of the most trusted names in providing that security get compromised in the same week, it leaves you feeling a little hopeless and outgunned.

nCircle's Director of Security Operations, Andrew Storms, added, "There will be a lot of critical people watching to see how Comodo responds as this incident unfolds. The security community in particular will demand a lot of transparency in order to rebuild their trust in Comodo."

A statement from Comodo explains that a root authority (RA) was breached. The attacker created a user account, and used the fraudulent account to issue nine rogue SSL certificates spanning seven different domains. The Comodo statement says, "The attacker was well prepared and knew in advance what he was to try to achieve. He seemed to have a list of targets that he knew he wanted to obtain certificates for, was able quickly to generate the [requests] for these certificates and submit the orders to our system so that the certificates would be produced and made available to him."

Which simply means, it was most likely an inside job, or a previous disgruntled employee who had system access and knew very well what to do and how quickly to do it.



nsane.forums

Whenever you visit a secure website (HTTPS) your browser verifies that the site is properly secured based on the site's certificate. If the site doesn't have a valid certificate, most browsers make it pretty clear that the site you are visiting cannot be verified as an actual secure site. It all works pretty well to ensure your browsing experience is safe until the company issuing the certificates is hacked.

Comodo admitted yesterday that on March 15, 2011 a Registration Authority (RA) in southern Europe was compromised and fraudulent certificates were created. The hacker somehow gained access to an administrative username and password, which they then used to create their own username and password to create SSL certificates for login.live.com, mail.google.com, login.yahoo.com, login.skype.com, addons.mozilla.org and Global Trustee.

As soon as they found out the fraudulent certificates were created, Comodo immediately revoked them. They also said that only one of the certificates was tested and it received a revoked response. The site that the hacker used to test it was immediately unavailable after the certificate failed. The attack originated from an Iranian IP address and the server used to test the certificate was based in Iran. This led Comodo to draw the following conclusions:

The circumstantial evidence suggests that the attack originated in Iran.

The perpetrator has focussed simply on the communication infrastructure (not the financial infrastructure as a typical cyber-criminal might).

The perpetrator can only make use of these certificates if it had control of the DNS infrastructure.

The perpetrator has executed its attacks with clinical accuracy.

The Iranian government has recently attacked other encrypted methods of communication.

All of the above leads us to one conclusion only: that this was likely to be a state-driven attack.

Fortunately, the certificates the hacker created would not be usable unless they were able to take over the DNS to point the domains for the fraudulent certificates to their own servers' IPs.


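The post above describes the two things a client does with a certificate: check that a trusted CA signed it for the hostname, and (if it bothers) check the CA's revocation list. The following Go program is an added example, not code from the article, Comodo or the forum; it builds a constructed root CA, has it issue a leaf for mail.google.com to a party that does not control that name, and then shows that ordinary chain validation accepts the certificate while only the CRL lookup flags it. All keys, serial numbers and the "Constructed Root CA" name are made up for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Evaluate mirrors a TLS client's two checks: is the leaf signed by a trusted root for this
// hostname, and does the CA's CRL list its serial? Only the CRL step catches a certificate a
// trusted CA genuinely signed for a name the requester never controlled.
func Evaluate(leaf, root *x509.Certificate, crl *x509.RevocationList, host string) (chainOK, revoked bool) {
	chainOK = leaf.CheckSignatureFrom(root) == nil && leaf.VerifyHostname(host) == nil
	if crl != nil && crl.CheckSignatureFrom(root) == nil { // trust only a CRL the CA itself signed
		for _, rc := range crl.RevokedCertificates {
			revoked = revoked || rc.SerialNumber.Cmp(leaf.SerialNumber) == 0
		}
	}
	return chainOK, revoked
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// Scenario builds a constructed root CA, a leaf it issued for mail.google.com, and the CRL
// the CA publishes once the misissuance is noticed (all keys and names are made up here).
func Scenario() (leaf, root *x509.Certificate, crl *x509.RevocationList) {
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	now := time.Now()
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Root CA"},
		NotBefore: now, NotAfter: now.Add(time.Hour), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	root = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, caKey.Public(), caKey))))
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(4242), DNSNames: []string{"mail.google.com"},
		NotBefore: now, NotAfter: now.Add(time.Hour), ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	leaf = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, leafTmpl, root, leafKey.Public(), caKey))))
	crlTmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: leaf.SerialNumber, RevocationTime: now}}}
	crl = must(x509.ParseRevocationList(must(x509.CreateRevocationList(rand.Reader, crlTmpl, root, caKey))))
	return leaf, root, crl
}
```

Calling `Evaluate` with a nil CRL returns (true, false): the mis-issued certificate passes every check a client makes when it skips revocation. Passing the CA's CRL returns (true, true), which is the only signal that separates it from a legitimate certificate, and is why Microsoft's pushed CRL update mattered.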

