Lone Iranian claims credit for Comodo certificate hack
By Nicole Kobie
Posted on 28 Mar 2011 at 08:34
An Iranian hacker has claimed responsibility for the security certificate attack against Comodo, saying it wasn't backed by the Government.
Last week, the security certificate issuing authority admitted it had been hacked, with the attackers creating fake security certificates for sites such as Gmail, Skype, Hotmail and more.
Comodo said the nature of the hack and the targets led it to believe the attack was instigated by the Iranian Government.
That belief has been thrown into doubt by posts on website PasteBin from a hacker who claims to have managed the attack by himself. The individual, who calls himself ComodoHacker, claims to be a 21-year-old Iranian.
He shared details of the attack in a post online, promising more attacks to come, and bragging: "I'm not a group of hacker, I'm single hacker with experience of 1,000 hackers".
Robert Graham, of security consultancy Errata, said the results of his firm's examination of the attack fit with the hacker's general claims.
Despite the complexity and size of the attack, Graham said it was possible the hack came from one person, and didn't need state backing. "A hacker is somebody who doesn't realise that what he’s attempting is impossible," he said in a blog post, explaining that the attack would have been accomplished "one clue at a time."
"This is why hacking gets addictive - solving puzzles like this is enormously satisfying. It's also why people are quick to assume the difficulty of a hack means a 'nation state' is involved rather than a '21-year-old college student'."
Graham agreed with the alleged hacker that many were too quick to jump to the conclusion that the attack was backed by the Iranian state. "More to the point, what evidence points to the Iranian Government in the first place? The answer is 'zero'," he said.
Lone hacker or good PR?
Others weren't so sure the claims should be believed. "Do we really believe that a lone hacker gets into a CA [certificate authority], can generate any certificate he wants... and goes after login.live.com instead of paypal.com?" F-Secure's Mikko Hypponen said via Twitter.
"The PasteBins look convincing," he added. "Whether they were posted by a 21-year-old lone gunman or Iran Government PR department, I don't know."
Chester Wisniewski, a security advisor from Sophos, added it was "impossible" to tell if the hacker was telling the truth, but whatever the case, it was clear that Comodo's security wasn't up to scratch.
"Once again we come back to insecure passwords and password handling techniques," he said in a post on the Sophos blog, adding that "the practice of directly signing certificates with the root certificate, as Comodo had been doing, is really bad practice."
US-based Comodo wasn't available for comment at the time of publishing.