Lone Iranian claims credit for Comodo certificate hack
By Nicole Kobie
Posted on 28 Mar 2011 at 08:34
An Iranian hacker has claimed the security certificate attack against Comodo, claiming it wasn't backed by the Government.
Last week, the security certificate issuing authority admitted it had been hacked, with the attackers creating fake security certificates for sites such as Gmail, Skype, Hotmail and more.
Comodo said the nature of the hack and the targets lead it to believe the attack was instigated by the Iranian Government.
A hacker is somebody who doesn't realize that what he’s attempting is impossible
That belief has been thrown into doubt by posts on website PasteBin from a hacker who claims to have managed the attack by himself. The individual, who calls himself ComodoHacker, claims to be a 21-year-old Iranian.
He shared details of the attack in a post online, promising more attacks to come, and bragging: "I'm not a group of hacker, I'm single hacker with experience of 1,000 hackers".
Robert Graham, of security consultancy Errata, said the results of his firm's examination of the attack fit with the hacker's general claims.
Despite the complexity and size of the attack, Graham said it was possible the hack came from one person, and didn't need state backing. "A hacker is somebody who doesn't realise that what he’s attempting is impossible," he said in a blog post, explaining that the attack would have been accomplished "one clue at a time."
"This is why hacking gets addictive - solving puzzles like this is enormously satisfying. It's also why people are quick to assume the difficulty of a hack means a 'nation state' is involved rather than a '21-year-old college student'."
Graham agreed with the alleged hacker that many were to quick to jump to the conclusion that the attack was backed by the Iranian state. "More to the point, what evidence points to the Iranian Government in the first place? The answer is 'zero'," he said.
Lone hacker or good PR?
Others weren't so sure the claims should be believed. "Do we really believe that a lone hacker gets into a CA [certificate authority], can generate any certificate he wants... and goes after login.live.com instead of paypal.com?" F-Secure's Mikko Hypponen said via Twitter.
"The PasteBins look convincing," he added. "Whether they were posted by a 21-year-old lone gunman or Iran Government PR department, I don't know."
Chester Wisniewski, a security advisor from Sophos, added it was "impossible" to tell if the hacker was telling the truth, but whatever the case, it was clear that Comodo's security wasn't up to scratch.
"Once again we come back to insecure passwords and password handling techniques," he said in a post on the Sophos blog, adding that "the practice of directly signing certificates with the root certificate, as Comodo had been doing, is really bad practice."
US-based Comodo wasn't available for comment at the time of publishing.
- Google Glass: mugger bait, pub problem and other lessons learned from two dangerous weeks
- Twitter, please don't fiddle with my feed
- How Satya Nadella can get some pay-raise karma
- Windows 10: a step back to go forward
- Michael Dell: Cloud infrastructure is the roads, bridges and highways of the 21st century
- How to check your identity hasn’t been sold to the hackers
- Tim Cook: this is how much TV has changed since the 70s
- Westminster wins the .London battle
- 20 years of PC Pro: from deep pan pizza to virtualisation
- Five reasons why the Apple Watch leaves me cold
- How to write your company's IT security policy
- The key to choosing a secure password
- Please stop reposting fake Facebook messages
- Is Facebook safe for business?
- Don't rely on Chrome's password vault
- Facebook Graph Search: don't panic
- Gmail drafts and Pastebin: could they evade the email snoops?
- Applying for a job at GCHQ? Here's your plain-text password
- Google two-step verification: a must for business email
- Yes, I write down my passwords