Lone Iranian claims credit for Comodo certificate hack
By Nicole Kobie
Posted on 28 Mar 2011 at 08:34
An Iranian hacker has claimed the security certificate attack against Comodo, claiming it wasn't backed by the Government.
Last week, the security certificate issuing authority admitted it had been hacked, with the attackers creating fake security certificates for sites such as Gmail, Skype, Hotmail and more.
Comodo said the nature of the hack and the targets lead it to believe the attack was instigated by the Iranian Government.
A hacker is somebody who doesn't realize that what he’s attempting is impossible
That belief has been thrown into doubt by posts on website PasteBin from a hacker who claims to have managed the attack by himself. The individual, who calls himself ComodoHacker, claims to be a 21-year-old Iranian.
He shared details of the attack in a post online, promising more attacks to come, and bragging: "I'm not a group of hacker, I'm single hacker with experience of 1,000 hackers".
Robert Graham, of security consultancy Errata, said the results of his firm's examination of the attack fit with the hacker's general claims.
Despite the complexity and size of the attack, Graham said it was possible the hack came from one person, and didn't need state backing. "A hacker is somebody who doesn't realise that what he’s attempting is impossible," he said in a blog post, explaining that the attack would have been accomplished "one clue at a time."
"This is why hacking gets addictive - solving puzzles like this is enormously satisfying. It's also why people are quick to assume the difficulty of a hack means a 'nation state' is involved rather than a '21-year-old college student'."
Graham agreed with the alleged hacker that many were to quick to jump to the conclusion that the attack was backed by the Iranian state. "More to the point, what evidence points to the Iranian Government in the first place? The answer is 'zero'," he said.
Lone hacker or good PR?
Others weren't so sure the claims should be believed. "Do we really believe that a lone hacker gets into a CA [certificate authority], can generate any certificate he wants... and goes after login.live.com instead of paypal.com?" F-Secure's Mikko Hypponen said via Twitter.
"The PasteBins look convincing," he added. "Whether they were posted by a 21-year-old lone gunman or Iran Government PR department, I don't know."
Chester Wisniewski, a security advisor from Sophos, added it was "impossible" to tell if the hacker was telling the truth, but whatever the case, it was clear that Comodo's security wasn't up to scratch.
"Once again we come back to insecure passwords and password handling techniques," he said in a post on the Sophos blog, adding that "the practice of directly signing certificates with the root certificate, as Comodo had been doing, is really bad practice."
US-based Comodo wasn't available for comment at the time of publishing.
- Tech City: Easy to score when you move the goalposts
- How to remove SkyDrive from the Windows 8.1 Explorer
- Switching from iPhone to Android? Switch off iMessage
- Why is Google pumping more money into Firefox?
- Sky Broadband Shield review
- Samsung Galaxy S4: how to double your battery life
- Motorola Moto G review: first look
- IBM Watson meets Willy Wonka
- Google’s support policies shove users towards Chrome
- Lenovo Yoga Tablet review: first look
- Don't rely on Chrome's password vault
- Facebook Graph Search: don't panic
- Gmail drafts and Pastebin: could they evade the email snoops?
- Applying for a job at GCHQ? Here's your plain-text password
- Google two-step verification: a must for business email
- Yes, I write down my passwords
- How to deal with a ransomware attack
- How secure is your Wi-Fi network?
- How QR codes caught out the security pros
- Why I do not trust Do Not Track... yet