Comodohacker returns in DigiNotar incident

A hacker known as Comodohacker has taken responsibility for the recent attack against Dutch certificate authority DigiNotar and is now threatening to release fake security certificates for other companies that he has hacked.

Beyond issuing a phony certificate for Google.com, DigiNotar has admitted that the attack actually caused the company to issue more than 500 fake Secure Sockets Layer (SSL) certificates for a variety of major organizations, including the CIA, MI6, Facebook, Microsoft, Skype, and Twitter.

SSL certificates are used to authenticate secure Web sites to ensure that users are connecting to the intended site. Faked certificates are especially alarming, as they can redirect Internet users to the wrong Web sites, perhaps with malicious intent, and destroy confidence in the CAs (certificate authorities).

The name "Comodohacker" stems from a similar security breach in March. At that time, New Jersey-based Comodo, which issues digital certificates, announced that an intruder it traced to Iran had compromised a reseller's network and obtained fraudulent certificates for major Web sites, including ones operated by Google and Microsoft.

In April, the hacker claimed to CNET that he was a 21-year-old Iranian patriot who carried out the attack to protest the policies of the U.S. government in the Middle East. He also cited revenge over the Stuxnet worm, which was launched last year as an attempt to sabotage an Iranian nuclear power plant and is thought by some to have been triggered by the U.S. or Israeli government.

In an account of the attack posted on Pastebin today, the hacker boasted that he has access to other certificate authorities and will use them.

"You know, I have access to 4 more so HIGH profile CAs, which I can issue certs from them too which I will, I won't name them, I also had access to StartCom CA, I hacked their server too with so sophisticated methods, he was lucky by being sitted in front of HSM for signing, I will name just one more which I still have access: GlobalSign, let me use these accesses and CAs, later I'll talk about them too.."

Trying to strike out at the Dutch government, the hacker pinned the motive behind his attack on the government's role in the Srebrenica genocide, which occurred 16 years ago on July 11. A report in 2002 blamed the Dutch government for failing to prevent the massacre in which up to 8,000 men and boys were killed by Bosnian Serb forces, according to the BBC, resulting in the resignation of the entire Dutch cabinet.

"For now," the hacker wrote," keep thinking about what Dutch government did in 16 years ago in same day of my hack, I'll talk later and I'll introduce to you MOST sophisticated hack of the year which will come more, you have to also wait for other CA's certificates to be used by me, then I'll talk about them too."

Related stories:
• Behind Comodo hack, an insecure Web (roundup)
• Fraudulent Google certificate points to Internet attack
• Google users in Iran targeted in SSL spoof
• Dutch firm linked to many more fraudulent Net certificates

In light of the incident, the Dutch government has already revoked trust for DigiNotar's security certificates and has taken over management of DigiNotar, according to security vendor Kaspersky Lab. The latest versions of Internet Explorer, Google Chrome, and Firefox have also revoked trust in all DigiNotar certificates.

An audit from DigiNotar by the Dutch government found that the attack apparently started on June 17 and ran for more than a month, despite the hacker's claim of July 11. During that time, the hacker managed to break into several CA servers, a Kaspersky representative noted, where he launched various attack tools, and ran custom scripts and tools designed to compromise DigiNotar. Overall, more than 531 fake certificates were issued as a result of the attack.

Meanwhile, Fox-IT, a digital investigative company hired by the Dutch government, said about 300,000 Internet Protocol addresses had accessed sites using fraudulent google.com certificates between July 27 and August 29 and almost all of them originated in Iran, according to a Computerworld report. That echoes what Google said about the attack primarily affecting people in Iran.

This simulation from Fox-IT on YouTube shows most of the traffic that went through the fake google.com domain was from Iran:

Fox-IT said a Web server in Iran was continuing its attack attempts, against DigiNotar, which is being investigated by the Dutch government, according to Computerworld.

DigiNotar representatives did not immediately respond to e-mails seeking comment today.

Microsoft said this morning that it has designated all DigiNotar certificates as untrustworthy. "We recognize this issue as an industry problem, and we have been actively collaborating with certificate authorities, governments, and software vendors to help protect our mutual customers," the company said in a post on its Microsoft Security Response Center blog.

In his account of the attack, the hacker promised to reveal how he bypassed system security, but for now, he seemed to taunt DigiNotar with his exploits.

I'll talk technical details of hack later, I don't have time now... How I got access to 6 layer network behind internet servers of DigiNotar, how I found passwords, how I got SYSTEM privilage in fully patched and up-to-date system, how I bypassed their nCipher NetHSM, their hardware keys, their RSA certificate manager, their 6th layer internal "CERT NETWORK" which have no ANY connection to internet, how I got full remote desktop connection when there was firewalls that blocked all ports except 80 and 443 and doesn't allow Reverse or direct VNC connections, more and more and more..."

Updated at 9:45 a.m. PT with more information on the DigiNotar hacks, and again at 11:56 a.m. PT with Microsoft's response. and 1:16 p.m. PT with Fox-IT and Computerworld report.