FBI probes Comodo Web security breach

FBI and Italian police investigate how hacker managed to convince N.J. security firm to issue it digital certificates for Google, Yahoo, Microsoft, other major Web sites.

Declan McCullagh Former Senior Writer

[Photo caption] Compromise related to fraudulent digital certificates is traced to IP addresses in Iran, Comodo says. (Image credit: Comodo)

The FBI is investigating how a hacker tricked a New Jersey company into issuing fraudulent digital certificates for Google, Yahoo, Microsoft, and other major Web sites, the firm's chief executive said today.

Comodo CEO Melih Abdulhayoglu told CNET this afternoon that "it is an ongoing investigation" that has drawn in both the FBI and Italian law enforcement.

Abdulhayoglu confirmed that a reseller in Italy called GlobalTrust had its network compromised by a hacker traced to Iran. That person, or multiple people, obtained fake digital certificates for nine Web sites that also included Skype and Mozilla. Those certificates, which have since been revoked, allowed someone to impersonate the secure versions of those Web sites--the ones that are used when encrypted connections are enabled.

"We're letting the government agencies handle the issue and figure out what exactly has happened here," Abdulhayoglu said.

The FBI did not immediately respond to a request for comment.

[Photo caption] Melih Abdulhayoglu, Comodo's CEO and chief security architect. (Image credit: Comodo)

An unknown person using the alias "ComodoHacker" and "ichsunx" has posted proof, in the form of an encryption key, that he (or she, or they) were responsible for the intrusions or in contact with whoever was. ComodoHacker claims to be a pro-regime cryptanalyst in Iran, arguing that the country should be free to pursue its "nuclear program, as it's simple right [sic] of each nation."

Comodo's revelation last week highlights the flaws in the current method of trusting certificate authorities.

At the moment, there is no automated process to revoke fraudulent certificates. There is no public list of certificates that companies like Comodo have issued, or even which of its resellers or partners have been given a duplicate set of the master keys. There are no mechanisms to prevent fraudulent certificates for Yahoo Mail or Gmail from being issued by compromised companies, or repressive regimes bent on surveillance; Tunisia even has its own certificate-issuing government agency trusted by Internet Explorer.
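The structural problem described above, that any trusted certificate authority (or a reseller holding its signing keys) can issue a certificate for any site and a browser will accept it, can be shown in a few dozen lines. The following Go program is an added illustration and is not code from the article, from Comodo, or from any browser vendor. It constructs two throwaway roots, one standing in for the site operator's real CA and one for a compromised reseller, puts both in one trust store the way browsers' root lists do, and issues a certificate for the same host name from each. Standard chain validation accepts both. It then applies public-key pinning, a client-side mitigation that the article does not discuss but that addresses exactly this gap: the client also requires that the validated chain contain a key the site operator published out of band, and the mis-issued certificate is refused. The host name "mail.example.com" and the root names are constructed test values; the pin is the SHA-256 of the SubjectPublicKeyInfo. Note that pinning does nothing about the article's other point, revocation, since a client must still learn somehow that a previously valid certificate is now bad.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

func must(err error) { if err != nil { panic(err) } } // demo-only error handling

// newCA builds a self-signed root; both roots here are constructed test data, not real CAs.
func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// issueLeaf has ca sign a server certificate for host; X.509 lets any trusted root do this for any name.
func issueLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, host string) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert
}

// validChains does what a browser does: find any path from leaf to a trusted root for host (nil on failure).
func validChains(leaf *x509.Certificate, roots *x509.CertPool, host string) [][]*x509.Certificate {
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	if err != nil {
		return nil
	}
	return chains
}

// spkiPin is the SHA-256 of a certificate's SubjectPublicKeyInfo, the value an operator publishes for clients to pin.
func spkiPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// hasPin accepts a validated chain only if some certificate in it carries the pinned key.
func hasPin(chains [][]*x509.Certificate, pin string) bool {
	for _, chain := range chains {
		for _, c := range chain {
			if spkiPin(c) == pin {
				return true
			}
		}
	}
	return false
}

// Result holds the outcomes for the site's own certificate and the mis-issued one.
type Result struct{ LegitValid, RogueValid, LegitPinned, RoguePinned bool }

// Scenario puts the site's real root and a root a compromised reseller could sign with in one trust store.
func Scenario() Result {
	const host = "mail.example.com" // constructed host name
	legitCA, legitKey := newCA("Site Operator Root (constructed)")
	rogueCA, rogueKey := newCA("Compromised Reseller Root (constructed)")
	roots := x509.NewCertPool()
	roots.AddCert(legitCA)
	roots.AddCert(rogueCA)
	lc := validChains(issueLeaf(legitCA, legitKey, host), roots, host)
	rc := validChains(issueLeaf(rogueCA, rogueKey, host), roots, host)
	pin := spkiPin(legitCA) // the operator pins its own root's key
	return Result{len(lc) > 0, len(rc) > 0, hasPin(lc, pin), hasPin(rc, pin)}
}

func main() { fmt.Printf("%+v\n", Scenario()) }
```

Running it prints `{LegitValid:true RogueValid:true LegitPinned:true RoguePinned:false}`: path validation alone cannot tell the reseller-issued certificate from the real one, because the trust store has no notion of which CA is supposed to vouch for which site; only the out-of-band pin does. Pinning to a root, as here, survives routine leaf renewal; pinning to the leaf key is stricter but must be updated on every rekey, and a stale pin locks out legitimate users.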

CNET reporter Elinor Mills contributed to this report.