The hacker who claimed credit for breaking into systems belonging to digital certificate vendor Comodo said he has compromised another certificate authority, along with two more Comodo partners, a move that could further undermine trust in the system used to secure websites on the Internet.
In an e-mail interview Tuesday the hacker, who calls himself “Ich Sun,” said he’d breached security at another certificate authority, but declined to provide details on the incident or any proof that he’d managed to pull off another attack. “Talking about second CA have no use for me, except giving away my work and corrupting it, sorry,” he said in the broken English he’s used in all public communications.
He may have succeeded by breaking into a Comodo partner who was also able to create digital certificates through another certificate authority (CA). Over the past weekend, Ich Sun tried to compromise two other Comodo partners, one of whom also partnered with a different certificate authority, according to Comodo CEO Melih Abdulhayoglu. Neither attack succeeded against the Comodo system, thanks to newly introduced security measures, but Abdulhayoglu said he does not know whether the second CA was compromised.
Certificate authorities like Comodo issue the trusted digital certificates used by SSL (Secure Sockets Layer) encryption to prove that a particular computer on the Internet is what it claims to be: that the computer you visit when you type Google.com actually belongs to Google, for example. Browsers use these digital certificates when they’re connecting to secure Web pages, but they’re also used to secure Internet mail and virtual private networks. CAs often work with partners, called registration authorities, who charge to confirm the identity of the company and then use the CA’s system to generate a cryptographic signature for the company in question.
Ich Sun broke into Comodo’s Italian registration authority, called Comodo Italy, and on March 15 used Comodo’s systems to fraudulently issue nine digital certificates.
Comodo went public with details of the attack on Thursday and is cooperating with Italian police and the U.S. Federal Bureau of Investigation on the case, but that has not deterred Ich Sun.
These attacks highlight weaknesses in a widely used part of the Internet’s security infrastructure, but they also provide a glimpse into the shadowy nature of Internet crime. Nobody knows exactly who Ich Sun is, or what his (or her, or their) true motives might be.
Ich Sun said he broke into Comodo Italy using a very common database attack known as SQL injection. He entered data into Web-based forms that tricked the back-end database into running commands that should have been prohibited. He then took advantage of another flaw to get remote access to this system and was eventually in control of the servers used by two Comodo Italy websites: GlobalTrust.it and InstantSSL.it. He said he found a password hard-coded into a file on one of the systems that ultimately allowed him to issue the digital certificates.
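From the defender's side, the pattern this incident shows is a single registration-authority account issuing a burst of certificates for domains it would rarely have a legitimate reason to certify. The following is an added example, not code from the article or from Comodo: a small detector run over constructed issuance log lines (the RA names, domains and log format are assumptions), flagging high-value domains and issuance bursts per RA account.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of RA issuance log lines (not real Comodo data).
SAMPLE_LOG = """\
2011-03-15T20:01:02Z ra=ra-example-a domain=shop.example.net
2011-03-15T20:05:10Z ra=ra-example-b domain=login.yahoo.com
2011-03-15T20:05:11Z ra=ra-example-b domain=login.skype.com
2011-03-15T20:05:12Z ra=ra-example-b domain=www.google.com
2011-03-15T20:05:13Z ra=ra-example-b domain=mail.google.com
2011-03-16T09:00:00Z ra=ra-example-a domain=blog.example.org
"""

# Domains an RA partner would rarely have a legitimate reason to certify.
HIGH_VALUE = {"google.com", "yahoo.com", "skype.com"}

LINE_RE = re.compile(r"^(\S+) ra=(\S+) domain=(\S+)$")

def parse(log):
    """Yield (timestamp, ra_account, domain) for each well-formed line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m.group(2), m.group(3).lower()

def registrable(domain):
    # Naive registrable-domain guess (last two labels); fine for this sample.
    return ".".join(domain.split(".")[-2:])

def find_suspicious(log, burst_n=3, window=timedelta(minutes=10)):
    """Return alerts as (ra_account, reason, evidence) tuples."""
    alerts = []
    by_ra = defaultdict(list)
    for ts, ra, domain in parse(log):
        by_ra[ra].append((ts, domain))
        if registrable(domain) in HIGH_VALUE:
            alerts.append((ra, "high-value domain", domain))
    # Burst rule: burst_n or more issuances by one RA inside the window.
    for ra, events in by_ra.items():
        events.sort()
        for i in range(len(events)):
            j = i
            while j < len(events) and events[j][0] - events[i][0] <= window:
                j += 1
            if j - i >= burst_n:
                alerts.append((ra, "issuance burst", f"{j - i} certs within {window}"))
                break
    return alerts
```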
One week after he issued the bogus digital certificates, Ich Sun got in touch with Comodo Italy Vice President Massimo Penco and demanded a “talk.” When Penco ignored this note and a subsequent e-mail, he got angry: “Because I didn’t saw your reply, for now, just for now, I wiped your LG Drive and F: drive and all log files,” he wrote in a March 23 e-mail, obtained by the IDG News Service. “So now, contact me before I do something so dangerous. Simply personally contact me, do not try to find me, do not try to remove me, do not try anything…”
And then, ominously: “I could cause so hard impossible to recover damages, simply contact me, that’s all for now.”
In the interview, Ich Sun said he wasn’t trying to extort money from Comodo Italy. “No, it wasn’t money request and I haven’t received any money,” he said. “I just wanted to talk them about breach or if possible even have a chat, I wanted to know what they’re thinking about breach, how they detected my orders, etc.”
Ich Sun has published details of the attack in a series of Web posts, including data that only the real Comodo hacker would know such as the private key used to generate the digital certificates that Comodo certified. He says that he was researching ways to hack the RSA algorithm. But nobody knows whether Ich Sun is really a 21-year-old Iranian student who supports his government, as he claims, or, say, a group of Turkish hackers with a completely different agenda.
Comodo’s Abdulhayoglu says that despite Ich Sun’s claims, he believes that all signs still point to an Iranian state-sponsored attack. That’s because certificates for these domains would be useful only to a party that also controlled the network infrastructure. With digital certificates for websites used for Internet communication (Skype, Google and Yahoo, for example), along with the kind of network control enjoyed by the Iranian government, Iran could spy on its citizens even when they were connecting to secure https websites. “What did you want to do with these certificates?” he said. “They are no use unless you have access to infrastructure.”
Ich Sun’s public statements have helped foment uncertainty about the safety of Internet communications — especially within Iran — a result that dovetails nicely with Iran’s desire to curb dissent on the Internet, Abdulhayoglu said.
Security expert Robert Graham, who’s swapped e-mails with Ich Sun and ultimately confirmed that he was indeed the one who pulled off the Comodo hack, thinks otherwise. He accuses Comodo and reporters who have covered this story of jumping to conclusions about the Iran connection. “We make the assumption that anyone who supports the government there works for the government and that’s just not true,” said Graham, CEO of Errata Security. “My theory is he’s exactly what he says he is. That’s what the evidence points to. There’s no evidence that says he would have to be part of a state-sponsored effort. The attack is not that complex. It’s just what your average pen-tester would do.”
Comodo Italy’s Penco said that whoever is speaking as Ich Sun is lying about some things. “When I saw what they published on the Web about this attack, I thought what they said was absolutely crazy,” he said. “They didn’t breach any of my servers; they didn’t breach any of my hard drives.”
But Penco wouldn’t say how his company’s account with Comodo was compromised and used to generate the digital certificates.
Security experts believe that the important lesson here is not how Comodo was compromised, but how the system used to secure Web browsing and Internet e-mail broke down so completely. The problem is that browsers are programmed to trust hundreds of certificate authorities (CAs), each of which can issue a digital certificate for any domain on the Internet, be it Google.com or Whitehouse.gov, so the compromise of any one CA or its partners undermines the whole system.
SSL’s security is only as strong as its weakest link, and as the Comodo incident has shown, there are plenty of weak links, said Peter Eckersley, a senior staff technologist with the Electronic Frontier Foundation who has closely studied SSL. “It was not a matter of if a CA would be compromised in this way, but when,” he said. In the meantime, “people who need to have very secure computers will have to regard the CA system with a certain degree of suspicion.”
Robert McMillan covers computer security and general technology breaking news for The IDG News Service. Follow Robert on Twitter at @bobmcmillan. Robert’s e-mail address is email@example.com