Digital Version of November/December 2014 Print Edition
Authentication firm compromised by alleged Iranian hackers
A company that issues certificates used by web browsers to assure the authenticity of Internet sites was breached by what it believes to be Iranian hackers.
Comodo revealed the breach March 23, although the actual infraction took place on March 15.
According to an incident report posted at the company's website, a Registration Authority based in Southern Europe had one of its accounts breached. Registration Authorities, or RAs, are like subcontractors with whom a Certificate Authority, like Comodo, allow to issue certificates in its behalf.
After compromising the RA account, the attackers issued nine fraudulent certificates. All the certificates were revoked shortly after the discovery of the breach, the report said. Only one was actually seen "live" on the Internet. When its creator tried to use the certificate, it received a "revoked" response.
No other RAs were compromised, the report noted. Neither was Comodo's CA infrastructure nor its "root" keys violated.
Several IP addresses were used in the attack, but the primary one was located in Iran.
"The attacker was well prepared and knew in advance what he was to try to achieve.," the report explained. "He seemed to have a list of targets that he knew he wanted to obtain certificates for, was able quickly to generate the CSRs for these certificates and submit the orders to our system so that the certificates would be produced and made available to him."
Although an Iranian address was used in the attack and also used when an attempt was made to use the live certificate, those addresses could have been used as proxies for hackers elsewhere. However, other evidence points to a state-sponsored attack from that Middle Eastern nation, according to Comodo CEO Melih Abdulhayoglu.
For example, the domains for the certificates did not include any financial websites, which would be a tipoff that the attackers had criminal intentions. "I don't see a Citibank, for example," Abdulhayoglu told Government Security News. "I see purely communication-related domains, like email communication or Skype-like communication."
"It was a clinical execution," he said. "We did not see any telltale signs of cyber criminals in this."
Moreover, Iran is the sole nation where root keys aren't embedded into browsers. Root keys are provided by Certificate Authorities to browser makers who embed them into their software. Once the browser recognizes a root key as trusted, any digital certificate issued by the root key's CA will automatically be trusted as authentic.
"What they [the attackers] are trying to do is read people's emails," Abdulhayoglu asserted.
To do that, though, a digital certificate alone is inadequate, he explained. "You also have to have access to the DNS infrastructure so you can redirect people's traffic to a fraudulent website," he said.
"Getting a certificate is meaningless," he maintained. "The attacker must have had access to the DNS infrastructure. That points to a state-based attack."