Hack Obtains 9 Bogus Certificates for Prominent Websites; Traced to Iran
- 03.23.11
- 5:37 PM
In a fresh blow to the fundamental integrity of the internet, a hacker last week obtained legitimate web certificates that would have allowed him to impersonate some of the top sites on the internet, including the login pages used by Google, Microsoft and Yahoo e-mail customers.
The hacker, whose March 15 attack was traced to an IP address in Iran, compromised a partner account at the respected certificate authority Comodo Group, which he used to request eight SSL certificates for six domains: mail.google.com, www.google.com, login.yahoo.com, login.skype.com, addons.mozilla.org and login.live.com.
The certificates would have allowed the attacker to craft fake pages that would have been accepted by browsers as the legitimate websites. The certificates would have been most useful as part of an attack that redirected traffic intended for Skype, Google and Yahoo to a machine under the attacker’s control. Such an attack can range from small-scale Wi-Fi spoofing at a coffee shop all the way to global hijacking of internet routes.
At a minimum, the attacker would then be able to steal login credentials from anyone who entered a username and password into the fake page, or perform a “man in the middle” attack to eavesdrop on the user’s session.
Comodo CEO Melih Abdulhayoglu calls the breach the certificate authority’s version of the Sept. 11 terror attacks.
“Our own planes are being used against us in the C.A. [certificate authority] world,” Abdulhayoglu told Threat Level in an interview. “We have to up the bar and react to these new threat models. This untrusted DNS infrastructure cannot be what drives the internet going forward. If DNS was trusted, none of this would have been an issue.”
Comodo says the attacker was well prepared, and appeared to have a list of targets at the ready when he logged into the company’s system and began requesting certificates.
In addition to the bogus certificates, the attacker created a ninth certificate for a domain of his own under the name “Global Trustee,” according to Abdulhayoglu.
Abdulhayoglu says the attack has all the markings of a state-sponsored intrusion rather than a criminal attack.
“We deal with [cybercriminals] all day long,” he said. But “there are zero footprints of cybercriminals here.”
“If you look at all these domains, every single one of them are communications-related,” he continued. “My personal opinion is that someone is trying to read people’s e-mail communications. [But] the only way for this attack to work [on a large scale] is if you have access to the DNS infrastructure. The certificates on their own are no use, unless they have access to the DNS infrastructure itself, which a state would.”
Though he acknowledges that the attack could have originated anywhere, and been routed through Iranian servers as a proxy, he says Iranian president Mahmoud Ahmadinejad’s regime is the obvious suspect.
Out of the nine fraudulent certificates the hacker requested, only one — for Yahoo — was found to be active. Abdulhayoglu said Comodo tracked it, because the attackers had tried to test the certificate using a second Iranian IP address.
All of the fraudulent certificates have since been revoked, and Mozilla, Google and Microsoft have issued updates to their Firefox, Chrome and Internet Explorer browsers to block any websites from using the fraudulent certificates.
Comodo came clean about the breach this week, after security researcher Jacob Appelbaum noticed the updates to Chrome and Firefox and began poking around. Mozilla persuaded Appelbaum to withhold public disclosure of the information until the situation with the certificates could be resolved, which he agreed to do.
Abdulhayoglu told Threat Level that his company first learned of the breach from the partner that was compromised.
The attacker had compromised the username and password of a registration authority, or R.A., in southern Europe that had been a Comodo Trusted Partner for five or six years, he said. Registration authorities are entities that are authorized to issue certificates after conducting a due-diligence check to determine that the person or entity seeking the certificate is legitimate.
“We have certain checks and balances that alerted the R.A. [about the breach], which brought it to our attention,” he said. “Within hours we were alerted to it, and within hours we revoked everything.”
It’s not the first time that the integrity of web certificates has come into question.
Security researcher Moxie Marlinspike showed in 2009 how a vulnerability in the way that web certificates are issued by authorities and authenticated by web browsers would allow an attacker to impersonate any trusted website with a legitimately issued certificate.
Photo: Iranian President Mahmoud Ahmadinejad gestures as he talks at a 2006 news conference. (Misha Japaridze/AP)
See also:
Kim Zetter is a senior reporter at Wired covering cybercrime, privacy, security and civil liberties.
Follow @KimZetter and @ThreatLevel on Twitter.
