Establishing Digital Trust: Don't Sacrifice Security for Convenience
An Iranian hacker who claims to be the perpetrator behind the theft earlier this month of legitimate secure sockets layer (SSL) digital certificates posted a partial description of how it was achieved, including some source code, on a text storage site over the weekend.
The hacker claims to have acted alone, rather than as part of a team, as had been supposed last week when the exploit was disclosed.
The hacker, who apparently signed the post as Janam Fadaye Rahbar, said that publishing a partial description should prove that he, or she, was smart and capable enough to have carried out the heist and, in fact, had pulled off the attack alone.
The post was derisive of statements made last week by Comodo's CEO Melih Abdulhayoglu that suggested the exploit had been carried out by a team that might somehow be tied to the Iranian government. The stolen certificates would be useless unless the parties using them also had the ability to change domain addresses, as the Iranian government does, he had suggested.
The hacker scoffed.
"I'm not a group of hackers, I'm single hacker with experience of 1000 hackers, I'm single programmer with experience of 1000 programmers, I'm single planner/project manager with experience of 1000 project managers," the post said.
The post went on to partially describe how Comodo, the certificate authority that was tricked into issuing as many as nine valid digital certificates, got tripped up.
The certificates were never used and, Comodo claimed, by the time someone tried one out, the certificates had already been revoked. Still, the list of sites that the certificates could have been used to impersonate included Microsoft, Google, and Yahoo, as well as Skype and Mozilla.
The hacker, who has been identified as working from inside Iran, also denied having any help from or contact with anyone in the Islamic Republic's government or military.
The poster also referred to the Stuxnet worm that attacked PCs in Iran's controversial nuclear plant last September. The Iranian government blamed the U.S. and Israel for creating and releasing the worm.
"Where were you when Stuxnet created by Israel and USA with millions of dollar budget, with access to SCADA [Supervisory Control and Data Acquisitions] systems and Nuclear softwares? Why no one asked a question from Israel and USA ambassador to UN?" the post said.
Neither was the post without a threat or two.
"Comodo and other CAs in the world: Never think you are safe, never think you can rule the internet, ruling the world with a 256 digit number which nobody can find its two prime factors (you think so), I'll show."