April 2017 Digital Edition

Click Here

March 2017 Digital Edition

Click Here

Feb. 2017 Digital Edition

Click Here

January 2017 Digital Edition

Click Here

Nov/Dec 2016 Digital Edition

Click Here

Oct 2016 Digital Edition

Click Here

Technology Sectors

Market Sectors

Authentication firm compromised by alleged Iranian hackers

Melih Abdulhayoglu

A company that issues certificates used by web browsers to assure the authenticity of Internet sites was breached by what it believes to be Iranian hackers.

Comodo revealed the breach March 23, although the actual infraction took place on March 15.

According to an incident report posted at the company's website, a Registration Authority based in Southern Europe had one of its accounts breached. Registration Authorities, or RAs, are like subcontractors with whom a Certificate Authority, like Comodo, allow to issue certificates in its behalf.

After compromising the RA account, the attackers issued nine fraudulent certificates. All the certificates were revoked shortly after the discovery of the breach, the report said. Only one was actually seen "live" on the Internet. When its creator tried to use the certificate, it received a "revoked" response.

No other RAs were compromised, the report noted. Neither was Comodo's CA infrastructure nor its "root" keys violated.

Several IP addresses were used in the attack, but the primary one was located in Iran.

"The attacker was well prepared and knew in advance what he was to try to achieve.," the report explained. "He seemed to have a list of targets that he knew he wanted to obtain certificates for, was able quickly to generate the CSRs for these certificates and submit the orders to our system so that the certificates would be produced and made available to him."

Although an Iranian address was used in the attack and also used when an attempt was made to use the live certificate, those addresses could have been used as proxies for hackers elsewhere. However, other evidence points to a state-sponsored attack from that Middle Eastern nation, according to Comodo CEO Melih Abdulhayoglu.

For example, the domains for the certificates did not include any financial websites, which would be a tipoff that the attackers had criminal intentions. "I don't see a Citibank, for example," Abdulhayoglu told Government Security News. "I see purely communication-related domains, like email communication or Skype-like communication."

"It was a clinical execution," he said. "We did not see any telltale signs of cyber criminals in this."

Moreover, Iran is the sole nation where root keys aren't embedded into browsers. Root keys are provided by Certificate Authorities to browser makers who embed them into their software. Once the browser recognizes a root key as trusted, any digital certificate issued by the root key's CA will automatically be trusted as authentic.

"What they [the attackers] are trying to do is read people's emails," Abdulhayoglu asserted.

To do that, though, a digital certificate alone is inadequate, he explained. "You also have to have access to the DNS infrastructure so you can redirect people's traffic to a fraudulent website," he said.

"Getting a certificate is meaningless," he maintained. "The attacker must have had access to the DNS infrastructure. That points to a state-based attack."


Recent Videos

Kelvin Hughes leads the way in detection for security and surveillance applications. Utilising its SharpEye™ solid state X-Band radar, paired with...
Kelvin Hughes leads the way in detection for security and surveillance applications. Utilising its SharpEye™ solid state X-Band radar, paired with...
“Varian’s Imaging Components business has a 50 plus year history of dedication to the imaging industry.”—Sunny Sanyal, Senior Vice President and...
IntraLogic's official release of the "One Button" Lockdown system on CBS 2 News.