Iranian Hacker Rattles Security Circles

- By SOMINI SENGUPTA - The New York Times - September 11, 2011

He claims to be 21 years old, a student of software engineering in Tehran who reveres Ayatollah Ali Khamenei and despises dissidents in his country.

He sneaked into the computer systems of a security firm on the outskirts of Amsterdam. He created fake credentials that could allow someone to snoop on Internet connections that appeared to be secure. He then shared that bounty with people he declines to name.

The fruits of his labor are believed to have been used to tap into the online communications of as many as 300,000 unsuspecting Iranians this summer. What’s more, he punched a hole in an online security mechanism that is trusted by millions of Internet users all over the world.

Comodohacker, as he calls himself, insists he acted on his own and is unperturbed by the notion that his work may have been used to spy on antigovernment compatriots.

“I’m totally independent,” he said in an e-mail exchange with The New York Times. “I just share my findings with some people in Iran. They are free to do anything they want with my findings and things I share with them, but I’m not responsible.”

In the annals of Internet attacks, this is likely to go down as a moment of reckoning. For activists, it shows the downside of using online tools to organize: an opponent with enough determination and resources just might find a way to track their every move.

It also calls into question the reliability of a basic system of trust that global Internet brands like Google and Facebook, along with their users, rely upon. The system is intended to verify the authenticity of a particular Web site — to ensure, in effect, that Gmail is Gmail, and that the connection to the site is encrypted and difficult for an outsider to monitor.

Hundreds of companies and government authorities around the world, including in the United States and China, have the power to issue the digital certificates that the system relies upon to verify a site’s identity. The same hacker is believed to be responsible for attacks on three such companies.

In March, he claimed credit for a breach of Comodo, in Italy. In late August came the attack on the Dutch company DigiNotar. On Friday evening, a company called GlobalSign said it had detected an intrusion into its Web site, but not into more confidential systems.

Armed with certificates stolen from companies like these, someone with control over an Internet service provider, like the Iranian authorities, could trick Internet users into thinking they were safely connected to a familiar site, while eavesdropping on their online activity.

Fearing the prospect of other breaches similar to those carried out by this hacker, Mozilla, the maker of the Firefox Web browser, last week issued a warning to certificate authority companies to audit their security systems or risk being booted off Firefox.

“It is a real example of a weakness in security infrastructure that many people assumed was trustworthy,” said Richard Bejtlich, the chief security officer of Mandiant Security in Alexandria, Va. “It’s a reminder that it is only as trustworthy as the companies that make up the system. There are bound to be some that can’t protect their infrastructure, and you have results like this.”

Comodohacker said via e-mail that he began his explorations by scrolling through a list of certificate authority companies. DigiNotar caught his interest because it was Dutch. He said he was motivated by the failure of Dutch peacekeepers to prevent the massacres of Muslims in Srebenica in 1995. He also said he chose the Dutch company because of a Dutch legislator, Geert Wilders, who has built a political career out of criticizing Muslims in his country.

DigiNotar, which is owned by an Illinois company called Vasco Data Security International, did not make the attack particularly difficult, according to a report by Fox-IT, a security company that was commissioned by the Dutch government to investigate. The company’s critical servers contained malicious software that should have been spotted by antivirus tools, the report said, and the servers related to certificates were all protected by just one weak password. DigiNotar did not respond to requests for comment last week.

There was fallout in the Netherlands as well. The government there said last week that it was widening its investigation into the breach in an effort to learn whether the private data of Dutch citizens, many of whom file income tax returns online, had been compromised.

Comodohacker apparently began poking around DigiNotar’s systems in early June, the Fox-IT report said. He gained control of the server in about 10 days and generated 531 fake certificates, including some for well-known sites like Google, Skype and Facebook, along with a few foreign intelligence sites. He shared them with a person or organization believed to have had control over dozens of Internet service providers and university networks in Iran — perhaps the government itself.

Fox-IT concluded that over the course of a month, 300,000 people were served up fake certificates produced by Comodohacker. E-mails, chats, user names and passwords could have been monitored, revealing who they were talking to and what they were planning.

Google on Thursday issued an unusual warning to its users in Iran, calling on them to change passwords and check if their e-mails were being forwarded to unfamiliar or suspicious addresses.

Word of the Google warning caught the attention of Jubeen Sharbaf, an Iranian in Toronto. He is not ignorant of the Iranian government’s attempts to spy on its people, he said via e-mail. “This was alarming though because Google is perceived to be very secure, and beside Skype it has been used for the line of communication within and outside Iran,” he said.

Comodohacker was plainspoken about his motivations.

“My country should have control over Google, Skype, Yahoo, etc.,” he said by e-mail. “I’m breaking all encryption algorithms and giving power to my country to control all of them.”

In the days since his attack was discovered, Comodohacker posted lengthy explanations on Pastebin, a sort of Internet bulletin board, of how he had penetrated the system of the Dutch firm and why, along with his e-mail address.

He has also boasted of his own skills, calling his work the “most sophisticated hack of all time,” and at one point exclaiming: “I’m really sharp, powerful, dangerous and smart!”

Mikko Hypponen, a security researcher with F-Secure Labs of Helsinki, said the hacker was “somebody who has skills, and he also has the old-school hacker mentality where he likes to boast.” Mr. Hypponen added: “If he were an intelligence analyst for the secret police he wouldn’t be doing this.”

Asked whether he was paid for his services, the hacker replied in broken English: “I don’t fight for my belief for award in this world.”

The e-mail he sent appears to have come from a computer in Russia, according to an independent security analyst who reviewed it. Comodohacker has either remotely taken control of someone’s computer in Russia, or he may not be an Iranian software engineer at all.

Artin Afkhami and Kevin J. O'Brien contributed reporting.




A message from Comodo Hacker - March 26th, 2011

Hello

I'm writing this to all the world, so you'll know more about us..

At first I want to give some points, so you'll be sure I'm the hacker:

I hacked Comodo from InstantSSL.it, their CEO's e-mail address This email address is being protected from spambots. You need JavaScript enabled to view it.
Their Comodo username/password was: user: gtadmin password: globaltrust
Their DB name was: globaltrust and instantsslcms

Enough said, huh? Yes, enough said, someone who should know already knows...

Anyway, at first I should mention we have no relation to Iranian Cyber Army, we don't change DNSes, we just hack and own.

I see Comodo CEO and other wrote that it was a managed attack, it was a planned attack, a group of cyber criminals did it, etc.

Let me explain:

a) I'm not a group, I'm single hacker with experience of 1000 hacker, I'm single programmer with experience of 1000 programmer, I'm single planner/project manager with experience of 1000 project managers, so you are right, it's managed by 1000 hackers, but it was only I with experience of 1000 hackers.

b) It was not really a managed hack. At first I decided to hack RSA algorithm, I did too much investigation on SSL protocol, tried to find an algorithm for factoring integer, for now I was not able to do so, at least not yet, but I know it's not impossible and I'll prove it, anyway... I saw that there is easier ways of doing it, like hacking a CA. I was looking to hack some CAs like Thawthe, Verisign, Comodo, etc. I found some small vulnerabilities in their servers, but it wasn't enough to gain access to server to sign my CSRs. During my search about InstantSSL of Comodo, I found

InstantSSL.it which was doing same thing under control of Comodo. After a little try, easily I got FULL access on the server, after a little investigation on their server, I found out that TrustDll.dll takes care of signing. It was coded in C#.

Simply I decompiled it and I found username/password of their GeoTrust and Comodo reseller account.

GeoTrust reseller URL was not working, it was in ADTP.cs. Then I found out their Comodo account works and Comodo URL is active. I logged into Comodo account and I saw I have right of signing using APIs. I had no idea of APIs and how it works. I wrote a code in C# for signing my CSRs using POST request to APIs, I learned their APIs so FAST and their TrustDLL.DLL was too old and was sending too little parameters, it wasn't enough for signing a CSR. As I said, I rewrote the code for !AutoApplySSL and !

PickUpSSL APIs, first API returns OrderID of placed Order and second API returns entire signed certificate if you pass OrderID from previous call. I learned all these stuff, re-wrote the code and generated CSR for those sites all in about 10-15 minutes. I wasn't ready for these type of APIs, these type of CSR generation, API calling, etc. But I did it very very fast.

Anyway, I know you are really shocked about my knowledge, my skill, my speed, my expertise, that's all OK, all of it was so easy for me, I did more important things I can't talk about, so if you have to worry, you can worry... I should mention my age is 21 Let's back to reason of posting this message.

I'm telling this to the world, so listen carefully:

When USA and Israel write Stuxnet, nobody talks about it, nobody gots blamed, nothing happened at all, so when I sign certificates nothing happens, I say that, when I sign certificates nothing should happen. It's a simple deal.

When USA and Isarel could read my emails in Yahoo, Hotmail, Skype, Gmail, etc. without any simple little problem, when they can spy using Echelon, I can do anything I can. It's a simple rule. You do, I do, that's all. You stop, I stop. It's rule #1 (My Rules as I rule to internet, you should know it already...)

Rule#2: So why all the world got worried, internet shocked and all writers write about it, but nobody writes about Stuxnet anymore? Nobody writes about HAARP, nobody writes about Echelon... So nobody should write about SSL certificates.

Rule#3: Anyone inside Iran with problems, from fake green movement to all MKO members and two faced terrorist, should afraid of me personally. I won't let anyone inside Iran, harm people of Iran, harm my country's Nuclear Scientists, harm my Leader (which nobody can), harm my President, as I live, you won't be able to do so. as I live, you don't have privacy in internet, you don't have security in digital world, just wait and see...

Rule#4: Comodo and other CAs in the world: Never think you are safe, never think you can rule the internet, rule the world with a 256 digit number which nobody can find it's 2 prime factors, I'll show you how someone in my age can rule the digital world.

Rule#5: To microsoft, mozilla and chrome who updated their softwares as soon as instructions came from CIA. You are my targets too. Why Stuxnet's Printer vulnerability patched after 2 years? Because it was need in Stuxnet? So you'll learn sometimes you have to close your eyes on some stuff in internet, you'll learn... You'll learn... I'll bring equality in internet. My orders will equal to CIA orders, lol ;)

Rule#6: I'm a GHOST

Rule#7: I'm unstoppable, so afraid if you should afraid, worry if you should worry.

A message in Persian: Janam Fadaye Rahbar