Lone Iranian claims credit for Comodo certificate hack

Confusion surrounds the origins of the attack that lead to fake security certificates

Nicole Kobie
28 Mar 2011

An Iranian hacker has claimed the security certificate attack against Comodo, claiming it wasn't backed by the Government.

Last week, the security certificate issuing authority admitted it had been hacked, with the attackers creating fake security certificates for sites such as Gmail, Skype, Hotmail and more.

Comodo said the nature of the hack and the targets lead it to believe the attack was instigated by the Iranian Government.

A hacker is somebody who doesn't realize that what he’s attempting is impossible

That belief has been thrown into doubt by posts on website PasteBin from a hacker who claims to have managed the attack by himself. The individual, who calls himself ComodoHacker, claims to be a 21-year-old Iranian.

He shared details of the attack in a post online, promising more attacks to come, and bragging: "I'm not a group of hacker, I'm single hacker with experience of 1,000 hackers".

Robert Graham, of security consultancy Errata, said the results of his firm's examination of the attack fit with the hacker's general claims.

Despite the complexity and size of the attack, Graham said it was possible the hack came from one person, and didn't need state backing. "A hacker is somebody who doesn't realise that what he’s attempting is impossible," he said in a blog post, explaining that the attack would have been accomplished "one clue at a time."

"This is why hacking gets addictive - solving puzzles like this is enormously satisfying. It's also why people are quick to assume the difficulty of a hack means a 'nation state' is involved rather than a '21-year-old college student'."

Graham agreed with the alleged hacker that many were to quick to jump to the conclusion that the attack was backed by the Iranian state. "More to the point, what evidence points to the Iranian Government in the first place? The answer is 'zero'," he said.

Lone hacker or good PR?

Others weren't so sure the claims should be believed. "Do we really believe that a lone hacker gets into a CA [certificate authority], can generate any certificate he wants... and goes after login.live.com instead of paypal.com?" F-Secure's Mikko Hypponen said via Twitter.

"The PasteBins look convincing," he added. "Whether they were posted by a 21-year-old lone gunman or Iran Government PR department, I don't know."

Chester Wisniewski, a security advisor from Sophos, added it was "impossible" to tell if the hacker was telling the truth, but whatever the case, it was clear that Comodo's security wasn't up to scratch.

"Once again we come back to insecure passwords and password handling techniques," he said in a post on the Sophos blog, adding that "the practice of directly signing certificates with the root certificate, as Comodo had been doing, is really bad practice."

US-based Comodo wasn't available for comment at the time of publishing.

Read more about: