I wrote an article about the Comodo hack for Deutsche Welle here. The following is an introduction to the full interview (further below) with Comodohacker.
On March 15, 2011, a major Internet-security company, Comodo, said that it sustained a major security breach, by allowing nine “SSL certificates,” to be issued in their name. These certificates are used to digitally authenticate a secure connection to websites like Gmail, Hotmail and Skype. The hacker acquired fake certificates for Gmail, Hotmail, Google, Yahoo, Skype, and Mozilla. However, once this attack became known, those certificates were revoked, eliminating their risk of being used for malicious purposes. On Tuesday, Comodo further announced on an security e-mail list that two more registration authority accounts had been compromised.
The first breach came through a Comodo partner in Italy, GlobalTrust, which had its network compromised apparently by an Iranian hacker. Comodo disclosed the attack on its company blog on March 23, but noted that “this may be the result of an attacker attempting to lay a false trail.” Computer security experts often note that they can never be 100 percent certain of the origins of such a breach.
However, security researchers are very concerned that if a Iranian government agents or other malicious agents could duplicate this attack, then that could create serious problems.
“In theory, an Iranian attempting to log into his Yahoo account, for example, could have been misdirected to a fake site,” wrote Mikko Hypponen, the chief research officer at F-Secure in Finland, on his company’s blog last week.
“That would allow the perpetrators to obtain a host of online information including contents of email, passwords and usernames, while monitoring activity on the dummy sites. Since the targeted sites offer communication services, not financial transactions, Comodo said it seemed clear the hackers sought information, not money.”
Last Saturday, March 26, someone claiming to be the “ComodoHacker,” began posting messages and technical details of the attack, leading many to believe that he was, indeed, responsible for these breaches. Comodohacker said that he was a self-taught, 21-year-old university student in Iran.
To learn more, Icontacted him using the e-mail address that he provided on these posts. However, it is impossible to verify with 100 percent certainty the claims that he makes. His responses have only been edited for spelling and clarity.
Cyrus Farivar: What’s your name, and where do you live in Iran? What school do you attend? How can you prove that you are in Iran?
ComodoHacker: My name is ComodoHacker. University, I don’t want to prove it, I already sent my political views and my writeups shows I’m from Iran. Anyone doesn’t believe, I think have personal problems, no offense.
What was your ultimate goal in terms of cracking the system of digital certificates? How were you trying to use them, presuming you’re not working with the government? Why these specific targets, Yahoo, Skype, et cetera?
I answered this question too much time. First of all, I should say, there is no Green Movement in Iran, just some gangsters with woods and stones, attacks normal people in a day they get out. Really they are counted and they just harm people.
From here, I say to them, stop being a gang and hear the voice of people of Iran, do not obey instructions who comes from people outside of Iran, they don’t have power to do anything, they just use you for their targets, they write reports about how they managed [protesters] in Tehran and get paid, what you can in return? Jail.
Let’s back to idea of its usage. MKO members [Note: an Islamic socialist organization that advocates the overthrow of the Islamic Republic of Iran] have secure private networks in Germany, France, Canada, USA, Iraq, Jordan. Other Green Movement leaders mostly reside in USA.
Some remaining and counted people lives in Iran. Accessing and owning their private networks, maybe already done, maybe I’ll do it. But with a good control on their gateway and my signed certificates everything would go well, right?
A group of people who just harm and have no use for people, should not have privacy in digital world, with zero-day bugs [Note: A flaw in a security system that the operators of that system are unaware of] I have which I don’t want to even name vulnerable software or hardware, owning network itself is so easy. For decrypting traffic, I need some other tools which I gathered. I invite Comodo CEO to talk, I don’t want to talk about second breach to Comodo.
Comodo was lucky for detecting me, who knows? Maybe another not popular [certificate authority] decided to not talk. Or maybe they didn’t notice anything (at least not yet)?
I said it once, as I live, privacy in Internet is impossible. I would be happy to publish PGP and GPG keyrings of these gangsters which they think protect them. Enough said. Enjoy surfing Internet.
You’ve said that you acted alone. Do you understand why that’s hard for a lot of people to believe?
It’s because people don’t understand power of Iranian scientist, they also didn’t believe our power in physics, in laser, in sending satellites, to be honest, I’m tired of explaining my country’s potential, when we decide to do something, we just do.
Everything isn’t what you see, everything isn’t materials you touch, there is some stuff you can’t see, like God, sometimes God helps some people. Most of people doesn’t understand, it’s exactly what Holy Quran says. That’s someone like me in my age owns Internet security structure alone, decrypt most of encryption protocols, breaks A5/1, breaks other software/hardware which I don’t want to talk about them.
Have you had any contact with anyone in the Iranian government, Sepah [Islamic Revolutionary Guard Corps], Basij, Gerdab.ir or anyone else in that vein prior to, during, or subsequent to this attack?
No, to be honest, [I’ve been wondering] about it also, no one can reach me personally via tracing that IP, that’s not my actual IP, I have too much tunnels, in fact I tried to be completely hidden and being appeared from another country’s IP, but I didn’t noticed my tunnel’s VPN connection disconnected from target server. So they saw my first tunnel. I thought some people inside Iran, some press or any other org. will contact me, but no one contacted me, maybe they didn’t find my email address or they got so deep in that IP. Who knows?
Because I saw a lot of false allegations about my hack, some said it was Iranian government, some said I’m from Cyber Army, etc. I decided to tell the truth about it. I don’t like to see my work assigned to someone else, in previous works.
Comodo said on its blog: “The IP address of the initial attack was recorded and has been determined to be assigned to an ISP in Iran.” Why didn’t you conceal your IP better, presuming you are actually in Iran?
What’s next for you?
All encryption systems/protocols CIA have access to them but my country doesn’t. I’ll reverse/cryptanalysis/attack in any method I can, owning servers, breaking algorithm, reversing code to break them and bring equality.
As I said in my first post, CIA have access to all e-mails of me, a copy of my e-mail goes to CIA officals before even reaching you, I want same rights, why not?
Funny printer bug patched two years after being public, because creators of Stuxnet (USA and Israel) ordered so. So I have my own zero-days for several highly critical softwares which I don’t want to even name them, I use them on my targets, no one should patch it. I love equality.
I’m Iranian-American, so I don’t doubt the capability of Iran or Iranians. 🙂
But still, you haven’t quite answered this basic question: What was your ultimate goal and what did you plan on doing with these certificates, and why target these specific companies, Yahoo, Skype, etc?
Decrypting traffic of anti-Islamic republic groups like MKO and Green Movement leaders like Balatarin and other site’s members, I already own a lot of their networks. It will help me to decrypt all their encrypted communications. Their private networks are located in France, Germany, Jordan, USA and Canada. Some of them also connected to people in Iran via VPNs. They should know from now, they are insecure, I got what I wanted, Comodo published breach, others don’t that’s all.