
Comodo hacker claims another certificate authority

The hacker won't identify the certificate authority in question but says another has been breached

By , IDG News Service
March 30, 2011 03:48 PM ET

IDG News Service - The hacker who claimed credit for breaking into systems belonging to digital certificate vendor Comodo said he has compromised another certificate authority, along with two more Comodo partners, a move that could further undermine trust in the system used to secure websites on the Internet.

In an e-mail interview Tuesday the hacker, who calls himself "Ich Sun," said he'd breached security at another certificate authority, but declined to provide details on the incident or any proof that he'd managed to pull off another attack. "Talking about second CA have no use for me, except giving away my work and corrupting it, sorry," he said in the broken English he's used in all public communications.


He may have succeeded by breaking into a Comodo partner that was also able to create digital certificates through another certificate authority (CA). Over the past weekend, Ich Sun tried to compromise two other Comodo partners, one of which also partnered with a different certificate authority, according to Comodo CEO Melih Abdulhayoglu. Neither attack succeeded against the Comodo system, thanks to newly introduced security measures, but Abdulhayoglu said he does not know whether the second CA was compromised.

Certificate authorities like Comodo issue the trusted digital certificates used by SSL (Secure Sockets Layer) encryption to prove that a particular computer on the Internet is what it claims to be: that the computer you visit when you type Google.com actually belongs to Google, for example. Browsers use these digital certificates when they're connecting to secure Web pages, but they're also used to secure Internet mail and virtual private networks. CAs often work with partners, called registration authorities, who charge to confirm the identity of the company and then use the CA's system to generate a cryptographic signature for the company in question.

Ich Sun broke into Comodo's Italian registration authority, called Comodo Italy, and on March 15 used Comodo's systems to fraudulently issue nine digital certificates.

Comodo went public with details of the attack on Thursday and is cooperating with Italian police and the U.S. Federal Bureau of Investigation on the case, but that has not deterred Ich Sun.

These attacks highlight weaknesses in a widely used part of the Internet's security infrastructure, but they also provide a glimpse into the shadowy nature of Internet crime. Nobody knows exactly who Ich Sun is, or what his (or her, or their) true motives might be.

Ich Sun said he broke into Comodo Italy using a very common database attack known as SQL injection. He entered data into Web-based forms that tricked the back-end database into running commands that should have been prohibited. He then took advantage of another flaw to get remote access to this system and was eventually in control of the servers used by two Comodo Italy websites: GlobalTrust.it and InstantSSL.it. He said he found a password hard-coded into a file on one of the systems that ultimately allowed him to issue the digital certificates.
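The article describes the attack only in general terms: form input that the back-end database executed as part of a query. The following example, added here and not code from the article or from Comodo, shows the defect class beside its fix. It uses a constructed in-memory SQLite table with made-up accounts; the table layout, the `login_*` functions and the sample injection string are assumptions for illustration, not anything from the Comodo Italy systems.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    # Constructed sample table standing in for a registration authority's
    # user store. Names and passwords are invented for this example.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT, password TEXT, can_issue INTEGER)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "correct-horse", 1), ("bob", "battery-staple", 0)],
    )
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    # Form values are spliced into the SQL text, so the database cannot
    # distinguish the developer's query from attacker-supplied data.
    # This is the defect class the article calls SQL injection.
    query = (
        "SELECT username FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_parameterized(conn: sqlite3.Connection, username: str, password: str):
    # Bound parameters keep the query shape fixed: the input is compared
    # as a value and is never parsed as SQL, whatever characters it holds.
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


# Constructed textbook payload: closes the password literal and appends an
# always-true clause, so the vulnerable query matches the first row.
CONSTRUCTED_INJECTION = "' OR '1'='1"


def demo() -> dict:
    # Runs both versions against an honest login and the constructed payload.
    conn = build_db()
    return {
        "vulnerable_honest": login_vulnerable(conn, "alice", "correct-horse"),
        "vulnerable_injected": login_vulnerable(conn, "nobody", CONSTRUCTED_INJECTION),
        "parameterized_honest": login_parameterized(conn, "alice", "correct-horse"),
        "parameterized_injected": login_parameterized(conn, "nobody", CONSTRUCTED_INJECTION),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

With the string-built query, the payload turns the `WHERE` clause into `username = 'nobody' AND password = '' OR '1'='1'`, which is true for every row, so the function returns a valid account without a valid password. The parameterized version returns nothing for the same input because the quote characters are just bytes inside a bound value. The separate defect the article mentions, a password hard-coded in a file on the server, is not a query problem at all and has to be addressed by keeping secrets out of deployed files, typically in an access-controlled secret store, so that a foothold on a web server does not become signing authority.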
