THE IRANIAN HACKER who previously broke into the network of a reseller of the certificate authority (CA) Comodo and issued rogue certificates for high-profile domains has claimed responsibility for the July breach at Diginotar, which had similar consequences.
In a message posted from a Pastebin account used in March to release details about the Comodo compromise, the hacker claimed the Diginotar attack was retribution for the Dutch military’s failure to protect Srebrenica during the Bosnian War.
“When the Dutch government exchanged 8000 Muslims for 30 Dutch soldiers and animal Serbian soldiers killed 8000 Muslims on the same day, the Dutch government has to pay for it; nothing has changed, just 16 years have passed,” the hacker wrote.
“The Dutch government’s 13 million dollars, which it paid for DigiNotar, will have to go DIRECTLY into the trash; it’s what I can do from KMs away,” he added.
The hacker also claimed responsibility for the June cyber intrusion at Startcom CA, which resulted in the temporary suspension of certificate signing. The company’s CTO said at the time that hackers unsuccessfully tried to issue certificates for www.google.com, login.yahoo.com, login.skype.com, login.live.com and mail.google.com.
The Comodo hacker claimed that only luck saved Startcom CA from a fate similar to Diginotar’s. He also said that he has access to four more high-profile CAs that he will not name, except for Globalsign.
As for the Diginotar hack, he claimed to have exploited many zero-day vulnerabilities to compromise the company’s systems, as well as to bypass its nCipher netHSM, its hardware keys and its RSA certificate manager. He promised to return with more details later.
The Iranian hacker, who previously declared himself faithful to his country’s government and spiritual leader, warned that the most sophisticated hack of the year is yet to come and that more rogue certificates should be expected. As proof that he is behind the Diginotar breach, the hacker published the alleged password for the domain administrator account on the Dutch company’s network.
If all the hacker’s claims are true – and he is not known to have lied so far – then the public key infrastructure is in very bad shape and in dire need of an overhaul. Many security experts seem to endorse a technology proposed by the security researcher who uses the alias Moxie Marlinspike.
Called Convergence, this solution uses network perspectives to validate certificates and could entirely replace the CA model. It lets browsers compare the certificate they receive from a site against the ones that independent third-party notary servers fetch from the same domain. If there is a mismatch, a man-in-the-middle attack is most likely in progress.
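To make the notary comparison concrete, here is an added illustration (not code from the article or from the Convergence project) of the client-side check: the fingerprint of the certificate the browser received is compared with the fingerprints independent notaries observed for the same host, and the client accepts or flags a likely man-in-the-middle under a chosen trust policy. The certificate bytes, notary names and the two policies are constructed assumptions for the demo.

```python
import hashlib
from dataclasses import dataclass


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint (hex) of a DER-encoded certificate."""
    return hashlib.sha256(der_cert).hexdigest()


@dataclass
class NotaryObservation:
    notary: str
    fingerprint: str  # what this notary saw when it fetched the site's cert itself


def convergence_verdict(received_der: bytes, observations, policy="majority"):
    """Compare the certificate the client received against what independent
    notaries observed for the same host. Returns (accept, reason).

    'majority': accept if more than half of the notaries saw the same cert.
    'consensus': accept only if every notary saw the same cert (stricter; a
    single notary on a different network path can block acceptance).
    Note: notaries only help if their network vantage points differ from the
    client's; an attacker sitting in front of the site itself is not detected.
    """
    seen = fingerprint(received_der)
    if not observations:
        return False, "no notary responses; cannot validate"
    agree = [o.notary for o in observations if o.fingerprint == seen]
    disagree = [o.notary for o in observations if o.fingerprint != seen]
    if policy == "consensus":
        ok = not disagree
    else:
        ok = len(agree) > len(observations) / 2
    if ok:
        return True, f"{len(agree)}/{len(observations)} notaries agree with received cert"
    return False, f"mismatch reported by {disagree}: possible man-in-the-middle"


# Constructed stand-ins for DER certificates (real DER would be ASN.1 bytes).
GENUINE_CERT = b"constructed: genuine certificate for www.example.com"
ROGUE_CERT = b"constructed: rogue certificate from a compromised CA"

# Three notaries that fetched www.example.com over their own network paths.
HONEST_NOTARIES = [NotaryObservation(f"notary{i}", fingerprint(GENUINE_CERT)) for i in range(3)]
# Same, but one notary's path also goes through the interceptor.
MIXED_NOTARIES = HONEST_NOTARIES[:2] + [NotaryObservation("notary2", fingerprint(ROGUE_CERT))]
```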
The security community is waiting for Diginotar, or the Dutch government, which now has control over the company, to confirm or deny the validity of the administrative credentials the hacker shared.