Diginotar hacker releases conclusive proof

THE IRANIAN HACKER who claims to be responsible for the Diginotar certificate authority (CA) compromise has released a file signed with the rogue Google certificate in order to prove that he knows the certificate authority’s private key.

The Diginotar hack has raised serious questions about the reliability of the current online trust infrastructure and will probably lead to significant changes in its design. The fact that the same individual is probably responsible for at least three confirmed CA compromises came as a shock to the information security community.

Many people doubted the person known as the Comodo hacker when he announced a few days ago that he was behind the attacks against Diginotar, StartCom and GlobalSign as well as three other undisclosed CAs. But the attacker has just released a copy of calculator.exe signed with the rogue Google certificate in order to prove the validity of his claims.

“In case of Comodo there was also so many stupids who never beleived [sic] it, I don’t have time, this time, to negotiate it. I signed windows calculator using Google Cert, you have to have private key of cert to be able to sign calculator. It’s enough reason/proof,” he wrote.

He also took the time to make other clarifications about the attack, including the fact that he acted alone. This somewhat conflicts with the defacement messages found on Diginotar’s website last week that mentioned Extrance Digital Security Team, Iranian hackers, or the Federal-Attack Team.

The hacker claims he has around 300 code signing certificates and a lot more SSL certificates that can also be used for the same purpose. These certificates can be used to sign malware code and bypass security checks performed by some versions of Windows.

Surprisingly, despite being the one who generated the rogue *.google.com certificate, the hacker doesn’t consider himself responsible for the Iranian man-in-the-middle attacks that used it. “If someone in Iran used certs I have generated, I’m not one who should explain,” he said.

According to a report released by Fox-IT, the company that investigated the incident, almost 300,000 unique IP addresses queried the OCSP (Online Certificate Status Protocol) responder operated by Diginotar when trying to access Google.

This means those clients had been served with the rogue certificate instead of the real one. Over 99 per cent of the requests originated in Iran and the rest were Tor exit nodes, probably used by Iranian users trying to avoid censorship.

The hacker reiterated that one of the four CAs he currently has access to is GlobalSign. Following the original announcement the company suspended its certificate issuing operations and launched an internal investigation. It has yet to release its findings.

Article source: http://feeds.theinquirer.net/c/554/f/7127/s/180f99c7/l/0L0Stheinquirer0Bnet0Cinquirer0Cnews0C210A7360A0Cdiginotar0Ehacker0Ereleases0Econclusive0Eproof0DWT0Brss0If0F0GWT0Brss0Ia0FDiginotar0Khacker0Kreleases0Kconclusive0Kproof/story01.htm
