He claims to be 21 years old, a student of software engineering in Tehran who reveres Ayatollah Ali Khamenei and despises dissidents in his country.
He sneaked into the computer systems of a security firm on the outskirts of Amsterdam. He created fake credentials that could allow someone to snoop on Internet connections that appeared to be secure. He then shared that bounty with people he declines to name.
The fruits of his labor are believed to have been used to tap into the online communications of as many as 300,000 unsuspecting Iranians this summer. What’s more, he punched a hole in an online security mechanism that is trusted by millions of Internet users all over the world.
Comodohacker, as he calls himself, insists he acted on his own and is unperturbed by the notion that his work may have been used to spy on antigovernment compatriots.
“I’m totally independent,” he said in an e-mail exchange with The New York Times. “I just share my findings with some people in Iran. They are free to do anything they want with my findings and things I share with them, but I’m not responsible.”
In the annals of Internet attacks, this is likely to go down as a moment of reckoning. For activists, it shows the downside of using online tools to organize: an opponent with enough determination and resources just might find a way to track their every move.
It also calls into question the reliability of a basic system of trust that global Internet brands like Google and Facebook, along with their users, rely upon. The system is intended to verify the authenticity of a particular Web site – to ensure, in effect, that Gmail is Gmail, and that the connection to the site is encrypted and difficult for an outsider to monitor.
Hundreds of companies and government authorities around the world, including in the United States and China, have the power to issue the digital certificates that the system relies upon to verify a site’s identity. The same hacker is believed to be responsible for attacks on three such companies.
In March, he claimed credit for a breach of Comodo, in Italy. In late August came the attack on the Dutch company DigiNotar. On Friday evening, a company called GlobalSign said it had detected an intrusion into its Web site, but not into more confidential systems.
Armed with certificates stolen from companies like these, someone with control over an Internet service provider, like the Iranian authorities, could trick Internet users into thinking they were safely connected to a familiar site, while eavesdropping on their online activity.
Fearing the prospect of other breaches similar to those carried out by this hacker, Mozilla, the maker of the Firefox Web browser, last week issued a warning to certificate authority companies to audit their security systems or risk being booted off Firefox.
“It is a real example of a weakness in security infrastructure that many people assumed was trustworthy,” said Richard Bejtlich, the chief security officer of Mandiant Security in Alexandria, Va. “It’s a reminder that it is only as trustworthy as the companies that make up the system. There are bound to be some that can’t protect their infrastructure, and you have results like this.”
Comodohacker said via e-mail that he began his explorations by scrolling through a list of certificate authority companies. DigiNotar caught his interest because it was Dutch. He said he was motivated by the failure of Dutch peacekeepers to prevent the massacres of Muslims in Srebenica in 1995. He also said he chose the Dutch company because of a Dutch legislator, Geert Wilders, who has built a political career out of criticizing Muslims in his country.
DigiNotar, which is owned by an Illinois company called Vasco Data Security International, did not make the attack particularly difficult, according to a report by Fox-IT, a security company that was commissioned by the Dutch government to investigate. The company’s critical servers contained malicious software that should have been spotted by antivirus tools, the report said, and the servers related to certificates were all protected by just one weak password. DigiNotar did not respond to requests for comment last week.
There was fallout in the Netherlands as well. The government there said last week that it was widening its investigation into the breach in an effort to learn whether the private data of Dutch citizens, many of whom file income tax returns online, had been compromised.
Comodohacker apparently began poking around DigiNotar’s systems in early June, the Fox-IT report said. He gained control of the server in about 10 days and generated 531 fake certificates, including some for well-known sites like Google, Skype and Facebook, along with a few foreign intelligence sites. He shared them with a person or organization believed to have had control over dozens of Internet service providers and university networks in Iran – perhaps the government itself.
Fox-IT concluded that over the course of a month, 300,000 people were served up fake certificates produced by Comodohacker. E-mails, chats, user names and passwords could have been monitored, revealing who they were talking to and what they were planning.
Google on Thursday issued an unusual warning to its users in Iran, calling on them to change passwords and check if their e-mails were being forwarded to unfamiliar or suspicious addresses.
Word of the Google warning caught the attention of Jubeen Sharbaf, an Iranian in Toronto. He is not ignorant of the Iranian government’s attempts to spy on its people, he said via e-mail. “This was alarming though because Google is perceived to be very secure, and beside Skype it has been used for the line of communication within and outside Iran,” he said.
Comodohacker was plainspoken about his motivations.
“My country should have control over Google, Skype, Yahoo, etc.,” he said by e-mail. “I’m breaking all encryption algorithms and giving power to my country to control all of them.”
In the days since his attack was discovered, Comodohacker posted lengthy explanations on Pastebin, a sort of Internet bulletin board, of how he had penetrated the system of the Dutch firm and why, along with his e-mail address.
He has also boasted of his own skills, calling his work the “most sophisticated hack of all time,” and at one point exclaiming: “I’m really sharp, powerful, dangerous and smart!”
Mikko Hypponen, a security researcher with F-Secure Labs of Helsinki, said the hacker was “somebody who has skills, and he also has the old-school hacker mentality where he likes to boast.” Mr. Hypponen added: “If he were an intelligence analyst for the secret police he wouldn’t be doing this.”
Asked whether he was paid for his services, the hacker replied in broken English: “I don’t fight for my belief for award in this world.”
The e-mail he sent appears to have come from a computer in Russia, according to an independent security analyst who reviewed it. Comodohacker has either remotely taken control of someone’s computer in Russia, or he may not be an Iranian software engineer at all.
For NDTV Updates, follow us on Twitter or join us on Facebook
View full post on National Cyber Security » Computer Hacking
