In a recent cyber attack, nine secure sockets layer (SSL) certificates across seven domains were fraudulently obtained from a registration authority (RA) affiliated with the Comodo SSL Certification Authority (CA). Comodo issued an incident report on March 15, 2011, stating that all nine certificates, which covered domains of Mozilla, Firefox, Yahoo and others, had been revoked. The RA account in question was suspended pending further forensic investigation.
Web security expert Phillip Hallam-Baker stated on a Comodo blog that the "attacker obtained the user name and password of a Comodo Trusted Partner in Southern Europe." He added that the information was used "to log in to the particular Comodo RA account and effect the fraudulent issue of the certificates. ... While the involvement of two IP addresses assigned to Iranian ISPs is suggestive of an origin, this may be the result of an attacker attempting to lay a false trail."
Comodo's incident report provided an interpretation of the attack. "The circumstantial evidence suggests that the attack originated in Iran," the report stated. "The perpetrator has focused simply on the communication infrastructure, not the financial infrastructure as a typical cyber-criminal might. The perpetrator has executed its attacks with clinical accuracy."
Comodo founder and Chief Executive Officer Melih Abdulhayoglu said the attack targeted the "Authentication" layer of the Internet and "what is being obtained would enable the perpetrator to intercept web-based email/communication."
SSL, considered the most popular security protocol on the Internet, relies on digital certificates issued by third-party CAs to enable web browsers to establish secure Internet connections with authentic websites.
"Being in that kind of a position at an ISP and trying to fraudulently obtain certificates for some of these social media services and communications services, that's definitely a strong indication of somebody wanting to get in the middle of the communications between two points, somebody using that service and the provider of that service," said Brian Trzupek, Vice President of Managed Identity and SSL for Trustwave.
Trzupek further stated that, in this case, "it definitely seems like the attack was more coordinated from one geographic region, specifically one ISP within that country. And at the ISP level you have more controls over what you can do on the network if you're trying to fraudulently do something, because you're controlling the network for that country, in effect."
According to Comodo, circumstances surrounding the incident suggest the motive of the attack was not financial. "To make use of the fraudulently issued certificates, the perpetrator would have to have the ability to direct Internet users to their fake sites rather than the legitimate ones. This in turn requires control of the DNS [domain name system] infrastructure, which requires government-level resources to achieve on a large scale or for an extended period," Comodo reported.
While the payments industry was spared this time, future attacks could penetrate further. In this case the fraud was detected early, but according to Trzupek, Google Inc. indicated the same login credentials could be used for some payment services on the Google network. Trzupek added that in Mozilla's case, organizations with financial plug-ins that work with Firefox could also be compromised.
Following the Comodo incident, members of the CA/Browser Forum, an organization of leading CAs and certain application software suppliers that publishes guidelines for the standardized issuance and management of extended validation certificates, held discussions on preemptive measures to prevent future attacks.
"We just had a call last week, and it's mostly confidential information, but everybody that's there is completely interested in what has happened here," said Trzupek, who is a member of the forum. "One of the good things here is that it's caused a lot of us CAs to communicate about things that I don't think people have communicated about much in the past. There's a broader sense of us communicating and working together as a more secure network of individuals, instead of working in silos and trying to shield that from each other."
Comodo, too, has forged ahead with its own security efforts, reporting that new controls have been introduced in the wake of this latest threat to the authentication platform. "The threat model is changing, and Comodo had already initiated a proposal for new standards in 2010, which would help mitigate some of these attacks," Abdulhayoglu said.