Communications providers should be on alert following an attack on a digital certificate issuer that targeted them, a leading anti-virus researcher warned.
Comodo, a US company that issued digital SSL certificates used by websites to validate their identity to visitors, said last Wednesday that it mistakenly issued nine fraudulent certificates for big-name sites such as Google, Yahoo!, Skype and Microsoft's Hotmail. They could have allowed attackers to set up fake versions of the sites to collect usernames and passwords, or read users' email messages, researchers have warned.
Comodo said it had evidence that the attack was state-sponsored and some speculated that Iranian Government hackers launched the attack to aid monitoring of its citizens.
And the websites that attackers targeted indicated something about their motive, said Mikko Hypponen, chief research officer at anti-virus firm F-Secure.
By gaining access to Comodo's certificate generation system, the attackers could have issued as many certificates as they wanted for any website in the world. They generated nine, not for banks or online retailers, but for communications providers.
“They weren't interested in stealing money, they were interested in reading email and collecting logins,” Hypponen said.
“And that would point to a nation that wants to snoop on its own people.”
The origin of the attack was traced to IP addresses, mainly from Iran, Comodo wrote on its website. The attacker gained entry to Comodo's systems after obtaining the username and password of an employee at one of the company's European resellers. Hackers used the credentials to log into Comodo's systems and issue the fraudulent certificates.
“The attack was very clinically executed and cleanly carried out,” said Comodo chief executive officer Melih Abdulhayoglu.
“They did not have the telltale signs of cybercriminals. We have come to the conclusion that this isn't a typical cybercriminal, it is a state-sponsored attack.”
Abdulhayoglu added that the attackers could have been using proxy servers in Iran to disguise their location.
“Whether it is Iran or someone else, I can't say for sure, but it is most definitely state sponsored,” he said.
Although the attacker requested nine certificates, Comodo is uncertain whether all were issued. At least one was issued, but all certificates were revoked immediately on discovery. In addition, Microsoft has issued a Windows update to protect against the fraudulent digital certificates.
Moreover, the certificates would have been useless unless the attackers also had the ability to modify the domain name server (DNS) infrastructure to direct users to the phony sites associated with the fraudulent certificates, Abdulhayoglu said. Still, governments with control over communication companies would likely have access to the DNS infrastructure.
Comodo has instituted new controls "in the wake of this new threat to the authentication platform," Abdulhayoglu said. The company is still investigating the incident and has involved federal law enforcement agencies.
But Hypponen questioned the security of Comodo's certificate generation system in light of the incident.
“The way they allow their resellers to issue certificates doesn't sound very secure,” Hypponen said. “All resellers are allowed to issue certificates without any checks.” He suggested that extra precautions be taken when certificates are requested for high traffic sites.
Others have said the entire SSL certification system is flawed. Ivan Ristic, director of engineering at vulnerability management and compliance firm Qualys, said there were “many layers of problems” with SSL issuance starting with the hundreds of certificate authorities, any one of which can issue a certificate for any domain name.
“I am glad, in a way, that this is happening,” he said. “It will direct people's attention to the problem and speed up the ways to fix it.”
He said the Domain Name System Security Extensions (DNSSEC), a set of Internet Engineering Task Force extensions that provide authentication of DNS data, would help. It would then be possible to specify, for each domain name, a certificate from a particular authority, he said.
DANE, a system that put encrypted keys in secure domain name servers and was deployed in top-level domains, was another candidate.
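As an added illustration of the DANE approach mentioned above (example code written for this page, not part of the original article or of any project), the check below parses a TLSA record and verifies a presented certificate against it, so that a certificate a trusted CA misissued still fails because it does not match what the domain owner published. The certificate bytes and the TLSA record are constructed samples; the field meanings follow RFC 6698, and the record is assumed to have come from a DNSSEC-validated lookup.

```python
import hashlib
import struct
from dataclasses import dataclass

# Constructed stand-ins for DER bytes (not real certificates); in practice the
# certificate comes from the TLS handshake and the TLSA record from DNSSEC.
SPKI_DER = b"constructed-SPKI-of-legitimate-server"
CERT_DER = b"constructed-leaf-cert-of-legitimate-server" + SPKI_DER
ROGUE_SPKI_DER = b"constructed-SPKI-of-cert-misissued-by-a-trusted-CA"
ROGUE_CERT_DER = b"constructed-misissued-leaf-cert" + ROGUE_SPKI_DER

@dataclass(frozen=True)
class TLSA:
    usage: int          # RFC 6698: 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int       # 0 = full certificate, 1 = SubjectPublicKeyInfo
    matching_type: int  # 0 = exact, 1 = SHA-256, 2 = SHA-512
    data: bytes         # certificate association data

def parse_tlsa_rdata(rdata: bytes) -> TLSA:
    """TLSA RDATA wire format: three one-byte fields, then association data."""
    if len(rdata) < 4:
        raise ValueError("TLSA RDATA too short")
    usage, selector, mtype = struct.unpack("!BBB", rdata[:3])
    return TLSA(usage, selector, mtype, rdata[3:])

def association_matches(rec: TLSA, cert_der: bytes, spki_der: bytes) -> bool:
    """Compare the record's association data against the presented leaf."""
    selected = {0: cert_der, 1: spki_der}.get(rec.selector)
    if selected is None:
        return False  # unknown selector: unusable record, never a match
    digest = {0: lambda b: b, 1: lambda b: hashlib.sha256(b).digest(),
              2: lambda b: hashlib.sha512(b).digest()}.get(rec.matching_type)
    return digest is not None and rec.data == digest(selected)

def dane_accepts(records, cert_der, spki_der, pkix_valid) -> bool:
    """EE usages only: 1 also needs PKIX validity, 3 does not; TA usages 0/2 need the chain and are skipped."""
    for rec in records:
        if rec.usage == 1 and not pkix_valid:
            continue
        if rec.usage in (1, 3) and association_matches(rec, cert_der, spki_der):
            return True
    return False

# The domain owner publishes a DANE-EE record pinning the SHA-256 of its SPKI.
GOOD_RDATA = bytes([3, 1, 1]) + hashlib.sha256(SPKI_DER).digest()

def check_legitimate() -> bool:
    return dane_accepts([parse_tlsa_rdata(GOOD_RDATA)], CERT_DER, SPKI_DER, True)

def check_misissued() -> bool:
    # Fraudulent but CA-signed: passes PKIX validation, yet fails the pinned association.
    return dane_accepts([parse_tlsa_rdata(GOOD_RDATA)], ROGUE_CERT_DER, ROGUE_SPKI_DER, True)
```

A real client would also need to handle the trust-anchor usages by walking the chain and would be the DNSSEC validation failure as a hard error rather than falling back to plain PKIX.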