
Hackers target Google, Skype with rogue SSL certificates

Tony Bradley | March 24, 2011
In root authority breach, fraudulent Comodo SSL certificates were created in a suspected state-sponsored attack by Iran

FRAMINGHAM, 24 MARCH 2011 - Comodo's tag line is "creating trust online." That may be true most of the time, but after an attack resulted in nine fraudulent SSL certificates -- targeting domains like Google, Yahoo, Skype, and Windows Live -- it might be wise to trust Comodo a little less.

A statement from Comodo explains that a root authority (RA) was breached. The attacker created a user account and used the fraudulent account to issue nine rogue SSL certificates spanning seven different domains. The Comodo statement reads, "The attacker was well prepared and knew in advance what he was to try to achieve. He seemed to have a list of targets that he knew he wanted to obtain certificates for, was able quickly to generate the [requests] for these certificates and submit the orders to our system so that the certificates would be produced and made available to him."

Comodo stresses that all nine certificates were revoked immediately upon discovery of the attack, and it has not detected any attempts to use the certificates after they were revoked. Comodo believes the attack originated in Iran, and based on the target domains, it may be a state-sponsored attempt to hack Web mail accounts of political dissidents.

Oliver Lavery, director of security research at nCircle, shared some thoughts about the attack. "What I find fascinating about this attack is the choice of domains because they aren't useful unless you have control of the DNS infrastructure." Lavery goes on to explain that a country like Iran does have control of the DNS infrastructure within its boundaries to an extent and speculates that this attack could have been executed with the intent to intercept encrypted Internet communications.

The login.live.com domain used for logging in to Windows Live accounts was one of the domains compromised by the rogue Comodo certificates. Microsoft has issued a security advisory and released a mitigation update to update the certificate revocation list on Windows PCs and prevent them from accepting the fake SSL certificates as legitimate.
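The advisory's mitigation works because a client that checks revocation rejects a certificate even though its signature chain is still perfectly valid. The example below, added here and not code from the article, Comodo or Microsoft, shows the two separate checks a client needs: the chain-and-hostname check that every TLS stack performs, and the CRL check that only helps once the client has a fresh, correctly signed list. It builds a throwaway in-memory CA, issues a server certificate for the placeholder name `login.example.test`, and puts that certificate's serial number on a CRL; all keys, names and serials are constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// DemoPKI is a constructed, in-memory PKI used only for this example:
// one CA, one server certificate it issued, and a CRL it signed.
type DemoPKI struct {
	CA     *x509.Certificate
	Leaf   *x509.Certificate
	CRLDER []byte
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// BuildDemoPKI issues a certificate for hostname (a placeholder, not a real
// domain) and, if revokeLeaf is set, lists its serial number on the CA's CRL.
func BuildDemoPKI(hostname string, revokeLeaf bool, now time.Time) DemoPKI {
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Demo Root CA (constructed)"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		// CRLSign is required before this CA may sign a revocation list.
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	// Parse the DER back so the CA object carries the generated SubjectKeyId.
	ca := must(x509.ParseCertificate(must(x509.CreateCertificate(
		rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))))

	leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(4242), // constructed serial
		Subject:      pkix.Name{CommonName: hostname},
		DNSNames:     []string{hostname},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf := must(x509.ParseCertificate(must(x509.CreateCertificate(
		rand.Reader, leafTmpl, ca, &leafKey.PublicKey, caKey))))

	// The CRL the CA publishes after discovering the bad issuance.
	crlTmpl := &x509.RevocationList{
		Number:     big.NewInt(1),
		ThisUpdate: now,
		NextUpdate: now.Add(24 * time.Hour),
	}
	if revokeLeaf {
		crlTmpl.RevokedCertificates = []pkix.RevokedCertificate{
			{SerialNumber: leaf.SerialNumber, RevocationTime: now},
		}
	}
	crlDER := must(x509.CreateRevocationList(rand.Reader, crlTmpl, ca, caKey))
	return DemoPKI{CA: ca, Leaf: leaf, CRLDER: crlDER}
}

// VerifyChain is the check every TLS client performs: the leaf chains to a
// trusted root and names the host. It says nothing about revocation, so a
// fraudulently issued but properly signed certificate passes it.
func VerifyChain(p DemoPKI, hostname string, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(p.CA)
	_, err := p.Leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: hostname, CurrentTime: now})
	return err
}

// IsRevoked is the check that depends on fresh data from the CA: confirm the
// CRL is signed by the expected issuer and not stale, then look for the leaf's
// serial number on it. A stale CRL is an error, not a pass.
func IsRevoked(p DemoPKI, now time.Time) (bool, error) {
	crl, err := x509.ParseRevocationList(p.CRLDER)
	if err != nil {
		return false, err
	}
	if err := crl.CheckSignatureFrom(p.CA); err != nil {
		return false, errors.New("CRL is not signed by the expected CA")
	}
	if now.After(crl.NextUpdate) {
		return false, errors.New("CRL is stale; do not treat the certificate as good")
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(p.Leaf.SerialNumber) == 0 {
			return true, nil
		}
	}
	return false, nil
}
```

The point of running both functions on the same certificate is that `VerifyChain` succeeds before and after revocation; only `IsRevoked`, fed the updated list, catches it. That is exactly why the article's mitigation is an update to the revocation list on the client rather than anything in the certificate itself, and why a client that never refreshes its CRL (Go's `crypto/tls`, for instance, does no CRL or OCSP lookup on its own) keeps trusting a revoked certificate until its validity period ends.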

In the wake of the hack against the RSA network, which breached sensitive information related to the SecurID tokens used by millions to provide two-factor authentication and prevent unauthorized access, the compromise of Comodo SSL certificates is concerning. We all know attackers are out there and must take steps to protect our PCs and our data. But if two of the most trusted names in providing that security get compromised in the same week, it leaves you feeling a little hopeless and outgunned.

 
