March 25, 2011

Iranian Involvement Suspected In SSL Hack Attempt

Accusations were directed at hackers out of Iran for stealing identification data from a US computer security firm that would have allowed them to pass themselves off as popular websites such as Google, Yahoo, Microsoft and Skype.

Analysis into the attempted attack suggests that it originated and was coordinated via Iranian servers. The impersonation of the sites would have let the hackers trick web users into thinking they were accessing the real services.

"The incident got close to, but was not quite, an Internet-wide security meltdown," Electronic Frontier Foundation senior staff technologist Peter Eckersley said in a message posted to his company's website.

The Secure Sockets Layer (SSL) was the security system exposed by the attack. SSL acts as a guarantee of identity, so users can trust that the site they are on is actually the site they intended to visit. That guarantee takes the form of a digital passport known as a certificate, issued by a third party that browsers are built to trust.

The US Computer Emergency Readiness Team warned that the fraudulent SSL certificates could have been "used by an attacker to masquerade as a trusted website."

It was apparent that the attackers were able to get access to the computer systems of one firm that issues such certificates, allowing them to obtain fake certificates that would have let them impersonate several big Internet companies.

Comodo, one of the largest certificate authorities (CAs) on the web, was the firm attacked in the latest attempt. Hackers using computers with addresses in Iran posed as a European affiliate of New Jersey-based Comodo on March 15 in an attempt to obtain the certificates.

In an online statement, Comodo said: "The attacker was well prepared and knew in advance what he was to try to achieve … He seemed to have a list of targets that he knew he wanted to obtain certificates for."

Comodo said the attack came primarily from Iranian IP addresses, and that one fraudulent Yahoo certificate was briefly deployed on an Iranian web server.

Comodo said the bogus certificates have been revoked and it was looking into ways of improving security at its partner firms.

Browsers have also been updated so that anyone visiting a website presenting one of the fake certificates will be warned.

"These certificates may be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks against all Web browser users including users of Internet Explorer," Microsoft said in a security advisory.

The attack posed a "dire risk to internet security," Eckersley said in his message post. "We urgently need to start reinforcing the system that is currently used to authenticate and identify secure websites and e-mail systems."

Jacob Appelbaum, posting on the Tor Project's blog, said there needs to be a better way to cross-check what CAs do, to provide defense and ensure that a private-key compromise at a major CA does not lead to an Internet-wide cryptography meltdown, and that our software does not need to trust all of the CAs, for everything, all of the time.
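As an added example that is not part of this article and not code from Comodo, the EFF or the Tor Project, the script below shows two of the defenses described above in working form: the browser-style blocklist of known-fraudulent certificates (matched by SHA-256 fingerprint), and a per-host public-key pin, which is one concrete way of not trusting every CA for every site. A pinned client rejects a certificate for the host that carries an unexpected public key even when its signature chain is valid, which is exactly the case a mis-issued certificate presents. The certificates, keys, hostname and serial numbers are constructed inside the script with a minimal DER encoder so that it runs offline; they carry no real signature and are not the certificates from the incident.

```python
import hashlib

# --- minimal DER encoder, used only to construct the sample certificates ---

def der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_len(len(body)) + body

def seq(*parts: bytes) -> bytes:
    return tlv(0x30, b"".join(parts))

def integer(n: int) -> bytes:
    # one extra byte when needed so the sign bit stays clear (DER INTEGER is signed)
    return tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))

def make_cert(serial: int, issuer: str, subject: str, pubkey: bytes) -> bytes:
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }.
    Only the fields the checks below read are meaningful; the signature is a
    placeholder, so this is a constructed sample, not a verifiable certificate."""
    alg = seq(tlv(0x06, bytes.fromhex("2a864886f70d01010b")))  # sha256WithRSAEncryption
    cn_oid = tlv(0x06, bytes.fromhex("550403"))                  # id-at-commonName
    def name(cn: str) -> bytes:                                  # Name -> SET -> SEQUENCE{OID, value}
        return seq(tlv(0x31, seq(cn_oid, tlv(0x0C, cn.encode()))))
    validity = seq(tlv(0x17, b"110315000000Z"), tlv(0x17, b"120315000000Z"))
    spki = seq(alg, tlv(0x03, b"\x00" + pubkey))                 # SubjectPublicKeyInfo
    tbs = seq(tlv(0xA0, integer(2)), integer(serial), alg, name(issuer), validity, name(subject), spki)
    return seq(tbs, alg, tlv(0x03, b"\x00" * 9))

# --- minimal DER reader, enough to walk the certificate built above ---

def der_read(buf: bytes, pos: int = 0):
    """Return (tag, body, position just after this TLV)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(body: bytes) -> list:
    out, pos = [], 0
    while pos < len(body):
        tag, inner, pos = der_read(body, pos)
        out.append((tag, inner))
    return out

def common_name(name_body: bytes) -> str:
    rdn = der_children(name_body)[0][1]      # first (only) SET in the Name
    attr = der_children(rdn)[0][1]           # AttributeTypeAndValue SEQUENCE
    return der_children(attr)[1][1].decode() # its value is the CN string

def cert_fields(der: bytes) -> dict:
    """Serial number, subject CN and SPKI SHA-256 of a DER certificate."""
    tbs = der_children(der_read(der)[1])[0][1]
    f = der_children(tbs)
    i = 1 if f[0][0] == 0xA0 else 0          # skip the optional [0] version field
    spki_tag, spki_body = f[i + 5]
    return {
        "serial": int.from_bytes(f[i][1], "big"),
        "subject_cn": common_name(f[i + 4][1]),
        # hash the whole SPKI TLV, which is what public-key pins are computed over
        "spki_sha256": hashlib.sha256(tlv(spki_tag, spki_body)).hexdigest(),
    }

def fingerprint(der: bytes) -> str:
    return hashlib.sha256(der).hexdigest()

def check_certificate(host: str, der: bytes, blocklist: set, pins: dict) -> tuple:
    """Checks a client runs after ordinary chain validation.  Returns (accept, reason)."""
    if fingerprint(der) in blocklist:
        return False, "fingerprint is on the distrusted-certificate list"
    info = cert_fields(der)
    if info["subject_cn"] != host:
        return False, f"subject {info['subject_cn']!r} does not match {host!r}"
    expected = pins.get(host)
    if expected is not None and info["spki_sha256"] not in expected:
        return False, "public key does not match the pin for this host"
    return True, "accepted"

# --- constructed sample data: placeholder keys, hostname and serial numbers ---
GENUINE_KEY = b"placeholder-genuine-server-key-bytes"
ROGUE_KEY = b"placeholder-attacker-generated-key"
HOST = "mail.example.com"
genuine = make_cert(0x1001, "Example Root CA", HOST, GENUINE_KEY)
rogue = make_cert(0x2002, "Example Reseller CA", HOST, ROGUE_KEY)   # mis-issued for the same host

PINS = {HOST: {cert_fields(genuine)["spki_sha256"]}}   # pin recorded from the genuine certificate
BLOCKLIST = {fingerprint(rogue)}                        # the kind of entry a browser update ships

if __name__ == "__main__":
    print(check_certificate(HOST, genuine, set(), PINS))
    print(check_certificate(HOST, rogue, set(), PINS))     # rejected by the pin alone
    print(check_certificate(HOST, rogue, BLOCKLIST, {}))   # rejected by the blocklist alone
```

The two checks are independent on purpose: the blocklist only helps once a specific bad certificate is known and an update has reached the client, while the pin rejects any certificate for the host that was not issued for the expected key, known in advance or not. Real deployments compute the SPKI hash from a parsed X.509 certificate rather than from this hand-built structure, but the comparison logic is the same.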

The Electronic Frontier Foundation's website has more information on this latest story. See https://www.eff.org/deeplinks/2011/03/iranian-hackers-obtain-fraudulent-https to read more.