
March 28th, 2011, 07:57 GMT · By

Serious Doubts Cast Over Comodo's State-Sponsored Attack Hypothesis

Hacker claims he forged Comodo digital certificates alone
The Comodo digital certificate theft plot thickens as lone Iranian hacker claims to be responsible for the compromise and offers evidence.

The security world was taken by storm last week when it was revealed that someone managed to obtain fake digital certificates for high-profile domains from Comodo.

The company, which is a Certification Authority (CA) trusted by default by all browsers and operating systems, said the hackers abused credentials stolen from one of its resellers.

It also pointed the finger at the Iranian government for being behind the attack, based on the fact that one rogue certificate was temporarily spotted on a server in Iran and the attackers connected from an Iranian IP address.

However, on Saturday, someone posted a message on pastebin.com claiming to be the hacker behind the compromise and blasting Comodo and the media for advancing the government-sponsored attack hypothesis.

The hacker describes himself as a 21-year-old Iranian student and, judging by his message, he is very patriotic, though more in a spiritual than a political sense.

He does, however, issue threats in his open letter, calling Microsoft, Google and Mozilla his new enemies for updating their software "as soon as instructions came from CIA" and warning that "I'll do it again, but this time nobody will notice it."

He also advises Iranian companies and activists that work against the state on the Internet to quit immediately because he will expose them.

To back up his claims the hacker published a second pastebin containing reverse engineered source code for a DLL file used by Comodo reseller GlobalTrust.it to request certificates.

Opinions are split in the security community about the validity of the hacker's claims. Mikko H. Hypponen, chief research officer at F-Secure, asked: "Do we really believe that a lone hacker gets into a CA, can generate any cert he wants... and goes after login.live.com instead of paypal.com?"

He later conceded, however, that whether the message came from a lone hacker or from someone connected to the Iranian government, the "pastebins look convincing."

Robert Graham, CEO of Errata Security and an experienced penetration tester, said that "I find it probable that (1) this is the guy, (2) he acted alone, (3) he is Iranian, (4) he's patriotic but not political."

Regarding the attack approach described by the hacker, he notes that "as a pentester who regularly does attacks like this, I can verify that the general details are correct."

Copyright © 2001-2012 Softpedia. Contact/Tip us at