Admins eHow SysAdmin Tips & Tricks

March 29, 2011

A response to ComodoHacker

Filed under: General, Security — admin @ 5:03 am

I have been following the news about the recent attack on Comodo, in which the attacker gained access to their certificate signing system. Today I found out that he has posted some comments about his attack and made some nonsensical claims, so I decided to write a response to him. Here it goes:

First of all, you claim you are only a 21-year-old kid. Are you kidding? The aim of the attack was to create certificates signed by Comodo CAs for mail.google.com, login.yahoo.com and so on, which can only be used for a man-in-the-middle attack. In fact, if you do not have access to the internet infrastructure in Iran, these certificates are of no use! Why would a 21-year-old kid want to do that? If you are interested in some signed certificates that cannot be used anywhere, next time send me an email; I will sign some certificates myself and send them back to you 🙂 It is very clear that this attack was done with the cooperation of Iran's government and the Iranian Revolutionary Guards and their cyber army, who have access to Iran's IT infrastructure.

Second, I agree that what you have done is impressive. It shows your budget and the size of your criminal organization for finding security holes on the internet. But you have not compromised anything fundamental or serious on the internet! Do you think the same trick you use on the Iranian people (I mean bragging about your power) will work on the rest of the world too? In fact, when I was 21 I could do better than you (your whole criminal organization). lol, I can send you some proof if you like.
Because you have signed fake certificates for Yahoo and Google, many people think you have hacked their systems and compromised their security! But people who know the field understand it has nothing to do with Google or Yahoo or the security of their systems. Everything is intact and secure.
The only companies who should be blamed are Comodo and their Italian partner, because of their weak security system, and I am sure they are already in a lot of trouble with the authorities 🙂

Third, you talk about breaking RSA 2048-bit keys and so on; it just makes me laugh. You cannot even break 16-bit RSA! lol
If you had the power to do that, there would have been no need to generate fake certificates from Comodo. You generated these fake certificates because you cannot decrypt the SSL traffic in Iran! You need fake signed certificates to do a man-in-the-middle attack. That by itself shows how weak you are. So come on, do not brag about your power. We all know that's a big lie.

Fourth, let's assume you gained access to Comodo's root CAs so you could sign the certificates yourself. I don't think there is any bigger achievement for you! You know what happens? In less than 24 hours all major browsers will update their software and revoke the certificates. As simple as that. So I recommend you waste your time on something better.

Fifth, I would personally like to thank you guys for doing this. What you did gained you nothing and showed your real face to the world. I am not going to get political in this post 🙂 but it had a lot of benefits for the security of the internet. I am sure the authorities are already working on implementing more secure and safe procedures to generate certificates and to check for revoked ones. Thank you.

And at last I would like to talk to the Iranian people: they are just trying to frighten you. They have not compromised anything serious on the internet. This attack shows they have nothing in hand. These fake certificates CAN NOT be used to decrypt SSL traffic. Always use encrypted VPN connections, and for email use SSL connections; Gmail is the best. Also, always use the latest versions of Google Chrome and Firefox for browsing the web. NEVER USE INTERNET EXPLORER! Not even version 9. And you will be safe 🙂

Here is the link to the hacker's statement: http://pastebin.com/74KXCaEZ
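The post makes three claims that are easier to see in code than in prose: a certificate signed by a CA the browser trusts is accepted without any warning (which is exactly what a man-in-the-middle needs), a certificate signed by a CA the browser does not trust produces the warning, and browsers close the hole by refusing the mis-issued certificates once vendors push an update. The Go program below is an added example written for this page; it is not code from the blog, from Comodo or from the attacker. It builds its own throwaway CAs and certificates locally (the CA names, the serial numbers and the choice of `mail.google.com` as the host name are constructed for the demonstration), verifies them the way a browser would with Go's standard `crypto/x509` verifier, models the browser-side revocation as a simple blocklist of serial numbers, and shows how pinning the site's public key catches a mis-issued certificate even before any blocklist arrives.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// ErrRevoked models the blocklist browser vendors pushed for the mis-issued serials (a plain set here).
var ErrRevoked = errors.New("certificate serial is on the revocation blocklist")

// sign issues tmpl under a fresh Ed25519 key, signed by parent (self-signed when parent is nil).
func sign(tmpl, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // local key generation failing is a programming error, not a runtime condition
	}
	if parent == nil {
		parent, parentKey = tmpl, key // self-signed root
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// newCA makes a self-signed CA valid for one day. Every CA in this example is constructed locally.
func newCA(name string) (*x509.Certificate, ed25519.PrivateKey) {
	return sign(&x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}, nil, nil)
}

// issueLeaf has a CA sign a server certificate for host. X.509 lets any CA sign for any
// name; only the verifier's trust store decides whether that signature counts for anything.
func issueLeaf(ca *x509.Certificate, caKey ed25519.PrivateKey, host string, serial int64) *x509.Certificate {
	cert, _ := sign(&x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: host},
		DNSNames: []string{host}, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}, ca, caKey)
	return cert
}

// verifyLikeBrowser mirrors what a browser does before showing the padlock: chain the leaf
// to a trusted root for the expected host name, then consult the blocklist.
func verifyLikeBrowser(leaf *x509.Certificate, host string, roots *x509.CertPool, blocklist map[string]bool) error {
	if _, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots}); err != nil {
		return err // this is the "untrusted certificate" warning the post refers to
	}
	if blocklist[leaf.SerialNumber.String()] {
		return ErrRevoked
	}
	return nil
}

// spkiPin hashes the SubjectPublicKeyInfo; a client that pins it rejects any other key even under a trusted signature.
func spkiPin(cert *x509.Certificate) [32]byte {
	return sha256.Sum256(cert.RawSubjectPublicKeyInfo)
}

type Result struct {
	ForgedErr, HomebrewErr, BlockedErr error
	ForgedPinOK                        bool
}

// RunScenario walks through the cases the post argues about and records each outcome.
func RunScenario() Result {
	const host = "mail.google.com" // name from the post; every certificate here is constructed locally
	trusted, trustedKey := newCA("Trusted Root (constructed)")
	home, homeKey := newCA("Home Desktop CA (constructed)")
	genuine := issueLeaf(trusted, trustedKey, host, 100) // the site's real certificate
	forged := issueLeaf(trusted, trustedKey, host, 101)  // mis-issued by the trusted CA under a different key
	homebrew := issueLeaf(home, homeKey, host, 102)      // signed by a CA no browser trusts
	roots := x509.NewCertPool()
	roots.AddCert(trusted)
	blocklist := map[string]bool{forged.SerialNumber.String(): true}
	return Result{
		ForgedErr:   verifyLikeBrowser(forged, host, roots, nil),       // nil: accepted silently, so a MITM would work
		HomebrewErr: verifyLikeBrowser(homebrew, host, roots, nil),     // UnknownAuthorityError: the browser warning
		BlockedErr:  verifyLikeBrowser(forged, host, roots, blocklist), // ErrRevoked once vendors ship the blocklist
		ForgedPinOK: spkiPin(forged) == spkiPin(genuine),               // false: pinning catches the wrong key early
	}
}

func main() {
	r := RunScenario()
	fmt.Printf("mis-issued: %v\nuntrusted CA: %v\nblocklisted: %v\npin match: %v\n", r.ForgedErr, r.HomebrewErr, r.BlockedErr, r.ForgedPinOK)
}
```

Run it with `go run`. The first line prints `<nil>`: the mis-issued certificate chains cleanly to a trusted root, which is why the post says such certificates are only useful to someone who can also sit in the traffic path. The second line is the verifier's UnknownAuthorityError, the same failure a browser turns into a warning when anyone signs a certificate for Google "at home". The third line shows the blocklist doing what the post expects browser updates to do, and the last line shows why a pinned key is the stronger defence: the forged certificate carries a different public key, so the pin fails regardless of who signed it.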

  • BatteRy

    great

  • Ali from Iran

    Thanks.
    I want to add some points.
    1- I am a professional programmer, and based on this hacker's code, no programmer would write code like that. The code shows an amateur coder with no knowledge of programming.
    2- Besides, there is no decompiler that can decompile #region directives.
    3- Moreover, the Iranian gov can sniff all SSL traffic in order to gain access to public and private keys. Why would somebody need fake certs for sniffing?
    4- This stupid guy tries to frighten the Iranian people in the way the Iran gov does. Last year they showed a new type of security camera that can recognize the face behind a mask. LOL! Now they want to show that they have full access to all SSL traffic in Iran.
    5- This guy is not a hacker. He is just a member of the Iranian Cyber Army with a mission to make us disappointed.

    thanks

  • Anonymous

    Thank you for your comment Ali, but I have to disagree with your point number 3. It is not possible to gain access to private keys by sniffing SSL traffic, and that's why SSL traffic is safe 🙂

  • Admin

    Ali has a good point about decompilers not being able to decompile #region directives. Perhaps the code was given to the hacker(s), an inside job? You be the judge!

  • Anonymous

    Unfortunately I am not an expert in the C# decompilation field, so I cannot be sure if this code is really a decompiled version or not.
    But I believe it doesn't matter. Let's say they can decompile a DLL which calls some APIs; so what?
    As I said in my post, they are trying the propaganda thing to frighten the people and say "look, we have the source code!" or prove they have hacked the Italian partner of Comodo. We already said OK, we accept that you did it 🙂
    But the point is that the whole thing has no use for them.
    It is just an alert for Comodo and other security companies to take security more seriously.
    The whole thing could have started by hacking the password of an email address inside the Italian company and a chain of other actions to gain access to the signing APIs, but they talk about breaking RSA 2048-bit; you know that's funny, lol.

  • Myself

    [Persian-language comment; the text was not preserved in this copy of the page.]

  • namnam

    Thanx mate. Great response to the stupid hacker. My response is better though! 🙂 http://pastebin.com/R8zBtL9a

  • namnam

    By the way, how do Google and Yahoo let their certificates be managed by an Italian company on a Windows server?
    The alarm would say WRANG! WRANG! Hacker Attack! And the guy is probably busy hooking up with a colleague after a bottle of wine that he had with his pasta! And probably the Gucci coat is more expensive than the server. :))

  • Anonymous

    That's the point I tried to explain: any certificate issuer company can issue a certificate for any domain. Even I can issue a certificate for Google on my home desktop, but the problem is that my signed certificate is not trusted by browsers and will give you the alarm. Comodo-signed certificates are trusted by browsers and won't give you an alarm.
    It has nothing to do with Google or Yahoo, but I don't know if legally they can sue Comodo for this incident or not.

  • Sa Ren19811981

    Hi everyone, I'm a Persian programmer and I assure you that the stupid hackers (Islamic Republic Cyber Army) just tell jokes.

    Just listen and have fun...

    Some years ago, Mahmud Ahmadi Nejad (president of this prison "Iran") said: a 13-year-old girl in her basement discovered nuclear energy!!!

    And what the hell must you hear from his freaky cyber army?

    Just jokes 😉

    Persians love to communicate with all the world, but this regime doesn't like that, because terrorism never likes friendship.

    Love you all, with hope for a free IRAN

  • Komodo

    When a tree starts to bear fruit, the neighboring gardeners begin throwing stones!

  • Gigi Hani

    tnx man for this post. Can I ask a question? Which firewall is good, and what is your recommendation?
    tnx a lot

  • Hidden

    And as a PS, add this reply in Persian, like he did:
    Khayat fadaye antar

  • saeed

    hi... I'm an Iranian. I'm sure the hacker has no relation to the Iran cyber army. Their way is different. The hacker thinks he has done a big deal because Western broadcasts tried to show it as a real threat. In fact they tried to scare us.
    Our gov keeps internet quality low, unlike Iran's 5-year plan. So if anyone here really wants to connect to the internet, use other gates.
    The only powerful hackers in Iran are the Iranian cyber army. I never saw them do anything against the Iranian people. The others (especially ICT) are weak; really weak. So anyone here can access anywhere. Otherwise Israel wouldn't try to transpire by a virus built for Windows!
    However, some of the hacker's reasons were right. The USA gov and Israel really try to interfere in Iran. Do you believe they boycott us for our own good?

  • Arash

    Actually they can. Right now they are using man-in-the-middle attacks via the ISPs.

  • Hamid Haghayegh

    Comodo says: Only SSL certificates have been hacked and the hacker(s) haven't gained the CSRs. Is it possible to decrypt the credentials via the SSL certificate only? As far as I know, servers require the certificate, CSR and private key for decrypting passwords.

    Thanks
    Hamid

  • Hossein

    You're kidding me? Man-in-the-middle wants access to internet infrastructure?! :)) I think you should really read more about this attack!
    I see many bugs in every paragraph of your article, but I can't write English well. Anyway, it's better that you look at this subject scientifically, not politically! 😉

  • mohem nist!

    He is Hossein Asgari! I'm sure you are stupid. Are you a hacker? HaHaHa!

  • Ordinary Iranian

    Hi Admin,
    I'm from Iran. As you and other bros said before, there is no access to the private key by a man-in-the-middle, but people don't know about that. An expert should write a paper about this that people can understand, and release it to be translated. Poor Iranian guys who are roamed by these kinds of brutes.

    Also I want to add that even if for 24 hours someone (the protest guys) falls into this kind of attack (man in the middle), it will blow up, since the protesters may know nothing about security. In this case a security alert is shown by the browser saying that this is not the cert owner, but they may proceed if they know nothing about security and encryption.

  • Guest

    Hi namnam,
    would you please help the Iranian protesters to have secure surfing and sharing on the net. As you may have heard, many many sites are blocked, and even the only hole in their blocking system (Opera Mini on mobiles) was found and they blocked GPRS packets from reaching the Opera servers. So they need secure and reliable knowledge and software to resist the GOV EVILS.

    Thanks in advance.

  • Sadasd

    The attack is not a complicated one. He simply hacked the email of one person and the rest is not difficult. Considering the password the guy was using, hacking it should not have been difficult.

    Also, making certificates for those sites seems completely reasonable to me. It might not seem so to you since you live outside Iran; if you were that guy you would probably create certificates for some financial institutions, but I wouldn't expect it from someone inside Iran; they are not used to electronic financial institutions (they don't even have credit cards!). Put yourself in the place of the guy: which sites would you create certificates for? The first thing that would come to mind is the most famous ones, and guess what those are.

    This is not a great hack; no advanced knowledge or anything was needed, it could have been done by a script kiddie (as is probably the case). The f***ing thing is that a CEO of a famous security company can use such a simple password for his email. I think Comodo is playing it up to make it a big thing so they are not criticized and their reputation is not trashed; it is much more reasonable to say the guy that f***ed them is a 4-meter-high giant than a small kid. This also shows that the certificate structure is fundamentally problematic: a hack in a small company can have great consequences. A more reasonable thing to do is to use multiple certificates created by independent CAs to decrease the possibility of a similar incident in the future.

  • namnam

    So, if the Iranian gov. buys a company that issues trusted certificates, can they fool browsers and sit in the middle of Gmail traffic?

  • Anonymous

    Sure, they need the internet infrastructure; in order to do it they have to change the DNS of those domains to their own server or simply grab the SSL session somewhere on their gateway.
    I have no political interest, I just hope for freedom for Iran and the Iranian people. They deserve it 🙂

  • Anonymous

    Yes, but if they do man-in-the-middle attacks on SSL sessions using unsigned certs, users will get a warning in their browser. That's why they tried to gain access to Comodo-signed SSL certs.

  • Anonymous

    I don't think they can buy such a company; these companies are very well known worldwide and trusted.
    But if they can buy one or bribe one to get the certificates, unfortunately the answer is yes. They can use the certs to do a man-in-the-middle attack.
    Although there are still solutions to prevent this and make sure a site's SSL certificate is authentic.

  • Anonymous

    Yes, they have not gained access to the private keys which are used to generate signed certificates; they have just generated some certificates using the Comodo API.
    With what they have gained they can NOT decrypt any authentic SSL traffic.

  • Lex

    Yes, and everyone gets those warnings in Iran, even for Iranian banks, but no one knows if it's because of an expired certificate, or man-in-the-middle, or both.

  • Anonymous

    If u get such a warning for Gmail or other well-known sites, then you should feel unsafe.
    I would recommend using VPN connections for higher security; it will make it more difficult (or almost impossible) to do such attacks on users who are connected by VPN.

  • Private

    I couldn't agree more with your response. The statement by the hacker was complete nonsense.
    Cheers to you bro.

  • Javan_Soft

    I hacked the Microsoft members DB
    DbName : DBMainMemers
    User :SaAdmin
    Pass:MynaAlll

    !!!
    is it correct?
    The hacker says a simple password, not a mixed password like JKHJ657jkh8is90d... so I think he wants to lie, but he told a bad lie...

    He is really 21 I think... he just wants to say "I'm a hacker... please believe me"

  • Qwryary

    You are really feeling a huge pain in your ass. Huh...!

  • Test

    nice information

  • Someone from Iran

    Rule#8: I’m slave of Rahbar.
    Go to hell with your Rahbar....

  • Dhvil

    He answered you dude! :D
    http://pastebin.com/u/ComodoHacker

  • Anonymous

    which part of his response is to me ?

  • Babak Memari

    Hi
    I am an Iranian. I am sure that somebody inside Comodo has sold some information to the government of IRAN. Please inform the FBI of this possibility.
    Babak Memari
    https://sites.google.com/site/babakmemariwebsite

  • There is a big problem with VPNs in Iran, and with almost anything else internet-related.

    First, you don't know if the VPNs are middlemen or not; I always assume they are.
    Then the whole ISP system is run by them, either directly, or companies are forced to help the gov or leave the business.
    Worse, only 2 infrastructures exist in Iran: one is run by TCI, absolutely governmental, and the other is run and owned by governmental people, providing access to National TV, universities and some research institutes, owned by them.

    SSL is the only way to get "almost" secure access. Why? Because not only do they sniff the whole traffic using the latest Nokia-Siemens technology, but they also officially do phishing/domain-jacking etc. etc.

    None of us can use SSL directly; they simply block it whenever they like! It is also the 2nd year they have jacked the Facebook domain, so if you use the default DNS, even using SSL you cannot connect to FB or even secure YouTube etc.

    I am trying here to say how complexly and wildly they are trying to control.
    The only thing I am glad we have is that these guys are the most stupid people on earth, and they are not many. This is the only chance we have had since last year's problems. If they had enough educated people, they would read everybody's email every time (actually they are stupid enough to officially claim that on national TV!!!).

    Just my 2 cents.

  • sdfyj

    lol. the hacker really needs to learn English.

  • You can benefit from this attack even if you don't have access to the infrastructure, but it is not going to concern anyone.
    Yes, you can DNS poison the network in your office and see what your colleagues are doing, but who cares?

  • Anonymous

    Oh really? I would appreciate it if you explained exactly how to poison your office DNS and then see what your colleagues are doing.

  • DNS poisoning is a type of ARP poisoning.
    We had once been playing around with ARP poisoning to breach users' secure connections to a VPN server (we were using Ettercap if I'm not wrong).
    This is what DNS poisoning is, if anyone is interested: http://www.youtube.com/watch?v=1d1tUefYn4U

  • Anonymous

    Although DNS poisoning has nothing to do with ARP poisoning.
    DNS resolves domain names to IPs.
    ARP resolves IPs to MAC addresses.
    These two are completely different.
    But anyway, my point is not the poisoning part; that is easy.
    Do u know any practical solutions to steal SSL sessions and do a man-in-the-middle attack in your office?

  • Pingback: An analysis of recent security breach to DigiNotar and Man-In-The-Middle attack to Iranian users « Admins eHow

  • Ghazzafi

    Hi,

    How about the new attack? Any ideas?

    How can I tell whether I'm affected by the attack or not?

  • Dsadsadas

    hi, I like this post and I want to say I'm Persian and my king's name is Cyrus; we are not terrorists... our government is terrorist and they suck Arabian *****