Need Assistance? Call us at (512) 814-8044, or submit a ticket

The Comodo Hack: How Serious Is It?

The recent Comodo hack seems to be a lot more serious than initially thought with the latest information that the hacker was actually able to wipe a hard drive on the Comodo server. To quote the gloating hacker:

Some stupids in internet still cannot understand I’m behind the attack on SSL, talks about their small understandings about my hack and makes me nervous. I uploaded JUST 1 table of their ENTIRE database which I own. Also ask Comodo about my hack, ask them what I did to them. Let me tell you what I did: I was logged in into their server via RDP (remote desktop), they detected me and via hardware firewall, they added allowed IP for RDP, so I was no longer able to login via RDP. But I got UI control in their server just 2 days later, then I logged in via roberto franchini’s user/pass, then I formatted their external backup HDD, it was LG with backup of all files inside it. I formatted it. Then I stopped IIS, deleted all logs, not normal delete which could be recovered with recovery tools, I deleted it with secure delete method and in fact I wiped them.

In case you did not know about this, Comodo, an issuer of SSL certificates recently admitted that an attacker was able to obtain the user name and password of a Comodo Registration Authority (RA) based in Southern Europe and then proceeded to issue fraudulent certificates for Google, Yahoo, Mozilla etc. The bogus certificates could be used in phishing or man in the middle attacks against organizations that haven’t updated their certificate revocation lists.

Comodo said the hack did not extend to its root keys or intermediate certificate authorities, but did constitute a serious security incident that warranted attention. But this is serious because addons.mozilla.org was one of the bogus certificates and people love their add-ons on Firefox. Users on a compromised network could be directed to phishing Web sites that used the forged SSL certificates and could be fooled into revealing personal information or downloading malicious programs.

Obviously, the hacker took exception to the attempt to sweep things under the rug, as it were.
While attention is focused on whether it is Iranian backed or not, as Comodo posits, this appears to be a diversionary tactic. Even Comodo seems to be aware that IP spoofing could be involved:

While the circumstances strongly suggest an Iranian connection we do not know if this is because the attacker was from Iran or because this is the conclusion the attacker intended us to make.

As good as the Iranian argument sounds, I do not see any one questioning the ease with which this attack succeeded. If you read the so-called ramblings of the hacker, the attack looks too easy against an entity that is supposed to be safeguarding critical data. When we read things like “their TrustDLL.DLL was too old and was sending too little parameters” it makes you wonder.

The hacker wants us to “ask Comodo about my hack, ask them what I did to them”. So how bad is this thing, really? When the hacker says “I formatted their external backup HDD, it was LG with backup of all files inside it”, are we to believe that this Comodo affiliate was using an external drive to backup critical certificate files?

Share
Close Menu
Share
Share