Wednesday, March 23, 2011

No reason to believe Comodo attack came from Iranian Government

At the bottom of the recent Comodo advisory is this line:
All of the above leads us to one conclusion only:- that this was likely to be a state-driven attack.

This is not the only logical conclusion.

The IP address of the source is almost meaningless these days. It’s trivially easy to find an open proxy and bounce your attack through it, proxy through an infected botnet, bounce through a Tor exit node, or use some other anonymization service. For example, last year, a hacker stole e-mails from famous climatologists and posted them to the Internet. He masked his real IP by forwarding through open proxies located in Russia, Turkey, and Saudi Arabia.

Using forged certificates requires an abnormally skilled hacker -- who almost certainly would have wanted to, and been able to, hide his identity.

This seems to be confirmed by Comodo’s statement "The attack came from several IP addresses, but mainly from Iran". An attack coming from all over implies the attacker is trying to hide his source address.

Thus, while an Iranian state-sponsored attack is a plausible theory, it’s not the only one.

Another good theory is simply that this is a hacker wanting to exploit WiFi. Logins are encrypted, so that even though you might be able to temporarily hijack sessions on open WiFi, you cannot steal the password. However, with forged certificates, you can sit at a Starbucks, or an airport international lounge, and steal a lot of passwords. Since people use the same password for everything, that further means you get into their bank account, account, and corporate account.

Another good theory is anybody that does "penetrations", whether it be the Chinese hackers or HBGary style firms that sell capability to the US government. During a pen-test, we almost always pop up a DNS server or network equipment that would allow us to man-in-the-middle such sessions. Forged certificates would be an excellent way to extend those attacks. Obviously, anybody who does "penetration" for a living would have the skills and knowledge to do exactly what Comodo describes.

These are just alternative theories off the top of my head that matches the evidence just as well as Comodo’s pet theory.

Our industry has a flaw in it’s critical thinking process. When something happens, we try to fit it into the story of the day. For example, when Slammer first hit, everyone thought it was a DDoS attack, because DDoS was the major story of the day. Similarly, with the transparent proxying in Tunisia and political unrest throughout the Middle East, that becomes the dominant story. Any crumb of evidence, such as one of the addresses being located in Iran, is suddenly magnified to become the most important piece of evidence. In fact, it’s one of the least important pieces.

In an interview with The Register, Comodo's CEO implies that the attack against his company is part of a larger attack that included the recent RSA compromise:
“The security companies who are providing authentication are being directly attacked by the government,” Abdulhayoglu said. “All of us provide some sort of security, some sort of authentication, to people and we're being attacked. The reason is these people (the attackers) want to have access to communication.”

This gives me little trust in Comodo -- it seems they are trying to create a sensational story to distract people from their own failings. (Although, it's not so much Comodo's failings so much as the fact the system is inherently flawed).

If I were Iran

The easiest way for a state-sponsored actor to forge certificates is buy trust in the SSL system. Just set up your own "Registration Authority" or "subordinate CA", for around %50,000. Or, create your own root CA and spend a couple years, and a couple million dollars, to convince the browser vendors to trust you.

Then, generate as many certificates as you want to compromise all your citizens. You'd get discovered after a week or too, but by that time, it wouldn't matter. By that time, you'd have round up all the dissidents and had them shot for disturbing the public order or some other excuse.


Jeremy said...

If the Iranian government did start a CA, I hope no one would trust it. :P

LikeLearning said...

Have you ever seen hacker's response: