Sunday, March 27, 2011

The Comodo hacker releases his manifesto

Somebody claiming to be the "Comodo hacker" has released a statement here http://pastebin.com/74KXCaEZ, decompiled code here http://pastebin.com/DBDqm6Km, and an account database here http://pastebin.com/CvGXyfiJ. As a pentester who does attacks similar to what the ComodoHacker did, I find it credible. I find it probable that (1) this is the guy, (2) he acted alone, (3) he is Iranian, and (4) he's patriotic but not political.

The hacker describes the full details of his hack. Only Comodo can verify whether the precise details are correct. But, as a pentester who regularly does attacks like this, I can verify that the general details are correct.

People believe that once you compile human-readable "source" code, humans can no longer read the resulting binary "object" code. That is incorrect. Code can easily be decompiled back to (nearly) the original source. In our (Errata Security) pentests, we regularly find embedded usernames and passwords that nobody believes hackers can read. It usually takes us less than 5 minutes.

But just as important is the other hidden information, such as URLs. The hacker describes how once he had the login info, he still had to reverse engineer exactly how to submit a "certificate request". We’ve gone through the same experience. For example, we once downloaded an iPhone app of a customer, grabbed all the hidden URLs, then slowly built up valid requests with the right information. In our case, we were aided by the fact that submitting wrong information gives error messages that hint at what the right information should be.
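The check a developer can run against their own build before shipping it, as an added example that is not code from this post or from Errata Security: pull every printable ASCII and UTF-16LE string run out of a binary (the way the `strings` tool does) and flag the ones that look like URLs or credentials. The byte blob standing in for a compiled DLL, the hostname and the credentials are invented placeholders.

```python
import re
from typing import List, Tuple

# Constructed stand-in for a compiled DLL: filler bytes around the kind of
# literals a developer assumes nobody will read. Hostname and credentials
# are invented placeholders, not values from the post.
FAKE_BINARY = (
    b"MZ\x90\x00" + bytes(range(0, 32))                              # header-ish junk
    + b"https://api.example.invalid/submitCertRequest\x00"           # hidden API endpoint
    + b"\x7f\x01\x02" * 5
    + "user=placeholder_user".encode("utf-16-le") + b"\x00\x00"      # .NET-style literals
    + "pw:Placeholder-Passw0rd!".encode("utf-16-le") + b"\x00\x00"
    + b"\xff\xfe" * 7 + b"ok\x00"
)

MIN_LEN = 6
# Printable ASCII runs, and UTF-16LE runs (each ASCII byte followed by NUL),
# the encoding .NET assemblies use for string literals.
ASCII_RE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)

URL_RE = re.compile(r"https?://[^\s\"']+", re.I)
CRED_RE = re.compile(r"(?:user(?:name)?|login|pass(?:word|wd)?|pw|secret|key)\s*[:=]\s*\S+", re.I)

Finding = Tuple[str, int, str]  # (encoding or kind, byte offset, text)

def extract_strings(blob: bytes) -> List[Finding]:
    """Like the `strings` tool: every printable run, tagged with its encoding and offset."""
    found = [("ascii", m.start(), m.group().decode("ascii")) for m in ASCII_RE.finditer(blob)]
    found += [("utf-16le", m.start(), m.group().decode("utf-16-le")) for m in UTF16_RE.finditer(blob)]
    return sorted(found, key=lambda f: f[1])

def find_sensitive(strings: List[Finding]) -> List[Finding]:
    """Keep only the runs that look like endpoints or embedded secrets."""
    hits = []
    for _enc, offset, text in strings:
        if URL_RE.search(text):
            hits.append(("url", offset, text))
        elif CRED_RE.search(text):
            hits.append(("credential", offset, text))
    return hits

if __name__ == "__main__":
    for kind, offset, text in find_sensitive(extract_strings(FAKE_BINARY)):
        print(f"{kind:10} @0x{offset:04x}  {text}")
```

Anything this scan reports is visible to whoever downloads the binary, so it belongs in a server-side secret store, not in the artifact.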

A hacker is somebody who doesn't realize that what he’s attempting is impossible. You see that in the ComodoHacker’s text. He just followed breadcrumbs, solving one clue at a time. Only after he was done did he realize the enormity of the problem, and how clever (and lucky) he was to solve it. This is why hacking gets addictive -- solving puzzles like this is enormously satisfying. It's also why people are quick to assume the difficulty of a hack means a "nation state" is involved rather than a "21 year old college student".


The hacker (probably) acted alone. People imagine that hackers are part of a larger conspiracy, especially when you can’t understand how a single person could have done the hack.

But the reality is that hacking is individualistic. You talk about generalities with your friends, but when it comes time to crack a target, it’s a marathon 20 hour session with just you, a computer, and endless supplies of caffeine.

I’m guessing that this guy has talked with his college buddies about cracking RSA keys, but that none of his friends knows that he’s the guy who did this attack -- although he probably can’t resist bragging to them eventually.

Even the "Iranian Cyber Army" could be a single guy. While essentially loners, hackers like to imagine themselves as a larger movement (with themselves at the head, of course). They use the word "us" to mean just "I".

This dispels the notion that this was a coordinated attack from a state-sponsored actor. The details credibly demonstrate the actions of just one lone person.


The hacker is pro-Iran, but not necessarily political. News in the United States is extraordinarily chauvinistic. We imagine that everyone in Iran is either part of the government or part of the "Green" movement opposing the government. The reality is that most Iranians are neither: they support their country against attacks from outsiders, but that doesn't mean they are happy with everything that happens in their country.

The hacker does say Janam Fadaye Rahbar. Apparently, this means "I'll sacrifice my soul to my leader", which probably refers to the religious leader Ayatollah Khamenei. My impression is that this is a sign of patriotism rather than ideology. Even many of the "Green" protesters complaining about the election of the President (a lower position) supported their Supreme Leader.

The ComodoHacker asks:
I heard that some stupids tried to ask about it from Iran's ambassador in UN, really? How smartass you are? Where were you when Stuxnet created by Israel and USA with millions of dollar budget, with access to SCADA systems and Nuclear softwares? Why no one asked a question from Israel and USA ambassador to UN?
So you can't ask about SSL situation from my ambassador, I answer your question about situation: "Ask about Stuxnet from USA and Israel", this is your answer, so don't waste my Iran's ambassador's worthy time.

I’m betting he’s referring to articles like this one which says:
Representatives with Iran's Permanent Mission to the United Nations were unable to comment Friday.

I share the ComodoHacker’s distaste for how the media covers these events. Let’s assume, for the moment, that their government wasn’t involved. How would the government know? How could their leaders be certain that some secretive group in their intelligence organization didn’t carry out this attack? It would take months of investigation to say "no, we weren’t involved", and even then, they couldn’t be 100% sure. What answer would you expect from the Iranian ambassador?

More to the point, what evidence points to the Iranian government in the first place? The answer is "zero". The article I linked to above quotes the Comodo CEO saying "All things point to the Iranian government and their newly founded cyberwarfare department" when in fact NOTHING points to that conclusion. The news story above isn’t unique -- almost every story in the press has followed that angle without critically questioning it. Oddly, most stories rightly pointed out that the IP address (located in Iran) couldn’t be relied upon because hackers can redirect attacks through other machines, yet not a single one challenged the CEO when he said all other evidence points to the Iranian government.


Why didn’t he do more? Mikko Hyppönen of F-Secure asks on Twitter:
"Do we really believe that a lone hacker gets into a CA, can generate any cert he wants..and goes after login.live.com instead of paypal.com?"

People label him with a stereotype such as "cybercriminal" or "hacktivist" and insist that he behave according to the stereotype we’ve assigned him. But that stereotype might not be the correct one.

As he said, he started with one goal, that of factoring RSA keys, and ended up reaching a related goal, forging certificates. The most appropriate stereotype would be "researcher" or simply "hacker" -- hacker in the old sense of somebody who likes to tinker with technology, not necessarily lead a life of cybercrime. He didn’t think of PayPal because he wasn’t trying to do anything at all with the forged certificates.

But the reality is more complicated than that. He is his own person, with his own goals and motivations. It would take a lot more of his writing to fully understand why he did everything he did.

By the way, hindsight is 20-20. After the pen-test, when discussing our results, people always ask simple questions, like "why did you go through this convoluted route when you could’ve taken this more obvious and easier one?". The answer is that we hackers do not see the big picture. We follow the breadcrumbs through the forest, solving puzzles, but we can’t see anything beyond the nearest trees.


Here is a screenshot of a database fragment containing 467 account names. This was the file he posted in his third pastebin message:


This database contains the "encrypted" passwords (in practice, hashes). In order to use this file, a hacker would have to "crack" the passwords, which involves hashing lots of candidate passwords until one produces a value that matches the one in the database.
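To make concrete what "crack" means here, and why the way a site stores passwords decides how much that leaked file is worth, this added example (not the posted file and not the author's code) builds a small constructed account table two ways, as unsalted SHA-1 and as salted PBKDF2, and guesses a short wordlist against both; the usernames, passwords and wordlist are invented.

```python
import hashlib
import os
from typing import Callable, Dict, List, Tuple

# Constructed account table (not the posted file): user -> plaintext the site
# would have hashed. Names, passwords and the wordlist are invented.
SAMPLE_PASSWORDS = {"alice": "password", "bob": "spring2011", "carol": "X9#qLm!v2Rb"}
WORDLIST = ["123456", "password", "letmein", "spring2011", "Tr0ub4dor&3"]

HashFn = Callable[[str, bytes], str]
Table = Dict[str, Tuple[bytes, str]]   # user -> (salt, stored digest)

def unsalted_sha1(pw: str, salt: bytes = b"") -> str:
    """Scheme A: one fast unsalted hash. The salt argument is ignored; it only keeps the interface uniform."""
    return hashlib.sha1(pw.encode()).hexdigest()

def salted_pbkdf2(pw: str, salt: bytes) -> str:
    """Scheme B: per-user random salt plus an iterated KDF (100k rounds of HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000).hex()

def build_table(passwords: Dict[str, str], hash_fn: HashFn, salted: bool) -> Table:
    """What the site stores: a salt (empty for scheme A) and the digest of each password."""
    table: Table = {}
    for user, pw in passwords.items():
        salt = os.urandom(8) if salted else b""
        table[user] = (salt, hash_fn(pw, salt))
    return table

def crack(table: Table, wordlist: List[str], hash_fn: HashFn) -> Tuple[Dict[str, str], int]:
    """Try each guess against every stored value; return (recovered, number of hash computations).
    A guess is hashed once per distinct salt, so an unsalted table costs one hash per guess
    for all users at once, while per-user salts cost one (slow) hash per guess per user."""
    by_salt: Dict[bytes, Dict[str, str]] = {}
    for user, (salt, digest) in table.items():
        by_salt.setdefault(salt, {})[digest] = user
    recovered: Dict[str, str] = {}
    ops = 0
    for guess in wordlist:
        for salt, digests in by_salt.items():
            ops += 1
            user = digests.get(hash_fn(guess, salt))
            if user is not None:
                recovered[user] = guess
    return recovered, ops

if __name__ == "__main__":
    for name, fn, salted in (("unsalted sha1", unsalted_sha1, False),
                             ("salted pbkdf2", salted_pbkdf2, True)):
        found, ops = crack(build_table(SAMPLE_PASSWORDS, fn, salted), WORDLIST, fn)
        print(f"{name}: recovered {found} with {ops} hash computations")
```

Both schemes give up the two weak passwords; the salted, iterated scheme only multiplies the cost per guess (by the user count and the iteration count), which is why a strong password like carol's survives a leak and a dictionary word does not.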

If you are the hacker, I would love to interview you. Just leave a comment on this post -- comments are moderated, so it won't be public.

28 comments:

Patrick Niedzielski said...

Please. Not hacker, but cracker. It is very offensive to actual hackers.

http://www.catb.org/~esr/faqs/hacker-howto.html#what_is

Cheers,
Patrick Niedzielski

Robert Graham said...

Nope, it's the proper use of the word "hacker".

Hackers everywhere are offended by ESR's attempt to redefine words.

Unknown said...

Oh, shut up about hacker/cracker. It makes you sound stupid.

Anonymous said...

"But just as important is the other hidden information, such as URLs. The hacker describes how once he had the login info, he still had to reverse engineer exactly how to submit a "certificate request". We’ve gone through the same experience."

The API documentation used by Comodo has been available for years on http://secure.comodo.net/api/ and can be easily found by searching for "Comodo API" on Google. Code examples on how to use it are everywhere. Knowledge of this doesn't prove anything at all; you do not need to be a hacker or reverse engineer anything to understand how it works. Creating a code example and making up some bogus data would take minutes. The company issuing the certificates was already published by Microsoft days ago.

When the CEO of Comodo thinks the hack is related to RSA's you don't trust him at all, but when somebody is posting anonymously on pastebin and is claiming to have hacked both Comodo and RSA, his story is legitimate? I do not claim that he is or is not the hacker he says he is, but I do find it awkward that you have no trouble in believing every word he says.

You even share his distaste for how the media covers these events, while in fact you are doing the exact same thing as other media: jumping to conclusions.

Robert Graham said...

The CEO of Comodo gave no evidence to support his speculation, and didn't even claim he had evidence. The only evidence given was one Iranian IP address.

The alleged hacker provided reverse engineered source code, including account name and secret password.

Unknown said...

I wouldn't say that obtaining the username and password was reverse engineering, since there are plenty of programs to pull the string data from a binary without decompiling/translating:
http://technet.microsoft.com/en-us/sysinternals/bb897439.aspx

I think the most interesting part of this attack would be how he got access to the server that contained the DLL, which did not appear to be explained in his manifesto.

Anonymous said...

Where do you see proof that the code was reverse engineered and not made up?

How do you know the password is true and not made up?

Why do you believe that this hacker hacked into RSA when he provides no details or evidence for this at all?

Why do you believe this hacker hacked alone?

Making assumptions on what an anonymous person tells you might be dangerous. The truth might be a lot different than what you are told.

It is only Comodo or the RA who has been hacked that can confirm the hacker's story is true or not.

ncr said...

As an Iranian I should fix your statement: Janam Fadaye Rahbar is only an ideological statement and not a patriotic one at all! Patriots are anti-leader.

WHOIS said...

Everybody thinks according to the corruptness of their own mind. Criminal people distrust each other because they know what to expect: nothing good. Taking the same Stuxnet reply from the "comodohacker" persona, it makes a lot of sense for Comodo to point to the Iranian government. "After all, we have done something similar to them; it would be expected that they want to get even?"

Lava Kafle said...

That's all so true, as the technical details prove that the guy did it.

Unknown said...

Like you said, only Comodo or globaltrust.it will be able to confirm the details to prove that this person was involved. It will be quite a bit harder to believe anything else that this person says. It could easily be a Chinese or American hacker just trying to pass the blame or set LE on a wild goose chase.

Mehrdad said...

FYI, "Janam Fadaye Rahbar" is a strong government-fans' motto.
As an Iranian who lives in Iran, I'm telling this.

Sniffing into private data of people in Iran is not a new concept. Search and read about the recent TOR SSL MITM issue :)
And this Comodo issue is another like that. I heard they have most politicians' Gmail passwords right now :)

Finally, this manifesto is just to make Iranian people fear.
Thanks

LikeLearning said...

See another update:
http://pastebin.com/CvGXyfiJ

LikeLearning said...

I'm the hacker, contact me at ichsun@ymail.com

Unknown said...

The English writing style of this guy (or group) is much like Eastern Europeans'. They simply try too hard to use metaphors and colloquial American phrases that are used in action movies. Iranian natives are simply not used to these phrases, short sentences and punctuation when they speak/write in their own version of broken English (just like mine :)), so it's likely that the hacker(s) work as a paid contractor.

To our TERRORIST FRIEND "COMODO HACKER": I know you read this blog. You bragged too much and you gave away too much. What exactly does this mean: "Green movement (so little part of Iran)"? If you are Iranian there's simply no way you could translate what that sentence really meant, takes after what you had been briefed about the green movement position in Iran. Not every movement has a moving part. The green movement is more like an ideology and not a town or location. This one: "Don't believe? Try it" really cracked me up. Next time just say “не верите?” where “no believe?” is the same as “don’t believe?” Iranians don’t talk like that so thanks for the laugh. And several other transliteration mistakes which I will keep to myself. Us Iranians just don't like to deprive ourselves from the kind of amusement this mule is providing us. No believe? :)

A piece of advice to the hacker: Have you heard of the term lost in translation? Well, those who promised they would pay you will lose you, confuse you and screw you just the way they have made a fool out of you by handing you this translation joke. I'm pretty sure somebody is tracking every movement and word you produce and you know how the whole intelligence thing is interconnected in the world. You wish you were Iranian living in some remote location disconnected from the whole world but since you are not then you know you are not safe.

Also a request: since you seem to be interested in movements, parts and body parts then maybe you can go back to the junk email business where your people are good at. Maybe it helped people increase body parts instead of increasing the bus loads that will be sent out to prison.

- parazit

Unknown said...

@Aaron: How to access the server? Just analyze the server; the server isn't shared, and according to the confidentiality of InstantSSL.it there's nothing like a 0day that could have caused the server access.

anoyomous said...

I am not sure why people are giving this guy so much credit. What he has done is not a very complicated work of hacking, e.g. refer to what Anonymous did with HBGary: http://arstechnica.com/tech-policy/news/2011/02/anonymous-speaks-the-inside-story-of-the-hbgary-hack.ars

I accept what he did was big, but it was not something extraordinary; most of the steps are the same as what Anonymous did. And after accessing the system, things are straightforward. He only had luck and lots of free time.

Being an Iranian, I can tell you he is definitely with the government, without any doubt. There are many paradoxes in his writings. And carrying a political message against the Green movement and Israel, and supporting the government and the leader!? He is even trying to advise Obama; for someone who spent "15 hours a day studying cryptography for 6 years", and considers himself the most intelligent creature on earth, it is not intelligent to make a fool of himself and talk about politics in which he has no expertise. One should be blind not to see the relation; probably he is doing this to receive more money from the Iranian government, as most of the people in the Iranian government have basic information about even how to use a computer. The mission is clear: to scare people inside Iran from being active over the net against the current regime.

Breaking RSA? OK, well done. If I were about to break RSA I would have kept my mouth shut and minded my own business instead of being an attention whore and bluffing about what I can do and using professional expressions to scare normal people off. Well, I don't think anyone in Iran stops their activity because of someone like you. Make sure you break that damn code soon, because the government might not last that long to continue supporting you.

These people are all the same, the leader thinks he is ruling the Islamic world while he is not an accepted religious leader even in Iran, Ahmadinejad thinks he is ruling the world while he cannot even manage his own country and is being played by Sepah. Finally, this guy thinks he is ruling the Internet because he got lucky and broke into a website and got access to some certificates. The other thing is giving out wrong statistics to back themselves up, look how Ahmadinejad lies about various aspects of progress in Iran, and look how this guy is providing fake statistics about the percentage of the young government supporters: 90%, are you kidding me !? Looking at the latest election results Ahmadinejad only got 60% of the votes, considering most of the population are young in Iran, even if we assume that the election was held correctly, from within Iran I know after the election the number of supporters decreased as the government started killing people and putting them to jail because of their political views. So I believe this guy is just bluffing and just craving attention, or why on earth someone should provide fake info just to back himself up !?

To the hacker: Ok, we accepted that you are a superhuman and you are the greatest of all hackers, so please stop nagging and being demanding and stick to what you are doing till you prove what you claim. Have you checked for HPD !?

Colin said...

As our supposed Iranian anoyomous poster must know Iran has its own version of the Benghazis known locally as 'the bearded ones'. Iranians as a whole are 'mostly' happy with the government they have and would never dream of exchanging what they have for a AHI/Soros/CIA replacement as has happened in so many well televised colour revolutions. Funny that the people in the countries that had these coloured revolutions now want to replace the CIA/Mossad/HeritageInstitute/CIA rulers they ended up with(and these subsequent uprisings don't get any press in the MSM). Also it is very funny that after the popular uprisings overthrew the government in Egypt that the first laws passed there included bans on popular uprisings and the supply of modern weapons to 'the bearded ones' of Benghazi so as to overthrow Gaddafi.

Unknown said...

BS

Test said...

Another Interview by hacker: http://bit.ly/hPLw6Q

gerald said...

Who he is. Paradigm Intel.
http://warintel.blogspot.com/2011/04/comodo-hacker-paradigm-intel.html

Gerald
Anthropologist

Lava Kafle said...

Wonderful news

Unknown said...

@ Diaoul - That's all that Comodo have done since the incident occurred, blame-shift.

Anonymous said...

In the days when mainframes walked the Earth, "hacker" meant "Jedi", and came with the same honor and responsibility.

We were respected, hyper-ethical guardian angels who could understand and do things nobody else could. In particular, things that common belief held were impossible.

We felt that we were given "the power" so we could help people whose talents were in other areas. They, in turn, would help someone else.

It was not to be.

PCs became ubiquitous, and suddenly anyone and everyone could control more power than a Univac 1108 mainframe.

Irresponsible, egotistical, immature, amoral children like "Comodo" now had light sabres and called themselves "hackers".

The word became a joke... as did the concept of "integrity" in systems engineering.

Software development became an industrial vocation, like car repair. It no longer meant "Dijkstra" and "JACM"; it meant "Learn how to make BIG MONEY programming computers!" on the packs of matches in a bar.

There is now a LOT of "computer" but no more "science".

I grieve for what once was and what could have been, as I lay alone naked in a cave, watching and waiting... for nothing.


faye kane h☹meless brain
