http://pastebin.com/74KXCaEZ, decompiled code here http://pastebin.com/DBDqm6Km, and account database here http://pastebin.com/CvGXyfiJ. As a pentester who does attacks similar to what the ComodoHacker did, I find it credible. I find it probable that (1) this is the guy, (2) he acted alone, (3) he is Iranian, (4) he's patriotic but not political.
The hacker describes the full details of his hack. Only Comodo can verify whether the precise details are correct. But, as a pentester who regularly does attacks like this, I can verify that the general details are correct.
People believe that once you compile human readable "source" code, that humans can no longer read the resulting binary "object" code. That is in incorrect. Code can easily be decompiled back to (nearly) the original source. In our (Errata Security) pentests, we regularly find embedded usernames and passwords that nobody believe hackers can read. It usually takes us less than 5 minutes.
But just as important is the other hidden information, such as URLs. The hacker describes how once he had the login info, he still had to reverse engineer exactly how to submit a "certificate request". We’ve gone through the same experience. For example, we once downloaded an iPhone app of a customer, grabbed all the hidden URLs, then slowly built up valid requests with the right information. In our case, we were aided by the fact that submitting wrong information gives error messages that hint at what the right information should be.
A hacker is somebody who doesn't realize that what he’s attempting is impossible. You see that in the ComodoHacker’s text. He just followed breadcrumbs, solving one clue at a time. Only after he was done does he realize the enormity of the problem, and how clever (and lucky) he was to solve it. This is why hacking gets addictive -- solving puzzles like this is enormously satisfying. It's also why people are quick to assume the difficulty of a hack means a "nation state" is involved rather than a "21 year old college student".
The hacker (probably) acted alone. People imagine that hackers are part of a larger conspiracy, especially when you can’t understand how a single person could have done the hack.
But the reality is that hacking is individualistic. You talk about generalities with your friends, but when it comes time to crack a target, it’s a marathon 20 hour session with just you, a computer, and endless supplies of caffeine.
I’m guessing that this guy has talked with his college buddies about cracking RSA keys, but that none of his friends knows that he’s the guy who did this attack -- although he probably can’t resist bragging to them eventually.
Even the "Iranian Cyber Army" could be a single guy. While essentially loners, hackers like to imagine themselves as a larger movement (with themselves at the head, of course). They use the words "us" to mean just "I".
This dispels the notion that this was a coordinated attack from a state-sponsored actor. The details credibly demonstrate the actions of just one lone person.
The hacker is pro-Iran, but not necessarily political. News in the United States is extraordinarily chauvinistic. We imagine that everyone in Iran is either part of the government or part of the "Green" movement opposing the government. The reality is that most Iranians are neither: they support their country against attacks from outsiders, but that doesn't mean they are happy with everything that happens in their country.
The hacker does say Janam Fadaye Rahbar. Apparently, this means "I'll sacrifice my soul to my leader", which probably refers to the religious leader Ayatollah Hamanei. My impression that this is a sign of patriotism rather than ideology. Even many of the "Green" protesters complaining about the election of the President (a lower position) supported their Supreme Leader.
The ComodoHacker asks:
I heard that some stupids tried to ask about it from Iran's ambassador in UN, really? How smartass you are? Where were you when Stuxnet created by Israel and USA with millions of dollar budget, with access to SCADA systems and Nuclear softwares? Why no one asked a question from Israel and USA ambassador to UN?
So you can't ask about SSL situtation from my ambassador, I answer your question about situtation: "Ask about Stuxnet from USA and Israel", this is your answer, so don't waste my Iran's ambassador's worthy time.
I’m betting he’s referring to articles like this one which says:
Representatives with Iran's Permanent Mission to the United Nations were unable to comment Friday.
I share the ComodoHacker’s distaste for how the media covers these events. Let’s assume, for the moment, that their government wasn’t involved. How would the government know? How could their leaders be certain that some secretive group in their intelligence organization didn’t carry out this attack? It would takes months of investigation to say "no, we weren’t involved", and even then, they couldn’t be 100% sure. What answer would you expect from the Iranian ambassador?
More to the point, what evidence points to the Iranian government in the first place? The answer is "zero". The article I linked to above quotes the Comodo CEO saying "All things point to the Iranian government and their newly founded cyberwarfare department" when in fact NOTHING points to that conclusion. The news story above isn’t unique -- almost every story in the press has followed that angle without critically questioning it. Oddly, most stories rightly pointed out that the IP address (located in Iran) couldn’t be relied upon because hackers can redirect attacks through other machines, yet not a single one challenged the CEO when he said all other evidence points to the Iranian government.
Why didn’t he do more? Mikko Hyponen of F-Secure asks on Twitter:
"Do we really believe that a lone hacker gets into a CA, can generate any cert he wants..and goes after login.live.com instead of paypal.com?"
People labeling him with a stereotype such as "cybercriminal" or "hacktivist" and insist that he behave according to the stereotype we’ve assigned him. But that stereotype might not be the correct one.
As he said, he started with one goal, that of factoring RSA keys, and ended up reaching a related goal, forging certificates. The most appropriate stereotype would be "researcher" or simply "hacker" -- hacker in the old sense of somebody who likes to tinker with technology, not necessarily lead a life of cybercrime. He didn’t think of PayPal because we wasn’t trying to do anything at all with the forged certificates.
But the reality more complicated than that. He is is own person, with his own goals and motivations. It would take a lot more of his writing to fully understand why he did everything he did.
By the way, hindsight is 20-20. After the pen-test, when discussing our results, people always ask simple questions, like "why did you go through this convoluted route when you could’ve taken this more obvious and easier one?". The answer is that we hackers do not see the big picture. We follow the breadcrumbs through the forest, solving puzzles, but we can’t see anything beyond the nearest trees.
Here is a screenshot of a database fragment containing 467 account names. This was the file he posted in his third pastebin message:
This database contains the "encrypted" passwords. In order to use this file, a hacker would have to "crack" the passwords, which involves trying lots of combinations until they get one that matches the one in the database.
If you are the hacker, I would love to interview you. Just leave a comment on this post -- comments are moderated, so it won't be public.