LinuxPlanet Casts


Rooted Trust | TechSNAP 22


Remember the Man in the Middle attack on Google from last week? Turns out it was far worse than thought: we now have more details on the DigiNotar compromise, and a number of other important sites have had their DNS hijacked.

Plus we cover the advantages of running your own DNS server at home, and how Allan and Chris got their start in the world of IT!

All that and more, in this week’s TechSNAP!


Show Notes:

DigiNotar Hack Details

  • A company spokesman said that “several dozen” certificates had been acquired by the attackers.
  • The confirmed count of fraudulently issued SSL (Secure Sockets Layer) certificates now stands at 531.
  • The first known-bad certificate, for Google.com, was created by attackers on July 10, 2011. Between July 19 and July 29, DigiNotar began discovering bad certificates during routine security operations, and blocking them.
  • But the attack didn’t come to light until August 27
  • Comodohacker said the attack against DigiNotar was payback for the Srebrenica massacre.
  • He also suggested that he wasn’t operating under the auspices of Iranian authorities, but that he may have given them the certificates.
  • Comodohacker also posted additional proof that he had the private key for the invalid google.com certificate, by using it to sign a copy of calc.exe, a feature a regular website SSL certificate should not have.
  • The DigiNotar hack has already had wide-ranging repercussions for the 9 million Dutch citizens (in a country with a population of 17 million) that use DigiD, a government website for accessing services, such as paying taxes.
  • According to news reports, the country’s lawyers have been forced to switch to fax and mail, to handle many activities that were supported by an intranet.
  • The Netherlands has also indefinitely extended the country’s tax deadline until DigiD can again be declared secure.
  • Mozilla has made this public statement: “This is not a temporary suspension, it is a complete removal from our trusted root program.” Such harsh action was taken because DigiNotar did NOT notify everyone when the breach was discovered.
  • F-Secure Weblog says they were hacked by someone who was connected to “ComodoGate” — the hacking of another Certificate Authority earlier this year, by an Iranian attacker.
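Two of the points above are checks a relying party makes every time it validates a chain: a certificate that was only ever issued for a website must not be accepted for code signing (its extended key usage says serverAuth, not codeSigning), and once a root is pulled from the trust store, nothing it signed chains any more. The following is an added example in Go, not code from the show or from any CA; the root CA and the leaf for google.com are constructed in memory with Go's standard crypto/x509 package.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// parse turns the DER returned by CreateCertificate into a *Certificate, aborting on error.
func parse(der []byte, err error) *x509.Certificate {
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// issue builds a constructed root CA (standing in for a CA such as DigiNotar) and a leaf
// for host signed by it. The leaf carries only the serverAuth EKU, like any website cert.
func issue(host string) (ca, leaf *x509.Certificate) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Root CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	ca = parse(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, // no codeSigning here
	}
	leaf = parse(x509.CreateCertificate(rand.Reader, leafTmpl, ca, &leafKey.PublicKey, caKey))
	return ca, leaf
}

// chains reports whether leaf verifies for host and the requested purpose against roots.
// An empty pool models a root that has been removed from the trust store.
func chains(leaf *x509.Certificate, roots *x509.CertPool, host string, usage x509.ExtKeyUsage) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host, KeyUsages: []x509.ExtKeyUsage{usage}})
	return err == nil
}
```

With the constructed root trusted, the leaf verifies for TLS server authentication but not for code signing; with the root removed from the pool it verifies for nothing.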

Removing the DigiNotar Root CA certificate : Ubuntu

Microsoft out-of-cycle patch to fix DigiNotar bogus certificates

Hacker claims to have compromised Other SSL Cert Authorities

  • Soon after the Comodo forged-certificates hack, an Iranian using the handle Comodohacker posted a series of messages via a Pastebin account providing evidence that he carried out the attack.

  • The hacker boasted he still has access to four other (unnamed) “high-profile” CAs and retains the ability to issue new rogue certificates, including code signing certificates.

  • ComodoHacker also claims to have compromised StartSSL; however, issuance of invalid certificates was prevented by a policy change that required the CEO to manually approve each issued certificate offline. Keeping the HSM (Hardware Signing Module) offline seems like the only way to be entirely sure that invalid certificates are not issued. A proper policy, more than just rubber-stamping any certificate that doesn’t say google.com on it, should be required.

  • GlobalSign on Tuesday announced that it would temporarily cease issuing any new certificates.
    “GlobalSign takes this claim very seriously and is currently investigating,” according to a statement released by the company.

  • GlobalSign is the fifth-largest CA.

  • GlobalSign Suspends Issuance of SSL Certificates

  • BBC Article

DNS hack hits popular websites: Telegraph, Register, UPS, etc

  • Further websites which have been affected by the DNS hack include National Geographic, BetFair, Vodafone and Acer.
  • Instead of breaching the website itself, the hackers have managed to change the DNS records for the various sites affected.
  • Because of the way that DNS works, it may take some time for corrected DNS entries for the affected websites to propagate worldwide – meaning there could be problems for some hours even after the fix.
  • The attack was against the domain registrars Ascio and NetNames, both owned by the same parent company.
  • Apparently the attacker managed to use an SQL injection attack to gain access to the domain accounts, and change the name servers.
  • BBC Article

Feedback:

Home DNS Software:

A different kind of question for TechSNAP! : techsnap

Round-Up:

Bitcoin-Blaster: