CA hacker plans global expansion

Summary: The hacker that compromised the Comodo, DigiNotar and StartCOM Certificate Authorities (CA), and caused GlobalSign to stop issuing certificates, has said that more attacks will come, and that he will publicly release customer data that he has collected from the hacked CAs.

(Lost battle? image by Eivind Barstad Waaler, CC BY-SA 2.0)

The 21-year-old Iranian patriot, who goes by the hacker alias "Sun Ich", used the same ComodoHacker Pastebin account that he used to claim responsibility for the previous CA hacks to clarify why his attacks appeared to be limited to Iran, and to say what was to come. CAs issue and sign the digital certificates that browsers rely on to decide which websites to trust; a certificate signed by any CA in a browser's trust store is accepted for whatever hostname it names.

He said that although he appeared to be targeting Iranians, his real targets were spies from foreign agencies within the country, and Iran and Islam's enemies, stating that "these are not people of Iran, these type of people [were] my target, not normal people".

His future attacks would extend to Israel, the USA and Europe, according to the post, which provided a username and password for a Californian ISP as proof of his expanding operations. The username appears to match the first name of the ISP's system administrator. He said that in addition to the four CAs he had already compromised, he had at least three more within his sights.

After the Comodo breach in March, Sun Ich had also claimed that he would attack more CAs; that claim was borne out when fraudulent digital certificates signed by DigiNotar began to appear in the wild at the end of last month.
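The reason a CA compromise is so serious, and the reason browsers responded to DigiNotar by removing it from their trust stores, is that a certificate minted with a trusted CA's key verifies exactly like a legitimate one. The following Go program is an added illustration written for this page, not code from the article or from any of the CAs involved: it generates a self-signed root standing in for a compromised CA, uses that root to mint a leaf for an arbitrary hostname, and then verifies the leaf first with the root still trusted and then with the root removed from the trust store. The CA name and hostname are constructed placeholders.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Constructed example: "Compromised Example CA" and "mail.example.com" are
// placeholder names, not artefacts from the DigiNotar or Comodo incidents.
const (
	CAName = "Compromised Example CA"
	Host   = "mail.example.com"
)

// signCert signs tmpl with parentKey (parent == tmpl for a self-signed root)
// and returns the parsed certificate.
func signCert(tmpl, parent *x509.Certificate, pub any, parentKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BuildChain models the attacker's position: whoever holds the CA's signing
// key can mint a leaf for any hostname. It returns the root and a leaf for host.
func BuildChain(host string) (root, leaf *x509.Certificate, err error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	rootTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: CAName},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	root, err = signCert(rootTmpl, rootTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf, err = signCert(leafTmpl, root, &leafKey.PublicKey, caKey)
	return root, leaf, err
}

// VerifyAgainst is the browser's side: it checks leaf for host against a
// trust store containing exactly the given roots. Passing no roots models the
// CA having been removed from the store. It returns nil when the chain is
// accepted, otherwise the verification error.
func VerifyAgainst(leaf *x509.Certificate, host string, roots ...*x509.Certificate) error {
	store := x509.NewCertPool() // non-nil, so an empty store never falls back to system roots
	for _, r := range roots {
		store.AddCert(r)
	}
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: store})
	return err
}

func main() {
	root, leaf, err := BuildChain(Host)
	if err != nil {
		panic(err)
	}
	fmt.Println("compromised CA still trusted:", VerifyAgainst(leaf, Host, root))
	fmt.Println("CA removed from trust store: ", VerifyAgainst(leaf, Host))
	fmt.Println("wrong hostname, CA trusted:  ", VerifyAgainst(leaf, "other.example.com", root))
}
```

The first check succeeds with no error even though the certificate was issued by the "attacker": nothing in the chain itself betrays that the issuing key was stolen, which is why revocation of individual certificates was not enough and the vendors pulled the root. The second check fails with an unknown-authority error once the root is gone, and the third shows that hostname matching still applies even while the CA is trusted.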

In his Pastebin post today, the hacker also claimed that he had emails, database back-ups and customer data from his previous attack on Israel-based CA StartCOM, and would publish them in the future, adding that he also has access to GlobalSign's systems and has downloaded its back-ups.

"I have access to their entire server, got DB backups, their linux/tar gzipped and downloaded, I even have private key of their own globalsign.com domain."

GlobalSign has already stopped issuing certificates while it investigates whether it has been breached.

He rejected previous claims by Comodo CEO Melih Abdulhayoglu that the DigiNotar breach was a state-sponsored attack.

"Dear Melih, please wake up, I'm the only hacker, just I have shared some certs with some people in Iran, that's all," he said. He has previously said that he hacks independently, with even his closest friends unaware of the attacks on Comodo at the time.

Further claims that his hacks were a result of simple SQL injection techniques or the use of default passwords were also rejected, with the hacker stating that while the process was complicated, people should "just know it is the most sophisticated hack of all time".

In fact, he suggested that the Wikipedia page on SSL certificates be updated in the future to say that he caused the removal of the CA security model, and that he came up with an idea for private communication via browsers to replace it.

However, he said that he wouldn't be sharing his idea with others at this point, unless a condition was met. He believes that the US and Israel are able to read private Iranian emails and posts made over social networks. If Iran was able to reach US and Israeli emails, he would share his work, he said.

"If my country get equal right as USA in controlling emails, I may share my brilliant unbreakable encryption system for replacement of SSL and CA system."

About

A Sydney, Australia-based journalist, Michael Lee covers a gamut of news in the technology space including information security, state Government initiatives, and local startups.
