Iranian Internet Traffic

The place for technology related posts.

Sabre
DCAWD Founding Member
Posts: 21432
Joined: Wed Aug 11, 2004 8:00 pm
Location: Springfield, VA

Iranian Internet Traffic

Post by Sabre »

So I figure I'll just start a thread about every country at this point...

'Iranian' attackers forge Google's Gmail credentials
Extremely sophisticated hackers, possibly from the Iranian government or another state-sponsored actor, broke into the servers of a web authentication authority and counterfeited certificates for Google mail and six other sensitive addresses, the CEO of Comodo said.

The March 15 intrusion came from IP addresses belonging to an Iranian internet service provider, and one of the purloined certificates was tested from the same country, said Melih Abdulhayoglu, whose company is the certificate authority used to validate the bogus web credentials. Other web addresses that were targeted included http://www.google.com, login.yahoo.com, login.skype.com, addons.mozilla.com, and Microsoft's login.live.com.

“All the IPs were from Iran, and this was critically executed,” Abdulhayoglu told The Register. “It wasn't like a brute-force attack like you would see from a typical cyber criminal. It was a very well orchestrated, very clinical attack, and the attacker knew exactly what they needed to do and how fast they had to operate.”

The intrusion on what amounts to a reseller of Comodo certificates allowed the attackers to obtain the encryption keys needed to create SSL, or secure socket layer, certificates that web browsers and email programs use to mathematically determine that the server they're connected to belongs to its true owner, rather than an imposter. The attack came around the same time that unknown parties compromised the security of RSA's SecurID, the matchbook-sized tokens that 40 million people use to secure logins to sensitive and corporate networks.

...

Comodo revoked the forged certificates almost immediately after discovering they had been issued. That would cause most modern browsers to warn of a forgery when encountering them. But older browsers don't provide such warnings, and the validation check can be turned off, both of which create the possibility that people visiting the targeted websites on unsecured networks could have been duped by the counterfeited certificates.

Google very quietly blacklisted “a small number of certificates” two days after the attack, and Mozilla and Microsoft took similar action for Firefox or Internet Explorer until Tuesday and Wednesday respectively.
:shock:
Sabre (Julian)
92.5% Stock 04 STI
Good choice putting $4,000 rims on your 1990 Honda Civic. That's like Betty White going out and getting her tits done.
complacent
DCAWD Founding Member
Posts: 11651
Joined: Sun Aug 29, 2004 8:00 pm
Location: near the rockies. very.

Re: Iranian Internet Traffic

Post by complacent »

here's a post directly from comodo.
Report of incident on 15-MAR-2011

An RA suffered an attack that resulted in a breach of one user account of that specific RA.

This RA account was then used fraudulently to issue 9 certificates (across 7 different domains).

All of these certificates were revoked immediately on discovery.

Monitoring of OCSP responder traffic has not detected any attempted use of these certificates after their revocation.

Fraudulently issued certificates

9 certificates were issued as follows:

Domain: mail.google.com [NOT seen live on the internet]
Serial: 047ECBE9FCA55F7BD09EAE36E10CAE1E

Domain: www.google.com [NOT seen live on the internet]
Serial: 00F5C86AF36162F13A64F54F6DC9587C06

Domain: login.yahoo.com [Seen live on the internet]
Serial: 00D7558FDAF5F1105BB213282B707729A3

Domain: login.yahoo.com [NOT seen live on the internet]
Serial: 392A434F0E07DF1F8AA305DE34E0C229

Domain: login.yahoo.com [NOT seen live on the internet]
Serial: 3E75CED46B693021218830AE86A82A71

Domain: login.skype.com [NOT seen live on the internet]
Serial: 00E9028B9578E415DC1A710A2B88154447

Domain: addons.mozilla.org [NOT seen live on the internet]
Serial: 009239D5348F40D1695A745470E1F23F43

Domain: login.live.com [NOT seen live on the internet]
Serial: 00B0B7133ED096F9B56FAE91C874BD3AC0

Domain: global trustee [NOT seen live on the internet]
Serial: 00D8F35F4EB7872B2DAB0692E315382FB0

What didn't Happen

Our CA infrastructure was not compromised.

Our keys in our HSMs were not compromised.

No other RA was compromised. No other RA user accounts were compromised.

What Happened

One user account in one RA was compromised.

The attacker created himself a new userID (with a new username and password) on the compromised user account.
The attack came from several IP addresses, but mainly from Iran.

IP Address Location

IP Address:           212.95.136.18
City:                 Tehran
State or Region:      Tehran
Country:              Iran, Islamic Republic of
ISP:                  Pishgaman TOSE Ertebatat Tehran Network.
Latitude & Longitude: 35.696111 51.423056



The attacker was well prepared and knew in advance what he was to try to achieve. He seemed to have a list of targets that he knew he wanted to obtain certificates for, was able quickly to generate the CSRs for these certificates and submit the orders to our system so that the certificates would be produced and made available to him.

Although they requested 9 certificates, we do not know if they received all of these certificates.

We know that they definitely received one of the certificates.

All certificates were revoked immediately on discovery.

Our systems indicate that when this one certificate was first tested it received a ‘revoked’ response from our OCSP responders.

The site in Iran on which the certificate was tested quickly became unavailable.

We immediately got in touch with the principal browsers and domain owners and alerted them to what had happened.

There was a coordinated effort for a responsible disclosure.

All relevant government authorities were informed and involved.

The RA account in question has been suspended pending on-going forensic investigation.

We immediately introduced new controls in the wake of this new threat to the authentication platform.

Our interpretation

The circumstantial evidence suggests that the attack originated in Iran.

The perpetrator has focussed simply on the communication infrastructure (not the financial infrastructure as a typical cyber-criminal might).

The perpetrator can only make use of these certificates if it had control of the DNS infrastructure.

The perpetrator has executed its attacks with clinical accuracy.

The Iranian government has recently attacked other encrypted methods of communication.

All of the above leads us to one conclusion only: that this was likely to be a state-driven attack.
colin

a tank, a yammie, a spaceship
i <3 teh 00ntz
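The serial list in the report above is what the browser vendors turned into hard-coded distrust of those specific certificates. As an added example, not code from Comodo or from anyone in this thread, here is a stdlib-only Python check that reads the serial out of a DER-encoded certificate and tests it against the nine serials; the fake_cert helper builds a constructed stub containing only the fields the parser walks, standing in for a real certificate, and the leading "00" on several serials is the DER sign byte rather than part of the number.

```python
"""Check a certificate's serial against the nine serials in Comodo's
15-MAR-2011 report (the kind of hard-coded distrust browsers shipped)."""
# Serials exactly as printed in the report. A leading "00" is the DER sign
# byte that keeps a serial whose top bit is set from decoding as negative.
COMODO_2011_SERIALS = [
    "047ECBE9FCA55F7BD09EAE36E10CAE1E",    # mail.google.com
    "00F5C86AF36162F13A64F54F6DC9587C06",  # www.google.com
    "00D7558FDAF5F1105BB213282B707729A3",  # login.yahoo.com (seen live)
    "392A434F0E07DF1F8AA305DE34E0C229",    # login.yahoo.com
    "3E75CED46B693021218830AE86A82A71",    # login.yahoo.com
    "00E9028B9578E415DC1A710A2B88154447",  # login.skype.com
    "009239D5348F40D1695A745470E1F23F43",  # addons.mozilla.org
    "00B0B7133ED096F9B56FAE91C874BD3AC0",  # login.live.com
    "00D8F35F4EB7872B2DAB0692E315382FB0",  # "global trustee"
]

def normalize_serial(hex_serial: str) -> int:
    """Compare as integers so '00F5..', 'F5..' and 'f5:c8:..' all match."""
    return int(hex_serial.replace(":", "").replace(" ", ""), 16)

BLOCKLIST = {normalize_serial(s) for s in COMODO_2011_SERIALS}

def _read_tlv(der: bytes, pos: int):
    """Minimal DER tag-length-value reader: (tag, value_start, value_end)."""
    tag, length, pos = der[pos], der[pos + 1], pos + 2
    if length & 0x80:                  # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(der[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def certificate_serial(der: bytes) -> int:
    """Return tbsCertificate.serialNumber of a DER-encoded X.509 certificate."""
    _, pos, _ = _read_tlv(der, 0)      # Certificate SEQUENCE
    _, pos, _ = _read_tlv(der, pos)    # tbsCertificate SEQUENCE
    tag, start, end = _read_tlv(der, pos)
    if tag == 0xA0:                    # optional [0] EXPLICIT version comes first
        tag, start, end = _read_tlv(der, end)
    if tag != 0x02:
        raise ValueError("expected INTEGER serialNumber")
    return int.from_bytes(der[start:end], "big", signed=True)

def is_blocklisted(der: bytes) -> bool:
    return certificate_serial(der) in BLOCKLIST

def fake_cert(serial_hex: str) -> bytes:
    """Constructed stub: only the prefix the parser walks, not a real cert."""
    serial = bytes.fromhex(serial_hex)
    tbs = b"\xa0\x03\x02\x01\x02" + bytes([0x02, len(serial)]) + serial
    tbs = b"\x30" + bytes([len(tbs)]) + tbs     # short-form lengths suffice here
    return b"\x30" + bytes([len(tbs)]) + tbs
```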
PGT
DCAWD Groupie
Posts: 1578
Joined: Mon Jun 04, 2007 11:06 am
Location: Loudoun

Re: Iranian Internet Traffic

Post by PGT »

:jerkit:
2013 BMW 328i M Sport with 8sp in Estoril Blue II
2012 Chrysler 300C SRT8 - Always bet on black
2012 Jeep Wrangler Unlimited Rubicon Call of Duty: Modern Warfare 3 Edition, otherwise known as the MW3 (and badass)
complacent
DCAWD Founding Member
Posts: 11651
Joined: Sun Aug 29, 2004 8:00 pm
Location: near the rockies. very.

Re: Iranian Internet Traffic

Post by complacent »

looks like there was another compromise including two additional RAs. no bueno.
Sabre
DCAWD Founding Member
Posts: 21432
Joined: Wed Aug 11, 2004 8:00 pm
Location: Springfield, VA

Re: Iranian Internet Traffic

Post by Sabre »

Yikes!
Sabre
DCAWD Founding Member
Posts: 21432
Joined: Wed Aug 11, 2004 8:00 pm
Location: Springfield, VA

Re: Iranian Internet Traffic

Post by Sabre »

Comodo hack may reshape browser security
Major browser makers are beginning to revisit how they handle Web authentication after last month's breach that allowed a hacker to impersonate sites including Google.com, Yahoo.com, and Skype.com.

The efforts are designed to remedy flaws in the odd way Web security is currently handled. Currently, everyone from the Tunisian government to a wireless carrier in the United Arab Emirates that implanted spyware on customers' BlackBerry devices and scores of German colleges are trusted to issue digital certificates for the largest and most popular sites on the Internet.

Microsoft's manager for trustworthy computing, Bruce Cowper, told CNET that the company is "investigating mechanisms to help better secure" certificate authorities, which issue trusted digital certificates used to encrypt Web browsing, against this type of attack.

On Friday, Ben Laurie, a member of Google's security team, said the Mountain View, Calif., company is "thinking" about ways to upgrade Chrome to highlight possibly fraudulent certificates that "should be treated with suspicion."

If the technology were widely adopted and glued into major browsers, that would have made last month's Comodo breach a non-event. The Jersey City, N.J.-based company announced on March 23 that an intruder it traced to Iran compromised a reseller's network and obtained fraudulent certificates for major Web sites including ones operated by Google and Microsoft. The FBI is investigating.
Shocker :roll:
complacent
DCAWD Founding Member
Posts: 11651
Joined: Sun Aug 29, 2004 8:00 pm
Location: near the rockies. very.

Re: Iranian Internet Traffic

Post by complacent »

has anyone looked at the default trusted cert chain in a default install of firefox? it's downright creepy.
Sabre
DCAWD Founding Member
Posts: 21432
Joined: Wed Aug 11, 2004 8:00 pm
Location: Springfield, VA

Re: Iranian Internet Traffic

Post by Sabre »

Not in a LONG time...