The unnamed hacker who has taken credit for the attack on Comodo last week that resulted in a number of fraudulent certificates being issued for high-value sites belonging to Google, Yahoo and Microsoft has posted the certificate that he issued himself for a Mozilla domain, as well as the private key for that certificate, in an effort to prove his claims.
The hacker was apparently incensed that some members of the security community and the media didn’t believe his initial claims of responsibility for the attack on one of Comodo’s registration authority affiliates. So he posted a second message on Pastebin with further evidence to support his claims. The message includes a link to not just the forged Mozilla certificate, but also to a file that the hacker claims is a table from one of Comodo’s databases that he downloaded.
“Some stupids in internet still cannot understand I’m behind the attack on SSL, talks about their small understandings about my hack and makes me nervous,” the message said. “I uploaded JUST 1 table of their ENTIRE database which I own. Also ask Comodo about my hack, ask them what I did to them. Let me tell you what I did: I was logged in into their server via RDP (remote desktop), they detected me and via hardware firewall, they added allowed IP for RDP, so I was no longer able to login via RDP. But I got UI control in their server just 2 days later, then I logged in via roberto franchini’s user/pass, then I formatted their external backup HDD, it was LG with backup of all files inside it. I formatted it. Then I stopped IIS, deleted all logs, not normal delete which could be recovered with recovery tools, I deleted it with secure delete method and in fact I wiped them.”
Late on Monday, Rob Graham of Errata Security posted a description of how he had independently verified the hacker’s claims by verifying the private key for the forged Mozilla certificate. He also had an email exchange with the alleged hacker.
“In order to prove his identity, the person claiming to have hacked Comodo published the private key of his forged certificates. I’ve verified that they key is valid,” Graham wrote. “Note that even the ‘Certificate Authority’ who signs a key does not know the private key. When somebody requests a certificate, they only send the ‘hash’ to the certificate authority. Therefore, nobody, not even Comodo, should know the private key. There are ways the private key may have been lost. For example, another hacker may have broken in, or it may have been given to a friend, or it may have been left behind on a system.
“But, beyond a reasonable doubt, this proves the identify of the hacker. Verification is simple: we just encrypt something with the “public” key, and then decrypt it with the ‘private’ key, then see if things match.”
The hacker also called on Comodo to publicize more details of the attack, which the company so far has not done.