A follow-up message was again posted on Pastebin by an individual using the handle “COMODOHACKER.” The message came from the same individual who claimed responsibility for the hack on Comodo’s site and for issuing 9 SSL certificates for major sites such as mail.google.com, www.google.com, login.live.com, addons.mozilla.org, login.skype.com, and login.yahoo.com.
Apparently, Comodohacker became quite upset that people did not believe he was in fact the real perpetrator of the hack. In his follow-up post he offered further evidence to support his claims: a link to the forged Mozilla certificate, as well as a file claimed to come from one of the Comodo databases he downloaded.
In his follow-up message, Comodohacker states:
“Some stupids in internet still cannot understand I’m behind the attack on SSL, talks about their small understandings about my hack and makes me nervous,”
“I uploaded JUST 1 table of their ENTIRE database which I own. Also ask Comodo about my hack, ask them what I did to them. Let me tell you what I did: I was logged in into their server via RDP (remote desktop), they detected me and via hardware firewall, they added allowed IP for RDP, so I was no longer able to login via RDP. But I got UI control in their server just 2 days later, then I logged in via roberto franchini’s user/pass, then I formatted their external backup HDD, it was LG with backup of all files inside it. I formatted it. Then I stopped IIS, deleted all logs, not normal delete which could be recovered with recovery tools, I deleted it with secure delete method and in fact I wiped them.”
Rob Graham of Errata Security states that he has had further correspondence with Comodohacker and has verified that the private key for the forged Mozilla certificate was in fact authentic.
Graham wrote, “Note that even the “Certificate Authority” who signs a key does not know the private key. When somebody requests a certificate, they only send the “hash” to the certificate authority. Therefore, nobody, not even Comodo, should know the private key.”
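Graham’s point, that the CA never holds the applicant’s private key, can be checked with a miniature issuance run. The following is an added example using the openssl command-line tool; it is not code from the article, from Comodo or from Errata Security. The host name www.example.test, the CA name “Toy Root CA” and the one-day validity are made up for the demonstration. The only file that crosses from applicant to CA is the certificate signing request, which carries the public key and a self-signature proving possession of the private key; the private key itself stays on the applicant side.

```shell
#!/bin/sh
# Added example (not from the article): a miniature CA workflow with the openssl
# CLI. The applicant builds a CSR; the CA receives only the CSR and issues a
# certificate from it. Names and validity period are made up for the demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Applicant side: generate a key pair and a CSR for a hypothetical host.
applicant_make_csr() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/applicant.key" 2>/dev/null
  openssl req -new -key "$WORK/applicant.key" -subj "/CN=www.example.test" \
    -out "$WORK/applicant.csr" 2>/dev/null
}

# CA side: its own key pair and a self-signed toy root.
ca_setup() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/ca.key" 2>/dev/null
  openssl req -x509 -new -key "$WORK/ca.key" -subj "/CN=Toy Root CA" \
    -days 1 -out "$WORK/ca.crt" 2>/dev/null
}

# The CA sees only applicant.csr. It checks the CSR's self-signature (proof
# that the requester holds the matching private key), then issues the cert.
ca_sign_csr() {
  openssl req -in "$WORK/applicant.csr" -noout -verify 2>/dev/null
  openssl x509 -req -in "$WORK/applicant.csr" -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -days 1 \
    -out "$WORK/applicant.crt" 2>/dev/null
}

# Returns 0 if the CSR file carries private key material (it must not).
csr_contains_private_key() {
  grep -q "PRIVATE KEY" "$WORK/applicant.csr"
}

# SHA-256 over the DER public key, so keys can be compared without secrets.
pubkey_fingerprint_from_cert() {
  openssl x509 -in "$WORK/applicant.crt" -noout -pubkey 2>/dev/null \
    | openssl pkey -pubin -outform DER 2>/dev/null \
    | openssl dgst -sha256 | awk '{print $NF}'
}
pubkey_fingerprint_from_key() {
  openssl pkey -in "$WORK/applicant.key" -pubout -outform DER 2>/dev/null \
    | openssl dgst -sha256 | awk '{print $NF}'
}

# Returns 0 if the issued certificate chains to the toy root.
cert_verifies_against_ca() {
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/applicant.crt" >/dev/null 2>&1
}

# Full run: applicant and CA steps, then the three checks a reviewer would make.
demo() {
  applicant_make_csr
  ca_setup
  ca_sign_csr
  if csr_contains_private_key; then
    echo "CSR leaked private key material" >&2
    return 1
  fi
  [ "$(pubkey_fingerprint_from_cert)" = "$(pubkey_fingerprint_from_key)" ] || return 1
  cert_verifies_against_ca || return 1
  echo "issued $(openssl x509 -in "$WORK/applicant.crt" -noout -subject) without the CA holding applicant.key"
}
```

Running `demo` leaves the applicant’s private key untouched in the applicant’s directory and shows the CA producing a certificate for the same public key from the CSR alone. The same separation is why possession of a forged certificate’s private key, as Graham describes, is strong evidence of who generated the request, since neither the CA nor anyone who merely observed the issuance would have it.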
In what may be a retaliatory attack by Comodohacker, Comodo reported this morning that two more affiliate Registration Authorities had been compromised, “but that no further mis-issued certificates have resulted from those compromises.”
To address the growing list of concerns about Comodo’s security practices in the wake of the attacks, Robin Alden stated that the company will be implementing improved authentication methods for all Registration Authority (RA) accounts, namely IP address restrictions and hardware-based two-factor authentication.
Until the situation has been rectified, Mozilla officials have called on Comodo to stop issuing certificates to RAs directly from the root that the company maintains. Alden stated that the company is proceeding to implement that model as soon as possible.