An internet user with proven ties to the DigiNotar hack claims he
stole email, customer data and other sensitive data from two competing
web authentication authority that will be released publicly soon.
In a statement posted Thursday, an individual calling himself Comodohacker expanded on previous claims
that he breached the security of Israel-based certificate authority
StartCom and its competitor GlobalSign, which is headquartered in the
US. "I have ALL emails, database backups, customer data” for StartCom,
he wrote, and went on to say he had access to "the entire server,”
database backups and system configuration of GlobalSign. GlobalSign has
already stopped issuing certificates while it investigates.
Thursday's claims came shortly after Comodohacker offered the first conclusive proof he had insider knowledge of the security breach of Netherlands-based DigiNotar that minted more than 500 counterfeit certificates for Google.com
and dozens of other websites. The unknown individual, who claims to be a
21-year-old Iranian who is sympathetic to his country's government, posted a file
that was signed with the private key of the fraudulent Google
certificate, proving he had close contact with the people who
perpetrated the hack.
Comodohacker previously confirmed his involvement in a hack on a reseller of the Comodo certificate authority that also forged counterfeit credentials for sensitive websites.
In Thursday's post, he went on to provide details into the breach on
DigiNotar, claiming its HSM, or hardware security module, ran on the
OpenBSD operating system and had only a single port open that was
protected with RSA SecurID and SafeSign Token management systems. It's
unclear if that description matches the systems used by DigiNotar.
Given the track record of Comodohacker, and the previous attacks on
the PK, or public key, infrastructure, which some observers believe is
sponsored by the Iranian government, the claims should be thoroughly
investigated, said Comodo CEO Melih Abdulhayoglu.
"This is totally a state-sponsored attack on the PK infrastructure so you have to take it seriously,” he told The Register. "You have to immediately turn everything into emergency mode, whatever that is in your company.”
In addition to temporarily ceasing certificate issuance during its
investigation, GlobalSign has hired Dutch security firm Fox IT to assist
in the probe. It's unclear what steps StartCom has taken in response to
the claims. Representatives from both companies didn't respond to
emails seeking comment for this post. ®