Hackers target Google, Skype with rogue SSL certificates

In root authority breach, fraudulent Comodo SSL certificates were created in a suspected state-sponsored attack by Iran

Comodo's tag line is "creating trust online." That may be true most of the time, but after an attack resulted in nine fraudulent SSL certificates -- targeting domains like Google, Yahoo, Skype, and Windows Live -- it might be wise to trust Comodo a little less.

A statement from Comodo explains that a root authority (RA) was breached. The attacker created a user account and used the fraudulent account to issue nine rogue SSL certificates spanning seven different domains. The Comodo statement reads, "The attacker was well prepared and knew in advance what he was to try to achieve. He seemed to have a list of targets that he knew he wanted to obtain certificates for, was able quickly to generate the [requests] for these certificates and submit the orders to our system so that the certificates would be produced and made available to him."

[ The Web browser is your portal to the world -- as well as the conduit that lets in many security threats. InfoWorld's expert contributors show you how to secure your Web browsers in this "Web Browser Security Deep Dive" PDF guide. ]

Comodo stresses that all nine certificates were revoked immediately upon discovery of the attack, and it has not detected any attempts to use the certificates after they were revoked. Comodo believes the attack originated in Iran, and based on the target domains, it may be a state-sponsored attempt to hack Web mail accounts of political dissidents.

Oliver Lavery, director of security research at nCircle, shared some thoughts about the attack. "What I find fascinating about this attack is the choice of domains because they aren't useful unless you have control of the DNS infrastructure." Lavery goes on to explain that a country like Iran does have control of the DNS infrastructure within its boundaries to an extent and speculates that this attack could have been executed with the intent to intercept encrypted Internet communications.

The login.live.com domain used for logging in to Windows Live accounts was one of the domains compromised by the rogue Comodo certificates. Microsoft has issued a security advisory and released a mitigation update to update the certificate revocation list on Windows PCs and prevent them from accepting the fake SSL certificates as legitimate.

In the wake of the hack against the RSA network, which breached sensitive information related to the SecurID tokens used by millions to provide two-factor authentication and prevent unauthorized access, the compromise of Comodo SSL certificates is concerning. We all know attackers are out there and must take steps to protect our PCs and our data. But if two of the most trusted names in providing that security get compromised in the same week, it leaves you feeling a little hopeless and outgunned.

nCircle's director of security operations, Andrew Storms, added, "There will be a lot of critical people watching to see how Comodo responds as this incident unfolds. The security community in particular will demand a lot of transparency in order to rebuild their trust in Comodo."

This story, "Hackers target Google, Skype with rogue SSL certificates" was originally published by PCWorld.

Copyright © 2011 IDG Communications, Inc.