A hacking scandal in the Netherlands has escalated, with Dutch government officials investigating whether a hacker who stole online security certificates also stole any sensitive information on Dutch citizens.
Last week, DigiNotar, a government security contractor, announced that a hacker had stolen several SSL certificates, which are used to validate the authenticity of Web sites and thus to protect people from hackers impersonating legitimate sites.
The Dutch government hired Fox-IT, a company based in Delft, to look into the security lapse, and Fox-IT issued a report indicating that the stolen certificates had been used to trick users in Iran into visiting fraudulent Web sites.
DigiNotar found evidence on July 28 that rogue certificates were verified by Internet addresses originating from Iran, the report said, according to The New York Times. The company reportedly found 333 fraudulent certificates in July and invalidated them.
A hacker calling himself Comodohacker claimed responsibility for the breach in a rambling post on Pastebin.com on Monday. "I was sure if I issue those certificates for myself from a company, company will be closed and will not be able to issue certs anymore, Comodo was really really lucky!" he wrote. "I thought if I issue certs from Dutch Gov. CA, they'll lose a lot of money."
Comodohacker is a known hacker, and he has even spoken to the press on occasion. He has said he is a 21-year-old Iranian student, but there is no way to confirm that.
He said he attacked DigiNotar as retribution for the Dutch government's actions toward Muslims -- "I wanted to let the world know that ANYTHING you do will have consequences, ANYTHING your country did in past, you have to pay for it," he wrote -- but his broken English made it unclear what exactly the offending actions were.
"When Dutch government, exchanged 8,000 Muslim for 30 Dutch soldiers and Animal Serbian soldiers killed 8,000 Muslims in same day, Dutch government have to pay for it, nothing is changed, just 16 years has been passed," he wrote. "Dutch government's 13 million dollars which paid for DigiNotar will have to go DIRECTLY into trash, it's what I can do from KMs away! It's enough for Dutch government for now, to understand that 1 Muslim soldier worth 10,000 Dutch government."
Comodohacker also threatened to hack other high-profile Web sites, which he did not name. He said that after his spree was complete, he would reveal how he had gotten past DigiNotar's security protections, and that his techniques could prove useful to infamous hacking groups like Anonymous and Lulz Security.
"I'll talk technical details of hack later, I don't have time now," he wrote. "How I got access to 6 layer network behind internet servers of DigiNotar, how I found passwords, how I got SYSTEM privilage in fully patched and up-to-date system, how I bypassed their nCipher NetHSM, their hardware keys, their RSA certificate manager, their 6th layer internal 'CERT NETWORK' which have no ANY connection to internet, how I got full remote desktop connection when there was firewalls that blocked all ports except 80 and 443 and doesn't allow Reverse or direct VNC connections, more and more and more... After I explain, you'll understand how sophisticated attack it was."
Vasco Data Security International, the parent company of DigiNotar, has been cooperating with the governmental investigation. However, DigiNotar has come under fire for not reporting the security breach as soon as it was known. The Associated Press reported that the company could face criminal negligence charges because it had used weak passwords, failed to update software on its public servers and had no antivirus protection on its internal servers -- charges that contradict Comodohacker's characterization of his attack as extremely difficult and sophisticated.