=====================================================================
                                    CERT-Renater

                         Information Note No. 2011/VULN253
_____________________________________________________________________

DATE                      : 24/03/2011

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Systems using SSL certificates.

======================================================================
http://blogs.comodo.com/it-security/data-security/the-recent-ca-compromise/
______________________________________________________________________

The Recent RA Compromise

March 23, 2011 | By Phillip Hallam-Baker


On March 15th 2011, a Comodo affiliate RA was compromised, resulting in
the fraudulent issue of 9 SSL certificates to sites in 7 domains.
Although the compromise was detected within hours and the certificates
revoked immediately, the attack and the suspected motivation require
the urgent attention of the entire security field.

At no time were any Comodo root keys, intermediate CAs or secure hardware
compromised. The compromise occurred at an affiliate authorized to perform
primary validation of certificate requests. The compromise was promptly
reported to the owners of the domains affected and the major browser
providers and to the relevant government authorities.

In this blog post I will set out the relevant events as they are currently
understood. More detailed information can be found in the incident report.
The following post will consider what the events imply for the threat model
for Internet security and the posts after that will set out specific
remediation actions required.

An attacker obtained the username and password of a Comodo Trusted Partner
in Southern Europe.  We are not yet clear about the nature or the details
of the breach suffered by that partner other than knowing that other online
accounts (not with Comodo) held by that partner were also compromised at
about the same time.

The attacker used the username and password to log in to the particular
Comodo RA account and effect the fraudulent issue of the certificates.

The attacker was still using the account when the breach was identified and
the account suspended. The attacker may have intended to target additional
domains had they had the opportunity.

Remediation efforts began immediately after the breach was discovered. The
certificates have all been revoked and no Web browser should now accept the
fraudulently issued certificates if revocation checking is enabled. Additional
audits and controls have been deployed as described in the detailed incident report.
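The revocation point above hinges on the client actually checking revocation. As an added example that is not part of the Comodo post or the CERT-Renater bulletin, the script below builds a throw-away CA, issues and revokes a leaf certificate, and shows that `openssl verify` still accepts the revoked certificate unless `-crl_check` is given. All names are constructed; the openssl command-line tool is assumed to be installed.

```shell
#!/bin/sh
# Added example (not from the Comodo post or CERT-Renater): build a throw-away CA,
# issue and revoke a leaf certificate, then show that a verifier which never
# consults the CRL still accepts the revoked certificate. Names are constructed;
# requires the openssl command-line tool.
set -e
WORK=$(mktemp -d); cd "$WORK"
mkdir -p db/newcerts; touch db/index.txt; echo 01 > db/serial; echo 01 > db/crlnumber
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo
[ demo ]
dir              = ./db
database         = $dir/index.txt
new_certs_dir    = $dir/newcerts
serial           = $dir/serial
crlnumber        = $dir/crlnumber
certificate      = ./ca.crt
private_key      = ./ca.key
default_md       = sha256
default_days     = 30
default_crl_days = 7
policy           = any_cn
[ any_cn ]
commonName       = supplied
EOF
# Self-signed demo root and a leaf certificate signed by it
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
  -subj "/CN=Demo Root (constructed)" -days 30 2>/dev/null
openssl req -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
  -subj "/CN=login.example.test" 2>/dev/null
openssl ca -batch -notext -config ca.cnf -in leaf.csr -out leaf.crt 2>/dev/null
# Revoke the leaf (as Comodo did for the fraudulent certificates) and publish a CRL
openssl ca -config ca.cnf -revoke leaf.crt 2>/dev/null
openssl ca -config ca.cnf -gencrl -out ca.crl 2>/dev/null

# Returns 0 when a verifier that ignores revocation accepts the revoked leaf
verify_without_crl() { openssl verify -CAfile ca.crt leaf.crt >/dev/null 2>&1; }
# Returns 0 only if the leaf still passes once CRL checking is enabled (it must not)
verify_with_crl() {
  cat ca.crt ca.crl > trust_with_crl.pem
  openssl verify -crl_check -CAfile trust_with_crl.pem leaf.crt >/dev/null 2>&1
}

verify_without_crl && echo "no revocation check: revoked certificate ACCEPTED"
verify_with_crl || echo "with CRL check: revoked certificate REJECTED"
```

The same gap exists in browsers: a client that skips or soft-fails revocation checks would have kept trusting the fraudulent certificates after Comodo revoked them.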

The IP address of the initial attack was recorded and has been determined
to be assigned to an ISP in Iran. A web survey revealed one of the
certificates deployed on another IP address assigned to an Iranian ISP.
The server in question stopped responding to requests shortly after the
certificate was revoked.

While the involvement of two IP addresses assigned to Iranian ISPs is
suggestive of an origin, this may be the result of an attacker attempting
to lay a false trail.

It does not escape notice that the domains targeted would be of
greatest use to a government attempting surveillance of Internet use
by dissident groups. The attack comes at a time when many countries
in North Africa and the Gulf region are facing popular protests and
many commentators have identified the Internet and in particular social
networking sites as a major organizing tool for the protests.

Government attacks against social networking sites are not a new phenomenon.
In the wake of the 2009 protests, Twitter was disabled for an hour by a
group calling itself the Iranian Cyber Army. In recent months we have
seen a complete shutdown of the Internet in Egypt and in Libya. The
Tunisian government authorities also attempted an attack against login
credentials at social networking sites but through a JavaScript attack.
A recent article in the London Daily Telegraph describes measures taken
against the Tor onion routing infrastructure by Iran.

The new threat model evidenced by these attacks will be considered in
greater detail in the next post.
======================================================================

           =========================================================
           CERT-Renater reference servers
           http://www.urec.fr/securite
           http://www.cru.fr/securite
           http://www.renater.fr
           =========================================================
           + CERT-RENATER          | tel : 01-53-94-20-44          +
           + 23 - 25 Rue Daviel    | fax : 01-53-94-20-41          +
           + 75013 Paris           | email: certsvp@renater.fr     +
           =========================================================


