[ISN] Comodo hacker claims another certificate authority

From: InfoSec News <alerts_at_private>
Date: Thu, 31 Mar 2011 00:10:09 -0600 (CST)
http://www.computerworld.com/s/article/9215360/Comodo_hacker_claims_another_certificate_authority

By Robert McMillan
IDG News Service
March 30, 2011

The hacker who claimed credit for breaking into systems belonging to 
digital certificate vendor Comodo said he has compromised another 
certificate authority, along with two more Comodo partners, a move that 
could further undermine trust in the system used to secure websites on 
the Internet.

In an e-mail interview Tuesday the hacker, who calls himself "Ich Sun," 
said he'd breached security at another certificate authority, but 
declined to provide details on the incident or any proof that he'd 
managed to pull off another attack. "Talking about second CA have no use 
for me, except giving away my work and corrupting it, sorry," he said in 
the broken English he's used in all public communications.

He may have succeeded by breaking into a Comodo partner who was also 
able to create digital certificates through another certificate 
authority (CA). Over the past weekend, Ich Sun tried to compromise two 
other Comodo partners, one of whom also partnered with a different 
certificate authority, according to Comodo CEO Melih Abdulhayoglu. 
Neither of the attacks was successful against the Comodo system, thanks 
to newly introduced security measures, but Abdulhayoglu does not know 
whether the second CA was compromised, he said.

Certificate authorities like Comodo issue the trusted digital 
certificates used by SSL (Secure Sockets Layer) encryption to prove that 
a particular computer on the Internet is what it claims to be: that the 
computer you visit when you type Google.com actually belongs to Google, 
for example. Browsers use these digital certificates when they're 
connecting to secure Web pages, but they're also used to secure Internet 
mail and virtual private networks. CAs often work with partners, called 
registration authorities, who charge to confirm the identity of the 
company and then use the CA's system to generate a cryptographic 
signature for the company in question.

[...]


Received on Wed Mar 30 2011 - 23:10:09 PDT
