Comodo Hacker - "Comodogate" Iranian hacker claims all of the Internet is insecure
Message by Comodo Hacker:
Hello
I'm writing this to the world, so you'll know more about me..
At first I want to give some points, so you'll be sure I'm the hacker:
I hacked Comodo from InstantSSL.it, their CEO's e-mail address mfpenco@mfpenco.com
Their Comodo username/password was: user: gtadmin password: [trimmed]
Their DB name was: globaltrust and instantsslcms
GlobalTrust.it had a dll called TrustDLL.dll for handling Comodo requests, they had resellers and their url was:
http://www.globaltrust.it/reseller_admin/
Enough said, huh? Yes, enough said, someone who should know already knows...Am I right Mr. Abdulhayoglu?
Anyway, at first I should mention we have no relation to Iranian Cyber Army, we don't change DNSes, we
just hack and own.
I see Comodo CEO and others wrote that it was a managed attack, it was a planned attack, a group of
cyber criminals did it, etc. etc. etc.
Let me explain:
a) I'm not a group of hacker, I'm single hacker with experience of 1000 hackers, I'm single programmer with
experience of 1000 programmers, I'm single planner/project manager with experience of 1000 project
managers, so you are right, it's managed by a group of hackers, but it was only I with experience of 1000
hackers.
b) It was not really a managed hack. At first I decided to hack RSA algorithm, I did too much
investigation on SSL protocol, tried to find an algorithm for factoring integer, analyzed existing algorithms, for now I was not
able to do so, at least not yet, but I know it's not impossible and I'll prove it, anyway... I saw
that there is easier ways of doing it, like hacking a CA. I was looking to hack some CAs like Thawte,
Verisign, Comodo, etc. I found some small vulnerabilities in their servers, but it wasn't enough to
gain access to server and sign my CSRs. During my search about InstantSSL of Comodo which signs CSRs immediately I found
InstantSSL.it which was doing its job under control of Comodo.
After a little try, I analyzed their web server and easily (easy for me, so hard for others) I got FULL access on the server, after a little investigation on their
server, I found out that TrustDll.dll takes care of signing. It was coded in C# (ASP.NET).
I decompiled the DLL and I found username/password of their GeoTrust and Comodo reseller account.
GeoTrust reseller URL was not working, it was in ADTP.cs. Then I found out their Comodo account works
and Comodo URL is active. I logged into Comodo account and I saw I have right of signing using APIs. I
had no idea of APIs and how it works. I wrote a code for signing my CSRs using POST request to those
APIs, I learned their APIs so FAST and their TrustDLL.DLL was too old and was not working properly, it doesn't send all needed parameters,
it wasn't enough for signing a CSR. As I said, I rewrote the code for !AutoApplySSL and !PickUpSSL
APIs, first API returns OrderID of placed Order and second API returns entire signed
certificate if you pass OrderID from previous call. I learned all these stuff, re-wrote the code and
generated CSR for those sites all in about 10-15 minutes. I wasn't ready for these type of APIs, these
type of CSR generation, API calling, etc. But I did it very very fast.
Anyway, I know you are really shocked about my knowledge, my skill, my speed, my expertise and entire attack.
That's OK, all of it was so easy for me, I did more important things I can't talk about, so if you have to
worry, you can worry... I should mention my age is 21
Let's back to reason of posting this message.
I'm talking to the world, so listen carefully:
When USA and State of Israel creates Stuxnet, nobody talks about it, nobody blamed, nothing happened at all,
so when I sign certificates nothing should happen, I say that, when I sign certificates nothing should
happen. It's a simple deal.
I heard that some stupids tried to ask about it from Iran's ambassador in UN, really? How smartass you are?
Where were you when Stuxnet created by State of Israel and USA with millions of dollar budget, with access to SCADA systems and Nuclear softwares? Why no one asked a question from State of Israel and USA ambassador to UN?
So you can't ask about SSL situation from my ambassador, I answer your question about situation: "Ask about Stuxnet from USA and Israel", this is your answer, so don't waste my Iran's ambassador's worthy time.
When USA and Israel can read my emails in Yahoo, Hotmail, Skype, Gmail, etc. without any simple
little problem, when they can spy using Echelon, I can do anything I can. It's a simple rule. You do,
I do, that's all. You stop, I don't stop. It's a rule, rule #1 (My Rules as I rule to internet, you should know it
already...)
Rule#2: So why all the world worried, internet shocked and all writers write about it, but nobody
writes about Stuxnet anymore? Nobody writes about HAARP, nobody writes about Echelon... So nobody
should write about SSL certificates.
Rule#3: Anyone inside Islamic Republic of Iran with problems, from fake green movement to all MKO members and 2 faced
terrorists, should afraid of me personally. I won't let anyone inside Iran, harm people of Iran, harm
my country's Nuclear Scientists, harm my Leader (which nobody can), harm my President, as I live, you
won't be able to do so. As I live, you don't have privacy in internet, you don't have security in
digital world, just wait and see...By the way, you already have seen it or you are blind, is there any larger target than a CA in internet?
Rule#4: Comodo and other CAs in the world: Never think you are safe, never think you can rule the
internet, ruling the world with a 256 digit number which nobody can find its 2 prime factors (you think so), I'll show
you how someone in my age can rule the digital world, how your assumptions are wrong, you already understood it, huh?
Rule#5: To Microsoft, Mozilla and Chrome who updated their softwares as soon as instructions came from
CIA. You are my targets too. Why Stuxnet's Printer vulnerability patched after 2 years? Because it was
needed in Stuxnet? So you'll learn sometimes you have to close your eyes on some stuff in internet,
you'll learn... You'll understand... I'll bring equality in internet. My orders will equal to CIA orders,
lol ;)
Rule#6: I'm a GHOST
Rule#7: I'm unstoppable, so afraid if you should afraid, worry if you should worry.
My message to people who have problem with Islamic Republic of Iran, SSL and RSA certificates are broken, I did it 1 time, make sure I'll do it again, but this time nobody will notice it.
I see some people suggests using VPNs, some people suggests TOR, some other suggests UltraSurf, etc. Are you sure you are safe using those? RSA 2048 was not able to resist in front of me, do you think UltraSurf can?
If you was doing a dirty business in internet inside Iran, I suggest you to quit your job, listen to sound of most of people of Iran, otherwise you'll be in a big trouble, also you can leave digital world
and return to using abacus.
A message in Persian: Janam Fadaye Rahbar
[UPDATE 1]: Also check this: http://pastebin.com/DBDqm6Km