NEWS FROM THE LAB - Tuesday, September 6, 2011

DigiNotar Hacker Comes Out
Posted by Mikko @ 05:23 GMT

Almost from the beginning of the DigiNotar CA disaster (report here), we had reason to believe the case was connected to "ComodoGate" — the hacking of another Certificate Authority earlier this year, by an Iranian attacker.

This connection has now been confirmed.

After ComodoGate, the hacker — who called himself ComodoHacker — sent a series of messages via his Pastebin account. Then, at the end of March 2011, it went silent. We've been keeping an eye on it, just in case the attacker posted something related to the DigiNotar case.

And he just did.

[Image: Comodo Hacker]

In his latest post, ComodoHacker claims that he is the one who hacked DigiNotar as well. He also claims he still has access to four other "high-profile" CAs and is still able to issue new rogue certificates (including code signing certificates).

As proof that he really did infiltrate DigiNotar, he shares what he says is the domain administrator password of the CA network: Pr0d@dm1n. Only DigiNotar can confirm whether this is accurate.

The same hacker seems to be active on Twitter as well, under the nickname "ich sun" at @ichsunx2.

The Certificate Authority system is in bad shape indeed. For some answers on what we should do next, we recommend watching this video of Moxie Marlinspike's Black Hat 2011 talk, "SSL and the Future of Authenticity".