Iranian hackers suspected in recent security breach

By Riva Richmond, New York Times | Updated: 11 June 2012 16:27 IST
The Internet security firm Comodo Group said it had been victim to a hacker attack that appeared to have been part of a larger scheme to eavesdrop on encrypted e-mail and chat communications that may have been sponsored by Iran.

Comodo, a digital certificate authority and security software maker, said on Wednesday that it unwittingly issued fraudulent digital certificates for Web sites operated by Google, Yahoo, Microsoft, Skype and Mozilla. Digital certificates are used to vouch for the authenticity of a site owner and facilitate encrypted communications between sites and their users. Comodo revoked all of the certificates immediately upon discovery of the incident and notified the site owners, the major browser makers and relevant government authorities, it said.

The firm described the attack as well-planned and deployed with "clinical accuracy" from computers located mainly in Iran, though it pointed out in a company blog post that those computers could have been used to "lay a false trail." But it said that the characteristics of the attack, and the fact that Iran has sought to penetrate online communication services in the past, led it to "one conclusion only": that the attack was likely to be "state-driven."

The Iranian government, like others in the Middle East facing opposition movements leveraging the Internet to organize protests and press for democratic change, has aggressively sought to restrict and monitor Internet access by its citizens.

With the certificates, a hacker would be able to set up server computers that would appear to work for the targeted Web sites. A government that controls Internet traffic inside its country would be able to use such a server to gain access to encrypted e-mail and chat conversations and collect user names and passwords for individuals' accounts, said Mikko H. Hypponen, chief research officer at the security firm F-Secure, in a blog post.

Even without a grip on Internet traffic, a hacker could lure dissidents or other Web users to the rogue server and then intercept their communications and account details, said Roel Schouwenberg, a senior researcher at the security firm Kaspersky. "You can 'own' a target without having to compromise anything at the target's end," he said. "It might not be easier, but it might be 'cleaner.'"

The fraudulent certificate for Mozilla, which was for its Firefox add-on site, might have allowed the attacker, posing as Mozilla, to install malware on targeted PCs or to block the installation of Firefox extensions that help users bypass government-imposed censorship filters, Mr. Hypponen said.

"Everything points to this being an intelligence operation," Mr. Schouwenberg said, noting that theft of certificates has become a favored tactic among governments.

The Stuxnet worm that targeted Iranian nuclear installations last year also made use of stolen certificates, though those certificates were stolen from hardware companies that owned and used them to "sign" their products, not from the certificate authorities that issued them.

In this recent attack, Comodo, one of several companies with the authority to issue digital certificates to Web sites, said one of its partners in Southern Europe, a so-called registration authority, which acts as an intermediary between it and some Web-site customers, suffered a security breach on March 15. That breach allowed the hacker to set up a bogus account and quickly prompt Comodo to generate the nine certificates.

News of the breach led to calls for increased scrutiny of the entire certificate system.

"This should serve as a wake-up call to the Internet," wrote Jacob Appelbaum in a blog post for Tor Project, a nonprofit group that makes free software that dissidents, journalists and other privacy-conscious people use to surf the Web anonymously and defeat online monitoring.
"We need to research, build, and share new methods for ensuring trust, identity, authenticity, and confidentiality on the Internet," he wrote.

Comodo said it has evidence that the hacker tried to use one bogus certificate for Yahoo, but no evidence of use for the other companies singled out. Yahoo said it was aware of the incident and "will continue to monitor this closely."

Skype also said it was monitoring the situation and had taken steps to mitigate an attack on its service. "We do not expect any issues as a result," Skype added in a statement.

Google said it had not detected any use of fraudulent Google certificates.

The major browser makers have all issued updates for their software to block the bogus certificates. Google pushed out an update to users of its Chrome browser on March 17.

Mozilla said in a blog post Tuesday that it issued an update to its Firefox browser and urged users to download it. Microsoft did the same on Wednesday.
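To make the mechanism concrete, here is an added toy model (not from the article or from any of the companies named) of why a fraudulently issued certificate passes ordinary browser validation, and how the pushed browser updates stopped it: explicit distrust of the known-bad certificates, with public-key pinning shown as a further check. The CA name, host name, serial numbers and keys are all constructed.

```python
from __future__ import annotations
import hashlib
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for an X.509 certificate (constructed, not real data)."""
    subject: str        # DNS name the certificate vouches for
    issuer: str         # CA that signed it
    serial: str         # issuer-assigned serial number (constructed value)
    public_key: bytes   # stand-in for the subject public key (constructed)

    def fingerprint(self) -> str:
        # Browsers distrust by a hash of the DER encoding; here we hash the fields.
        data = f"{self.subject}|{self.issuer}|{self.serial}|".encode() + self.public_key
        return hashlib.sha256(data).hexdigest()

# Hypothetical root shipped in the browser trust store.
TRUSTED_ROOTS = {"Example Root CA"}

def validate(cert: Cert, hostname: str,
             blocklist: frozenset[str] = frozenset(),
             pins: Optional[dict[str, bytes]] = None) -> tuple[bool, str]:
    """Return (accepted, reason). Path validation runs first; the blocklist
    and pin checks model what the browser updates added on top of it."""
    # 1. Ordinary path validation. A correctly issued but fraudulent
    #    certificate passes this step, which is the core of the problem.
    if cert.issuer not in TRUSTED_ROOTS:
        return False, "untrusted issuer"
    if cert.subject != hostname:
        return False, "hostname mismatch"
    # 2. Explicit distrust of known-bad certificates (the pushed updates).
    if cert.fingerprint() in blocklist:
        return False, "certificate explicitly distrusted"
    # 3. Public-key pinning: only the key the site is known to use is accepted.
    if pins and hostname in pins and pins[hostname] != cert.public_key:
        return False, "public key does not match pin"
    return True, "ok"

# Constructed sample data: the site's genuine certificate and a fraudulent one
# that the same trusted CA issued for the same name to the attacker's key.
GENUINE = Cert("mail.example.com", "Example Root CA", "01", b"genuine-key")
FRAUDULENT = Cert("mail.example.com", "Example Root CA", "0a", b"attacker-key")
BLOCKLIST = frozenset({FRAUDULENT.fingerprint()})
PINS = {"mail.example.com": GENUINE.public_key}

if __name__ == "__main__":
    for label, kw in [("plain", {}), ("blocklist", {"blocklist": BLOCKLIST}),
                      ("pinned", {"pins": PINS})]:
        print(label, validate(FRAUDULENT, "mail.example.com", **kw))
```

Running it shows the fraudulent certificate accepted by the plain check and rejected by both the blocklist and the pin check, while the genuine certificate passes all three.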
