NY Times News Service, NEW YORK
He claims to be 21 years old, a student of software engineering in Tehran who reveres Ayatollah Ali Khamenei and despises dissidents in his country. He sneaked into the computer systems of a security firm on the outskirts of Amsterdam. He created fake credentials that could allow someone to snoop on Internet connections that appeared to be secure and then shared that bounty with people he declines to name.
The fruits of his labor are believed to have been used to tap into the online communications of as many as 300,000 unsuspecting Iranians this summer. What’s more, he punched a hole in an online security mechanism that is trusted by millions of Internet users all over the world.
Comodohacker, as he calls himself, insists he acted on his own and is unperturbed by the notion that his work may have been used to spy on anti-government Iranians.
“I’m totally independent,” he said in an e-mail exchange with the New York Times. “I just share my findings with some people in Iran. They are free to do anything they want with my findings and things I share with them, but I’m not responsible.”
In the annals of Internet attacks, this is likely to go down as a moment of reckoning. For activists, it shows the downside of using online tools to organize — an opponent with enough determination and resources just might find a way to track their every move.
It also calls into question the reliability of a basic system of trust that global Internet brands such as Google and Facebook, along with their users, rely upon. The system is intended to verify the authenticity of a particular Web site — to ensure, in effect, that Gmail is Gmail and that the connection to the site is encrypted and difficult for an outsider to monitor.
Hundreds of companies and government authorities around the world, including in the US and China, have the power to issue the digital certificates that the system relies upon to verify a Web site’s identity. The same hacker is believed to be responsible for attacks on three such companies.
In March, he claimed credit for a breach of Comodo in Italy. In late August came the attack on the Dutch company DigiNotar. On Friday evening, a company called GlobalSign said it had detected an intrusion into its Web site, but not into more confidential systems.
Armed with certificates stolen from companies like these, someone with control over an Internet service provider, like the Iranian authorities, could trick Internet users into thinking they were safely connected to a familiar site, while eavesdropping on their online activity.
Fearing the prospect of other breaches similar to those carried out by this hacker, Mozilla, the maker of the Firefox Web browser, last week issued a warning to certificate authority companies to audit their security systems or risk being booted off Firefox.
“It is a real example of a weakness in security infrastructure that many people assumed was trustworthy,” said Richard Bejtlich, chief security officer of Mandiant Security in Alexandria, Virgina. “It’s a reminder that it is only as trustworthy as the companies that make up the system. There are bound to be some that can’t protect their infrastructure and you have results like this.”
Comodohacker said via e-mail that he began his explorations by scrolling through a list of certificate authority companies. DigiNotar sparked his interest because it was Dutch. He said he was motivated by the failure of Dutch peacekeepers to prevent the massacres of Muslims in Srebenica in 1995. He also said he chose the Dutch company because of a Dutch lawmaker Geert Wilders, who has built a political career out of criticizing Muslims in his country.
DigiNotar, which is owned by an Illinois company called Vasco Data Security International, did not make the attack particularly difficult, according to a report by Fox-IT, a security company that was commissioned by the Dutch government to investigate. The company’s critical servers contained malicious software that should have been spotted by anti-virus tools, the report said, and the servers related to certificates were all protected by just one weak password.
DigiNotar did not respond to requests for comment last week.
There was fallout in the Netherlands as well. The Dutch government said last week that it was widening its investigation into the breach in an effort to learn whether the private data of its citizens, many of whom file income tax returns online, had been compromised.
According to the investigation commissioned by the Dutch government, Comodohacker apparently began poking around DigiNotar’s systems in early June. He gained control of the server in about 10 days and generated 531 fake certificates, including some for well-known sites such as Google, Skype and Facebook, along with a few foreign intelligence sites. He shared them with a person or organization believed to have had control over dozens of Internet service providers and university networks in Iran — perhaps the government itself.
Fox-IT concluded that over the course of a month, 300,000 people were served up fake certificates produced by Comodohacker. E-mails, chats, user names and passwords could have been monitored, revealing who they were talking to and what they were planning.
Google on Thursday last week issued an unusual warning to its users in Iran, calling on them to change passwords and check if their e-mails were being forwarded to unfamiliar or suspicious addresses.
Word of the Google warning caught the attention of Jubeen Sharbaf, an Iranian in Toronto. He is not ignorant of the Iranian government’s attempts to spy on its people, he said via e-mail.
“This was alarming though, because Google is perceived to be very secure and beside Skype, it has been used for the line of communication within and outside Iran,” Sharbaf said.
Comodohacker was plainspoken about his motivations.
“My country should have control over Google, Skype, Yahoo, etc,” he said by e-mail. “I’m breaking all encryption algorithms and giving power to my country to control all of them.”
In the days since his attack was discovered, Comodohacker posted lengthy explanations on Pastebin, a sort of Internet bulletin board, of how he had penetrated the system of the Dutch firm and why, along with his e-mail address.
He has also boasted of his own skills, calling his work the “most sophisticated hack of all time,” and at one point exclaiming: “I’m really sharp, powerful, dangerous and smart.”
Mikko Hypponen, a security researcher with Helsinki-based F-Secure Labs, said the hacker was “somebody who has skills and he also has the old-school hacker mentality where he likes to boast.”
“If he were an intelligence analyst for the secret police he wouldn’t be doing this,” Hypponen added.
Asked whether he was paid for his services, the hacker replied in broken English: “I don’t fight for my belief for award in this world.”
The e-mail he sent appears to have come from a computer in Russia, according to an independent security analyst who reviewed it. Comodohacker has either remotely taken control of someone’s computer in Russia, or he may not be an Iranian software engineer at all.
Recently, China launched another diplomatic offensive against Taiwan, improperly linking its “one China principle” with UN General Assembly Resolution 2758 to constrain Taiwan’s diplomatic space. After Taiwan’s presidential election on Jan. 13, China persuaded Nauru to sever diplomatic ties with Taiwan. Nauru cited Resolution 2758 in its declaration of the diplomatic break. Subsequently, during the WHO Executive Board meeting that month, Beijing rallied countries including Venezuela, Zimbabwe, Belarus, Egypt, Nicaragua, Sri Lanka, Laos, Russia, Syria and Pakistan to reiterate the “one China principle” in their statements, and assert that “Resolution 2758 has settled the status of Taiwan” to hinder Taiwan’s
Can US dialogue and cooperation with the communist dictatorship in Beijing help avert a Taiwan Strait crisis? Or is US President Joe Biden playing into Chinese President Xi Jinping’s (習近平) hands? With America preoccupied with the wars in Europe and the Middle East, Biden is seeking better relations with Xi’s regime. The goal is to responsibly manage US-China competition and prevent unintended conflict, thereby hoping to create greater space for the two countries to work together in areas where their interests align. The existing wars have already stretched US military resources thin, and the last thing Biden wants is yet another war.
As Maldivian President Mohamed Muizzu’s party won by a landslide in Sunday’s parliamentary election, it is a good time to take another look at recent developments in the Maldivian foreign policy. While Muizzu has been promoting his “Maldives First” policy, the agenda seems to have lost sight of a number of factors. Contemporary Maldivian policy serves as a stark illustration of how a blend of missteps in public posturing, populist agendas and inattentive leadership can lead to diplomatic setbacks and damage a country’s long-term foreign policy priorities. Over the past few months, Maldivian foreign policy has entangled itself in playing
A group of Chinese Nationalist Party (KMT) lawmakers led by the party’s legislative caucus whip Fu Kun-chi (?) are to visit Beijing for four days this week, but some have questioned the timing and purpose of the visit, which demonstrates the KMT caucus’ increasing arrogance. Fu on Wednesday last week confirmed that following an invitation by Beijing, he would lead a group of lawmakers to China from Thursday to Sunday to discuss tourism and agricultural exports, but he refused to say whether they would meet with Chinese officials. That the visit is taking place during the legislative session and in the aftermath