Wednesday, March 23, 2011

Cyber Attack From Iran

A well-prepared attacker, using an IP address originating in Tehran, Iran (212.95.136.18), compromised a user account in an RA (Registration Authority) at comodo.com, created themselves a new user ID, and quickly generated CSRs (Certificate Signing Requests) for nine certificates.  Comodo is a certification authority present in the Trusted Root Certification Authorities Store on Microsoft Windows, as well as in all modern web browsers such as Mozilla Firefox and Google's Chrome.

Given the proper circumstances, the resulting certificates could be used to spoof content, conduct phishing attacks, and/or perform man-in-the-middle attacks against all popular browsers, across many platforms.  Using these certificates, the attacker could redirect a victim to a forged Firefox plug-in download page and deliver them malicious add-ons to install.  The certificate would appear valid to the browser, so there would be no warning to the user that something was amiss.  At that point, the attacker could control the lion's share of computers in American homes.

However, upon discovery, all certificates were revoked.  This will make using the forged certificates much more difficult, and much less far-reaching (unless other key components of our Internet infrastructure are also compromised, namely our DNS systems).  Comodo could only verify that one of the certificates generated was actually received by the attacker.  Comodo reported, "Our systems indicate that when this one certificate was first tested it received a 'revoked' response from our OCSP responders.  The site in Iran on which the certificate was tested quickly became unavailable."


It is believed that "this was likely to be a state-driven attack".

At least it looks that way.  Of course - in cyberspace - things aren't always what they seem.  The attack could have just as easily been conducted by an American Warhawk, who compromised a system in Iran, and launched the attack from there.  However, Comodo reported that, "The Iranian government has recently attacked other encrypted methods of communication."

In order to use these certificates maliciously, there would have to be additional DNS tomfoolery.  Do the attackers already have that piece of the attack 'in the bag'?

You may recognize some of these domain names.  It looks like this was an attack against communications, as opposed to banks or online-shopping sites, as a criminal might attempt.


In any event - even though the certificates in question were revoked, Microsoft released a patch.  If you are running Windows, you should apply that patch.


From the Comodo release:

Fraudulently issued certificates

9 certificates were issued as follows:

Domain:  mail.google.com  [NOT seen live on the internet]
Serial:  047ECBE9FCA55F7BD09EAE36E10CAE1E

Domain:  www.google.com  [NOT seen live on the internet]
Serial:  00F5C86AF36162F13A64F54F6DC9587C06

Domain:  login.yahoo.com  [Seen live on the internet]
Serial:  00D7558FDAF5F1105BB213282B707729A3

Domain:  login.yahoo.com  [NOT seen live on the internet]
Serial:  392A434F0E07DF1F8AA305DE34E0C229

Domain:  login.yahoo.com  [NOT seen live on the internet]
Serial:  3E75CED46B693021218830AE86A82A71

Domain:  login.skype.com  [NOT seen live on the internet]
Serial:  00E9028B9578E415DC1A710A2B88154447

Domain:  addons.mozilla.org  [NOT seen live on the internet]
Serial:  009239D5348F40D1695A745470E1F23F43

Domain:  login.live.com  [NOT seen live on the internet]
Serial:  00B0B7133ED096F9B56FAE91C874BD3AC0

Domain:  global trustee  [NOT seen live on the internet]
Serial:  00D8F35F4EB7872B2DAB0692E315382FB0
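Because OCSP can be unreachable (or blocked, as the post notes, when DNS is also tampered with), a defender may want to screen certificates against the nine serials above directly.  The following is an added example, not Comodo's or Microsoft's tooling: it compares serials as integers, since OpenSSL prints a leading "00" byte and colons while other tools do not, and it pulls the serialNumber straight out of a DER certificate with a minimal ASN.1 reader.  The DER blob used for illustration is constructed, not a real certificate.

```python
"""Screen a certificate serial against the fraudulent Comodo serials above.
Example added to the post; not Comodo's or Microsoft's code."""

# Serials exactly as published in the Comodo release quoted above.
FRAUDULENT = {
    "047ECBE9FCA55F7BD09EAE36E10CAE1E": "mail.google.com",
    "00F5C86AF36162F13A64F54F6DC9587C06": "www.google.com",
    "00D7558FDAF5F1105BB213282B707729A3": "login.yahoo.com",
    "392A434F0E07DF1F8AA305DE34E0C229": "login.yahoo.com",
    "3E75CED46B693021218830AE86A82A71": "login.yahoo.com",
    "00E9028B9578E415DC1A710A2B88154447": "login.skype.com",
    "009239D5348F40D1695A745470E1F23F43": "addons.mozilla.org",
    "00B0B7133ED096F9B56FAE91C874BD3AC0": "login.live.com",
    "00D8F35F4EB7872B2DAB0692E315382FB0": "global trustee",
}

def normalize_serial(text):
    """Parse 'serial=00:D7:55:...', '0xd7...' or bare hex into an int."""
    s = text.strip().split("=")[-1].replace(":", "").replace(" ", "")
    if s[:2].lower() == "0x":
        s = s[2:]
    return int(s, 16)

# Integer keys: a string compare would miss "00D7..." vs "d7..." vs "D7:55:...".
BLOCKLIST = {normalize_serial(k): v for k, v in FRAUDULENT.items()}

def _read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value_start, value_end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                  # long form: next N bytes hold the length
        n, length = length & 0x7F, 0
        for b in buf[pos:pos + n]:
            length = (length << 8) | b
        pos += n
    return tag, pos, pos + length

def serial_from_der(cert):
    """serialNumber from a DER X.509 cert: Certificate -> tbsCertificate -> INTEGER."""
    _, pos, _ = _read_tlv(cert, 0)     # outer Certificate SEQUENCE
    _, pos, _ = _read_tlv(cert, pos)   # tbsCertificate SEQUENCE
    tag, start, end = _read_tlv(cert, pos)
    if tag == 0xA0:                    # optional [0] EXPLICIT version comes first
        tag, start, end = _read_tlv(cert, end)
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER not found")
    return int.from_bytes(cert[start:end], "big", signed=True)

def check(serial):
    """serial: hex text or DER bytes. Returns the spoofed domain, or None if clean."""
    n = serial_from_der(serial) if isinstance(serial, bytes) else normalize_serial(serial)
    return BLOCKLIST.get(n)
```

Feed it the output of `openssl x509 -noout -serial` or the DER bytes from `openssl x509 -outform DER`; a hit means the certificate must be rejected regardless of what the OCSP responder says.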

Thursday, March 10, 2011

New Definition: TMH is Too Much Help

TMH:  Too Much Help

Every now and again we need to come up with new words to describe something in our ever-changing world.  In the Digital Age, we often use abbreviations.  Some abbreviations, such as "LOL", for "Laughing Out Loud", and "BRB", for "Be Right Back", have moved from what we might call "geek-space" into everyday use.  Cell phones, and their ability to send text messages, have spread this sort of practice far and wide.  This new abbreviation is derived from an already popular abbreviation used in verbal communications: "TMI", which stands for "Too Much Information".

Because many of us have become very impatient, as well as very reliant upon spell checkers, "auto-correct" features have been built into many mobile phone text message clients.  The "auto-correct" features, as anyone who has used them will attest, sometimes offer "too much help".

It is because of this shortcoming that I have the distinct honor of bringing you a new abbreviation: TMH.

TMH stands for too much help.  The reason it is a useful abbreviation is that the person who has become a victim of the helpful auto-correct feature is often oblivious to the fact that their text message was auto-corrected into obscurity.

Here is an example text message session to illustrate the point:

Bridget:  we'd paper

Metajunkie: tmh

Bridget:  We need paper

Metajunkie: OK, I'll pick some up on way home

Here is another example text message:


Bridget:  Innuendo and her husband can't come out on Friday
Metajunkie:  Who is innuendo?
Bridget:  Bonnie
Metajunkie:  why do you call her innuendo?
Bridget:  tmh
Metajunkie: oic

and one last one for good measure:

Bridget:  pick up milk
Metajunkie:  tmh?
Bridget: ha ha. no - really - pick up milk

I think we will all be able to put the abbreviation "tmh" to good use.

Happy texting!

Metajunkie