Learn about Zero Trust Architecture
Impenetrable cybersecurity without sacrificing usability
Gain detailed visibility into all your endpoints activities
Harden applications and hardware environments
Immediate and continuous response to incidents
Close the window of time your data could be exposed
Get your Comodo solutions setup, deployed or optimized
Control access to malicious websites
Defend from any internet based threats
Stop email threats before it enters your inbox
Preserve and protect your sensitive data
Keep your website running fast and malware free
Add encryption to your websites
Automated certificate mgmt. platform
Secure private intranet environments
Digital signature solutions for cloud apps
Encrypt emails for senders and recipients
Stay compliant with PCI DSS
Trusted authentication for IoT devices
Francisco Partners a leading technology-focused private equity fund, has acquired a majority stake in Comodo’s certificate authority business. Newly renamed from Comodo CA Limited to Sectigo Limited. Privacy Policies, Trademarks, Patents and Terms & Conditions are available on Sectigo Limited’s web site.
Meet the people behind the direction for Comodo
Get the latest news about Comodo
People are the key to achievement and prosperity
Stay up to date with our on-demand webinars
Worldwide: Sales, Support and General Inquiries
Schedule a live demonstration of our solutions
Need immediate help? Call 1-888-551-1531
Instantly removes viruses to keep your PC virus free
Experience true mobile security on your mobile apple devices
Secure Internet Browser based on Chrome
Chrome browser internet security extension
Submit a ticket to our support team
Share any product bugs or security flaws
Collaborate with research experts on data sets
Valkyrie Threat Intelligence Plugins
Valkyrie Threat Intelligence APIs
Having identified what happened, the next step we must take is to re-evaluate our threat model.
Internet security is much harder than other areas because the Internet is constantly changing and user tolerance of security controls is very low. Unlike the military, we cannot order people to follow security procedures. Acceptability must be a top priority in the design of a civilian security control or it will not be used.
The SSL security mechanism used in browsers was originally designed to enable use of credit cards to buy goods from online merchants. While other applications and use cases were discussed, these were not allowed to drive requirements. Over fifteen years later, the Internet is now seen as the driving force behind a wave of popular revolts across North Africa and the Gulf. The use cases have changed and so we must revise our threat model.
In academic research the tendency is to be skeptical and suggest the least surprising cause. What matters here is not determining the actual perpetrator or the actual motive for the attack but the plausible perpetrators and the plausible motives. We do not know with certainty who the perpetrator was, it is highly unlikely that we will ever know. What matters to prevent the next attack is to identify the range of plausible perpetrators and plausible motives.
Circumstantial evidence suggests that the attack originated in Iran. The original certificate requests were received from an Iranian IP address and one certificate was installed on a server with an Iranian IP address. While the circumstances strongly suggest an Iranian connection we do not know if this is because the attacker was from Iran or because this is the conclusion the attacker intended us to make.
Circumstances also suggest that the motive of the attack was not financial. While there are certainly ways in which the attack could have resulted in a financial gain, it is hard to see how the perpetrator could have expected the attack to provide an easier, safer or more profitable return for their effort. The hard part of bank fraud is extracting money from the account. Stolen credit card numbers and bank account details are a glut on the market.
To make use of the fraudulently issued certificates, the perpetrator would have to have the ability to direct Internet users to their fake sites rather than the legitimate ones. This in turn requires control of the DNS infrastructure which requires government level resources to achieve on a large scale or for an extended period.
Taken together with other recent attacks against other targets, both reported and unreported it appears likely that this incident forms part of a pattern of attacks on Internet authentication infrastructure and that it is at least highly likely that the perpetrator(s) are highly sophisticated and government directed.
It is quite possible to explain one or another of the incidents seen as being the work of independent ‘hactivists’. But taken as a whole the pattern suggests otherwise. If we are going to successfully address this threat we must assume that our adversaries are nationally funded information engagement teams and that the resources they bear will be significant.
In order to successfully defeat such a threat however, we need to adopt a defense in depth approach. We must reinforce the Internet trust infrastructure but we must also reinforce the means by which applications interact with it. The underlying weakness exposed here is the fact that gaining a fraudulent server credential allows an attacker to obtain end user access credentials. We need to make it more difficult for an attacker to obtain a fraudulent server credential, but we also need to address the underlying weaknesses in the applications and services that use them.
Efforts to reinforce the Internet trust infrastructure were already underway before this particular attack was discovered and these will be explained in the next post. In the post following that I will look at measures to address the underlying cause.
Sign up to our cyber security newsletter
Comodo Cybersecurity would like to keep in touch with you about cybersecurity issues, as well as products and services available. Please sign up to receive occasional communications. As a cybersecurity company, we take your privacy and security very seriously and have strong safeguards in place to protect your information.
See how your organization scores against cybersecurity threats