In a newsgroup posting by Robin Alden, CTO of Comodo, it has been confirmed that two further SSL Registration Authority (RA) accounts have been compromised since the original attack against GlobalTrust. Alden wrote: "Two further RA accounts have since been compromised and had RA privileges withdrawn. No further mis-issued certificates have resulted from those compromises."
It is not yet known which other RAs were compromised, or to what degree. In his latest Pastebin message, the Iranian ComodoHacker appears to claim responsibility for these other attacks:
"From listed resellers of Comodo, I owned 3 of them, not only Italian one, but I interested more in Italian brach because they had too many codes, works, domains, (globaltrust, cybertech, instantssl, etc.) so I thought they are more tied with Comodo."
According to an earlier message from ComodoHacker, the Italian attack was carried out by exploiting an SQL injection vulnerability on InstantSSL.it. The attacker subsequently escalated his privileges and caused the fraudulent certificates to be issued. The ComodoHacker unarguably proved his involvement in this attack by publishing a private key which corresponded to the fraudulently issued certificate for addons.mozilla.org. This private key has since been removed.
The whole of the BBC's public-facing network disappeared from the internet late last night. Although the outage only lasted for around an hour, the unavailability of popular sites such as BBC News and iPlayer caused an eruption of comments and complaints on Twitter and other social networking sites.
Tony Ageh, the Controller of BBC Archives, broke more than 4 months of silence on Twitter to express his frustration. Fellow employee Mo McRoberts responded, saying that "somebody responsible for our routers did something very silly indeed. took out the whole lot." He later confirmed that the outage was not caused by a denial of service (DoS) attack. (McRoberts' tweets are his own, and not necessarily those of his employer).
The BBC's technology correspondent, Rory Cellan-Jones, summarised the widespread impact: "Love the terse bulletin on last night's BBC web failure. Cause of issue: faulty switch. Services impacted: Everything.."
The BBC News website suffered similar outages back in 2007 when a routine software deployment caused some unforeseen performance issues.
To prove responsibility for the recent security breach at a Comodo affiliate Registration Authority, the "Comodo Hacker" has uploaded the private key for one of the fraudulently obtained SSL certificates.
Netcraft has verified that the private key does correspond to the fraudulently issued SSL certificate for addons.mozilla.org. Only Comodo, the affiliate, or the hacker could have known this secret key.
As the uploaded private key does not require a passphrase, it can readily be used by other attackers. Certificate revocation mechanisms have come under recent criticism for not working effectively, so the publication of the private key introduces a widespread risk of man-in-the-middle attacks against Mozilla Add-ons users.
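The two checks the article relies on, reproduced as an added example that is not part of the original report: that a published private key really belongs to a given certificate (its public key equals the one in the certificate), and that the key file loads with no passphrase, which is what makes a leaked key immediately usable. It assumes the openssl CLI is installed; all key material is generated locally for the demonstration and nothing from the Comodo incident is used.

```shell
#!/bin/sh
# Added example, not from the original article. Assumes the openssl CLI.
# All keys and certificates below are constructed here for demonstration.

# Return 0 if the public key embedded in CERT equals the public key derived
# from KEY. Both commands emit the SubjectPublicKeyInfo as PEM, so a plain
# string comparison is enough. Optional third argument: key passphrase.
key_matches_cert() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout -passin "pass:${3:-}" 2>/dev/null) || return 1
  [ "$cert_pub" = "$key_pub" ]
}

# Return 0 if KEY can be loaded with an empty passphrase, i.e. the file is
# stored unencrypted and anyone holding it can use it without further effort.
key_is_unencrypted() {
  openssl pkey -in "$1" -noout -passin pass: >/dev/null 2>&1
}

# Build demonstration material in DIR: a self-signed certificate with its
# matching key, an unrelated key, and a passphrase-protected copy of the key.
make_demo_material() {
  openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=demo.example" \
    -days 1 -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$1/other.pem" 2>/dev/null
  openssl pkey -in "$1/key.pem" -aes256 -passout pass:demo-secret \
    -out "$1/key-encrypted.pem" 2>/dev/null
}

# Walk the three key files and report match status and passphrase status.
demo() {
  dir=$(mktemp -d)
  make_demo_material "$dir"
  for k in key.pem other.pem key-encrypted.pem; do
    if key_matches_cert "$dir/cert.pem" "$dir/$k" demo-secret; then m=match; else m=mismatch; fi
    if key_is_unencrypted "$dir/$k"; then e="no passphrase"; else e="passphrase-protected"; fi
    echo "$k: $m, $e"
  done
  rm -rf "$dir"
}

demo
```

Run against a real leaked key and certificate, a "match" result together with "no passphrase" is exactly the condition under which revocation or browser blacklisting, rather than the key's secrecy, is the only remaining protection.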
To get around the revocation problems, most web browser software has been updated to explicitly blacklist the bogus certificates. Users can therefore protect themselves by upgrading to the latest versions.
Although Comodo did not name the compromised RA in its incident report, all of the fraudulently issued certificates refer to GTI Group Corporation in the organisational unit field. GlobalTrust is a division of this group, and has been issuing SSL certificates as a Comodo partner since 2006.
Over the weekend, an individual purporting to have carried out the attack revealed on Pastebin.com that Comodo was hacked via InstantSSL.it. According to meta tags, this site was owned by GlobalTrust, but now bears a Comodo logo with a "site under construction" placeholder. Many other websites run by GlobalTrust have also been shut down and replaced with GlobalTrust-branded "under construction" pages, presumably while forensic investigations continue.
Existing GlobalTrust customers may be affected by the temporary suspension of these sites; for instance, trust seals can no longer be served from https://trustseal.globaltrust.it because the site is no longer accepting any HTTPS connections.
Netcraft's Web Server Survey highlights several other websites which currently display the GlobalTrust "under construction" page, including www.banksafe.it, www.comodogroup.it, www.cybercrimeworkingroup.org and, ironically, www.riskmitigation.it. GlobalTrust's founder, Massimo Penco, has also had his personal website replaced with the same GlobalTrust "site under construction" page.
During a phone call with Netcraft last Thursday, Mr Penco denied that GlobalTrust was the unnamed RA cited in the original Comodo incident report.
Users of the Spotify Free music streaming software have been attacked by drive-by malware. At least one attack used a Java exploit to drop malicious executable code on a victim's computer, with AVG software identifying one of the malicious payloads as Trojan horse Generic_r.FZ. Another threat blocked by AVG was a Blackhole Exploit Kit hosted on the uev1.co.cc domain.
Several people have reported the problem to Spotify over the past 24 hours, and attacks are still being reported at the time of publication. It is believed that the attacks are being launched through malicious third-party adverts which are displayed in ad-supported versions of the Spotify software. By exploiting local software vulnerabilities, the attacker can then install malware on unprotected computers.
TripAdvisor is the latest company to announce a security breach of its customer email addresses. The travel advice company has published limited details of the incident at http://www.tripadvisor.com/vpages/more_information.html, but is still investigating when the breach actually occurred.
TripAdvisor's statement does not make it clear how many addresses have been compromised, but they note that the vulnerability has been identified and fixed:
"While we're still investigating the details, we've identified the vulnerability, shut it down and are vigorously pursuing the matter with law enforcement. We are also implementing additional security precautions to help prevent another incident in the future."
TripAdvisor was previously a client of Silverpop, which was blamed for a similar breach at Play.com earlier this week. However, Silverpop confirmed to Netcraft that TripAdvisor has not been a client of theirs since 2008, adding "Clearly this is an industry-wide issue".
TripAdvisor was unable to provide any further information to Netcraft at this stage, as their investigations are ongoing, but they did reiterate that no financial details have been compromised.