Comodo Hacker releases Mozilla certificate

To prove responsibility for the recent security breach at a Comodo affiliate Registration Authority, the "Comodo Hacker" has uploaded the private key for one of the fraudulently obtained SSL certificates.

Netcraft has verified that the private key does correspond to the fraudulently issued SSL certificate for addons.mozilla.org. Only Comodo, the affiliate, or the hacker could have known this secret key.

As the uploaded private key does not require a passphrase, it can readily be used by other attackers. Certificate revocation mechanisms have come under recent criticism for not working effectively, so the publication of the private key introduces a widespread risk of man-in-the-middle attacks against Mozilla Add-ons users.

To get around the revocation problems, most web browser software has been updated to explicitly blacklist the bogus certificates. Users can therefore protect themselves by upgrading to the latest versions.

GlobalTrust websites offline after Comodo SSL breach

Dozens of websites run by GlobalTrust remain offline following the recent security breach at a Comodo affiliate Registration Authority.

Although Comodo did not name the compromised RA in its incident report, all of the fraudulently issued certificates refer to GTI Group Corporation in the organisational unit field. GlobalTrust is a division of this group, and has been issuing SSL certificates as a Comodo partner since 2006.

Over the weekend, an individual purporting to have carried out the attack revealed on Pastebin.com that Comodo was hacked via InstantSSL.it. According to meta tags, this site was owned by GlobalTrust, but now bears a Comodo logo with a "site under construction" placeholder. Many other websites run by GlobalTrust have also been shut down and replaced with GlobalTrust-branded "under construction" pages, presumably while forensic investigations continue.

Existing GlobalTrust customers may be affected by the temporary suspension of these sites; for instance, trust seals can no longer be served from https://trustseal.globaltrust.it because the site is no longer accepting any HTTPS connections.

Netcraft's Web Server Survey highlights several other websites which currently display the GlobalTrust "under construction" page, including www.banksafe.it, www.comodogroup.it, www.cybercrimeworkingroup.org and, ironically, www.riskmitigation.it. GlobalTrust's founder, Massimo Penco, has also had his personal website replaced with the same GlobalTrust "site under construction" page.

During a phone call with Netcraft last Thursday, Mr Penco denied that GlobalTrust was the unnamed RA cited in the original Comodo incident report.

Spotify Free users attacked by malware

Users of the Spotify Free music streaming software have been attacked by drive-by malware. At least one attack used a Java exploit to drop malicious executable code on a victim's computer, with AVG software identifying one of the malicious payloads as Trojan horse Generic_r.FZ. Another threat blocked by AVG was a Blackhole Exploit Kit hosted on the uev1.co.cc domain.

Several people have reported the problem to Spotify over the past 24 hours, and attacks are still being reported at the time of publication. It is believed that the attacks are being launched through malicious third-party adverts which are displayed in ad-supported versions of the Spotify software. By exploiting local software vulnerabilities, the attacker can then install malware on unprotected computers.

TripAdvisor email list stolen

TripAdvisor is the latest company to announce a security breach of its customer email addresses. The travel advice company has published limited details of the incident at http://www.tripadvisor.com/vpages/more_information.html, but is still investigating when the breach actually occurred.

TripAdvisor's statement does not make it clear how many addresses have been compromised, but they note that the vulnerability has been identified and fixed:

"While we're still investigating the details, we've identified the vulnerability, shut it down and are vigorously pursuing the matter with law enforcement. We are also are implementing additional security precautions to help prevent another incident in the future."

TripAdvisor was previously a client of Silverpop, which was blamed for a similar breach at Play.com earlier this week. However, Silverpop confirmed to Netcraft that TripAdvisor has not been a client of theirs since 2008, adding "Clearly this is an industry-wide issue".

TripAdvisor was unable to provide any further information to Netcraft at this stage, as their investigations are ongoing, but they did reiterate that no financial details have been compromised.

Browsers vulnerable to fraudulent SSL certificates

Security researcher ioerror has discovered a suspected Certificate Authority compromise. This may allow an attacker to impersonate a high-value website by presenting a fraudulent SSL certificate which nonetheless satisfies a browser's validity checks:

"A Certification Authority appeared to be compromised in some capacity, and the attacker issued themselves valid HTTPS certificates for high-value web sites. With these certificates, the attacker could impersonate the identities of the victim web sites or other related systems, probably undetectably for the majority of users on the internet."

ioerror discovered the compromise last week, but responsibly offered to embargo his findings until the launch of Firefox 4. Mozilla yesterday announced that it had revoked these fraudulent certificates and updated Firefox 4.0, 3.6 and 3.5 to recognise the fraudulent certificates and block them automatically.

By examining recent source code revisions in Chromium and Firefox, ioerror discovered certificate revocation lists (CRLs) for certificates issued by The USERTRUST Network, which is part of Comodo.

ioerror found 11 revoked certificates, which he believes could indicate a compromise at USERTRUST:

"This is evidence of a rather serious event and one that cannot be ignored. If I had to make a bet, I'd wager that an attacker was able to issue high value certificates, probably by compromising USERTRUST in some manner"

Furthermore, ioerror suggests that many users are probably still updating and therefore remain vulnerable to "the failure that is the CRL and OCSP method for revocation."

Mozilla revealed that addons.mozilla.org was one of the certificates acquired by the attacker, and ioerror called upon Comodo to disclose which other sites had been targeted.

Two years ago, a Comodo reseller erroneously issued an SSL certificate to an unverified party. Eddy Nigg demonstrably exploited a lack of validation by Certstar in order to obtain a legitimate domain-validated certificate for mozilla.com – a domain he did not own.

Play.com believes security breach related to Silverpop hack

After confirming a security breach to its customers yesterday, Play.com today suggested that email marketing company Silverpop may have been responsible for the leak which resulted in spam being delivered to Play.com customers.

In a statement sent to Netcraft, John Perkins, CEO of Play.com, said:

"We believe this issue may be related to some irregular activity that was identified in December 2010 at our email service provider, Silverpop. Investigations at the time showed no evidence that any of our customer email addresses had been downloaded. We would like to assure all our customers that the only information communicated to our email service provider was email addresses. Play.com has taken all the necessary steps with Silverpop to ensure a security breach of this nature does not happen again."

Following the attacks in December 2010, Silverpop posted some details of its forensic investigation on its blog.

Several Play.com customers have speculated whether any other personal data may have been compromised, while the Sophos blog recommended that customers change their passwords. However, Play.com offered some reassurance by confirming that no other personal data has been compromised:

"We would also like to reassure our customers that all other personal information (i.e. credit cards, addresses, passwords, etc.) are kept in the very secure Play.com environment. Play.com has one of the most stringent internal standards of e-commerce security in the industry. This is audited and tested several times a year by leading internet security companies to ensure this high level of security is maintained. On behalf of Play.com, I would like to once again apologise to our customers for any inconvenience due to a potential increase in spam that may be caused by this issue."

In a separate statement, Silverpop confirmed to Netcraft that it had notified all customers impacted by the cyber attack in 2010 and worked with the FBI to help identify those responsible.