A couple of days ago, certificates from Comodo were stolen.

Here is the message from the Comodo hacker:

I, at first sight, thought it was a BIG fake. But that incredible guy with the highest ego I have ever seen really did it. I'm spreading the rumors here. Better for you to form your own opinion:


———-

Hello

I'm writing this to the world, so you'll know more about me..

At first I want to give some points, so you'll be sure I'm the hacker: I hacked Comodo from InstantSSL.it, their CEO's e-mail address [email protected]
Their Comodo username/password was: user: gtadmin password: [trimmed]
Their DB names were: globaltrust and instantsslcms

GlobalTrust.it had a DLL called TrustDLL.dll for handling Comodo requests; they had resellers and their URL was:
http://www.globaltrust.it/reseller_admin/

Enough said, huh? Yes, enough said; someone who should know already knows… Am I right, Mr. Abdulhayoglu? Anyway, at first I should mention we have no relation to the Iranian Cyber Army; we don't change DNSes, we just hack and own.
I see Comodo's CEO and others wrote that it was a managed attack, it was a planned attack, a group of cyber criminals did it, etc. etc. etc.
Let me explain:

a) I'm not a group of hackers, I'm a single hacker with the experience of 1000 hackers, I'm a single programmer with the experience of 1000 programmers, I'm a single planner/project manager with the experience of 1000 project managers, so you are right, it's managed by a group of hackers, but it was only I with the experience of 1000 hackers.

b) It was not really a managed hack. At first I decided to hack the RSA algorithm; I did too much investigation on the SSL protocol, tried to find an algorithm for factoring integers, analyzed existing algorithms; for now I was not able to do so, at least not yet, but I know it's not impossible and I'll prove it, anyway… I saw that there are easier ways of doing it, like hacking a CA. I was looking to hack some CAs like Thawte, Verisign, Comodo, etc. I found some small vulnerabilities in their servers, but it wasn't enough to gain access to a server and sign my CSRs. During my search about InstantSSL of Comodo, which signs CSRs immediately, I found InstantSSL.it, which was doing its job under the control of Comodo.

After a little try, I analyzed their web server and easily (easy for me, so hard for others) I got FULL access to the server. After a little investigation on their server, I found out that TrustDll.dll takes care of signing. It was coded in C# (ASP.NET). I decompiled the DLL and I found the username/password of their GeoTrust and Comodo reseller accounts.
The GeoTrust reseller URL was not working; it was in ADTP.cs. Then I found out their Comodo account works and the Comodo URL is active. I logged into the Comodo account and I saw I have the right of signing using APIs. I had no idea of the APIs and how they work. I wrote code for signing my CSRs using POST requests to those APIs; I learned their APIs so FAST, and their TrustDLL.DLL was too old and was not working properly, it doesn't send all the needed parameters, it wasn't enough for signing a CSR. As I said, I rewrote the code for the !AutoApplySSL and !PickUpSSL APIs; the first API returns the OrderID of the placed order and the second API returns the entire signed certificate if you pass the OrderID from the previous call. I learned all this stuff, rewrote the code and generated CSRs for those sites all in about 10-15 minutes. I wasn't ready for these types of APIs, this type of CSR generation, API calling, etc. But I did it very very fast.
Anyway, I know you are really shocked about my knowledge, my skill, my speed, my expertise and the entire attack. That's OK, all of it was so easy for me; I did more important things I can't talk about, so if you have to worry, you can worry… I should mention my age is 21.

Let's get back to the reason for posting this message. I'm talking to the world, so listen carefully:
When the USA and Israel created Stuxnet, nobody talked about it, nobody was blamed, nothing happened at all, so when I sign certificates nothing should happen. I say that: when I sign certificates nothing should happen. It's a simple deal.
I heard that some stupids tried to ask about it from Iran's ambassador at the UN, really? How smartass are you?
Where were you when Stuxnet was created by Israel and the USA with a millions-of-dollars budget, with access to SCADA systems and nuclear software? Why did no one ask a question of the Israeli and US ambassadors to the UN? So you can't ask about the SSL situation from my ambassador; I answer your question about the situation: « Ask about Stuxnet from the USA and Israel », this is your answer, so don't waste my Iran's ambassador's worthy time.
When the USA and Israel can read my emails in Yahoo, Hotmail, Skype, Gmail, etc. without any simple little problem, when they can spy using Echelon, I can do anything I can. It's a simple rule. You do, I do, that's all. You stop, I don't stop. It's a rule, rule #1 (My Rules, as I rule the internet; you should know it already…)

Rule #2: So why is all the world worried, the internet shocked and all writers writing about it, but nobody writes about Stuxnet anymore? Nobody writes about HAARP, nobody writes about Echelon… So nobody should write about SSL certificates.

Rule #3: Anyone inside Iran with problems, from the fake green movement to all MKO members and two-faced terrorists, should be afraid of me personally. I won't let anyone inside Iran harm the people of Iran, harm my country's nuclear scientists, harm my Leader (which nobody can), harm my President; as I live, you won't be able to do so. As I live, you don't have privacy on the internet, you don't have security in the digital world, just wait and see… By the way, you have already seen it or you are blind; is there any larger target than a CA on the internet?

Rule #4: Comodo and other CAs in the world: never think you are safe, never think you can rule the internet, ruling the world with a 256-digit number whose 2 prime factors nobody can find (you think so); I'll show you how someone of my age can rule the digital world, how your assumptions are wrong; you already understood it, huh?

Rule #5: To Microsoft, Mozilla and Chrome, who updated their software as soon as instructions came from the CIA. You are my targets too. Why was Stuxnet's printer vulnerability patched after 2 years? Because it was needed in Stuxnet? So you'll learn sometimes you have to close your eyes on some stuff on the internet, you'll learn… You'll understand… I'll bring equality to the internet. My orders will equal CIA orders, lol ;)

Rule #6: I'm a GHOST

Rule #7: I'm unstoppable, so be afraid if you should be afraid, worry if you should worry. My message to people who have a problem with the Islamic Republic of Iran: SSL and RSA certificates are broken, I did it one time, make sure I'll do it again, but this time nobody will notice it. I see some people suggest using VPNs, some people suggest TOR, some others suggest UltraSurf, etc. Are you sure you are safe using those? RSA 2048 was not able to resist in front of me, do you think UltraSurf can? If you were doing dirty business on the internet inside Iran, I suggest you quit your job, listen to the voice of most of the people of Iran, otherwise you'll be in big trouble; also you can leave the digital world and return to using an abacus.

A message in Persian: Janam Fadaye Rahbar

Source: http://pastebin.com/74KXCaEZ

——————-

Some stupids on the internet still cannot understand I'm behind the attack on SSL, talk about their small understandings of my hack and make me nervous.

Why can't you understand? What's your problem? If you have psychological or mental problems, don't write your ideas on the internet, just surf, ok?

Here is another proof:
http://rapidshare.com/files/454806052/GlobalTrustTable.rar

I uploaded JUST 1 table of their ENTIRE database, which I own.

Also ask Comodo about my hack; ask them what I did to them. Let me tell you what I did:

I was logged in to their server via RDP (remote desktop); they detected me and, via a hardware firewall, they added an allowed IP for RDP, so I was no longer able to log in via RDP.

But I got UI control of their server just 2 days later, then I logged in via Roberto Franchini's user/pass, then I formatted their external backup HDD; it was an LG with a backup of all files inside it. I formatted it.

Then I stopped IIS, deleted all logs, not a normal delete which could be recovered with recovery tools; I deleted them with a secure delete method and in fact I wiped them.

Then I noticed another backup on another drive; I deleted ALL files of it with a secure wiping method also, and I left this session open with a notepad message on their desktop with this text: « SURPRISE! »

What more should I say?

Stop talking about who was behind it, it’s already proven.

Some people say Microsoft wasn't aware of the issue to patch the printer vulnerability. It's simply wrong; it was in a security magazine, you never saw this:
http://www.computerworld.com/s/article/9187300/Microsoft_confirms_it_missed_Stuxnet_print_spooler_zero_day_

Some others said I don't know about RSA, it's impossible to hack RSA, etc. etc. etc.
Never judge so fast, never write anything you think in your head on the internet; most of my daily work focuses on encryption algorithms, differential cryptanalysis, inventing new methods of attack on encryption algorithms, creating new secure encryption algorithms (symmetric and asymmetric), creating secure hash algorithms. I told you, I can't talk about other things I did; I don't see any use in it, just giving away my work and causing more updates. So simply keep your mouth shut and wait. I already created my own encryption protocol, from an asymmetric algorithm (for key exchange) to a symmetric algorithm for encrypting data to my own hash algorithm to sign encrypted data. You are so far from knowing about me…

Some others say the APIs were easy, it was all documented, everything was inside the DLL, so what did I do about re-writing the APIs; a person with the experience of 1000 programmers had problems with APIs, LOL.
Do you know how much code I wrote in C++ and assembly language? Do you know how much work I did in reversing Skype and its undisclosed protocol? Man! I create my own APIs, from web SOAP XML APIs to Windows DLLs with exports.
I said I wasn't aware of the !ApplySSL API and other needed APIs like PickUpSSL and others.
I found that out when I was already logged into Comodo's partner account and I was sure they'd notice me soon, so I had to do my job fast.
TrustDLL.dll was too old; its last modified date was the end of 2007, Comodo's APIs had changed and a lot more crucial parameters had been added; they weren't using TrustDLL anymore, as far as I understood, they were processing and authenticating orders and signing CSRs manually. They had not too many orders in recent years, about 1 order per 4-5 days for example. So don't worry, I'm aware of the APIs ;)

Some others said I'm not religious, « Janam Fadaye Rahbar » is political, not religious; you are simply wrong. No need to explain more.

Some others said I said too much about myself and enjoyed myself too much; if you had done the same thing, wouldn't you enjoy it like me? :))

Again my message to the green movement (so little a part of Iran) and two-faced terrorists like MKO members inside Iran: never think UltraSurf, VPNs, SSL, TOR will rescue you… My name will be your curse. You are all in big trouble if you don't quit your job. Don't believe it? Try it. From now on, just try it. Your friends will post about you on Balatarin as you'll not be able to do so after being caught.

Enough said, huh? Let's think more before writing stuff…

Source: http://pastebin.com/CvGXyfiJ

—————————-

Comodo Hacker Released Mozilla Certificate

For some real dumbs, I bet they don't have an IQ above 75, WHO STILL think I'm not the hacker, here is the Mozilla addon's certificate; check its serial against the one published all over the internet:

http://www.multiupload.com/J9I8NFWPT0

I really worry about you guys (people who still have doubts) even for surfing the internet; have you ever visited a doctor?

Source: http://pastebin.com/X8znzPWH

—————————————-

Comodo Mozilla Private key

-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAq8ZtNvMVc3iDc850hdWu7LLw4CQfE4O4IKy7mv6Iu6uhHQsf
RQCqSbc1Nwxq70dMudG+41cSBI2Sx7bsAby22seBOCCtcoXmDvyBbAetaHY4xUTX
zMZKxZc+ZPRR5vB+suxW9yWCTUmYyxaY3SPxiZHRF5dAmSbW4qIrXt+9ifIbGlMt
zFBBetA9KgxVcBQB6VhJEHoLk4KL4R7tOoAQgs6WijTwzNfTubRQh1VUCbidQihV
AOWMNVS/3SWRRrcN5V2DqOWL+4TkPK522sRDK1t0C/i+XWjxeFu1zn3xXZlA2sru
OIFQvpihbLgkrfOvjA/XESgshBhMfbXZjzC1GwIDAQABAoIBAQCJoijaEXWLmvFA
thiZL7jEATCNd4PK4AyFacG8E9w8+uzR15qLcFgBTqF95R49cNSiQtP/VkGikkkc
ao25aprcu2PnNA+lpnHKajnM9G3WOHuOXHXIps08es3MmBKTxvjNph6cUlqQULrz
Zry+29DpmIN/snpY/EzLNIMptn4o6xnsjAIgJDpQfFKQztxdmZU6S6eVVn0mJ5cx
q+8TTjStaMbh+Yy73s+rcaCXzL7yqWDb1l5oQJ/DMYNfufY6lcLgZUMwFxYKjCFN
ScAPCiXFUKTzY3Hy1Z4tLndFxipyEPywDep1TB2nMb+F3OOXUs3z+kKVjGFaGnLZ
591n3x3hAoGBAOOgsb4QybjHh9+CxhUkfsqcztGGdaiI3U5R1qefXL7R47qCWfGc
FKdoJh3JwJzHEDX68ZmHz9dPhSXw6YrlLblCi6U/3g7BOMme5KRZKBTjHFo7O9II
B0laE5ISRH4OccsOC3XUf9XBkm8szzEBj95DgzB0QydPL4jp7NY0h0QrAoGBAMEv
jEFkr/JCRe2RWUSx/a1WT/DHnVLMnDb/FryN2M1fAerpMYNUc2rnndjp2cYbsGLs
cSF6Xecm3mUGqn8Y5r8QqBwxCp5OunCFCXEJvkiU3NSs8oskCsB8QJ6vk3qmauUK
jClX91heSCigwhC2t+1txnF290m/y0T46EfqOSrRAoGAUlyVk4D9jEdeCWiHBaVj
3ynnx3ZQYj/LW4hPE+2coErPjG+X3c0sx/nuOL8EW3XHjtCS1IuIj45tTfIifqg3
6B2E67D1Rv9w7br5XeIIl64pVxixp2hSQp8+D49eiwHs+JzHVsYhzxUwR9u9yCyZ
gsGI2WJn3fRP7ck+ca8l9msCgYB4B2Hec3+6RqEKBSfwvaI+44TRtkSyYDyjEwT+
bCeLGn+ng/Hmhj8b6gKx9kH/i86g+AUmZtAXQZgmLukaBM/BYMkCkxnk2EeQh6gh
Goumrw8x+K7N8rvXcpv3vGEmcGW0H0SMn4In3pR44cER/2Tx2SXV87Obl9Xk6b3w
iL+yMQKBgFjXcmiBW8lw3l2CaVckd/1SzrT80AfRpMT9vafurxe+iAhl9SDAdoZe
3RlshoItDQLW1ROlkLhM7Pdq/XZvLRm128hiIGKTDBnxtfN8TKAg+V7V+/TTfdqv
8jq7epvZsq5vjOC1FZh2gOhf50QwpqDJktjdyka1sPiBKQSoxfbZ
-----END RSA PRIVATE KEY-----
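The key block above, together with the "check its serial" challenge in the third pastebin, invites the check a practitioner actually wants to run: is the posted PEM a self-consistent RSA private key, and does its public half match the certificate it is claimed to belong to? The following stdlib-only Python is an added example written for this page, not code from the original post, from Comodo or from Mozilla. It parses the PKCS#1 RSAPrivateKey structure by hand, verifies the arithmetic and CRT relations between the fields, and emits the SHA-256 pin of the SubjectPublicKeyInfo so it can be compared with a certificate. All function names, the small-prime fixture builder `pkcs1_der` and the PEM wrapper `der_to_pem` are this example's own assumptions; no leaked key material is embedded, the script reads whatever PEM you give it on stdin.

```python
"""Sanity-check a PKCS#1 ("BEGIN RSA PRIVATE KEY") file and derive the
public-key pin that can be compared against a certificate. Stdlib only:
a minimal DER reader/writer is enough for this one structure.
"""
import base64
import hashlib
import re
import sys

# OID 1.2.840.113549.1.1.1 (rsaEncryption), pre-encoded as a DER OBJECT IDENTIFIER
RSA_ENCRYPTION_OID = bytes.fromhex("06092a864886f70d010101")
PKCS1_FIELDS = ("version", "n", "e", "d", "p", "q", "dp", "dq", "qinv")


def _der(tag, content):
    """Encode one DER TLV (definite-length form)."""
    length = len(content)
    if length < 0x80:
        header = bytes([tag, length])
    else:
        len_bytes = length.to_bytes((length.bit_length() + 7) // 8, "big")
        header = bytes([tag, 0x80 | len(len_bytes)]) + len_bytes
    return header + content


def _der_int(value):
    """DER INTEGER: minimal big-endian bytes, with a leading 0x00 if the top bit is set."""
    raw = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return _der(0x02, raw)


def _read_tlv(buf, pos):
    """Decode the TLV at buf[pos]; returns (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next (length & 0x7f) bytes hold the length
        n_len = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n_len], "big")
        pos += n_len
    return tag, buf[pos:pos + length], pos + length


def pem_to_der(pem):
    """Keep only base64 body lines, so mangled BEGIN/END dashes (as on blog reposts) do not matter."""
    body = "".join(ln.strip() for ln in pem.splitlines()
                   if re.fullmatch(r"[A-Za-z0-9+/=]+", ln.strip()))
    return base64.b64decode(body, validate=True)


def der_to_pem(der):
    """Standard 64-column PEM wrapping for a PKCS#1 key."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN RSA PRIVATE KEY-----\n" + "\n".join(lines) + "\n-----END RSA PRIVATE KEY-----\n"


def parse_pkcs1(der):
    """RSAPrivateKey ::= SEQUENCE { version, n, e, d, p, q, dp, dq, qinv [, otherPrimeInfos] }."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    ints, pos = [], 0
    while pos < len(body) and len(ints) < len(PKCS1_FIELDS):
        tag, content, pos = _read_tlv(body, pos)
        if tag != 0x02:
            raise ValueError("expected INTEGER at offset %d" % pos)
        ints.append(int.from_bytes(content, "big"))
    if len(ints) != len(PKCS1_FIELDS):
        raise ValueError("truncated key: %d of 9 fields" % len(ints))
    return dict(zip(PKCS1_FIELDS, ints))


def pkcs1_der(p, q, e=65537):
    """Build a PKCS#1 key from two primes (assumed helper; used here to make test fixtures)."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)
    fields = (0, n, e, d, p, q, d % (p - 1), d % (q - 1), pow(q, -1, p))
    return _der(0x30, b"".join(_der_int(x) for x in fields))


def consistency_problems(k):
    """Names of the RSA/CRT relations that fail; an empty list means the fields agree with each other."""
    checks = {
        "p*q != n": k["p"] * k["q"] != k["n"],
        "e*d != 1 mod (p-1)": (k["e"] * k["d"]) % (k["p"] - 1) != 1,
        "e*d != 1 mod (q-1)": (k["e"] * k["d"]) % (k["q"] - 1) != 1,
        "dp != d mod (p-1)": k["dp"] != k["d"] % (k["p"] - 1),
        "dq != d mod (q-1)": k["dq"] != k["d"] % (k["q"] - 1),
        "qinv*q != 1 mod p": (k["qinv"] * k["q"]) % k["p"] != 1,
    }
    return [name for name, failed in checks.items() if failed]


def spki_der(n, e):
    """SubjectPublicKeyInfo for an RSA key: the same bytes a certificate carries for this public key."""
    rsa_public_key = _der(0x30, _der_int(n) + _der_int(e))
    algorithm = _der(0x30, RSA_ENCRYPTION_OID + b"\x05\x00")      # rsaEncryption, NULL params
    return _der(0x30, algorithm + _der(0x03, b"\x00" + rsa_public_key))


def spki_pin(n, e):
    """base64(sha256(SPKI)), the value HPKP-style pins and `openssl dgst` on the DER SPKI produce."""
    return base64.b64encode(hashlib.sha256(spki_der(n, e)).digest()).decode()


if __name__ == "__main__":
    key = parse_pkcs1(pem_to_der(sys.stdin.read()))
    print("modulus bits:", key["n"].bit_length())
    print("problems:", consistency_problems(key) or "none")
    print("SPKI sha256 pin:", spki_pin(key["n"], key["e"]))
```

Run it as `python3 keycheck.py < leaked.pem`. To test the "this is the key for that certificate" claim, compute the certificate's pin with `openssl x509 -in cert.pem -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256 -binary | base64` and compare it with the printed pin: equal pins mean the posted private key really corresponds to that certificate; a consistent key with a different pin only shows that this file is not that certificate's key, and a key that fails the consistency checks was corrupted in transit or never was a valid key. The hand-written DER code is deliberately limited to the PKCS#1 layout; for anything beyond this check, use a real ASN.1 library.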


8 comments until now

  1. You should believe now:
    http://pastebin.com/DBDqm6Km

    check it out

  2. « I, personally, think it's a BIG fake. »
    See: http://pastebin.com/DBDqm6Km

  3. thanks for those URLs :)

  4. At least you have the ego of 1000 programmers. Says a lot.

  5. Bunch of crap – nothing else could possibly come out of the narrow-minded antisemitic little brain of a brainwashed Iranian prick.

  6. As heard on Twitter: the Twitter account of the hacker is @ichsunx.
