Following the news that the infrastructure of Dutch certificate authority (CA) DigiNotar was attacked, the hacker responsible said he had accessed four other CAs.
After the issuing of a fraudulent Google certificate, internet giants including Microsoft and Mozilla have revoked access to DigiNotar's certificates, while CA GlobalSign said it is investigating claims that its infrastructure had been penetrated.
The attacker's Pastebin account is called ‘Comodo Hacker' and he has tweeted as 'ichsunx2'. This week, ‘Ich Sun' invited questions. Here are his responses, quoted in full and unedited, to SC magazine:
Why target this Dutch company if your grievance is with the government?
Dutch government involved 100 per cent with DigiNotar, I didn't hacked DigiNotar just to target Dutch government, I needed those certs which I got, but also to affect and corrupt Dutch government works.
A number of browser providers (Mozilla, Google, Microsoft) are now refusing to accept DigiNotar certificated traffic. Do you see this as a success for your actions?
It was not the goal, but that's good so far with me. They'll learn to think about each of their actions, specially Dutch gov. and Dutch parliament.
You called this a sophisticated attack and there have been parallels made to Stuxnet in terms of sophistication and impact. How do you view this?
I explained it in my Pastebin post: http://pastebin.com/85WV10EL
The Pastebin post reads: “This attack was really more sophisticated than simple Stuxnet worm. 0-days? I already have discovered similar bugs, Trojan? I already wrote most sophisticated undetectable ring0 and ring3 rootkit (works together). Signing certificates? huh, man! I have around 300 code signing certificates and a lot of SSL certs with again code signing permission, look at Google's cert, I have code signing privilege! You see? I owned an entire computer network of DigiNotar with 5-6 layer inside which have no ANY connection to internet."
Regarding this and the other four CAs you have targeted, have you encountered poor security?
I explained this in my other Pastebin post: http://pastebin.com/GkKUhu35
The Pastebin post reads: “You think I generated SSL and code signing certificates by sending some SQL queries or sending some requests or using some ready made in desktop applications with 1234 password default? Ahhh man! Stop taking people's work easy. There was netHSM with OpenBSD OS, only one port open, totally closed/protected with RSA SecurID and SafeSign Token management systems, they had around eight smart cards totally (a company with a lot of employees, only eight smart cards for SSL generation), you see? It's not 'simple DNN bug', ok? I had remote desktop access in last RSA Certificate Manager system which had no any connection to internet, all files was coded in XUDA (there is no reference to XUDA programming language, even a single line), no one can access those server via Remote desktop, there was enough firewalls and routers which even blocked their own employee to access that network. That network had different domain controller with different users."
Do you intend to undertake a prolonged attack against DigiNotar and other CAs?
Not for DigiNotar, but I'll do it all the time to all CAs.
Are you prepared to identify yourself?
Why should I?