
May 3, 2011

Iranian hacker claims he acted alone in stealing digital SSL certificates


Hacker says theft of certificates used for online transactions was retribution for the joint authorship by the US and Israel of the Stuxnet worm


An Iranian hacker has claimed he acted alone in stealing digital security certificates used for online transactions by some of the web's largest sites, including Google, Microsoft, Skype and Yahoo.

He said the act had been a form of retribution for the joint authorship by the US and Israel of the Stuxnet worm, which was allegedly designed by government-sponsored teams to sabotage the centrifuges at Iran's uranium enrichment facilities.

The claim follows suspicions last week that the hack was sponsored by the Iranian government and was an attempt to destabilise online transactions and erode trust in online security. SSL certificates are issued by certificate authorities (CAs) whose signing keys browsers are built to trust. When a user visits an address beginning with https:, the browser checks that a trusted CA has signed a certificate for that site's name and, if so, shows the padlock icon in the address bar. The whole scheme therefore rests on CAs issuing certificates only to the genuine owner of a name: a browser has no way to tell a properly issued certificate from one the CA was tricked into signing.

The hacker posted detailed information, including names, accounts and passwords, about how he broke into the systems of InstantSSL.it, an Italian company that resold certificates supplied by a US-based company called Comodo.

He also insisted, in a posting on Pastebin.com – a code-sharing site which is frequently used by hackers and the Anonymous group to send messages to the world – that "we have no relation to Iranian Cyber Army ... we just hack and own ... I'm a single hacker with [the] experience of 1,000 hackers."

He said he began by trying to hack the SSL protocol and then discovered a weakness in InstantSSL.it, and exploited it.

Mikko Hypponen, a security expert at F-Secure, said the hacker's postings on Pastebin "look convincing" but added "whether they were posted by a 21-year-old lone gunman or the Iranian government PR department, I don't know".

Comodo had acknowledged the attack on 23 March, and said that eight days earlier an unknown hacker or hackers had obtained nine fraudulently issued certificates for the login sites of Hotmail, Gmail, the internet phone service Skype and Yahoo Mail, and for the add-on site for Mozilla's Firefox browser. The certificates were not forgeries: they were genuine, signed by a CA that every major browser trusts, but for names the attacker did not own.

Acquiring those certificates, together with the private keys generated alongside them, would let the hacker run impostor sites that a browser would accept as the real login pages, with the padlock shown and no warning of any kind, which could be disastrous for the security of those using them. A certificate alone does not redirect anyone, however: the attacker also has to steer victims' connections to the impostor, for example by controlling DNS or sitting on the network path, and that is well within reach of an internet provider or a government.
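The two paragraphs above describe how a browser decides that a certificate "confirms the identity of a site" and why a mis-issued certificate from a trusted CA is accepted exactly like a genuine one. The script below is an added example written for this page, not code from the article, from Comodo or from any browser. It models the check a browser performs: is the issuer in my trust store, does its signature verify, is the certificate on a blocklist, and does the name match the host I am connecting to. All names and keys are constructed; HMAC-SHA256 stands in for the CA's real public-key signature so the script runs with only the Python standard library (in the real system the browser holds only the CA's public key and cannot sign). The mail.google.com and www.google.com hostnames are used as illustrative labels, not as the exact names in the certificates the article reports.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for an X.509 leaf certificate (constructed for this example)."""
    serial: int
    subject: str    # hostname the certificate vouches for
    issuer: str     # name of the CA that signed it
    signature: str  # issuer's signature over (serial, subject, issuer), hex


def _to_be_signed(serial: int, subject: str, issuer: str) -> bytes:
    # Canonical encoding of the fields the CA commits to.
    return json.dumps([serial, subject, issuer], separators=(",", ":")).encode()


class CA:
    """A certificate authority. HMAC-SHA256 is an assumed stand-in for the CA's
    private signing key; a real CA signs with an asymmetric key."""

    def __init__(self, name: str, key: bytes) -> None:
        self.name = name
        self._key = key

    def issue(self, serial: int, subject: str) -> Cert:
        # Note what is absent: nothing here checks that the requester owns `subject`.
        sig = hmac.new(self._key, _to_be_signed(serial, subject, self.name),
                       hashlib.sha256).hexdigest()
        return Cert(serial, subject, self.name, sig)


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Exact match, or a leftmost wildcard covering exactly one DNS label."""
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".example.com"
        return hostname.endswith(suffix) and hostname.count(".") == pattern.count(".")
    return pattern == hostname


class Browser:
    """Client-side validation. The only question asked is: did a CA I trust sign a
    certificate for this hostname? It cannot distinguish a genuine issuance from
    one the CA was tricked into making."""

    def __init__(self, trust_store: dict, blocklist=()) -> None:
        self.trust_store = dict(trust_store)  # issuer name -> verification key
        self.blocklist = set(blocklist)       # (issuer, serial) pairs to refuse

    def verify(self, cert: Cert, hostname: str) -> tuple:
        key = self.trust_store.get(cert.issuer)
        if key is None:
            return False, "issuer not in trust store"
        expected = hmac.new(key, _to_be_signed(cert.serial, cert.subject, cert.issuer),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, cert.signature):
            return False, "signature does not verify"
        if (cert.issuer, cert.serial) in self.blocklist:
            return False, "certificate explicitly blocklisted"
        if not hostname_matches(cert.subject, hostname):
            return False, "hostname mismatch"
        return True, "trusted"


def demo() -> dict:
    # Constructed parties: one CA the browser trusts, one it does not.
    trusted_ca = CA("Trusted Root", b"trusted-root-secret")
    rogue_ca = CA("Rogue Root", b"rogue-root-secret")

    genuine = trusted_ca.issue(serial=1001, subject="mail.google.com")
    # Same CA, same name, but issued to an attacker: the scenario in the article.
    misissued = trusted_ca.issue(serial=1002, subject="mail.google.com")
    # The attacker's own CA signing the same name: nobody trusts the issuer.
    self_made = rogue_ca.issue(serial=1, subject="mail.google.com")

    browser = Browser({"Trusted Root": b"trusted-root-secret"})
    results = {
        "genuine": browser.verify(genuine, "mail.google.com"),
        "misissued": browser.verify(misissued, "mail.google.com"),
        "self_made": browser.verify(self_made, "mail.google.com"),
        # A certificate only impersonates the names it carries.
        "wrong_host": browser.verify(misissued, "www.google.com"),
    }
    # Emergency fix once the bad serial numbers are known: refuse them outright,
    # without distrusting the CA (and every legitimate certificate it issued).
    patched = Browser({"Trusted Root": b"trusted-root-secret"},
                      blocklist={("Trusted Root", 1002)})
    results["misissued_after_patch"] = patched.verify(misissued, "mail.google.com")
    results["genuine_after_patch"] = patched.verify(genuine, "mail.google.com")
    return results


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:22s} {'ACCEPT' if ok else 'REJECT':6s} {why}")
```

The point the output makes is that "genuine" and "misissued" produce identical verdicts: the browser's logic is sound and still accepts the impostor, because the failure happened at the CA, not in the client. The only client-side remedies are the ones modelled by the patched browser, a blocklist of the specific serials, or removing the issuer from the trust store altogether.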

Microsoft confirmed the theft last Wednesday.

Comodo's chief executive, Melih Abdulhayoglu, said last week that "circumstantial evidence" pointed to a state-backed attack by Iranian hackers: "We believe these are politically motivated, state-driven/funded attacks," he said. He suggested that the Iranian government planned to create fake sites that would fool activists inside the country into thinking they were on a secure site which could not be tapped, but instead would collect their details.

The hacker denies this emphatically, insisting his actions were to point up what he called duplicitous behaviour by companies such as Microsoft in allowing the security holes exploited by Stuxnet to remain open for so long, to the advantage of the US and Israeli governments:
"Anyone inside Iran with problems, from fake green movement to all MKO members and two-faced terrorists, should afraid of me personally. I won't let anyone inside Iran harm people of Iran, harm my country's Nuclear Scientists, harm my Leader (which nobody can), harm my President, as I live, you won't be able to do so. as I live, you don't have privacy in internet, you don't have security in digital world, just wait and see ... By the way, you already have seen it or you are blind, is there any larger target than a CA [Certificate Authority] in internet?"
Hypponen pointed out that it was odd for a lone hacker apparently acting at random to have created fake certificates for nine principal sites or systems used for communication – hinting that it would be very convenient for the Iranian government to have those faked certificates available if it wanted to monitor dissidents inside its borders.