Tuesday, September 06, 2011

Iran hacked Dutch digital certificates to spy on Iranian citizens

From The Register:
The Google webmail of as many as 300,000 Iranians may have been intercepted using fraudulently issued security certificates made after a hack against Dutch certificate authority outfit DigiNotar, according to the preliminary findings of an official report into the megahack.

Fox-IT, the security consultancy hired to examine the breach against DigiNotar, reveals that DigiNotar was hacked on or around 6 June – a month before hackers began publishing rogue certificates. Between 10 July and 20 July hackers used compromised access to DigiNotar's systems to issue 531 rogue SSL certificates for Google and other domains, including Skype, Mozilla add-ons, Microsoft update and others. DigiNotar only began revoking rogue certificates on 19 July and waited more than a month to go public about the problem. The fake *.google.com certificate – which was valid for code-signing – wasn't revoked until 29 July.

The compromise was used, in part, to spy on Iranian internet users, using the forged Google SSL certificate to run man-in-the-middle attacks.

"The list of domains and the fact that 99 per cent of the users are in Iran suggest that the objective of the hackers is to intercept private communications in Iran," [Fox-IT] adds.
In English, this means that Iran apparently forged the certificates that browsers use to confirm they are talking to the genuine website - Google, for instance - and to encrypt the traffic to it. As a result, Iran was able to spy on email and web traffic that even the most conscientious user would have assumed was safe from prying eyes.

Or, as Israel Hayom describes it:
In theory, a fraudulent certificate can be used to trick a user into visiting a fake version of a Web site, or used to monitor communications with the real sites without users noticing.

But in order to pass off a fake certificate, a hacker must be able to steer his target’s Internet traffic through a server that he controls. That is something only an Internet service provider, or a government that commands one, can easily do.

According to AP, technology experts cite a number of reasons to believe the attack is connected to Iran. Notably, several of the certificates contain nationalist slogans in Farsi, the language spoken by most Iranians.

“This, in combination with messages the hacker left behind on DigiNotar’s Web site, definitely suggests that Iran was involved,” Ot van Daalen, director of Bits of Freedom, an online civil liberties group, told AP.
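The scenario quoted above (a fraudulent but validly signed certificate presented by a server sitting in the traffic path) is exactly what browser certificate pinning was built to catch. The following is an added example, not code from this post or from any of the quoted sources: a small Python check over certificates in the dict layout that Python's `ssl.getpeercert()` returns, which flags a google.com certificate whose issuer is not in a pinned set. The pin policy, both certificates and the issuer names are constructed; real deployments pin public-key hashes rather than issuer names.

```python
import ssl

# Constructed pin policy: which CA organisation we expect to sign certificates
# for google.com. Issuer names are used here only to keep the example
# self-contained; production pinning uses public-key hashes.
EXPECTED_ISSUERS = {
    "google.com": {"Example Trusted CA"},   # constructed, not Google's real CA
}

# Constructed certificates in the dict layout returned by ssl.SSLSocket.getpeercert().
LEGIT_CERT = {
    "subject": ((("commonName", "*.google.com"),),),
    "issuer": ((("organizationName", "Example Trusted CA"),),),
    "subjectAltName": (("DNS", "*.google.com"), ("DNS", "google.com")),
    "notBefore": "Jan 10 00:00:00 2011 GMT",
    "notAfter": "Dec 31 23:59:59 2011 GMT",
}
# Same names, but signed by a CA that never signs for google.com and issued in
# the 10-20 July window described above (constructed to mirror the rogue cert).
ROGUE_CERT = dict(LEGIT_CERT, issuer=((("organizationName", "DigiNotar"),),),
                  notBefore="Jul 10 00:00:00 2011 GMT")
# Constructed check time: mid-July 2011, while the rogue certificate was live.
NOW = ssl.cert_time_to_seconds("Jul 15 00:00:00 2011 GMT")

def _rdn_to_dict(rdns):
    """Flatten getpeercert()'s nested RDN tuples into a plain attribute dict."""
    return {key: value for rdn in rdns for key, value in rdn}

def _host_matches(pattern, host):
    """Exact match, or a single-label wildcard (*.google.com matches mail.google.com only)."""
    if pattern.startswith("*."):
        return host.endswith(pattern[1:]) and host.count(".") == pattern.count(".")
    return pattern == host

def check_certificate(cert, host, now):
    """Return a list of findings for `cert` presented for `host` at unix time `now`.
    An empty list means the certificate passes every check."""
    findings = []
    host = host.lower()
    names = [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    names.append(_rdn_to_dict(cert["subject"]).get("commonName", "").lower())
    if not any(_host_matches(n, host) for n in names if n):
        findings.append("hostname mismatch")
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        findings.append("certificate not yet valid")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        findings.append("certificate expired")
    # The pinning check: a valid-looking cert from a CA that never signs for this
    # domain is the signal that exposed the *.google.com certificate in the wild.
    registrable = ".".join(host.split(".")[-2:])   # naive; fine for google.com
    expected = EXPECTED_ISSUERS.get(registrable)
    issuer_org = _rdn_to_dict(cert["issuer"]).get("organizationName")
    if expected is not None and issuer_org not in expected:
        findings.append(f"unexpected issuer {issuer_org!r}")
    return findings
```

Note that the rogue certificate passes the hostname and validity checks; only the pin catches it, which is why a correct chain to a trusted CA was not enough to protect users here.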