Iran suspected in hack of web security firm
Internet users were spied on last month by one or more hackers who issued bogus certificates after breaking into a Dutch certificate authority, says a Dutch report.
Last Modified: 06 Sep 2011 00:19
Hundreds of thousands of private messages between Iranian internet users and Google were monitored [Reuters]

Experts suspect that hackers who broke into a web security firm and issued hundreds of bogus security certificates for spy agency websites and internet giants had ties to the Iranian government.

In a statement on Monday, the Dutch government released findings that greatly expand the scope of the hacking attack on the certificate authority DigiNotar. External IT experts reviewing DigiNotar's computer systems said the hack may have begun in June, not July as DigiNotar had previously asserted.

The experts said the breach went well beyond Google: the intruders issued 531 fake certificates covering about 344 domains, including sites operated by Yahoo, Facebook, Microsoft, Skype, AOL, Mozilla, TorProject and WordPress, as well as those of spy agencies including the CIA, Israel's Mossad and Britain's MI6.

DigiNotar is one of many certificate authorities that sell the "SSL" certificates browsers use to check that a website is the one it claims to be and to encrypt the traffic between the user's browser and that site.

A fraudulent certificate for a site lets an attacker pass off a fake version of that site as genuine, or sit between the user and the real site and read the traffic, without the browser raising any warning.

But to actually use a fake certificate, the attacker must first be able to route the target's internet traffic through a server under the attacker's control, a man-in-the-middle position.

That is something only an internet service provider can easily do, or a government that commands one.

Ties to Iran

Information technology experts said on Monday that they suspect the hackers were co-operating with the Iranian government.

The external review by Fox-IT, a Dutch company, found that one fake certificate for Google was used 300,000 times between its activation on August 4 and its revocation on August 29. Almost all of that use came from Iran.

"The list of domains and the fact that 99 per cent of the users are in Iran suggest that the objective of the hackers is to intercept private communications in Iran," it concluded.

Roel Schouwenberg of internet security firm Kaspersky said, "a government operation is the most plausible scenario."

The hack of DigiNotar closely resembles the March attack on the US certificate authority Comodo, which was also attributed to an Iranian hacker. The Fox-IT report said that the hackers erased some evidence of their break-in but deliberately left behind at least one message, in one of their scripts: "My signature as always, Janam Fadaye Rahbar," which means "I will sacrifice my soul for my leader" in Farsi, the language spoken in Iran.

The same signature line was used by the Comodo hacker, apparently in reference to Iran's religious leader Ayatollah Ali Khamenei.

'Massive' attack

In a blog posting, US security firm Trend Micro described the attack as "massive," writing that according to its data "internet users in more than 40 different networks of ISPs and universities in Iran were confronted with rogue SSL certificates issued by DigiNotar."

Gervase Markham, a Mozilla developer who has been involved in the response to the DigiNotar failure, warned Iranian internet users to update their browsers, "log out of and back into every email and social media service you have" and change all passwords.

The latest versions of browsers such as Microsoft's Internet Explorer, Google's Chrome and Mozilla's Firefox now reject certificates issued by DigiNotar, having removed its root certificates from the list of authorities they trust.
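The two mechanics described on this page, the one under which a fraudulent certificate is accepted at all (its issuing root sits in the client's trust store, so the browser cannot tell it from a genuine one) and the remedy the browsers applied (pull that root), can be shown end to end with Go's standard library. The following is an added example, not code from the article or from any vendor or authority it names; the root names, the host name mail.example.com and the key-pinning check are constructed for the illustration and are not taken from the DigiNotar case:

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newTemplate builds a one-day certificate for name: a signing root when isCA is set,
// otherwise a server certificate for that DNS name.
func newTemplate(name string, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	if isCA {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
	} else {
		t.DNSNames = []string{name}
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// issue generates a key for tmpl and has signer (the holder of parent's key) certify it;
// a nil parent yields a self-signed root. Nothing in X.509 stops a CA key signing any name.
func issue(tmpl, parent *x509.Certificate, signer ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	if parent == nil {
		parent, signer = tmpl, priv
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, priv
}

// spkiPin is the SHA-256 of the SubjectPublicKeyInfo, the value key pinning compares.
func spkiPin(c *x509.Certificate) string {
	return fmt.Sprintf("%x", sha256.Sum256(c.RawSubjectPublicKeyInfo))
}

// verify is the ordinary browser check (chain to a trusted root, name matches host); with pins
// it also demands that some key in the chain was pinned earlier, which a rogue chain cannot satisfy.
func verify(leaf *x509.Certificate, roots *x509.CertPool, host string, pins map[string]bool) error {
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	if err != nil || pins == nil {
		return err
	}
	for _, chain := range chains {
		for _, c := range chain {
			if pins[spkiPin(c)] {
				return nil
			}
		}
	}
	return fmt.Errorf("chain for %s matches no pinned key", host)
}

// Demo issues a certificate for one host from a genuine and from a compromised root (names
// constructed for this example) and reports which certificates the client-side checks accept.
func Demo() (rogueTrusted, rogueDistrusted, roguePinned, genuinePinned bool) {
	const host = "mail.example.com"
	genuineCA, genuineKey := issue(newTemplate("Example Genuine Root", true), nil, nil)
	rogueCA, rogueKey := issue(newTemplate("Example Compromised Root", true), nil, nil)
	genuine, _ := issue(newTemplate(host, false), genuineCA, genuineKey)
	rogue, _ := issue(newTemplate(host, false), rogueCA, rogueKey) // attacker's key, compromised CA's signature
	trusted := x509.NewCertPool()                                  // trust store before the compromise is known
	trusted.AddCert(genuineCA)
	trusted.AddCert(rogueCA)
	distrusted := x509.NewCertPool() // trust store after the compromised root is pulled
	distrusted.AddCert(genuineCA)
	pins := map[string]bool{spkiPin(genuineCA): true}             // the client pinned the genuine root's key earlier
	rogueTrusted = verify(rogue, trusted, host, nil) == nil       // plain chain check: accepted
	rogueDistrusted = verify(rogue, distrusted, host, nil) == nil // root pulled (what the browsers did): rejected
	roguePinned = verify(rogue, trusted, host, pins) == nil       // pin check, root still trusted: rejected
	genuinePinned = verify(genuine, trusted, host, pins) == nil   // pin check on the real site: accepted
	return
}

func main() { fmt.Println(Demo()) }
```

Run with `go run` and it prints `true false false true`: the rogue certificate passes a standard chain check for as long as the compromised root is trusted, fails as soon as that root is removed, and fails the pin check even while the root is still trusted, while the genuine certificate passes it. The traffic steering the article describes as the other precondition is not modelled here; the example only shows what the browser's certificate checks can and cannot catch.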

Ot van Daalen of Dutch online civil liberties group Bits of Freedom said he believed the DigiNotar incident would ultimately lead to a reform of authentication technology.

Although no users in the Netherlands are known to have been victimised directly by the hack, it has caused a major headache for the Dutch government, which relied on DigiNotar for authentication of many of its websites.

Dutch Interior Minister Piet Hein Donner announced in the early hours of Saturday morning that the safety of websites including the country's social security agency, police and tax authorities could no longer be guaranteed.

The Dutch government took over management of DigiNotar, a subsidiary of Chicago-based Vasco, but kept the websites operating as it scrambles to find replacement security providers.

Donner said on Monday he had reached a deal with Microsoft under which Microsoft will delay, for users in the Netherlands, the update that blocks some of the DigiNotar certificates for the next week, in order to prevent a widespread disruption of government services, which might prove worse than any potential hacking.

"The entire internet is not a phenomenon that lends itself well to government rules," Donner said at a press conference.
