Iran suspected in hack of web security firm

Internet users spied on last month by one or several hackers who stole certificates from an IT firm, says Dutch report.

Hundreds of thousands of private messages between Iranian internet users and Google were monitored [Reuters]

Experts suspect that hackers who broke into a web security firm and issued hundreds of bogus security certificates for spy agency websites and internet giants had ties to the Iranian government.

In a statement on Monday, the Dutch government released findings that greatly expand the scope of a hacking attack on securities firm DigiNotar. External IT experts reviewing DigiNotar’s computer systems said the hack may have begun in June, not July as DigiNotar had previously asserted.

The experts said it had affected access not only to Google, but included 531 fake certificates for about 344 domains including sites operated by Yahoo, Facebook, Microsoft, Skype, AOL, Mozilla, TorProject, and WordPress, as well as spy agencies including the CIA, Israel’s Mossad and Britain’s MI6.

DigiNotar is one of many companies that sell the “SSL” security certificates widely used to authenticate websites and guarantee that communications between a user’s browser and a website are secure.

In theory, a fraudulent certificate can be used to trick a user into visiting a fake version of a website, or used to monitor communications with the real sites without users noticing.

But in order to actually pass off a fake certificate, a hacker must be able to steer his target’s internet traffic through a server he controls.

That is something that only an internet service provider can easily do – or a government that commands one.

Ties to Iran

Information technology experts said on Monday that they suspect the hackers were probably co-operating with the Iranian government.

The external review by Fox-IT, A Dutch company, found that one fake certificate for Google was used 300,000 times between its activation on August 4 and when it was revoked on August 29. Almost all usage came from Iran.

“The list of domains and the fact that 99 per cent of the users are in Iran suggest that the objective of the hackers is to intercept private communications in Iran,” it concluded.

Roel Schouwenberg of internet security firm Kaspersky said, “a government operation is the most plausible scenario.”

The hack of DigiNotar closely resembles one in March of the US security certificate issuer Comodo, which was also attributed to an Iranian hacker. The Fox-IT report said that the hackers erased some evidence of their break-in but purposefully left behind at least one message in one script: “My signature as always, Janam Fadaye Rabhar,” which means “I will sacrifice my soul for my leader” in the Farsi language spoken by Iranians.

The same signature line was used by the Comodo hacker, apparently in reference to Iran’s religious leader Ayatollah Ali Khamenei.

‘Massive’ attack

In a blog posting, US security firm Trend Micro described the attack as “massive,” writing that according to its data “internet users in more than 40 different networks of ISPs and universities in Iran were confronted with rogue SSL certificates issued by DigiNotar.”

Gervase Markham, a Mozilla developer who has been involved in the response to the DigiNotar failure, warned Iranian internet users to update their browsers, “log out of and back into every email and social media service you have” and change all passwords.

The latest versions of browsers such as Microsoft’s Internet Explorer, Google’s Chrome and Mozilla’s Firefox are now rejecting certificates issued by DigiNotar.

Ot van Daalen of Dutch online civil liberties group Bits of Freedom said he believed the DigiNotar incident would ultimately lead to a reform of authentication technology.

Although no users in the Netherlands are known to have been victimised directly by the hack, it has caused a major headache for the Dutch government, which relied on DigiNotar for authentication of many of its websites.

Dutch Interior Minister Piet Hein Donner announced in the early hours of Saturday morning that the safety of websites including the country’s social security agency, police and tax authorities could no longer be guaranteed.

The Dutch government took over management of DigiNotar, a subsidiary of Chicago-based Vasco, but kept the websites operating as it scrambles to find replacement security providers.

Donner said on Monday he had reached a deal with Microsoft under which the government will not block some of the web certificates in the Netherlands for the next week in order to prevent a widespread disruption of government services, which might prove worse than any potential hacking.

“The entire internet is not a phenomenon that lends itself well to government rules,” Donner said at a press conference.

Source: News Agencies