Hundreds of forged security certificates obtained by hackers were used to spy on Iranian web users, new evidence suggests.
The Telegraph
Christopher Williams
Analysis by the computer security firm Trend Micro has found that Iranian web users used the forged certificates a disproportionate number of times, suggesting they were the target of a large-scale spying operation that compromised services including Gmail.
A separate investigation by a Dutch government security agency has found that more than 500 forged SSL certificates, for dozens of major websites, were issued by DigiNotar.
The websites of the CIA, the US intelligence agency, and Mossad, its Israeli counterpart, were on the list.
SSL is an encryption protocol used by websites to protect sensitive traffic such as email, online banking and software downloads. Certificate authorities such as DigiNotar act as an independent third party, supposedly guaranteeing that communications between a website and a web browser are properly encrypted.
But it emerged last week that hackers had taken control of DigiNotar's systems and issued a forged SSL certificate for all of Google's websites.
This would have allowed them to carry out a “man-in-the-middle” attack, in which they could intercept all traffic between Iranians and Google without either side of the communication being alerted. The forged certificate was issued in July and not detected until 27 August.
Web browsers are programmed to 'trust' certificate authorities, so users were left exposed.
The subsequent investigation, carried out by Govcert.nl, the Dutch government's information security agency, has found that forged certificates for Facebook, Microsoft, Twitter, and dozens more websites, were issued too. The website of the Tor Project, which develops anonymity software often used by political dissidents, also appears on the list.
On Monday, Trend Micro presented further evidence suggesting the attack was aimed at Iranian internet users. The firm measured traffic to validation.diginotar.nl, a web address that web browsers contact when they use an SSL certificate issued by DigiNotar.
Normally, almost all of the traffic would be from the Netherlands, as DigiNotar primarily sells its services to Dutch customers, including the government. But during the period that the forged certificates were being used, there was a large spike in traffic from Iran.
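The detection logic Trend Micro describes, a geographic baseline for requests to a CA's validation endpoint compared against later days, can be reproduced over server logs. The following is an added illustration, not Trend Micro's or DigiNotar's code; the log format, the country field (assumed to have been geolocated upstream from client IPs) and the threshold values are assumptions, and the sample lines are constructed.

```python
from collections import Counter, defaultdict

# Constructed sample: timestamp, host, method, path, client country (already geolocated).
SAMPLE_LOG = """\
2011-06-15T10:00:01Z validation.diginotar.nl GET /ocsp NL
2011-06-15T10:00:02Z validation.diginotar.nl GET /ocsp NL
2011-06-15T10:00:03Z validation.diginotar.nl GET /ocsp DE
2011-06-15T10:00:04Z validation.diginotar.nl GET /ocsp NL
2011-08-20T09:00:01Z validation.diginotar.nl GET /ocsp NL
2011-08-20T09:00:02Z validation.diginotar.nl GET /ocsp IR
2011-08-20T09:00:03Z validation.diginotar.nl GET /ocsp IR
2011-08-20T09:00:04Z validation.diginotar.nl GET /ocsp IR
"""

def parse_log(text):
    """Return (day, country) pairs; malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        records.append((parts[0][:10], parts[4]))  # date part of the timestamp only
    return records

def daily_shares(records):
    """Per day, the fraction of validation requests coming from each country."""
    counts = defaultdict(Counter)
    for day, country in records:
        counts[day][country] += 1
    return {day: {c: n / sum(ctr.values()) for c, n in ctr.items()}
            for day, ctr in counts.items()}

def baseline_shares(shares, baseline_days):
    """Average per-country share over days known to carry normal traffic."""
    total = Counter()
    for day in baseline_days:
        total.update(shares.get(day, {}))
    return {c: v / len(baseline_days) for c, v in total.items()}

def flag_spikes(shares, baseline, min_share=0.10, ratio=5.0):
    """Flag (day, country, share) where a country's share is both material
    and far above its baseline; a country absent from the baseline counts as 0."""
    hits = []
    for day, by_country in sorted(shares.items()):
        for country, share in by_country.items():
            if share >= min_share and share >= ratio * baseline.get(country, 0.0):
                hits.append((day, country, round(share, 2)))
    return hits

def analyse(text, baseline_days):
    shares = daily_shares(parse_log(text))
    return flag_spikes(shares, baseline_shares(shares, baseline_days))
```

On the constructed sample the June day establishes a Dutch-dominated baseline and the August day is flagged for Iran; in practice the baseline window should span several weeks so that ordinary day-to-day variation is not reported.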
“Trend Micro has concrete evidence that these man-in-the-middle attacks happened indeed on a large scale in Iran,” the firm said in a blog post.
“Iranian Internet users were exposed to a large scale man-in-the-middle attack, where SSL encrypted traffic can be decrypted by a third party. For example: a third party probably was able to read all email communication an Iranian internet user has sent with his Gmail account.”
It is not the first time the Iranian government has been suspected of using weaknesses in the SSL system to spy on its citizens. Earlier this year, Comodo, another certificate authority, was hacked to issue forged certificates for webmail providers. It said the evidence pointed to Tehran.
Trend Micro's Rik Ferguson said the latest incident “highlights a weak link in the chain” of online security.
He criticised the fact that DigiNotar did not reveal it had detected a breach of its security on 19 July, allowing the forged certificates to be used for more than a month.
“Details of any such breach should be made public immediately so that the bad certificates can be revoked and will no longer be accepted by browsers around the world, thus mitigating the effect of such an attack,” Mr Ferguson said.
All the major browser makers have revoked DigiNotar's authority to issue SSL certificates. Govcert.nl said it had taken over “operational management” of the firm and denounced trust in all its certificates.