Tag Archives: Internet privacy

DigiNotar Breach Notes

Some folk have asked me for more details about the DigiNotar breach after my brief appearance on Al Jazeera this morning. So here are the notes I prepared for the segment. Links at the bottom.

Background

Web security certificates are digital IDs issued by companies entrusted with making sure they are given to the right company or organisation. A certificate allows a user to set up a secure connection between their computer and the organisation’s website. Browsers will show a little lock or some other icon to signify the certificate has been found and is trusted.

Hackers broke into a Dutch company called DigiNotar, itself owned by US firm Vasco Data Security, in mid June. DigiNotar is one of hundreds of companies around the globe called certificate authorities that issue these authentication certificates. Browsers contain a list of which CAs they can trust.

These hackers would have been able to steal existing certificates or generate their own, meaning they could now, with the help of an Internet Service Provider, launch what are called Man in the Middle Attacks–meaning they could intercept traffic, a bit like tapping a telephone.

DigiNotar noticed that something was amiss in July, but didn’t realise the extent of the breach until late August, by which time more than 500 (531) fake certificates had been issued. While some cover domains like the CIA and MI6, these are probably just distractions. The key ones are a dozen issued for domains like Google, Facebook and Skype.

Why do we think this was about Iran?

Studies of the validation requests–browsers pinging DigiNotar to confirm the certificate’s authenticity–showed that during August the bulk–maybe 99%–of the traffic was coming from Iran. When the certificates were eventually revoked, Iranian activity dropped.
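The kind of analysis described above can be reproduced from an OCSP responder’s own access log: count who is asking “is this certificate still valid?” for the suspect serial and break it down by country. The following is an added example, not code from the post or from the Fox-IT report; the log line layout, the prefix-to-country table (standing in for a GeoIP database, using RFC 5737 documentation ranges) and the serial number are all constructed for illustration.

```python
"""Added example (not from the post or the Fox-IT report): how an OCSP
responder's access log shows *who* is validating a given certificate.

Assumptions (all constructed for illustration):
- log line format: "<ISO time> <client-ip> <cert-serial>"  (hypothetical)
- a tiny IP-prefix -> country table standing in for a GeoIP database
- serial "0x1f2e" is the rogue certificate under investigation
"""
import ipaddress
from collections import Counter

# Hypothetical prefix-to-country table (stand-in for a GeoIP lookup).
# The country labels are invented for the demo; these are documentation ranges.
GEO_TABLE = {
    ipaddress.ip_network("203.0.113.0/24"): "IR",   # TEST-NET-3, labelled IR here
    ipaddress.ip_network("198.51.100.0/24"): "NL",  # TEST-NET-2, labelled NL here
    ipaddress.ip_network("192.0.2.0/24"): "US",     # TEST-NET-1, labelled US here
}

# Constructed OCSP responder log: time, client IP, serial of the cert being checked.
SAMPLE_LOG = """\
2011-08-28T09:00:01Z 203.0.113.10 0x1f2e
2011-08-28T09:00:02Z 203.0.113.11 0x1f2e
2011-08-28T09:00:03Z 203.0.113.12 0x1f2e
2011-08-28T09:00:04Z 198.51.100.5 0x0a01
2011-08-28T09:00:05Z 203.0.113.13 0x1f2e
2011-08-28T09:00:06Z 192.0.2.7 0x1f2e
2011-08-28T09:00:07Z malformed-line
2011-08-28T09:00:08Z 203.0.113.14 0x1f2e
"""


def country_of(ip_text):
    """Map an IP to a country code via the prefix table; 'XX' if unknown or unparsable."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return "XX"
    for net, cc in GEO_TABLE.items():
        if ip in net:
            return cc
    return "XX"


def parse_log(text):
    """Yield (timestamp, ip, serial) tuples; lines without exactly three fields are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # malformed line: skipped rather than aborting the whole analysis
        yield tuple(parts)


def requests_by_country(text, serial):
    """Count validation requests for one certificate serial, grouped by country."""
    counts = Counter()
    for _ts, ip, s in parse_log(text):
        if s.lower() == serial.lower():  # serials are hex; compare case-insensitively
            counts[country_of(ip)] += 1
    return counts


def share(counts, cc):
    """Fraction of the counted requests that came from country cc (0.0 if none at all)."""
    total = sum(counts.values())
    return counts[cc] / total if total else 0.0


if __name__ == "__main__":
    c = requests_by_country(SAMPLE_LOG, "0x1f2e")
    print(dict(c), f"IR share: {share(c, 'IR'):.0%}")
```

On the constructed log, five of the six validation requests for serial 0x1f2e come from the prefix labelled IR. Against a real responder log the same loop over the remaining serials also gives the baseline to compare against: the interesting signal is a per-certificate country mix that differs sharply from the CA’s normal customer base.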

Moreover, the attackers left some quite obvious clues. They left calling cards: transcribed Farsi which translates into slogans such as “I will sacrifice my life for my leader” and “unknown soldier”.

Why might Iran be interested?

Well, we now know that a lot of countries like Syria intercept ordinary Internet traffic through something called Deep Packet Inspection. This means that the government is basically snooping on web traffic. But when that traffic passes through these secure connections, it’s much harder. So the holy grail of any internet surveillance is to get hold of those certificates, or work around them. The DigiNotar attack is a brazen attempt to do exactly that.

All Internet traffic in Iran has to go through a government proxy, making this kind of attack much simpler. The government ISP just uses the certificate to pretend to be Google, or whatever, and then passes the traffic on.

Is it the government?

This is harder to confirm. The Dutch government is investigating this. A similar attack took place against an Italian CA in March, and it shows similar fingerprints.

But the fact that the certificates were stolen and then used seems to suggest some official connection.

What could they have discovered?

Quite a lot. All the traffic that was intercepted could be deciphered, meaning all browsing and emails. But it also may have captured cookies, which effectively act as passwords, which would have made it easy to hack into target accounts and sniff around old emails, dig out other passwords, or hack into associated accounts, such as Google Docs.

Moreover, some of the certificates compromise something called The Onion Router, a service which anonymizes web traffic. Though TOR itself wasn’t compromised, the certificates could convince your browser you were talking to TOR, whereas in fact you’d be talking to the attacker.

Should other people be worried?

Yes. Some browser developers have been more forthcoming than others; Google Chrome and Firefox have been quick to respond. Others less so. If you’re in Iran or think you may be targeted, it’s a good idea to change your password, and to check that no one has altered your forwarding details in your email account. You should also upgrade your browser to the latest version, whatever browser you use.

DigiNotar made some horrible mistakes: one Windows domain for all certificate servers, no antivirus, a simple administrator password. There were defaced pages on the website dating back to 2009. One has to wonder what other certificate authorities are similarly compromised. We rely on these companies to know what they’re doing. They’re the top of the food chain, in the words of one analyst.

We should now be looking closely at the previous breaches and looking for others. This is a ratcheting up of the stakes in a cyberwar; this kind of thing has real world impact on those people who thought they were communicating safely and will now fear the knock on their door.

In the future this is likely to lead to a change in the way certificates are issued and checked. I don’t think DigiNotar is going to survive this, but I think a bigger issue is bound to be how this security issue is handled. I think governments which look to the Internet as a tool for democratic change need also to be aware of just how dangerous it is to encourage dissidents to communicate online, whether or not they’re being careful.

News:

BBC News – Fake DigiNotar web certificate risk to Iranians

DigiNotar – Wikipedia, the free encyclopedia

Fake DigiNotar certificates targeting Iranians?

Expert reports/analysis:

DigiNotar Hacked by Black.Spook and Iranian Hackers – F-Secure Weblog : News from the Lab

Operation Black Tulip: Fox-IT’s report on the DigiNotar breach | Naked Security (Sophos)

Fox-IT report, operation Black Tulip (PDF)

VASCO:

Acquisition DigiNotar

VASCO DigiNotar Statement

Comodogate:

Comodo Group – Wikipedia, the free encyclopedia

Wikipedia: Important enough to whitewash

This is an edited version of my weekly column for Loose Wire Service, a service providing print publications with technology writing designed for the general reader. Email me if you’re interested in learning more.

Wikipedia has gone through some interesting times, good and bad, but I think the last couple of weeks has proved just how powerful it is.

Powerful enough for those who feel denigrated by it to have been trying to spin, airbrush and generally rewrite how history — or at least Wikipedia — remembers them.

Take WikiScanner, cooked up by a young student, Virgil Griffith. WikiScanner does something very simple: It searches the Internet addresses of an organization — government, private, company or whatever — and matches them with any anonymous edit of a Wikipedia entry.

This means that while the edits themselves may be anonymous, the organization where the person is based is not. We may not know who did it, in other words, but we’ve got a pretty good idea of whom they work for.
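The matching WikiScanner does is, at bottom, a containment test of an edit’s IP address against an organisation’s published address blocks. The following is an added example of that idea, not WikiScanner’s own code; the organisation names, their address blocks (RFC 5737 / RFC 3849 documentation ranges) and the edit records are all constructed, where a real run would take the blocks from WHOIS or regional-registry data and the edits from Wikipedia’s public history.

```python
"""Added example (not WikiScanner's code): attributing anonymous edits to an
organisation by matching the editor's IP against the organisation's address blocks.

Everything below is constructed: the organisation names, their CIDR blocks
(documentation ranges) and the edit records.
"""
import ipaddress

# Hypothetical organisation -> address blocks (real data would come from WHOIS/RIR records).
ORG_RANGES = {
    "Acme Voting Machines Inc": ["192.0.2.0/25", "2001:db8:1::/48"],
    "Example Embassy": ["198.51.100.128/25"],
}

# Constructed anonymous-edit records: (article, editor IP, edit summary).
EDITS = [
    ("Acme Voting Machines", "192.0.2.44", "removed unsourced criticism"),
    ("Acme Voting Machines", "203.0.113.9", "fixed typo"),
    ("Hand gestures", "198.51.100.200", "expanded section"),
    ("Acme Voting Machines", "2001:db8:1::beef", "reworded security section"),
    ("Acme Voting Machines", "not-an-ip", "junk record"),
]


def build_index(org_ranges):
    """Parse the CIDR strings once; returns a list of (network, organisation) pairs."""
    index = []
    for org, blocks in org_ranges.items():
        for block in blocks:
            index.append((ipaddress.ip_network(block, strict=False), org))
    # Most specific prefix first, so a narrow block wins over a broader one that also matches.
    index.sort(key=lambda pair: pair[0].prefixlen, reverse=True)
    return index


def attribute(ip_text, index):
    """Return the organisation whose block contains the IP, or None (unknown or unparsable)."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return None
    for net, org in index:
        if ip.version == net.version and ip in net:
            return org
    return None


def edits_by_org(edits, org_ranges):
    """Group edit records by attributed organisation; unattributed edits go under None."""
    index = build_index(org_ranges)
    grouped = {}
    for article, ip, summary in edits:
        grouped.setdefault(attribute(ip, index), []).append((article, summary))
    return grouped


if __name__ == "__main__":
    for org, items in edits_by_org(EDITS, ORG_RANGES).items():
        print(org or "(unattributed)", items)
```

The index is sorted longest-prefix-first so that, when an organisation publishes a small block carved out of a larger provider range, the edit is attributed to the more specific owner. As the column notes, a match says which network the edit came from, not which person made it.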

The results have been surprising. Users of WikiScanner have come up with dozens of cases of companies, organizations and government departments apparently changing entries to either delete stuff they may not like, or making the text more palatable.

Some examples of apparent — none of these is confirmed but the Internet addresses match — self-interested alterations that have hit the news in the last few weeks:

* Diebold removes sections critical of the company’s electronic voting machines

* Apple and Microsoft trade negative comments about each other

* Amnesty International removes negative comments about itself, according to the Malta Star

(My own searches threw up no examples at all of institutions in my current home of Indonesia spinning on Wikipedia. Shame on them. What have they been doing with their time? One Indonesian embassy official seems to have spent most of his day editing an entry on rude finger gestures, but that’s about it. Clearly these people are not working hard enough for their country.)

The point about all this: Wikipedia is often derided as irrelevant and unworthy. Clearly, though, it’s important enough for these people, either officially or unofficially, on their own initiative or at the behest of higher-ups, to rewrite stuff to make themselves or their employer look better.

You might conclude from this that Wikipedia is not reliable as a result. I would argue the opposite: These edits have nearly all been undone by alert Wikipedians, usually very quickly.

(Wikipedia automatically stores all previous versions of a page and keeps a record of all the edits, and the Internet address from where they originate.)

The truth is that Wikipedia has come of age. Wikipedia is now important enough for ExxonMobil, The Church of Scientology, the U.S. Defense Department and the Australian government to spend time and effort trying to get their version of events across. If it was so irrelevant or unreliable, why would these people bother?

Of course, coming of age isn’t always a good thing. A recent conference on Wikipedia in Taiwan highlighted how Wikipedia is no longer an anarchic, free-for-all, but has somehow miraculously produced a golden egg.

It is now a bureaucracy, run by the kind of people who like to post “Don’t … ” notices on pantry walls. I’m not saying this is necessarily a bad thing. We all hate such people until our sandwich goes missing. Then we turn to them — or turn into them.

WikiScanner reveals that it’s probably good that such people take an interest in Wikipedia, because it’s clear that the site is under threat from people who would censor history and whitewash the truth to suit them.

Thanks to Virgil and the Wikipedians, that’s not going to happen anytime soon.

The Jakarta Post – The Journal of Indonesia Today

TRUSTe’s Own Phishing Hole

We all know about phishing websites that look like real banking sites. Usually, to the informed layperson, there’s something in the site to inform the wary that it’s not kosher. But what happens when there’s something in the site that confirms that it is kosher?

First some background: TRUSTe is an independent body whose “services support online business growth by allowing companies to communicate their commitment to privacy, and letting consumers know which businesses they can trust.” A TRUSTe seal on a website allows the user to check whether the website is kosher (and whether it supports privacy and other consumer issues). Nearly 1,500 websites use the service, including 28 Fortune 500 companies. In short, as TRUSTe’s own website puts it: “People trust the familiar TRUSTe seal. They know our sites comply with strict standards of online privacy.”

[A seal from the MSN privacy page http://privacy.msn.com/]

But what if that’s not true? What if someone can fake the TRUSTe seal to make it look like their website is TRUSTe-approved? Andrew Smith of Where’s The Beef has shown that it’s possible, using cross-site scripting, to open up the TRUSTe website to attack, allowing a scammer to use TRUSTe itself as a phishing source (via addict3d.org).

Now, this shouldn’t be confused with the widespread practice of scammers simply putting a TRUSTe seal and link on their phishing page. That might fool some people into thinking the page is legit, but they will stop thinking that if they click on the link, because it will, in most cases, merely take them to the TRUSTe webpage, which verifies nothing. (In fact, the TRUSTe homepage contains a warning about ‘Seal Spoofers’ — “Did you arrive here by clicking on a TRUSTe seal? If so, you might have found a company that is using the TRUSTe seal illegally” — and invites the user to alert TRUSTe to the scam.)

But this vulnerability is different. It allows the phisher to set up an entire page that, to everyone who visits it, looks as if it is a TRUSTe webpage (correct URL address and all) verifying the scammer’s page as legitimate. As Andrew puts it himself: “This could be quite serious because a phisher could use TRUSTe to just plain scam people or convince them that their site is ‘TRUSTe Verified’.”
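The defect behind a page like that is usually a verification page that copies something from the request (a site name, a seal ID) straight into its HTML, so whatever the link carries gets rendered under the verifier’s own address. The following is an added, hypothetical example of that pattern and its fix; it is not TRUSTe’s code, the `site` parameter and the page template are invented, and the injected value is constructed to show markup appearing where only text should.

```python
"""Added example (hypothetical, not TRUSTe's code): a seal-check page that reflects
a request parameter into HTML, beside the escaped version that renders it as text.

Assumptions: query parameter "site" and the page template are invented here.
"""
import html
from urllib.parse import parse_qs, quote

# Invented page template; {site} is where the request value is rendered.
TEMPLATE = "<html><body><h1>Seal check</h1><p>Site: {site}</p></body></html>"

# Constructed request: a "site" value that contains HTML markup rather than a hostname.
CONSTRUCTED_QUERY = "site=" + quote("<b>Verified by seal</b>")


def _site_param(query_string):
    """Extract the 'site' parameter from a query string ('' if absent)."""
    return parse_qs(query_string).get("site", [""])[0]


def render_vulnerable(query_string):
    """Defect: the parameter is copied verbatim, so markup in it becomes part of the page."""
    return TEMPLATE.format(site=_site_param(query_string))


def render_fixed(query_string):
    """Fix: escape the value, so '<', '>', '&' and quotes display as characters, not tags."""
    return TEMPLATE.format(site=html.escape(_site_param(query_string), quote=True))


def reflects_markup(render, query_string):
    """Simple regression check: does the raw '<' from the request survive into the output?"""
    return "<" in _site_param(query_string) and "<b>" in render(query_string)


if __name__ == "__main__":
    print("vulnerable:", render_vulnerable(CONSTRUCTED_QUERY))
    print("fixed:     ", render_fixed(CONSTRUCTED_QUERY))
    print("vulnerable reflects markup:", reflects_markup(render_vulnerable, CONSTRUCTED_QUERY))
    print("fixed reflects markup:     ", reflects_markup(render_fixed, CONSTRUCTED_QUERY))
```

The escaping step is the whole fix: a value that arrives as `<b>Verified by seal</b>` leaves the hardened page as `&lt;b&gt;Verified by seal&lt;/b&gt;`, which the browser displays literally instead of treating as the page’s own markup. A `reflects_markup`-style check belongs in the test suite of any page that echoes request data.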

This is a serious issue, and I’ve asked TRUSTe for comment. I’m guessing they’ll be alarmed. After all, TRUSTe itself is all too familiar with phishing: It recently sponsored a survey on the subject. Its conclusion: Three quarters of consumers are experiencing an increase in spoofing and phishing incidents, and a third receive fake e-mails at least once a week. Total monetary loss in the U.S. to victims: approximately $500 million.

Of course, the holes that Andrew found can be plugged, but that will just be the start. It’s further illustration, if it were needed, that

  • phishing is not just about fake emails. It’s about impersonating authenticity.
  • phishing is a war, not a battle. Scammers will keep probing every defence for a vulnerability, forcing both sides to get increasingly sophisticated.
  • users need to get smarter, because the people supposedly protecting them cannot be relied on to be the smartest people on the block. If you use online banking, you need to be more alert than if you just use the Internet for email and checking the weather.
  • folk like Andrew Smith should be thanked for their work in exposing these flaws. If people like him have spotted them, it’s fair to say the bad guys are not far behind, and companies and banks should recognise this.

Finally, one can’t help but wonder whether verification services like TRUSTe may at some point cause more problems than they solve. If the appearance of an official looking seal on a website lulls the user into a false sense of security, then what good is it?

What Katie.com Did Next

Can someone be turfed off their domain by someone bigger?

The experience of Katie Jones, recent mother and owner of an online chat site in the UK, has been well documented elsewhere. (Katie.com is the name of a book about the ordeal of a teenager sexually molested by a man she met in an Internet chatroom. Katie Jones is nothing to do with the book, but has been the owner of the address katie.com since 1996.) Jones’ latest report on her website suggests that she is being unfairly pressured by the publishers of the book that carries her website’s name to donate the website to them. (It is not entirely clear in the posting as to whether the lawyer who contacted her was working on behalf of the author or the publisher, or both.) Anyway, if true, this does seem to take things too far.

I’m no lawyer, but one can’t help wondering how things would look were the roles reversed. If a big player owned the website address, would there not be large amounts of money changing hands by now? Or at least, would not the publishers have changed the name of the book, rather than trying to browbeat her into handing over the domain name?

For Jones herself, I can well imagine the discomfort caused by receiving hundreds of emails, either from individuals detailing their traumas in the mistaken belief they are talking to a fellow victim, or from folks abusing her. It’s nothing compared to what the Katie of the book endured, but that is not the point. It’s easy enough to say, ‘why don’t you just change your email address and drop the domain name?’ but why should she? Why should an individual be hounded from her sentimental slice of online real estate if she doesn’t want to?

I sought a comment from the lawyer linked to in Ms Jones’ latest posting, Parry Aftab, who is described in her online bio as ‘one of the leading experts, worldwide, on cybercrime, Internet privacy and cyber-abuse issues’ as well as ‘being called “The Angel of the Internet” for her extensive work in Internet safety and cybercrime and abuse prevention around the world’.

Aftab had posted a message to her blog on Thursday saying she was working with Katie Tarbox, the author of the original book, and an organisation called WiredSafety to “help create a place where children who have been victimized by Internet sexual predators can go for help and support”. The program will be called Katie’s Place. A logo of the new, as yet unlaunched, site is prominently displayed at the top of the WiredSafety homepage. Aftab is executive director of WiredSafety, ‘the world’s largest Internet safety, help & education organization’.

Aftab declined to respond in detail to Jones’ account of the telephone conversation or the case, writing: “Katie Jones’ statements are either false or misleading. She obviously has an agenda. And I frankly don’t have the time or energy to be part of it.”