Tag Archives: Internet traffic

DigiNotar Breach Notes

Some folk have asked me for more details about the DigiNotar breach after my brief appearance on Al Jazeera this morning. So here are the notes I prepared for the segment. Links at the bottom.

Background

web security certificates are digital IDs issued by companies entrusted with making sure they are given to the right company or organisation. It allows a user to set up a secure connection between their computer and the organisation’s website. Browsers will show a little lock or some other icon to signify the certificate has been found and is trusted.

Hackers broke into a Dutch company called DigiNotar, itself owned by US firm Vasco Data Security, in mid June. DigiNotar is one of hundreds of companies around the globe called certificate authorities that issue these authentication certificates. Browsers contain a list of which CAs they can trust.

These hackers would have been able to steal existing certificates or generate their own, meaning they could now, with the help of an Internet Service Provider, launch what are called Man in the Middle Attacks–meaning they could intercept traffic, a bit like tapping a telephone.

DigiNotar noticed that something was amiss in July, but didn’t realise the extent of the breach until late August, by which time more than 500 (531) fake certificates were issued. While some cover domains like the CIA and MI6, these are probably just distractions. The key ones are a dozen issued for domains like Google, Facebook and Skype.

Why do we think this was about Iran?

Studies of the validation requests–browsers pinging DigiNotar to confirm the certificate’s authenticity–showed that during August the bulk–maybe 99%–of the traffic was coming from Iran. When the certificates were eventually revoked, Iranian activity dropped.

Moreover the attackers left some quite obvious clues. They left calling cards: transcribed Farsi which translates into slogans such as  ”I will sacrifice my life for my leader.” “unknown soldier”

Why might Iran be interested?

Well, we now know that a lot of countries like Syria intercept ordinary Internet traffic through something called Deep Packet Inspection. This means that the government is basically snooping on web traffic. But when that traffic passes through these secure connections, it’s much harder. So the holy grail of any internet surveillance is to get a hold  of those certificates, or work around them. This is a brazen attempt to do this.

All Internet traffic in Iran has to go through a government proxy, making this kind of attack much simpler. The government ISP just uses the certificate to pretend to be Google, or whatever, and then passes the traffic on.

Is it the government?

This is harder to confirm. The Dutch government is investigating this. A similar attack took place against an Italian CA in March, and it shows similar fingerprints.

But the fact that the certificates were stolen and then used seems to suggest some official connection.

What could they have discovered?

Quite a lot. All the traffic that was intercepted could be deciphered.. meaning all browsing and emails. But it also may have captured cookies, meaning passwords, which would have made it easy to hack into target accounts and sniff around old emails, dig out other passwords, or hack into associated accounts, such as Google Docs.

Moreover, some of the certificates compromise something called The Onion Router, a service which anonymizes web traffic. Though TOR itself wasn’t compromised the certificates could convince your browser you were talking to TOR, whereas in fact you’d be talking to the attacker.

Should other people be worried?

Yes, Some browser developers have been more forthcoming than others; Google Chrome and Firefox have been quick to respond. Others less so. If you’re in Iran or think you may be targetted, it’s a good idea to change your password, and to check that no one has altered your forwarding details in your email account. You should also upgrade your browser to the latest version, whatever browser you use.

DigiNotar made some horrible mistakes: one Windows domain for all certificate servers, no antivirus, a simple administrator password. There were defaced pages on the website dating back to 2009. One has to wonder what other certificate authorities are similarly compromised. We rely on these companies to know what they’re doing. They’re the top of the food chain, in the words of one analyst.

We should now be looking closely at the previous breaches and looking for others. This is a ratcheting up of the stakes in a cyberwar; this kind of thing has real world impact on those people who thought they were communicating safely and will now fear the knock on their door.

In the future this is likely to lead to a change in the way certificates are issued and checked. I don’t think DigiNotar is going to survive this, but I think a bigger issue is bound to be how this security issue is handled. I think governments which look to the Internet as a tool for democratic change need also to be aware of just how dangerous it is to encourage dissidents to communicate online, whether or not they’re being careful.

News:

BBC News – Fake DigiNotar web certificate risk to Iranians

DigiNotar – Wikipedia, the free encyclopedia

Fake DigiNotar certificates targeting Iranians?

Expert reports/analysis:

DigiNotar Hacked by Black.Spook and Iranian Hackers – F-Secure Weblog : News from the Lab

Operation Black Tulip: Fox-IT’s report on the DigiNotar breach | Naked Security (Sophos)

Fox-IT report, operation Black Tulip (PDF)

VASCO:

Acquisition DigiNotar

VASCO DigiNotar Statement

Comodogate:

Comodo Group – Wikipedia, the free encyclopediaackground

web security certificates are digital IDs issued by companies entrusted with making sure they are given to the right company or organisation. It allows a user to set up a secure connection between their computer and the organisation’s website. Browsers will show a little lock or some other icon to signify the certificate has been found and is trusted.

 

Hackers broke into a Dutch company called DigiNotar, itself owned by US firm Vasco Data Security, in mid June. DigiNotar is one of hundreds of companies around the globe called certificate authorities that issue these authentication certificates. Browsers contain a list of which CAs they can trust.

 

These hackers would have been able to steal existing certificates or generate their own, meaning they could now, with the help of an Internet Service Provider, launch what are called Man in the Middle Attacks–meaning they could intercept traffic, a bit like tapping a telephone.

 

DigiNotar noticed that something was amiss in July, but didn’t realise the extent of the breach until late August, by which time more than 500 (531) fake certificates were issued. While some cover domains like the CIA and MI6, these are probably just distractions. The key ones are a dozen issued for domains like Google, Facebook and Skype.

 

Why do we think this was about Iran?

 

Studies of the validation requests–browsers pinging DigiNotar to confirm the certificate’s authenticity–showed that during August the bulk–maybe 99%–of the traffic was coming from Iran. When the certificates were eventually revoked, Iranian activity dropped.

 

Moreover the attackers left some quite obvious clues. They left calling cards: transcribed Farsi which translates into slogans such as  “I will sacrifice my life for my leader.” “unknown soldier”

 

Why might Iran be interested?

Well, we now know that a lot of countries like Syria intercept ordinary Internet traffic through something called Deep Packet Inspection. This means that the government is basically snooping on web traffic. But when that traffic passes through these secure connections, it’s much harder. So the holy grail of any internet surveillance is to get a hold  of those certificates, or work around them. This is a brazen attempt to do this.

 

All Internet traffic in Iran has to go through a government proxy, making this kind of attack much simpler. The government ISP just uses the certificate to pretend to be Google, or whatever, and then passes the traffic on.

 

Is it the government?

This is harder to confirm. The Dutch government is investigating this. A similar attack took place against an Italian CA in March, and it shows similar fingerprints.

 

What could they have discovered?

Quite a lot. All the traffic that was intercepted could be deciphered.. meaning all browsing and emails. But it also may have captured cookies, meaning passwords, which would have made it easy to hack into target accounts and sniff around old emails, dig out other passwords, or hack into associated accounts, such as Google Docs.

 

Moreover, some of the certificates compromise something called The Onion Router, a service which anonymizes web traffic. Though TOR itself wasn’t compromised the certificates could convince your browser you were talking to TOR, whereas in fact you’d be talking to the attacker.

 

Should other people be worried?

Yes, Some browser developers have been more forthcoming than others; Google Chrome and Firefox have been quick to respond. Others less so. If you’re in Iran or think you may be targetted, it’s a good idea to change your password, and to check that no one has altered your forwarding details in your email account. You should also upgrade your browser to the latest version, whatever browser you use.

 

DigiNotar made some horrible mistakes: one Windows domain for all certificate servers, no antivirus, a simple administrator password. There were defaced pages on the website dating back to 2009. One has to wonder what other certificate authorities are similarly compromised. We rely on these companies to know what they’re doing. They’re the top of the food chain, in the words of one analyst.

 

We should now be looking closely at the previous breaches and looking for others. This is a ratcheting up of the stakes in a cyberwar; this kind of thing has real world impact on those people who thought they were communicating safely and will now fear the knock on their door.

 

In the future this is likely to lead to a change in the way certificates are issued and checked. I don’t think DigiNotar is going to survive this, but I think a bigger issue is bound to be how this security issue is handled. I think governments which look to the Internet as a tool for democratic change need also to be aware of just how dangerous it is to encourage dissidents to communicate online, whether or not they’re being careful.

Why Hasn’t China Cracked Down on Its Rainmen?

Another mainstream media look at the alleged “Titan Rain” cyberwar strategy of the Chinese, where organised, highly disciplined and experienced gangs ferret around in Western computers. This one is from today’s Guardian Unlimited — Smash and grab, the hi-tech way:

Sources involved in tracking down the gang say the Chinese group is just one of a number of organised groups around the world that are involved in a hi-tech crime wave, some working for governments, others highly organised criminal gangs. “We have seen three attacks a day from this group in the past week and there are a lot of other groups out there,” said the source. “You could say that the iceberg is now in view.”

That said, it seems clear that this kind of thing has some government sanction:

Privately, UK civil servants familiar with NISCC’s investigation agree that the attacks on the UK and US are coming from China. This almost certainly means some state sanction or involvement – perhaps even a “shopping list” of requirements. Some of the attacks have been aimed at parts of the UK government dealing with human rights issues – “a very odd target”, according to one UK security source.

The point is that Internet activity is heavily circumscribed in China:

There is another, more compelling reason. “Hacking in China carries the death penalty,” says Professor Neil Barrett, of the Royal Military College at Shrivenham. “You also have to sign on with the police if you want to use the internet. And then there is the Great Firewall of China, which lets very little through – and lets [the Chinese government] know exactly what is happening.” The internet traffic to the UK, and its origin, would all be visible to the Chinese government. Finding the culprits would, in theory, be a simple process.

So why are they still out there, and why can we narrow down their workplace to a single province?

The Price of Worms

How damaging are worms?

Very, says Sandvine Inc, a Canada based Internet security company. It says that the main damage is on ISPs who lose bandwidth to them, and face daily Denial of Service attacks. “In fact,” Sandvine says in one new report (PDF, registration required), ”Internet worms and the malicious, malformed data traffic they generate are wreaking havoc on European service provider networks of all sizes, degrading the broadband experience for residential subscribers and imposing hundreds of millions in unplanned hard costs directly related to thwarting attacks.”

Worms, Sandvine says, consume “massive amounts of bandwidth as they replicate. And depending on the number of vulnerable hosts in a given network environment, a worm can create hundreds of thousands of copies of itself in a matter of hours.” The company’s research shows that between 2 and 12% of all Internet traffic is malicious. Even on a well-run ISP network, that figure is about 5%. And if that doesn’t sound very much, consider the warped effect worms have on processor power, when they propagate and probe for weak spots.

All this means that residential subscribers are going to feel the hurt, partly because it’s their Internet connections that are being targeted by worms, and partly because their connections are going to slow down with all this extra traffic, Sandvine warns. Then of course there are infections: The dirty secret of worm infections is that if you’ve got one, the only sure way to get rid of it is to reinstall everything.

For now, ISPs keep quiet about these things; they don’t want to scare off subscribers, and they don’t want the bad guys to get any fresh ideas about their vulnerabilities. But it seems to me that worms and bots are a topic that needs to be researched, reported and resolved more than it is.

 

Viruses And The Russian Connection

As feared, MyDoom seems to come from Russia. Or does it?

The Moscow Times quotes Kaspersky Labs as saying they used location-sensing software to trace the first e-mails infected with MyDoom back to addresses with Russian Internet providers. “It’s scary, but most serious viruses are written in Russia,” said Denis Zenkov, spokesman for Kaspersky, the country’s largest anti-virus software company.

This is not the first. Russians have long been virus writers. Dumaru, Mimail and Stawin may have Russian origins.

But what has changed in the last year or so, it seems, is the commercialisation of Russian virus writing. These viruses are no longer the product of idle, alienated, out-of-work minds, but of folk working for professional spammers and scammers. Another Kaspersky expert, Alexander Gostiyev, is quoted by AFP as saying the creators of MyDoom were not aiming to disrupt Internet traffic but to use infected computers to distribute unsolicited junk mail. The attack “was very well planned and prepared, perhaps for several months, and at least 1,000 computers were infected in advance,” Gostiyev said. “The virus could be of use above all to criminal groups seeking to distribute spam,” he added.

Spam, however, may be the least of it. There’s not much money to be made from spam, whereas there is from theft. Stawin, for example, records keystrokes when infected victims access their bank accounts, and sends the results to a Russian email address. British police are investigating the possibility that a wave of extortion attempts against gambling sites may come from Russia or Eastern Europe, according to Reuters. These attacks are related to the Superbowl: Those who don’t pay up are brought down by massive traffic, called a Distributed Denial of Service attack, or DDOS. A site dedicated to online betting has recorded at least 20 sports betting sites appeared to have been brought down over the weekend. With all the work that went into something like MyDoom, I can’t believe it’s only spam the creators are after.

Of course, this could all be a feint.

Agence France Presse quotes Kaspersky as saying “there is a still a 20-percent chance that this was an attempt to mislead. Virus programmers from other countries could have registered an email address in Russia” as a ruse. And it’s not entirely clear what Kaspersky means by ‘location sensing software’. This could mean more or less anything, and, as some folk have pointed out, the fact that Kaspersky is based in Russia makes it likely they will receive copies of the virus from Russian email addresses.

And it still leaves us with the fact that the virus was in part tooled to launch an attack on the website SCO, a company that has riled the Open Source community by claiming copyright over parts of the Linux operating system. The virus was designed to launch an attack on their website starting February 1: The website is presently down, apparently overwhelmed by traffic.

One final thing: There seems to be some confusion between the first and second MyDoom virus: Variations often follow when folk get inspired by the success of a virus, but that doesn’t mean the same guy, or guys, wrote both viruses. The presence of a note in English inside the second version of the virus, — sync-1.01; andy; I’m just doing my job, nothing personal, sorry — appears to have confused some folk. The source, and purpose, of the first MyDoom remains a mystery.