Monday, September 5, 2011

Fake certificate risk to Iranians

Fresh evidence has emerged that stolen web security certificates may have been used to spy on people in Iran.

Analysis by Trend Micro suggests a spike in the number of compromised DigiNotar certificates being issued to the Islamic Republic.

It is believed the digital IDs were being used to trick computers into thinking they were directly accessing sites such as Google.

In reality, someone else may have been monitoring the communications.

Hundreds of bogus certificates are thought to have been generated following a hack on Netherlands-based DigiNotar.

The company is owned by US firm Vasco Data Security.

Web passport

Authentication certificates are used by many websites to give their users secure access.

Typically these take the form of a TLS or SSL connection - which can be identified by the appearance of a padlock logo and "https" prefix.

Together, they are supposed to guarantee that the site is what it appears to be, and that the user's session is not being monitored.

Hundreds of bodies - known as certificate authorities (CAs) - are allowed to provide such authentication.

Web browsers, such as Safari, Chrome, Firefox and Internet Explorer have a built-in list of which CAs they can trust.

However, if a third party were able to steal a CA's signing keys or have certificates issued in its name, they may be able to launch a "man-in-the-middle" attack, similar to tapping a phone line.

The presence of an apparently genuine certificate means browser security would be unlikely to detect the surveillance.

Issued and revoked

On 19 July, Dutch CA DigiNotar detected an unauthorised intrusion into its systems.

The company immediately revoked a number of bogus certificates that had been created as a result.

It emerged later that some were missed, and other new ones generated, after the initial attack.

Unconfirmed information published online suggested that more than 500 false DigiNotar certificates exist.

Among the domains listed are Google, Facebook, Twitter and Skype.

At the same time, it was noticed that a sizeable portion of the Dutch company's certificates were mysteriously going to users in Iran.

By August, 76.5% of DigiNotar validations were in the Netherlands, 18.7% in Iran and 4.8% elsewhere in the world, according to security firm Trend Micro.

Iranian activity dropped off after the certificates were revoked.

DigiNotar eventually went public about the intrusion on 30 August, at which time most web browsers stopped recognising DigiNotar certificates altogether.

Soft target

There are many reasons why Iran may have been targeted using the bogus certificates, according to security experts.

The republic's tight controls on dissent mean that monitoring web traffic could yield useful information.

Iran's internet setup also makes some types of interception easier, according to Rik Ferguson, Trend Micro's director of security research and communications.

"All the internet traffic has to go through an Iranian government proxy before it goes out to the final destination.

"If you want to spy on normal HTTP traffic, that is not a problem - you get to see all the outbound requests and all the inbound responses," he explained.

For secure websites, attempts to intercept would ring alarm bells with the web browser and therefore the user.

One option is to make the Iranian national proxy server look like it is the target website - using a fake DigiNotar certificate.

The proxy then relays information to and from the real website, e.g. Google.com, but there is no indication that the secure chain has been broken.
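To show concretely what the "Web passport" and "Soft target" sections describe, here is an added Go example (not code from the article or from DigiNotar) that builds the situation with constructed certificates: two roots in a browser-style trust store, one of them breached and issuing a certificate for a hostname it never served. Ordinary chain validation accepts the bogus certificate because any trusted CA can vouch for any name; a public-key pin taken from the genuine certificate (a check that goes beyond what the article covers) distinguishes it; and removing the breached root from the store, as browsers did on 30 August, rejects it. The CA names, the hostname www.example.com and all keys are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue returns a certificate for name signed by parent, or a self-signed root when parent is nil.
func issue(name string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), IsCA: isCA, BasicConstraintsValid: true}
	if !isCA {
		tmpl.DNSNames = []string{name} // the hostname a browser matches against the URL it is visiting
	}
	if parent == nil {
		parent, parentKey = tmpl, key // self-signed root
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// spkiPin hashes the certificate's public key: what a pinning browser remembers for a site, regardless of issuer.
func spkiPin(c *x509.Certificate) [32]byte { return sha256.Sum256(c.RawSubjectPublicKeyInfo) }

// Demo is a constructed scenario: two trusted roots, one breached and mis-issuing for a site it never served.
// It reports whether the rogue cert passes chain validation, matches the genuine pin, and survives distrust.
func Demo() (rogueChainOK, roguePinMatches, rogueOKAfterDistrust bool) {
	const host = "www.example.com"
	genuineCA, genuineKey := issue("Genuine Root CA", true, nil, nil)
	rogueCA, rogueKey := issue("Breached Root CA", true, nil, nil)
	genuineLeaf, _ := issue(host, false, genuineCA, genuineKey)
	rogueLeaf, _ := issue(host, false, rogueCA, rogueKey) // created after the breach, for a site the CA never served
	trusted, afterDistrust := x509.NewCertPool(), x509.NewCertPool()
	trusted.AddCert(genuineCA) // the browser's built-in list while both roots are still trusted
	trusted.AddCert(rogueCA)
	afterDistrust.AddCert(genuineCA) // what browsers did on 30 August: the breached root is dropped
	_, errTrusted := rogueLeaf.Verify(x509.VerifyOptions{Roots: trusted, DNSName: host}) // any trusted CA can vouch for any name
	_, errAfter := rogueLeaf.Verify(x509.VerifyOptions{Roots: afterDistrust, DNSName: host})
	return errTrusted == nil, spkiPin(rogueLeaf) == spkiPin(genuineLeaf), errAfter == nil
}
```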

Government involvement?

While much online debate has centred on the role of the Iranian authorities, there is no firm evidence to support such a theory.

However, a spokesman for the Dutch Interior Ministry, Vincent van Steen, told the Netherlands-based ANP news agency that the cabinet was looking into claims of Iranian government involvement.

Iran has previously been on the receiving end of cyber attacks, including the elaborate Stuxnet conspiracy which enabled a computer worm to take control of machinery in a uranium enrichment plant.

The DigiNotar incident has also raised broader concerns about the security of the global certificate authorisation system.

"The more there are, the more opportunities there are to attack the system," said Paul Mutton, a security analyst from Netcraft.

"Whenever there is a certificate authority that is trusted by all the mainstream web browsers, if someone was to compromise them it is just as bad as compromising the largest CA."

Alternatives to the current system have been suggested, including one by former hacker Moxie Marlinspike, known as Convergence, which verifies site authenticity by checking with multiple online "notaries".



Powered By WizardRSS.com | Full Text RSS Feed | Amazon Plugin | Settlement Statement | WordPress Tutorials

Hackers carry out website hijacks

Visitors to the websites of Vodafone, the Daily Telegraph, UPS and four others were re-directed to a site set up by Turkish hackers on Sunday night.

The divert was the result of the group's attack on computers that hold web address information.

The sites' real domain names were deliberately made to resolve to the IP address of the hackers' site.

No data from the seven victims was lost or compromised as a result of the attack.

The hacking group, called Turkguvenligi, targeted the net's Domain Name System (DNS).

This acts as an address book for the web and turns the names that people use (e.g. bbc.co.uk) into IP address numbers that computers understand (e.g. 212.58.246.90).

DNS is consulted by a person's web browser when they want to visit a particular site.

In its attack, the Turkguvenligi group changed the records relating to seven sites in DNS databases run by NetNames and Ascio - two subsidiaries of domain name management firm Group NBT.

In an interview with The Guardian, Turkguvenligi revealed that it got access to the files using a well-established attack method known as SQL injection.

It said it had targeted the sites and found that attacking their DNS records was the easiest way to achieve its ends.

"The hardest one is reaching the domain company but if you can succeed there will be a treasure for you," Turkguvenligi told The Guardian.

According to Zone-H, which logs website defacements and hack attacks, Turkguvenligi has carried out 186 defacements since late 2008.

In an attack of this kind, the targeted sites' own servers are not touched at all. The only impact is on visitors, who are redirected to a site they were not expecting.

A statement by The Register about the attack suggests the re-direct was active for about three hours.

Writing on the blog of security company Sophos, Graham Cluley said: "We have to be grateful that the message displayed appears to be graffiti, rather than an attempt to phish information from users or install malware."

When contacted by the BBC, a spokesperson for Group NBT said it would release an official statement soon.


Samsung's Galaxy pulled from show

Samsung Electronics will not promote its new tablet computer at one of the world's largest electronics shows after sales of the product were blocked in Germany.

The new Galaxy Tab 7.7 was pulled out of the IFA electronics fair in Berlin.

On Friday a Dusseldorf court granted a request from Apple to ban Samsung from selling the product in Germany.

The two rivals are locked in a global patent war over their smartphone and tablet products.

The new court injunction comes after a temporary ban on sales in Germany of another Samsung product - the Galaxy Tab 10.1 - by the court in August.

Ongoing battle

Apple claims that South Korea's Samsung has infringed on its patents with the Galaxy line of smartphones and tablet computers.

It argues Samsung copied the design, look and feel of Apple's popular iPhone and iPad devices.

Samsung has counter-sued Apple, saying it infringed on Samsung's wireless patents.

The two companies have been fighting legal battles in the US, Europe, South Korea and Australia since April.

In Australia, Samsung has already been forced to delay the introduction of the Galaxy Tab 10.1 twice.

Galaxy Tab

Samsung was planning on displaying its Galaxy Tab 7.7, as well as other new devices, at this year's IFA.

The electronics fair is one of the most important showcases for companies looking to attract European consumers.

However, the injunction means it will miss out on the opportunity.

"The product is not on sale yet, but we've decided to respect the court order," said Samsung spokesman James Chung.
