Iranian government may be behind hack of Dutch security firm

The cyberattack, which affected hundreds of thousands of users in Iran, may have been meant to allow the Iranian government to eavesdrop on its citizens via Google, Yahoo, Facebook, and other sites.

Exterior view of the building housing Internet security firm DigiNotar in Beverwijk, north-western Netherlands, Tuesday Sept. 6. Dutch prosecutors say they are investigating DigiNotar for possible criminal negligence after it was slow to disclose a hacking incident that compromised dozens of websites and likely helped the Iranian government spy on dissidents for a month.

Peter Dejong/AP

September 6, 2011

• A daily summary of global reports on security issues.

A hacker's breach of a Dutch online security firm may have allowed the Iranian government to monitor hundreds of thousands of its citizens' e-mail accounts.

According to a statement from the Dutch government on Monday, a hacker broke into Dutch company DigiNotar, which provides security certificates to authenticate websites as safe for Internet users. The hacker then created hundreds of fraudulent certificates for Google, Yahoo, Facebook, and other major communication sites, as well as for the websites of the CIA, MI6, and Mossad.

With the fake certificates, the hacker could eavesdrop on Internet users' communications with these sites by rerouting their traffic through falsely authorized network paths while appearing to be secure.

According to an audit performed for the government by Dutch company Fox-IT, the fake Google certificate was used 300,000 times between Aug. 4 and Aug. 29, almost all of that usage coming from Iran. Al Jazeera writes that technology experts say the evidence suggests that the hackers were working with the Iranian government.

"The list of domains and the fact that 99 per cent of the users are in Iran suggest that the objective of the hackers is to intercept private communications in Iran," it concluded.

Roel Schouwenberg of Internet security firm Kaspersky said, "a government operation is the most plausible scenario."

An Iranian hacker claimed responsibility Monday for the DigiNotar breach, reports PC World. "Comodohacker" wrote on Pastebin.com that he attacked DigiNotar to punish the Dutch government, apparently for what he sees as its failure to prevent the death of 8,000 Muslims in Srebrenica during the Bosnian War in 1995.

Comodohacker, who describes himself as a 21-year-old Iranian student, had claimed he was behind an attack earlier this year on another certificate authority, Comodo. Mikko Hypponen of security vendor F-Secure says that it appears likely that Comodohacker was behind both attacks.

Technology news site The Register reports that the hack, which investigators are calling Operation Black Tulip, appeared to be a result of "DigiNotar's shocking ineptness in securing its system, compounded with its failure to come clean on its problems in a timely fashion."

The audit reveals a catalogue of security shortcomings at the small and previously obscure Dutch certificate authority that allowed the hack to take place. DigiNotar's servers were running out-of-date software. Its network was poorly segmented, so problems if they arose would not be contained. Passwords in play at the time of the hack might easily have been guessed via brute-force attack. In addition, there was no secure logging and an absence of any server-side anti-virus protection.

In response to the attack, the Dutch government revoked all of DigiNotar's certificates, which it had been using for Dutch citizens' online tax filings, and are in the midst of finding an alternative certificate authority. The New York Times notes that the Dutch government is expanding its probe to determine if any of its citizens' private data was compromised.

Mr. Schouwenberg of Kaspersky writes on his blog that while the DigiNotar hack may not be as complex as the Stuxnet attack on Iran's nuclear network, its consequences "will far outweigh those of Stuxnet." In particular, he says that the attack has caused "quite significant" damage to the Dutch government's IT infrastructure, and will "put cyberwar on or near the top of the political agenda of Western governments."

He also adds that the attack will likely drive DigiNotar out of business, and will put pressure on certificate authorities to quickly go public with any future security breaches.

The Amsterdam-based group Arseh Sevom, founded in 2010 to promote civil society in Iran, suggests that the current Internet security regime needs an overhaul. It compares a security certificate from a firm like DigiNotar as a lone guard who can be "bribed, compromised, blackmailed, circumvented, or asleep on the job."

Indeed, the Electronic Frontier Foundation says the system leaves too many Internet users vulnerable in today's world.

The certificate authority system was created decades ago in an era when the biggest on-line security concern was thought to be protecting users from having their credit card numbers intercepted by petty criminals. Today Internet users rely on this system to protect their privacy against nation-states. We doubt it can bear this burden.

But while Google was one of the main sites compromised, it also ultimately provided the clue that alerted others that DigiNotar had been hacked, EFF reports. That's because as of May this year, Google introduced a new feature in its Chrome browser that would override false certificates. An Iranian using Chrome discovered the hack when the browser warned the user of the fraudulent certificate.

Google hard-coded the fingerprints for its own sites’ encryption keys into Chrome, and told the browser to simply ignore contrary information from certificate authorities. That meant that even if an attacker got a hold of a fake certificate for a Google site – as this attacker did – newer versions of the Chrome browser would not be fooled.