- The notes posted by the DigiNotar hacker make him sound like a flake and a braggart, hardly the kind of postings you’d expect from the Iranian secret police. Maybe this is misdirection, or maybe he pulled off the exploit and then handed over his loot to the Iranian government, voluntarily or involuntarily. But the implementation of the man-in-the-middle attack was so quick and so smooth that it looks to me as though the hacker was working with the government from the start.
- The same hacker who compromised DigiNotar claims to have carried out attacks on Comodo and GlobalSign, two other certification authorities. Both companies acknowledge that they were hacked, although GlobalSign is not admitting that its signing keys were compromised. Again, compromising certification authorities is a great idea if you're in the business of man-in-the-middle attacks; otherwise it has mostly nihilistic look-at-me-trashing-your-infrastructure appeal, which might make you wonder why this hacker has specialized in such attacks if he doesn't work for the government.
- If this were an Iranian government op, the websites for which fake credentials were issued should be an Iranian government wish list: all the places where it most wants to sit between the site and Iranian users. If so, the point of the fake CIA certificate wasn't to help hackers break into the CIA's network. The point was to impersonate the CIA online, to lure dissidents into setting up an apparently secure communications channel with a foreign intelligence service. Iranian government paranoia about the CIA's influence is so profound it's almost flattering, and the Iranian government probably is kidding itself that the election protests were the result of foreign meddling, not the government's unpopularity.
- In fact, the domains whose credentials were falsified do seem to be a kind of museum of Iranian government paranoia. Along with Google, Microsoft, and the CIA, the hacker made fake credentials for Mossad, MI6, Facebook, Skype, WordPress, Twitter, azadegi.com (an Iranian dissident site in Persian), Walla.co.il (a site in Hebrew), torproject.org, and Yahoo, along with others. The full list is here. In some ways, it’s an honor roll.
- It’s also a tell — more evidence that the attack on DigiNotar was government sponsored. After all, if the DigiNotar hacker was really acting on his own, without government guidance, how did he manage to create so many certificates that would have so much value for an Iranian government man-in-the-middle attack?
- If this is cyberwar, it's an Iranian government war against its own people. And a very dangerous one. The flood of revocation checks (OCSP requests to DigiNotar's responder, asking whether the rogue certificates were still valid) coming from Iran continued all through August, meaning that anyone in that country who logged on to Gmail or Hotmail or the other honor-roll sites has probably lost control of everything: not just emails they sent in August but their passwords, their stored emails, their stored files, anything that could be reached with the passwords and session cookies the man in the middle captured in August.
- As a result, DigiNotar's security breakdown could foretell a new human rights disaster, with hundreds of thousands of victims. And, since the responder logs record the IP addresses that checked DigiNotar's certificates, many victims could probably be identified individually, at least down to a connection or household; shared and dynamically assigned addresses make the mapping from IP address to person imperfect, but for a government that controls the ISPs that is not much of an obstacle.
- Which raises this question: We know from the online revocation checks that three hundred thousand Iranian users were fooled into using fake DigiNotar certificates for Google. The same information should be available for Microsoft, Facebook, and every other fake certificate that was issued by the hacker. Those numbers are the big story, and I don’t understand why reporters have dropped the ball on it, unless they don’t appreciate its significance.
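The counting exercise the last three items describe, as an added example (not code from the post, and not DigiNotar's or Fox-IT's analysis): parse an OCSP responder access log, keep only the lookups that were answered "good" (the client went ahead and trusted the rogue certificate), and count distinct client IPs per certificate and per country. The log line format, the serial numbers, the serial-to-subject table and the prefix-to-country table are all constructed for the example; a real analysis would use the responder's actual log format and a GeoIP database.

```python
"""Count distinct client IPs that asked an OCSP responder about each
rogue certificate, attributed to a country by network prefix.

Added example; the log format, serials and prefix table are constructed.
"""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed responder log lines: "<time> <client ip> serial=<hex> status=<good|revoked>"
SAMPLE_LOG = """\
2011-08-04T10:01:02Z 203.0.113.7 serial=05e2afab400ef5e5 status=good
2011-08-04T10:01:05Z 203.0.113.7 serial=05e2afab400ef5e5 status=good
2011-08-04T10:02:11Z 203.0.113.44 serial=05e2afab400ef5e5 status=good
2011-08-04T10:03:50Z 198.51.100.9 serial=05e2afab400ef5e5 status=good
2011-08-04T10:04:01Z 203.0.113.44 serial=1a2b3c4d5e6f7081 status=good
2011-08-29T08:15:00Z 203.0.113.200 serial=05e2afab400ef5e5 status=revoked
garbage line that should be skipped
"""

# Hypothetical prefix-to-country table (documentation ranges, not real Iranian space).
PREFIX_COUNTRY = {
    ip_network("203.0.113.0/24"): "IR",
    ip_network("198.51.100.0/24"): "NL",
}

# Hypothetical mapping of rogue serial numbers to the name on the certificate.
SERIAL_SUBJECT = {
    "05e2afab400ef5e5": "*.google.com",
    "1a2b3c4d5e6f7081": "login.live.com",
}

LINE_RE = re.compile(r"^(\S+) (\S+) serial=([0-9a-f]+) status=(good|revoked)$")


def parse_log(text):
    """Yield (timestamp, ip, serial, status) tuples; silently skip malformed lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(1), ip_address(m.group(2)), m.group(3), m.group(4)


def country_of(ip):
    """Longest-prefix lookup in the (tiny, constructed) prefix table."""
    best = None
    for net, cc in PREFIX_COUNTRY.items():
        if ip in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, cc)
    return best[1] if best else "??"


def victims_per_cert(text):
    """Return {serial: {country: set(ips)}} for lookups answered 'good'.

    A 'good' answer tells the client to proceed, so the client was in the
    middle of a MITM session at that moment. Once the serial is revoked the
    check fails and the attack no longer succeeds silently, so those lines
    are not counted as victims.
    """
    seen = defaultdict(lambda: defaultdict(set))
    for _ts, ip, serial, status in parse_log(text):
        if status == "good":
            seen[serial][country_of(ip)].add(ip)
    return seen


def summarize(text):
    """Return {subject: {country: number of distinct client IPs}}."""
    out = {}
    for serial, by_cc in victims_per_cert(text).items():
        subject = SERIAL_SUBJECT.get(serial, serial)
        out[subject] = {cc: len(ips) for cc, ips in by_cc.items()}
    return out


if __name__ == "__main__":
    for subject, counts in summarize(SAMPLE_LOG).items():
        print(f"{subject}: {counts}")
```

Distinct IPs are a proxy, not a head count: one address behind a campus or ISP NAT hides many users, and a user on a dynamic address shows up more than once. The counts are also a floor for a different reason, which is why the revocation status matters in the filter: clients that never performed an OCSP check (some browsers of the time did not, and a man in the middle can simply block the responder) were still attacked but never appear in the log.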
- Mozilla has done a particularly good job of dealing with this issue, communicating more details earlier than most browser companies. Most recently, it called on the certification authorities it bakes into its browser to audit their security, and to automatically block certificate requests for high-value names, such as Google or Facebook, that are most likely to inspire man-in-the-middle attacks and least likely to change certificate authorities on short notice. In contrast, Apple handled the whole affair pretty badly, taking days longer than the other big browsers to announce that it was revoking DigiNotar's credentials.
- Iranian dissidents probably could protect themselves from these attacks by installing a browser extension called CertPatrol, which warns you if a site you've visited before has suddenly changed its certificate authority. CertPatrol likely would have told all those Gmail users that, instead of going to a "Google" site vouched for by Google's usual certificate authority, they were going to a "Google" site that DigiNotar vouched for. It cannot help on the very first visit, when there is nothing to compare against, but for a site visited daily that first visit is long past. They could also protect their Google account against later reuse of a captured password by turning on Google's two-step verification, which won't let you log on from a computer it doesn't recognize until you've typed in a separate code sent directly to your phone; it does not stop an active man in the middle from reading the session it is already sitting inside.
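The trust-on-first-use check that the CertPatrol paragraph describes, as an added example (not CertPatrol's code): remember which CA vouched for each host the first time it is seen, treat a new certificate from the same CA as routine renewal, and raise a warning when a different CA suddenly vouches for a host you already know. The "certificates" here are constructed (host, issuer, DER bytes) tuples and the issuer names are placeholders; a real extension would read the issuer from the actual certificate chain and persist the pins across browser sessions.

```python
"""Trust-on-first-use pinning of a site's certificate issuer.

Added example in the spirit of what the post says CertPatrol does; the
certificate observations below are constructed, not real certificates.
"""
import hashlib

FIRST_USE = "first-use"          # never seen this host: remember it, nothing to compare
UNCHANGED = "unchanged"          # identical certificate to last time
ROTATED = "rotated"              # new certificate, same CA: looks like routine renewal
ISSUER_CHANGED = "issuer-changed"  # a different CA now vouches for a known host: warn


class IssuerPinStore:
    """host -> {"issuer": issuer name, "fingerprint": sha256 of the DER cert}."""

    def __init__(self):
        self._pins = {}

    @staticmethod
    def fingerprint(der: bytes) -> str:
        return hashlib.sha256(der).hexdigest()

    def observe(self, host: str, issuer: str, der: bytes) -> str:
        """Record one TLS connection and return a verdict string."""
        fp = self.fingerprint(der)
        prev = self._pins.get(host)
        if prev is None:
            # TOFU's blind spot: a MITM present on the first visit is pinned as genuine.
            self._pins[host] = {"issuer": issuer, "fingerprint": fp}
            return FIRST_USE
        if prev["fingerprint"] == fp:
            return UNCHANGED
        if prev["issuer"] == issuer:
            prev["fingerprint"] = fp
            return ROTATED
        # Do not update the pin: the user has to accept the new issuer explicitly.
        return ISSUER_CHANGED

    def accept(self, host: str, issuer: str, der: bytes) -> None:
        """Explicitly re-pin a host after the user has reviewed an issuer change."""
        self._pins[host] = {"issuer": issuer, "fingerprint": self.fingerprint(der)}


def audit(observations):
    """Run a sequence of (host, issuer, der) through a fresh store; return verdicts."""
    store = IssuerPinStore()
    return [(host, store.observe(host, issuer, der)) for host, issuer, der in observations]


# Constructed browsing history: a legitimate CA (placeholder name) vouches for
# Gmail on earlier visits; then a certificate from a different CA appears.
SAMPLE_OBSERVATIONS = [
    ("mail.google.com", "Legit CA A", b"constructed-cert-1"),
    ("mail.google.com", "Legit CA A", b"constructed-cert-1"),
    ("mail.google.com", "Legit CA A", b"constructed-cert-2"),   # renewal
    ("mail.google.com", "DigiNotar Public CA", b"constructed-cert-3"),  # MITM
    ("twitter.com", "Legit CA B", b"constructed-cert-4"),
]

if __name__ == "__main__":
    for host, verdict in audit(SAMPLE_OBSERVATIONS):
        flag = "WARNING" if verdict == ISSUER_CHANGED else "ok"
        print(f"{flag:8} {host}: {verdict}")
```

The decision rule deliberately ignores whether the new certificate chains to a trusted root: every one of the DigiNotar certificates did, which is exactly why the browser itself raised no alarm. The weak point is the first visit, and a CA rebrand or a site legitimately switching CAs will also trigger the warning, so the verdict is a prompt for the user rather than a hard block.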