💾 Archived View for gmi.noulin.net › mobileNews › 3359.gmi captured on 2022-06-11 at 23:15:17. Gemini links have been rewritten to link to archived content
⬅️ Previous capture (2021-12-03)
-=-=-=-=-=-=-
Up to 300,000 Iranians may have had their Google email monitored using security
certificates stolen from Dutch firm DigiNotar.
The figure came from a report into the breach at DigiNotar which let attackers
generate hundreds of fake certificates.
The report suggests the certificates were used in Iran to eavesdrop on email
accounts.
The list has been passed to Google so it can tell victims they may have come
under government scrutiny.
On 30 August, security firm Fox-IT was called in to analyse the sequence of
events at DigiNotar that led to the security breach. It published its interim
report late on 5 September.
DigiNotar is one of many firms which help to ensure that no-one is
eavesdropping on secure communications between users and the sites they visit.
It does this via security certificates which act as a guarantee of identity so
people can be sure they are connecting to the site they think they are.
Anyone armed with a rogue certificate for a web firm or service can impersonate
that organisation and get at communications that would otherwise be impossible
to read because they are encrypted.
DigiNotar first took action to revoke fake security certificates on 19 July
when it found that hackers had got access to its internal network.
The Fox-IT report suggests that the hackers were able to access those internal
systems for a month before DigiNotar took action.
The first exploration by the hackers took place on 6 June, suggests the report,
and the first rogue certificates were issued on 10 July.
"The network has been severely breached," said the report. It said security
procedures at DigiNotar were clearly lacking because the tools the hackers used
and installed on network computers can be detected by standard anti-virus
software.
All evidence gathered by Fox-IT suggests that the attacks were carried out to
help surveillance of Iranian net users. More than 99% of the 300,000 IP
addresses known to have connected to Google's email service with the help of a
fake security certificate are in Iran.
Fox-IT noted that the use of the fake certificates would also have given
attackers access to small text files known as cookies that Google and many
others use to recognise regular visitors.
As a result, Fox-IT said: "It would be wise for all users in Iran to at least
logout and login but even better change passwords."
DigiNotar has called on the Dutch government to help it recover following the
attack. In its wake Google and many others have issued updates to ensure that
the fake certificates are no longer recognised.
DigiNotar is the second security certificate firm to suffer at the hands of
hackers. In March 2011, Comodo revealed that it had been hit and pointed the
finger at Iran.
Now evidence is emerging that the same hackers were behind both attacks
according to a message posted to the pastebin website. In the message, the
hacker or hackers claim to have access to four other security certificate
firms.