September 5, 2011
Dutch Websites Hit With Cyberattack
The Dutch government this weekend said it could not guarantee the security of its websites, and said it was investigating whether Iran may have been involved in hacking state websites after fraudulently issued digital certificates were discovered.
The announcement affects millions of people who use the Netherlands government's online services, which rely on the certificate authority DigiNotar to confirm to users' browsers that the sites they are visiting are genuine. To date there have been no reports of stolen identities or other specific security breaches.
Vincent van Steen, Dutch interior ministry spokesman, did not say whether Iranian authorities in the Netherlands or Iran had been contacted, but did say that more details would be published in a letter to the Dutch parliament early next week.
He did confirm the authenticity of a report by the Dutch news agency ANP saying the cabinet was looking into whether Iran had a part in the security breach of Dutch government websites.
While officials stopped short of telling people not to use government websites, they did say people should heed the warnings their browsers display when visiting those sites. Google and other browser providers have already begun rejecting certificates issued by DigiNotar.
While it remains unclear who is behind the attack, Google said last week that those affected “were primarily located in Iran.”
Piet Hein Donner, the Dutch interior minister, said that, for now, a user of Dutch government sites could not be certain “that he is on the site where he wanted to be.”
DigiNotar confirmed last week that it had been hacked in July, though it had not disclosed the breach at the time. It said that as late as Tuesday its security certificates for government sites had not been compromised.
But Donner said a review by an external security company had found DigiNotar's government certificates were in fact compromised, and that the government was now taking control of the company's operations.
Donner said the company is cooperating in a professional manner.
DigiNotar said Iranian hackers had managed to sign forged certificates for the domains of the spy agencies CIA, Mossad and MI6. Forged certificates were also issued in the names of other certification authorities, including VeriSign and Thawte.
The attack on DigiNotar, a Dutch subsidiary of VASCO Data Security International Inc., is much more serious than previously thought. Once the hackers gained access to the network and infrastructure of several of DigiNotar's CAs, they generated hundreds of forged certificates for third-party domains.
With these forged certificates, attackers who can also intercept a victim's traffic can impersonate a legitimate site, complete with a working SSL certificate that browsers accept, and siphon off users' login credentials.
In its security blog (http://googleonlinesecurity.blogspot.com/2011/08/update-on-attempted-man-in-middle.html) on August 29, Google said it had received reports of attacks on Google users, that “the people affected were primarily located in Iran,” and that the attacker used forged certificates issued by DigiNotar.
A Mozilla programmer released a partial list of domains with forged certificates on Saturday, which was later confirmed to be an authentic list. Adam Langley, a Google Chrome programmer, also said his company had the same list.
Dutch public broadcaster NOS later published the full list (http://nos.nl/artikel/269899-cia-mossad-providers-protestsites-doelwit-hack.html) containing more than fifty domains with false certificates. Among them are Google, Yahoo, Skype and Microsoft, as well as numerous sites popular among Iranian dissidents.
The cyber attackers even created fake certificates with messages praising the Iranian Revolutionary Guard, NOS reported.
Chris Soghoian, security and privacy researcher at Indiana University and Graduate Fellow at the Center for Applied Cybersecurity Research, said the list is a “very interesting set of sites.” He remained skeptical, however, that the hackers could have gained access into spy agency networks with the forged certificates.
“Actually I think the secret service domains are the least alarming part. It's sexy, and will probably lead to a lot of questions and interest from government agencies. Of course, nobody wants to get caught with their pants down, but there's really no classified information on these domains. Those are on separate, secured internal networks. So the practical security impact of the Iranian government getting a certificate for the CIA is nil. It's really just very embarrassing, that's all,” Soghoian told Dutch Web news agency Webwereld in an interview.
Still, the cyber attack on DigiNotar has a very high profile. “What is alarming is that they forged certificates for other CAs, like VeriSign and Thawte. But the most problematic are sites like Google and Facebook. And also Walla, which is one of the biggest mail providers in Israel,” he said.
Google has already updated its Chrome browser so it blocks access to any site which uses certificates from DigiNotar. Mozilla and Microsoft are also expected to issue patches for their browsers soon.
“We're in the process of moving all DigiNotar CAs to the Untrusted Root Store which will deny access to any website using DigiNotar CAs,” said the Microsoft Security Response team in a tweet.
In practice, hundreds of Dutch government sites will become unreachable from updated browsers in the coming days unless the agencies switch to another certificate issuer soon.
A certificate is meant to vouch, through a certificate authority the browser trusts, that the site a user connects to is the one named in the address bar and that the encrypted session cannot be read by a third party. An attacker who inserts himself into such a connection, in this case with a forged certificate that browsers still trusted, is carrying out what is known as a “man-in-the-middle attack.”
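To make concrete what moving a CA to an untrusted store does, here is an added example in Go; it is not code from the article, from DigiNotar or from any browser vendor. It builds a constructed "compromised" CA and an unaffected CA, has each issue a certificate for the same hostname, and checks which chains still validate once the compromised CA is dropped from the root store. The CA names, the hostname and the validity periods are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// sign creates a certificate from tmpl and parses it back; parent == tmpl self-signs.
// Setup failures (no entropy, bad template) are fatal in this example.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, priv *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

func newKey() *ecdsa.PrivateKey {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return key
}

// newCA creates a self-signed CA. The names are constructed for this example;
// nothing here reproduces DigiNotar's real hierarchy.
func newCA(cn string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := newKey()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	return sign(tmpl, tmpl, &key.PublicKey, key), key
}

// issueLeaf has ca sign a TLS server certificate for host: this is exactly what
// a CA that has been taken over can do for any domain the attacker chooses.
func issueLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, host string) *x509.Certificate {
	leafKey := newKey()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return sign(tmpl, ca, &leafKey.PublicKey, caKey)
}

// chainOK reports whether leaf validates for host against roots (a nil pool would mean the system roots).
func chainOK(leaf *x509.Certificate, host string, roots *x509.CertPool) bool {
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return err == nil
}

type Outcome struct {
	RogueBefore bool // rogue-issued leaf verifies while the rogue CA is trusted
	RogueAfter  bool // ...and after the rogue CA is dropped from the root store
	HonestAfter bool // a leaf from an unaffected CA still verifies after the drop
}

// Run issues a certificate for the same hostname from a rogue CA and from an
// unaffected CA, then validates both before and after the rogue CA is removed.
func Run() Outcome {
	const host = "www.google.com" // constructed: one of the names on the reported list
	rogue, rogueKey := newCA("Compromised CA (constructed)")
	honest, honestKey := newCA("Unaffected CA (constructed)")
	rogueLeaf := issueLeaf(rogue, rogueKey, host)
	honestLeaf := issueLeaf(honest, honestKey, host)
	before := x509.NewCertPool() // root store as shipped: both CAs trusted
	before.AddCert(rogue)
	before.AddCert(honest)
	after := x509.NewCertPool() // after the "untrusted root store" move
	after.AddCert(honest)
	return Outcome{
		RogueBefore: chainOK(rogueLeaf, host, before),
		RogueAfter:  chainOK(rogueLeaf, host, after),
		HonestAfter: chainOK(honestLeaf, host, after),
	}
}

func main() { fmt.Printf("%+v\n", Run()) }
```

Run it with `go run`; the rogue-issued certificate validates only while its CA is in the store, while the unaffected CA's certificate keeps working. Note that a nil Roots in x509.VerifyOptions silently falls back to the system root store, so the example always passes an explicit pool. Browsers did effectively the same thing: DigiNotar's roots left the trusted set, so every site still presenting a DigiNotar-issued certificate, whether forged or legitimately purchased, failed validation.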
“This is the second batch of fraudulent security certificates in the last six months with questionable links to Iranian actors,” said John Bumgarner, a cyber researcher and chief technology officer for the non-profit US Cyber Consequences Unit.
“The certificates in question would not only allow a state actor to access the email and Skype accounts of dissenters, but also install monitoring software on their computers,” said Bumgarner.
Experts apply the “cui bono” test, asking who benefits from an act, to gauge who the perpetrator may be. “The ‘cui bono’ test suggests Iranian state involvement. No doubt the government of Iran will try to blame some hacker group, if they say anything at all,” Ross Anderson, Professor in Security Engineering at Cambridge University, told the Telegraph.
Anderson said it was possible that a government used hacker groups as proxies, and that it was unlikely a small group would carry out a man-in-the-middle attack on its own.
“To use the forged certificate to do a man-in-the-middle attack on Gmail, you need to be in a position to be the man in the middle, which means you usually have to be an internet service provider (ISP), or in a position to compel an ISP to do your bidding. That means proximity to government,” said Anderson.
U.S.-listed VASCO said in a statement on Saturday that it had invited the Dutch government to “jointly solve the DigiNotar incident” and offered staff to solve the problem.
Relations between Iran and the Netherlands worsened earlier this year when a Dutch-Iranian woman was hanged in Iran in January and buried without her relatives being present. She had been arrested for taking part in demonstrations and accused of drug smuggling.
In April, the Iranian embassy in The Hague criticized the Dutch government after an Iranian asylum seeker who was being extradited set himself on fire in Amsterdam and died.