Google the victim of an Internet attack: a false SSL certificate
Aug. 30, 2011
It looks like Google has been victimized on its own domain. A certificate authority based in the Netherlands appears to have issued a digital certificate for google.com to someone other than Google itself, and that certificate may be in use to intercept the Internet traffic of users based in Iran (of all places).
On Sunday, someone reported in a thread on a Google support forum that when attempting to log in to Gmail, the browser issued a warning about the digital certificate presented as proof that the site is legitimate.
"Today, when I tried to login to my Gmail account I saw a certificate warning in Chrome," someone using the screen name "alibo" wrote. "I think my ISP or my government did this attack because I live in Iran and you may hear something about the story of a Comodo hacker!"
Alibo then posted a screenshot and the text of the SSL certificate. The screenshot page was not accessible, however.
In this particular case, the browser of the person reporting the issue was Chrome, which warned that there was a problem with the digital certificate. Chrome ships with a built-in list of the public keys it expects to see in certificates for Google's own domains, so a google.com certificate that chains to a trusted root but carries an unexpected key is rejected; a browser without such pins would accept the certificate silently, because DigiNotar's root is in its trust store.
In such an event, a user could end up on a site that purports to be google.com but isn't. The digital certificate definitely is fraudulent. The posting details how to verify that a certificate is real and notes that this one was issued in mid-July.
The SSL certificate was issued by DigiNotar, based in the Netherlands. Representatives from the company did not immediately respond to an email seeking comment yesterday, and an automated message said the offices were closed for the evening and offered no voice-mail option.
A phone call and email to Vasco Data Security, parent company of DigiNotar, were not immediately returned either.
The situation is similar to one that happened in March, in which fraudulent certificates were found for Google, Yahoo, Microsoft and other major sites and were traced back to Iran. In that incident, the fraudulent digital certificates were obtained through reseller partners of the certificate authority Comodo.
These attacks further illustrate a fundamental weakness in the current website authentication system, in which third parties issue certificates that vouch for a site's identity when an "https://" connection is made. Because a fraudulent certificate chains to a root the browser already trusts, the 'padlock' shows closed, signaling a secure connection even though the traffic is being intercepted.
The list of trusted certificate issuers has grown significantly over the past few years to approximately 650 organizations, not all of which follow the strictest security procedures. Any one of them can issue a certificate for any domain, so a compromise at any single issuer puts every site on the Web at risk.
Revocation lists and OCSP exist, but browsers generally soft-fail when the revocation check cannot be completed, and an attacker who can intercept a user's traffic can block that check as well. Nor is there a public list of the certificates that companies like Comodo have issued, or even of which resellers or partners have been given the ability to request issuance in the authority's name.
Worse, there is no mechanism to prevent a fraudulent certificate for Yahoo Mail or Gmail from being issued by a compromised company, or by a repressive regime bent on surveillance.
Today's flawed system places a large amount of responsibility toward end users on browser makers. Whatever list of 'certificate authorities' they include will be trusted by billions of Web browsers around the world, unless users take the time to change the settings.
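To show why Chrome could reject a certificate that every other browser would accept, and to give the reader a concrete version of the "verify that a certificate is real" check mentioned above, here is an added example that is not code from Google, DigiNotar or the forum thread. It is a stdlib-only sketch of public-key pinning: a minimal DER reader pulls the issuer, subject and SubjectPublicKeyInfo out of an X.509 certificate and compares SHA-256 of the SPKI against a pin set. The two certificates are constructed in the block itself, unsigned and with placeholder key bytes; the issuer name "Example Google CA" is invented for the example, and the rogue certificate's issuer is simply "DigiNotar" as named in the story. A real browser pins against any key in the chain and only after ordinary chain validation has passed; this example assumes that validation succeeded, which is exactly the situation the story describes.

```python
"""Added example: public-key pinning check on a DER X.509 certificate (stdlib only)."""
import hashlib

SEQ, SET, OID, UTF8, BITSTR, INT, NULL, UTCTIME = 0x30, 0x31, 0x06, 0x0C, 0x03, 0x02, 0x05, 0x17
OID_CN = b"\x55\x04\x03"                                  # 2.5.4.3 id-at-commonName
OID_RSA = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01"         # 1.2.840.113549.1.1.1 rsaEncryption
OID_SHA256_RSA = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"  # 1.2.840.113549.1.1.11

# --- DER reading ------------------------------------------------------------
def read_tlv(buf, pos=0):
    """Return (tag, value, end) for the TLV starting at pos; handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Yield (tag, value, raw_tlv) for each element packed inside a SEQUENCE/SET value."""
    pos = 0
    while pos < len(value):
        tag, val, end = read_tlv(value, pos)
        yield tag, val, value[pos:end]
        pos = end

def common_name(name_value):
    """Name ::= SEQUENCE OF RelativeDistinguishedName, each a SET OF AttributeTypeAndValue."""
    for _, rdn, _ in children(name_value):
        for _, atv, _ in children(rdn):
            (_, oid, _), (_, val, _) = list(children(atv))
            if oid == OID_CN:
                return val.decode()
    return None

def parse_certificate(der):
    """Extract issuer CN, subject CN and SHA-256 of the DER-encoded SubjectPublicKeyInfo."""
    _, cert, _ = read_tlv(der)
    _, tbs, _ = read_tlv(cert)              # tbsCertificate is the first element
    fields = list(children(tbs))
    if fields[0][0] == 0xA0:                # optional [0] EXPLICIT version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    return {
        "issuer": common_name(fields[2][1]),
        "subject": common_name(fields[4][1]),
        "spki_sha256": hashlib.sha256(fields[5][2]).hexdigest(),
    }

def check_pins(der, pinned_spki_sha256):
    """Return (accepted, info): the leaf's key hash must be in the pin set,
    regardless of which trusted CA signed the certificate."""
    info = parse_certificate(der)
    return info["spki_sha256"] in pinned_spki_sha256, info

# --- DER writing, used only to construct the sample certificates ------------
def der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def name(cn):
    return tlv(SEQ, tlv(SET, tlv(SEQ, tlv(OID, OID_CN) + tlv(UTF8, cn.encode()))))

def sample_certificate(issuer_cn, subject_cn, pubkey):
    """Structurally valid but unsigned X.509 v3 certificate (constructed sample)."""
    sig_alg = tlv(SEQ, tlv(OID, OID_SHA256_RSA) + tlv(NULL, b""))
    spki = tlv(SEQ, tlv(SEQ, tlv(OID, OID_RSA) + tlv(NULL, b"")) + tlv(BITSTR, b"\x00" + pubkey))
    validity = tlv(SEQ, tlv(UTCTIME, b"110715000000Z") + tlv(UTCTIME, b"130715000000Z"))
    tbs = tlv(SEQ, tlv(0xA0, tlv(INT, b"\x02")) + tlv(INT, b"\x01") + sig_alg
              + name(issuer_cn) + validity + name(subject_cn) + spki)
    return tlv(SEQ, tbs + sig_alg + tlv(BITSTR, b"\x00"))  # empty signature: not checked here

# Constructed samples: placeholder key bytes, not real RSA keys; issuer names are illustrative.
LEGIT_CERT = sample_certificate("Example Google CA", "*.google.com", b"google-key-placeholder")
ROGUE_CERT = sample_certificate("DigiNotar", "*.google.com", b"attacker-key-placeholder")
# In a browser the pins ship with the product; here they are derived from the legitimate cert.
PINNED = {parse_certificate(LEGIT_CERT)["spki_sha256"]}

if __name__ == "__main__":
    for label, cert in (("legit", LEGIT_CERT), ("rogue", ROGUE_CERT)):
        ok, info = check_pins(cert, PINNED)
        print(label, "ACCEPT" if ok else "REJECT (pin mismatch)", info["issuer"], "->", info["subject"])
```

The rogue certificate parses cleanly and names *.google.com as its subject; what gives it away is only that its key is not one the pin set expects. That is the whole value of pinning, and also its cost: the pin list has to be maintained by the browser vendor or the site operator, which is why it was limited to a handful of domains in 2011.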
In other internet security news
A suspect has been charged by police investigating various Internet attacks allegedly carried out by hacking collective Anonymous against companies and organizations deemed to have acted against the whistleblower website Wikileaks.
Scotland Yard has named 22-year-old student Peter Gibson of Castleton Road, Hartlepool, Cleveland as one of the suspects alleged to have orchestrated DDoS (distributed denial of service) attacks on PayPal, Amazon, Mastercard and Bank of America in December of last year.
Gibson has been charged with conspiracy to do an unauthorised act in relation to a computer, with intent to impair the operation of a computer system or prevent or hinder access to a program or data held in a computer or to impair the operation of any such program or the reliability of such data, said Scotland Yard.
Those are actions that are contrary to Section 1(1) of the Criminal Law Act of 1977, it added.
The Computer Misuse Act, which carries maximum jail sentences of ten years, was not cited by the police.
Gibson is expected to appear at the City of Westminster Magistrates' Court on September 7, 2011.
Detectives at the specialist computer-crime unit questioned Gibson in April this year. He was one of six people arrested in connection with a U.K. police probe into "Operation Avenge Assange". The five other UK-based men, aged 15, 16, 19, 20 and 26, were also arrested under the Computer Misuse Act following coordinated police raids in the West Midlands, Northants, Herts, Surrey and London in January 2011.
It is alleged that the suspects set off Distributed Denial of Service attacks using a modified piece of open source software known as the Low Orbit Ion Cannon.
The software was used to send a constant stream of data to targeted websites in an effort to greatly slow down or to completely shut down the affected sites.
In July of this year, federal law-enforcement personnel in the U.S. also arrested 16 people accused of carrying out computer crimes that damaged or breached protected systems. Fourteen of these suspects, from ten states across the U.S., were alleged to have been involved in "Operation Avenge Assange".
Anonymous's assault against PayPal, MasterCard, Visa, Amazon, and others was mounted after those companies cut off services to WikiLeaks, following publication by the whistle-blower site of classified U.S. diplomatic memos.
In other internet security news
A police investigator working on Scotland Yard's inquiry into alleged phone-hacking at the now-defunct Sunday tabloid the News of the World was arrested by senior officers from the anti-corruption unit of London's Metropolitan police late last week.
The police said that on Thursday, August 18 they arrested a serving MPS officer from Operation Weeting on suspicion of misconduct in a public office relating to unauthorized disclosure of information as a result of a proactive operation.
They didn't release the name of the officer, who was described as a 51-year-old male detective constable, and Scotland Yard only confirmed he had been arrested after releasing the man on bail until September 29, pending further investigation.
As is customary in such incidents, the officer was suspended from his job the next day. "I made it very clear when I took on this investigation the need for operational and information security. It is hugely disappointing that this may not have been adhered to," said Deputy Assistant Commissioner Sue Akers, who is in charge of Operation Weeting.
"The MPS takes the unauthorized disclosure of information extremely seriously and has acted rapidly in making this arrest," she added.
Meanwhile, a thirty-five-year-old man was also released the next day, after being in police custody on suspicion of conspiring to unlawfully intercept voicemails.
He was bailed to return at a yet-to-be-determined date in October. Reports suggest that former NotW features writer Dan Evans was the man arrested then bailed by police on Friday.
James Desborough, who joined the Sunday tabloid as a reporter in 2005 before being promoted to Hollywood editor in 2009, was also arrested last Thursday as part of the Operation Weeting probe.
In other internet security news
On August 15, after Anonymous' hacking of BART's Web site and the leak of user information from mybart.org had been reported, some in the Internet security community started receiving messages on Twitter and elsewhere from sources purporting to be tied to Anonymous.
They were all critical of the leak of personal info from mybart.org, pointing to dissent on Twitter and Anonymous IRC channels. "Just wanted you to know not all of Anon approves!" read one of the messages. Then today, it seems to have all become too much for one former Anonymous hacker.
Until now he has gone by the handle "SparkyBlaze"; he has now officially resigned, identifying himself as a Manchester, U.K., resident named Matthew who has had enough of what he calls a lot of nonsense from a group that claims to do good and no evil.
He goes on to say that "higher-up" Anons have thrown other members of the collective "to the lions," claiming that Anonymous' campaigns and leadership have been ineffective and prey on "kids" to do their dirty work and risk arrest.
Some inside the internet security community contacted SparkyBlaze and asked if the BART operation was the last straw for him. He says: "That was one factor; mainly it was because I was just fed up with anon putting people's data on-line and then claiming to be the big heroes."
SparkyBlaze adds that he did find it hypocritical that Anonymous claimed to be fighting for BART users by putting their data online.
With regard to his own involvement with Anonymous, SparkyBlaze says he supported a number of operations, "and some un-ethical ones that I am not proud of, but I never exposed people's data, and of that I can be proud. I want to be clear on that."
He says he was proud to be involved in attacks on sites run by Iran's government, but not so proud to have been involved in the Sony attacks a few months ago.
"If I get arrested with this I will have to deal with it. I don't care about what anon do now and I just want to say that not all anon's are bad-- just a few. Some do want change. They are just going about it in the wrong way," said SparkyBlaze.
SparkyBlaze's defection from Anonymous has made at least minor waves within the organization. A post by Commander X, who is purported to have led a number of recent hacks, including last week's BART operation, suggests SparkyBlaze should be considered persona non grata.
SparkyBlaze says that posting was a response to his calling Commander X an "idiot for exposing people's data and supporting it," coupled with his Pastebin post.
In other internet security news
Internet security researchers have discovered the first method of attacking the full Advanced Encryption Standard (AES), the cipher used to protect everything from top-secret government documents to confidential medical files, social insurance numbers, credit cards and online banking transactions, that is faster than trying every key.
The method, published in a paper presented Aug. 17 at the Crypto 2011 conference in Santa Barbara, allows an attacker to recover AES secret keys roughly three to five times faster than exhaustive search, depending on the key size.
The technique, known as 'biclique cryptanalysis', shaves about two bits off the effective strength of 128-, 192- and 256-bit AES keys: recovering a 128-bit key, for example, drops from 2^128 work to roughly 2^126. That is a real result in cryptanalytic terms, but it does not put any deployed AES system at risk.
“This research is groundbreaking because it is the first technique discovered of actually breaking single-key AES that is slightly faster than brute force,” said Nate Lawson, a cryptographer and the principal security consultant at Root Labs. “But I must also tell you that it doesn't compromise AES in any practical way.”
Lawson added that it would still take "trillions of years" to recover a strong AES key using the biclique technique, which is a variant of what's known as a meet-in-the-middle attack. Such an attack works from the inputs and from the outputs of AES toward the middle of the cipher, reusing partial computation results so that the brute-force key search does not have to be repeated from scratch for every key, which is what cuts down the time needed to recover the full key.
Lawson added "This technique is a divide-and-conquer attack. To find an unknown key, they partition all the possible keys into a set of groups. This is possible because AES subkeys only have small differences between round numbers. They can then perform a smaller search for the full key since they can reuse partial bits of the key in later phases of the computation."
It's impressive work, but there's still no better cipher to use than AES for now, and AES remains the preferred cryptographic scheme of the U.S. government and many others. The National Institute of Standards and Technology standardized AES ten years ago as a replacement for DES, the Data Encryption Standard, whose 56-bit key had become too short to resist brute force.
The research is the work of Andrey Bogdanov of Katholieke Universiteit in Leuven; Microsoft Research's Dmitry Khovratovich; and Christian Rechberger of Ecole Normale Superieure in Paris.
Both Bogdanov and Rechberger took leave from their positions to work on the project for Microsoft Research that started in October 2010.
Source: Scotland Yard.