Google+ exploit could be bad news for Iran and Syria internet users



The key point that caused me to write this post has not changed – this issue can have serious negative implications for users in countries like Syria and Iran.

UPDATE 2: It had originally been reported that criminals had created a fake Google website by abusing security certificates. The BBC updated their news report at 22:00 on 4 January to say “criminals could have created a website that purported to be part of the Google+ social media network”.  Note: As Google Inc is now branding a bunch of its services as the Google+ social media network, this refers to *, for example

TurkTrust has said there was only one of the 2 certificates in use and they see no implication of any malicious usage. The information does seem to confirm that the client was using the * certificate for man-in-the-middle intercepts. I suggest reading the full discussion and content of the embedded links on the the Mozilla security list for more technical details, and the Mozilla Security Blog post for a non-technical overview and explanation.

UPDATE 1: TurkTrust has issued a Press Release concerning the security advisory by Microsoft, Google and other Internet browser producers published on the 3rd of January 2012, GMT 18:00 hours.

Related links:

The company maintains that the situation has no impact on customers at all and says it will continue to provide updates. I have commented in my original post about the coincidental similarities that seemed to exist between this issue and the DigiNotar scandal, so I was not at all comfortable to learn that the flawed system was given a clean bill of health in November 2011 after an audit by KPMG in the Netherlands, DigiNotar’s turf. I could write at length about the circumstances which led to this recent breach of trust and my remaining questions, but I don’t want to bore you senseless about it. I am much more concerned that our efforts are focused on alerting activists in countries with repressive regimes to the potential risks such events pose to their online  and offline security.

Web browser makers have rushed to fix a security lapse that cyber thieves abused [was used – see Update 2] to impersonate Google+.

Chrome has been updated, Firefox will be updated 8 January 2013, and Internet Explorer has issued an update which will be applied automatically for users of Windows 8/RT/Server 2012. Anyone using older versions of Windows will need to use Windows Update. Since Opera requires a successful revocation check in order to show a site as secure, Opera explained that  users were immediately protected, and there was no urgent need to update. As usual, Apple has not commented on when or if they will take action to protect Safari and iOS users.

By using the fake credentials, criminals created a website that pretended to be part of the Google+ social media network. [See Update 2] The loophole exploited ID credentials that browsers use to ensure a website is who it claims to be.

So someone was attempting to perform a man-in-the-middle attack against secure communications intended for Google, but there is no information about who that is or where they are based. [See Update 1]

The fake ID credentials have been traced back to August 2011, when Turkish Certificate Authority (CA) TurkTrust mistakenly issued two “master keys” – higher level certificates used to certify website validity. The issue was not discovered by Google until late on 24 December 2012. Google issued two updates on 25 and 26 December and alerted other browser vendors.

You may recall that August 2011 saw a report from Google about man in the middle attacks linked to the DigiNotar CA which they said mainly affected users in Iran.

So the dates coincide, as does the methodology and the target site, except this time TurkTrust is much closer to Iran and Syria (on many levels, not only geographically) whereas DigiNotar was in the Netherlands.

Google’s post notes that Google “may also decide to take additional action after further discussion and careful consideration,” which hints that the Chrome team are considering the exclusion of  TurkTrust’s root certificates. Mozilla will temporarily revoke  it from 8 January when the patch is released. However, if this CA is removed, it could force many sites in countries like Syria and Iran to use national, not-trusted and completely compromised CA’s like ParsSign.

Nothing is sacred. Amnesty International UK website hacked


Not-AI (Photo credit: Wikipedia)

The thrill of seeing Amnesty introduce easy online petitioning has evaporated after reading this WebSense Security Labs report:

Between May 8 and 9, 2012, the Websense® ThreatSeeker® Network detected that the Amnesty International United Kingdom website was compromised. The website was apparently injected with malicious code for these 2 days. During that time, website users risked having sensitive data stolen and perhaps infecting other users in their network. However, the website owners rectified this issue after we advised them about the injection. In early 2009, we discovered this same site was compromised, and in 2010, we reported another injection of an Amnesty International website, this time the Hong Kong site.

read the full report on WebSense- Security Labs.

Mauritania News Summary 21 Apr 2012

  • More controversy in Mauritania over slavery – this time it’s whether local Imam Sheikh Dedew denied the existence of slavery or not. The anger aroused after a Saudi cleric suggested buying slaves in order to free them is still smouldering.
  • Still (almost) on the subject of slavery, allegations of divisions in the ranks of Mauritanian anti-slavery campaign IRA continue, with the latest statement claiming they are becoming more politicised. I assume most observers are seeing this as yet another clumsy ploy to diminish the influence of Birame Ould Obeida and IRA in the country, and above all to discourage black African citizens from joining the current political protests in large numbers.
  • New Mauritania housing project manager’s first act: sack 20 low-paid workers. Looks great on paper. Who’s building homes? Source [Ar]
  • The editor of Al-Akhbar News is in Timbuktu – the only sure way to get real information about what is happening on the ground in northern Mali, but incredibly risky.
  • Two drug traffickers from Mauritania have each been sentenced to 10 years hard labour and CFA30 million fines in Senegal. Source
  • 25 year-old Mauritania break dance performer Taleb Usher has died after a short illness.A tribute is in process of being organised.  Source
Taleb Usher

Taleb Usher

  • Mauritania hacker collective H@kEr^^R.I.M has defaced an Israel-based IT specialist website

  • Residents of a rural village in Mauritania are protesting to demand provision for education, which has been neglected for many years despite renewed appeals. Source


20 Jan 2012 Interesting LOIC Download Stats

2012-01-20 24,717
2012-01-19 5,789
2012-01-18 1,176
2012-01-17 1,170
2012-01-16 972
2012-01-15 884
2012-01-14 934

Download Statistics: loic.

If yesterday’s attack was the ‘largest ever’, what is in the works after an extra 24,000 copies of LOIC have been downloaded? Oh by the way, if you visit the SourceForge link and look at the locations map for downloads, don’t get carried away imagining that there are people in every far-flung corner of the globe downloading – it’s just location masking via private proxy or relay.