
Iran IP addresses compromised by DigiNotar SSL hack

Security researchers say 300,000 Iranians accessed fake google domain


Close to 300,000 unique IP addresses from Iran requested access to google.com using a rogue certificate issued by Dutch digital certificate authority DigiNotar, according to an interim report released by security firm Fox-IT. The rogue certificate, issued on July 10 by DigiNotar, was finally revoked on August 29.

"Around 300,000 unique requesting IPs to google.com have been identified," Fox-IT said. The number of requests began rising quickly on August 4 and kept growing until the certificate was revoked on August 29. Of these IP addresses, more than 99 percent originated from Iran.

The list of IP addresses will be handed over to Google who can inform users that their email might have been intercepted during this period, Fox-IT said.

Spoofing login cookies

Not only the email itself but also a login cookie could have been intercepted, it added. Using this cookie the hacker is able to log in directly to the Gmail mailbox of the user and other services from Google.

"The login cookie stays valid for a longer period," Fox-IT said. It would be wise for all users in Iran to at least logout and login, but even better change passwords, it added.

A sample of the IP addresses outside Iran during the period consisted mainly of Tor exit nodes, proxies and other VPN (virtual private network) servers, with almost no direct subscribers, according to the report, which analysed OCSP (Online Certificate Status Protocol) request logs. Current browsers perform an OCSP check as soon as they connect to an SSL (secure sockets layer) website served over the https protocol, so the certificate authority's OCSP logs record which client IPs were presented with the rogue certificate.
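The kind of OCSP-log analysis the report describes, as an added example that is not part of the article or of Fox-IT's own tooling: it assumes a simple made-up log line format, constructed sample lines, and a constructed IP-to-country map and Tor-exit/proxy list, and counts the unique client IPs that asked about one certificate serial and where they came from.

```python
import re
from collections import Counter

# Constructed OCSP responder log excerpt (format, serial numbers and IPs are all
# made up for this example; the real DigiNotar logs are not on the page).
SAMPLE_LOG = """\
2011-08-28T08:00:01Z 203.0.113.5 serial=0x0A01 status=good
2011-08-28T08:00:07Z 203.0.113.6 serial=0x0A01 status=good
2011-08-28T08:00:09Z 203.0.113.5 serial=0x0A01 status=good
2011-08-28T08:01:12Z 198.51.100.20 serial=0x0A01 status=good
2011-08-28T08:02:30Z 192.0.2.77 serial=0x0B02 status=good
2011-08-28T08:03:44Z 203.0.113.9 serial=0x0A01 status=good
2011-08-29T22:10:00Z 203.0.113.5 serial=0x0A01 status=revoked
not a log line
"""

LINE_RE = re.compile(r"^(\S+) (\S+) serial=(0x[0-9A-Fa-f]+) status=(\w+)$")

# Constructed enrichment data: IP -> country, and known Tor exit / proxy IPs.
GEO = {"203.0.113.5": "IR", "203.0.113.6": "IR", "203.0.113.9": "IR",
       "198.51.100.20": "NL", "192.0.2.77": "DE"}
ANONYMIZERS = {"198.51.100.20"}

def parse_ocsp_log(text):
    """Return (timestamp, ip, serial, status) tuples, skipping unparsable lines."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, ip, serial, status = m.groups()
            out.append((ts, ip, serial.lower(), status))
    return out

def requesting_ips(records, serial):
    """Unique client IPs that asked the responder about one certificate serial."""
    return {ip for _, ip, s, _ in records if s == serial.lower()}

def origin_report(ips, geo, anonymizers):
    """Country breakdown plus how many non-IR IPs are known Tor exits / proxies."""
    by_country = Counter(geo.get(ip, "??") for ip in ips)
    outside = [ip for ip in ips if geo.get(ip) != "IR"]
    return {
        "unique_ips": len(ips),
        "by_country": dict(by_country),
        "share_ir": by_country["IR"] / len(ips) if ips else 0.0,
        "outside_ir_total": len(outside),
        "outside_ir_anonymizers": sum(ip in anonymizers for ip in outside),
    }

if __name__ == "__main__":
    recs = parse_ocsp_log(SAMPLE_LOG)
    print(origin_report(requesting_ips(recs, "0x0A01"), GEO, ANONYMIZERS))
```

On the constructed data the rogue serial is queried from four unique IPs, three of them Iranian, and the single non-Iranian IP is a known anonymizer, mirroring the pattern the report describes.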

Tor is a distributed anonymous network used by people to prevent being tracked by websites or to connect to instant messaging services and other services when these are blocked by their local Internet service providers.

Private communication interception

The list of domains and the fact that 99 percent of the users are in Iran suggest that the objective of the hackers was to intercept private communications in Iran, Fox-IT said.

Google said that it received reports of "attempted SSL man-in-the-middle (MITM) attacks" against Google users, whereby someone tried to get between them and encrypted Google services. The people affected were primarily located in Iran. The attacker used a fraudulent SSL certificate issued by DigiNotar which has since been revoked, Google said.

Trend Micro claimed that the domain validation.diginotar.nl was mostly loaded by Dutch and Iranian Internet users until 30 August. Domain name validation.diginotar.nl is used by Internet browsers to check the authenticity of SSL certificates that are issued by DigiNotar.

DigiNotar is a small Dutch certification authority with customers mainly in the Netherlands. "We, therefore, expect this domain name to be mostly requested by Dutch Internet users and perhaps a handful of users from other countries but certainly not by a lot of Iranians," said Trend Micro's senior threat researcher, Feike Hacquebord.

From analysis of Trend Micro Smart Protection Network data, the company found that a significant part of the Internet users who loaded DigiNotar's SSL certificate verification URL (uniform resource locator) were from Iran on August 28. However, by August 30 most of the traffic from Iran had disappeared, and by September 2 almost all of the Iranian traffic was gone.

It became public on the evening of August 29 that a rogue *.google.com certificate was presented to a number of Internet users in Iran, according to the Fox-IT report. The false certificate had been issued by DigiNotar and was revoked that same evening.

Investigating the breach

The security firm was contacted the next day and asked to investigate the breach and report its findings before the end of the week.

Fox-IT's report indicates that the initial compromise at DigiNotar may have occurred on June 17. DigiNotar noticed the incident on June 19 in its daily audit procedure but doesn't appear to have done anything about it. The company could not be immediately reached for comment.

The first rogue certificate, for *.google.com, was issued on July 10. All the other rogue certificates were issued between July 10 and July 20.

The hack implies that the current network setup and procedures at DigiNotar are not sufficiently secure to prevent this kind of attack, Fox-IT said. The most critical servers, for example, contain malicious software that can normally be detected by antivirus software. The separation of critical components was not functioning or was not in place, it added.
