tehranbureau An independent source of news on Iran and the Iranian diaspora

Internet Security Attacks on Iran Google Users Went Undetected for 2 Months

05 Sep 2011 18:58Comments
security-compromised.jpg[ dispatch ] Update your browsers and change your passwords. A fake Internet security certificate issued in Google's name by a company in the Netherlands rendered the accounts of Google users in Iran vulnerable for nearly two months before one Google Chrome user noticed a funny warning and reported the problem to the Google message boards.

These attacks follow a hack on the Dutch company, DigiNotar, which destroyed a number of fraudulent certificates upon discovering the incident. The dummy Google certificate, however, went unnoticed for nearly two months.

"For users in Iran, this means that someone in Iran has had access to all of their secure Google information for almost two months: Google docs, Gmail, login information, username and password," said Tori Egherman of Arseh Sevom, an Iran-focused human rights nonprofit based in the Netherlands.

Arseh Sevom posted an article this week suggesting that these latest attacks came from a powerful source, likely within the Iranian government, in an attempt to spy on Iranian Internet users. The Dutch government announced on Saturday that it is investigating the possibility that the government of Iran was involved in the hack.

The industry dubs this type of security breach a "man-in-the-middle attack," meaning a hacker intercepts information traveling between a user and an intended receiver and continues to transmit information between the two. The user continues to send and receive information normally and therefore remains unaware of the attack. Meanwhile, the hacker has the power to read any information sent by the user, alter the information sent, and control what the user receives in response.

To prevent such attacks, browsers authorize companies called security authorities to issue encrypted keys that verify a server's authenticity. But a hack on any one of those companies means that imposters can create fake keys, tricking browsers into believing they are navigating secure servers when they are not.

The most recent versions of Google Chrome have an additional security feature built into the most recent versions of the browser. For Google sites, Chrome relies on internal Google authenticity screening rather than codes created by external certificate authorities and issues warnings when it detects a phony certificate.

"Chrome had this extra layer of protection. Firefox didn't know that, Internet Explorer didn't know that. If this had been Yahoo, we wouldn't know it," said Egherman.

Experts cite several reasons this most recent attack went unnoticed for so long.

"One possibility is that there aren't a lot of Chrome users in Iran," said Seth Schoen of the Electronic Frontier Foundation (EFF), an Internet security watchdog monitoring the situation closely. For Schoen and his EFF colleagues, this latest man-in-the-middle attack in Iran underscores "the dangerous weaknesses of certificate authorities."

Browsers began designating and relying on certificate authorities in the 1990s as demand grew for secure ways to buy and pay for goods and services online with credit cards. Today, Schoen points out, "for most users credit cards are not the most sensitive thing that they transmit over the Internet." In an age of webmail, shared documents, and cloud computing, the average information most users want to protect has become far more sophisticated. Internet security measures have not kept pace.

To address the problem, browsers like Google Chrome are experimenting with added features, such as the one that uncovered the threat in Iran. Similarly, EFF has created a plug-in for Firefox that directs users to secure (HTTPS) versions of many websites, even when the user types in insecure web addresses.

Both Egherman and Schoen recommend users in Iran download the latest versions of Firefox or Google Chrome, change their passwords often, and that users everywhere take care to use secure (HTTPS) versions of websites when transmitting sensitive information.


For more information, check out:

Part one and part two of Arseh Sevom's report on this latest hack.

• EFF's take on this latest attack and report on an earlier high-profile hack in Iran.

• Google's latest update on the fake certificate.

• EFF's HTTPS Everywhere campaign.

• Reuters' report on the Dutch investigation into Iranian government involvement in the hack.

Copyright © 2011 Tehran Bureau

SHAREtwitterfacebookSTUMBLEUPONbalatarin reddit digg del.icio.us
blog comments powered by Disqus

In order to foster a civil and literate discussion that respects all participants, FRONTLINE has the following guidelines for commentary. By submitting comments here, you are consenting to these rules:

Readers' comments that include profanity, obscenity, personal attacks, harassment, or are defamatory, sexist, racist, violate a third party's right to privacy, or are otherwise inappropriate, will be removed. Entries that are unsigned or are "signed" by someone other than the actual author will be removed. We reserve the right to not post comments that are more than 400 words. We will take steps to block users who repeatedly violate our commenting rules, terms of use, or privacy policies. You are fully responsible for your comments.