Facebook, Google, CIA, MI6 targeted in Dutch government certificate hack

Summary:Over 500 stolen SSL certificates from a Dutch certificate authority also appear to have stung Facebook, Google and Windows Update, as well as MI6 and CIA websites.

The Dutch government said on Saturday it "cannot guarantee the security of its own websites", days after the company it uses to authenticate its sites was compromised.

It appears that in the aftermath of the hack, intelligence services including Israel's Mossad, Britain's MI6 and the United States' CIA have also fallen foul of the certificate hack.

Facebook, Twitter, along with Microsoft's Windows Update service, and Skype users could also be at risk, as browser makers hit the kill switch on an increasing number of rogue digital certificates.

Affecting millions across the Netherlands, certificate authority DigiNotar admitted it had been compromised late last week, which puts a wide range of the Dutch government's sites at risk.

Mozilla has already blocked the certificates, which could have been used to spoof websites, and direct users into visiting malware-ridden or phishing sites. Microsoft said that users of Internet Explorer, and Google with users running the latest version of Chrome, will also be warned if users appear to be accessing websites using the rogue certificates.

But while it was unclear who was initially behind the hacking, many are turning to Iran's government to spy on dissidents, such as security firm F-Secure. While Google also believes Iran may have been behind the hack, the Dutch interior minister, erring on the site of diplomatic caution, could not confirm that Tehran was behind the hack.

The extent became clearer today, as the tally of SSL certificates bubbled over the 500 mark.

Though it may be embarrassing for the intelligence services to be subject to site impersonation, it is more worrying for services such as Microsoft's Windows Update, Facebook and Twitter, with billions of users between them, who could have downloaded rogue updates or exposed personal data, for example.

Christopher Soghoian, known for his Dropbox expose earlier this year, said in a tweet: "Now that someone has obtained a legit HTTPS certificate for CIA.gov, I wonder if the U.S. government will pay attention to this mess".

While these certificates could be used to direct unsuspecting victims to clones of sites, such as Gmail and Facebook, it is not yet clear whether hackers were successful in these attempts.

Topics: Software Development, Browser, Government, Government : US, Security

About

Zack Whittaker writes for ZDNet, CNET, and CBS News. He is based in New York City.

zdnet_core.socialButton.googleLabel Contact Disclosure

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Related Stories

The best of ZDNet, delivered

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
Subscription failed.