Facebook, Google, CIA, MI6 targeted in Dutch government certificate hack

Facebook, Google, CIA, MI6 targeted in Dutch government certificate hack

Summary: Over 500 stolen SSL certificates from a Dutch certificate authority also appear to have stung Facebook, Google and Windows Update, as well as MI6 and CIA websites.

SHARE:

The Dutch government said on Saturday it "cannot guarantee the security of its own websites", days after the company it uses to authenticate its sites was compromised.

It appears that in the aftermath of the hack, intelligence services including Israel's Mossad, Britain's MI6 and the United States' CIA have also fallen foul of the certificate hack.

Facebook, Twitter, along with Microsoft's Windows Update service, and Skype users could also be at risk, as browser makers hit the kill switch on an increasing number of rogue digital certificates.

Affecting millions across the Netherlands, certificate authority DigiNotar admitted it had been compromised late last week, which puts a wide range of the Dutch government's sites at risk.

Mozilla has already blocked the certificates, which could have been used to spoof websites, and direct users into visiting malware-ridden or phishing sites. Microsoft said that users of Internet Explorer, and Google with users running the latest version of Chrome, will also be warned if users appear to be accessing websites using the rogue certificates.

But while it was unclear who was initially behind the hacking, many are turning to Iran's government to spy on dissidents, such as security firm F-Secure. While Google also believes Iran may have been behind the hack, the Dutch interior minister, erring on the site of diplomatic caution, could not confirm that Tehran was behind the hack.

The extent became clearer today, as the tally of SSL certificates bubbled over the 500 mark.

Though it may be embarrassing for the intelligence services to be subject to site impersonation, it is more worrying for services such as Microsoft's Windows Update, Facebook and Twitter, with billions of users between them, who could have downloaded rogue updates or exposed personal data, for example.

Christopher Soghoian, known for his Dropbox expose earlier this year, said in a tweet: "Now that someone has obtained a legit HTTPS certificate for CIA.gov, I wonder if the U.S. government will pay attention to this mess".

While these certificates could be used to direct unsuspecting victims to clones of sites, such as Gmail and Facebook, it is not yet clear whether hackers were successful in these attempts.

Topics: Software Development, Browser, Government, Government US, Security

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

4 comments
Log in or register to join the discussion
  • RE: Facebook, Google, CIA, MI6 targeted in Dutch government certificate hack

    I've actually confirmed with sources inside Iran that the hackers hired/employed by Iranian government were successful in re-routing Gmail & Facebook sites for Iranian Internet subscribers to fake sites.
    The ISPs were told to cooperate or risk losing their operations license or getting shut down. Some of the ISP employees had warned their friends & families about this.
    aalborz
  • Diginotar is Vasco subsidiary

    Diginotar is a subsidiary of VASCO Data Security International.

    A company that has tried hard to avoid getting their names associated with this affair in de press.
    It is however very interesting to know how much the VASCO parent company is responsible for keeping the lid on informing the world of this very serious breach of internet security.
    IE11
  • ethical hacking institute

    Hi,<br>I would like to share some of my experience with you?ll so that you can also grab the opportunity. I am a student of BCA and had joined an ethical hacking institute ?Hacker Regiment? 2 months earlier. I was new in this field and have no knowledge about hacking. Today after being certified from Hacker Regiment I can bet that no one can hack me in any form. I know how to protect myself from any of the intruder. And I am feeling very happy to share that I am currently working with Hacker Regiment as a security analyst. Friends if you are planning to join any of the institute for ethical hacking, I suggest you to enroll yourself at Hacker Regiment as they are having limited seats. You can visit them @ http://hacker.do
    ashish3012
  • Platforms

    This is a really good site post, im delighted I came across it. track to check out other posts that
    Red Bottom heels
    http://www.redbottomheelscommunity.com/
    Li Lin