Thousands of Iranians hit by email monitoring attack

Up to 300,000 Iranians could have had their Google services intercepted as part of the DigiNotar attack, according to Dutch security company Fox-IT.

Around 300,000 Iranians could have had their Google services intercepted, after a hack on Dutch certificate authority DigiNotar.

Gmail accounts could still be vulnerable, as login cookies may have been compromised, Fox-IT said in a report to the Dutch government on Monday. Around 300,000 unique IPs in Iran were affected.

Using this cookie the hacker is able to log in directly to the Gmail mailbox of the victim and also read the stored emails.

– Fox-IT report

"Using this cookie the hacker is able to log in directly to the Gmail mailbox of the victim and also read the stored emails," said the report. "Besides that, he is able to log in all other services Google offers to users like stored location information from Latitude or documents in Google Docs."

Hackers broke into Dutch certificate authority DigiNotar and succeeded in creating a fraudulent certificate for *.google.com on 10 July, said Fox-IT, in an attack it has called 'Operation Black Tulip'.

The Google certificate was only revoked on 29 August despite DigiNotar having known of problem since 19 June, according to the report. The hackers may have deleted traces of their activities, leaving a number of certificates with questionable trustworthiness, said Fox-IT.

"No secure central network logging is in place," the company said.

Digital certificates

Digital certificates are used for cryptographic identification. For example, web browsers use certificates to validate HTTPS-based websites, such as Gmail, to make sure users are not visiting malicious sites that merely look like Gmail.

DigiNotar provided digital certificate services by hosting a number of certificate authorities (CAs). It issued certificates for businesses, and certificates for the Dutch government public key infrastructure (PKI) called 'PKIoverheit'.

The Dutch government announced on Monday that DigiNotar certificates could no longer be trusted, including PKIoverheit certificates. Fox-IT said that false certificates may have been issued for the Dutch government, although there was no proof that this had happened.

Security deficiencies

Fox-IT identified a number of seeming security deficiencies at DigiNotar. All of the CA servers were members of one Windows domain, making it possible to access the servers using one weak username-and-password combination.

In addition, the CA servers were accessible over the management local area network (LAN), and that network was "severely breached", with some servers containing malware and no antivirus software. Software installed on public web servers was "outdated and not patched", said Fox-IT.

The identity of the hacker remained unverified at the time of writing. However, plain text left in the script to generate signatures on rogue certificates, which was detailed in an appendix of the Fox-IT report, used the same language as a hacker who claimed responsibility for an attack against certificate authority Comodo. "My signature as always: Janam Fadaye Rahbar," said the text.

'Janam Fadaye Rahbar' is Persian and loosely translates as 'I will sacrifice my soul for my leader'.

The suspected DigiNotar hacker may be the same person or people who hacked Comodo, security company F-Secure said in a blog post on Tuesday.

The hacker left a message in a Pastebin account claiming to have hacked four more unnamed CAs, as well as CA GlobalSign and Israeli CA StartCom.

The message claimed that the DigiNotar hack had been perpetrated to hurt the Dutch government in retaliation for Dutch UN troops failing to prevent the massacre of Muslims at Srebrenica by Serbian forces in 1995.