Thousands of Iranians hit by email monitoring attack
Up to 300,000 Iranian people may have had their Gmail and Google services accounts compromised as a result of an attack on Dutch digital certificate company DigiNotar, according to a report
Using this cookie the hacker is able to log in directly to the Gmail mailbox of the victim and also read the stored emails.
– Fox-IT report
"Using this cookie the hacker is able to log in directly to the Gmail mailbox of the victim and also read the stored emails," said the report. "Besides that, he is able to log in all other services Google offers to users like stored location information from Latitude or documents in Google Docs."
The Google certificate was only revoked on 29 August despite DigiNotar having known of problem since 19 June, according to the report. The hackers may have deleted traces of their activities, leaving a number of certificates with questionable trustworthiness, said Fox-IT.
"No secure central network logging is in place," the company said.
Digital certificates
Digital certificates are used for cryptographic identification. For example, web browsers use certificates to validate HTTPS-based websites, such as Gmail, to make sure users are not visiting malicious sites that merely look like Gmail.
DigiNotar provided digital certificate services by hosting a number of certificate authorities (CAs). It issued certificates for businesses, and certificates for the Dutch government public key infrastructure (PKI) called 'PKIoverheit'.
The Dutch government announced on Monday that DigiNotar certificates could no longer be trusted, including PKIoverheit certificates. Fox-IT said that false certificates may have been issued for the Dutch government, although there was no proof that this had happened.
Security deficiencies
Fox-IT identified a number of seeming security deficiencies at DigiNotar. All of the CA servers were members of one Windows domain, making it possible to access the servers using one weak username-and-password combination.
In addition, the CA servers were accessible over the management local area network (LAN), and that network was "severely breached", with some servers containing malware and no antivirus software. Software installed on public web servers was "outdated and not patched", said Fox-IT.
The identity of the hacker remained unverified at the time of writing. However, plain text left in the script to generate signatures on rogue certificates, which was detailed in an appendix of the Fox-IT report, used the same language as a hacker who claimed responsibility for an attack against certificate authority Comodo. "My signature as always: Janam Fadaye Rahbar," said the text.
'Janam Fadaye Rahbar' is Persian and loosely translates as 'I will sacrifice my soul for my leader'.
The hacker left a message in a Pastebin account claiming to have hacked four more unnamed CAs, as well as CA GlobalSign and Israeli CA StartCom.
The message claimed that the DigiNotar hack had been perpetrated to hurt the Dutch government in retaliation for Dutch UN troops failing to prevent the massacre of Muslims at Srebrenica by Serbian forces in 1995.
Get the latest technology news and analysis, blogs and reviews delivered directly to your inbox with ZDNet UK's newsletters.