
Iranian hacks call into question the stability of the whole web

An Iranian youth browses a political blog at an Internet cafe in the city of Hamadan, 360 kms southwest of Tehran, on May 27, 2009.

These maneuvers have been traced to IP addresses within Tehran, and there is speculation that the Iranian government may be behind them. It would certainly be one way of spying on dissidents: reading emails they believed to be private.

So what is the significance of this hack for the rest of us? It could be huge. Steve Schultze, associate director of the Center for Information Technology Policy at Princeton University, says it points to a fundamental problem in the very architecture of the Internet. Hundreds of entities have been given the authority to hand out the certificates that tell your browser it is talking to the genuine site. Some of them are official government institutions; one was the former government of Tunisia (which, you'll recall, was tossed out a few months ago amid charges of corruption). Others are private companies, 100 German universities and even an observatory. A browser trusts every one of them equally, so it only takes one of them being compromised for certificates to be issued in the name of a site that never asked for them.

So while it's a good thing to use a secure (HTTPS) connection, the layer that establishes that security can itself be attacked. In Iran, the hackers were essentially able to step between the user and the website, present a certificate the browser accepted as genuine, and intercept all the information passing through.
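The two preceding paragraphs describe the structural weakness (any trusted root can sign for any site) and the man-in-the-middle that results. The script below is an added example, not code from the article: it builds two self-signed roots that stand in for two members of a browser's trust store, has the "compromised" one issue a certificate for the same hostname as the legitimate one, and shows that ordinary chain validation accepts both. It then applies a public-key pin (base64 of the SHA-256 of the certificate's SubjectPublicKeyInfo, the HPKP convention, which the article does not name) to tell them apart. It assumes the `openssl` command-line tool is installed; the hostname `mail.example.com`, the root names and the pin are all constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the article): two root CAs that a browser would
# trust equally, either of which can issue a certificate for the same site.
# Requires the openssl command-line tool; every name and file here is constructed.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
HOST=mail.example.com    # constructed hostname standing in for a real webmail site

# Minimal openssl config so the demo does not depend on the system openssl.cnf
# and the roots get proper CA extensions.
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# Create a self-signed root CA named $1 (EC keys keep the demo fast).
make_root() {
    openssl req -x509 -config "$WORK/ca.cnf" -extensions ca_ext \
        -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" -days 1 \
        -subj "/O=$1/CN=$1 Root" >/dev/null 2>&1
}

# Have root $1 issue a server certificate for hostname $2, saved as $WORK/$3.crt.
issue_leaf() {
    openssl req -config "$WORK/ca.cnf" \
        -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$WORK/$3.key" -out "$WORK/$3.csr" -subj "/CN=$2" >/dev/null 2>&1
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$2" > "$WORK/$3.ext"
    openssl x509 -req -in "$WORK/$3.csr" -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" \
        -CAcreateserial -extfile "$WORK/$3.ext" -out "$WORK/$3.crt" -days 1 >/dev/null 2>&1
}

# What a browser does: chain the certificate to any trusted root and check the hostname.
verify_chain() {   # $1 = certificate file; exit status 0 means "accepted"
    openssl verify -CAfile "$WORK/store.pem" -verify_hostname "$HOST" "$1" >/dev/null 2>&1
}

# HPKP-style pin: base64(SHA-256(SubjectPublicKeyInfo)) of the certificate's key.
spki_pin() {       # $1 = certificate file
    openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 -binary \
        | openssl base64 -A
}

# Pinned check: the chain must validate AND the key must be the one the site owner expects.
pinned_verify() {  # $1 = certificate file, $2 = expected pin
    verify_chain "$1" && [ "$(spki_pin "$1")" = "$2" ]
}

# Build the trust store and the two certificates.
make_root RootA
make_root RootB                       # imagine this is the compromised CA
cat "$WORK/RootA.crt" "$WORK/RootB.crt" > "$WORK/store.pem"
issue_leaf RootA "$HOST" legit        # the certificate the site owner actually requested
issue_leaf RootB "$HOST" rogue        # mis-issued: same name, attacker's key, never requested

PIN=$(spki_pin "$WORK/legit.crt")     # the pin the site owner would publish

report() {         # $1 = label, $2 = certificate file
    if verify_chain "$2"; then chain=accepted; else chain=rejected; fi
    if pinned_verify "$2" "$PIN"; then pin=accepted; else pin=rejected; fi
    printf '%-5s  chain validation: %-8s  key pin: %s\n' "$1" "$chain" "$pin"
}
report legit "$WORK/legit.crt"   # chain accepted, pin accepted
report rogue "$WORK/rogue.crt"   # chain accepted, pin rejected
```

The chain check cannot tell the two certificates apart: both chain to a root in the store and both carry the right hostname, which is exactly why one compromised authority is enough. The pin works because it checks something the attacker cannot forge with a stolen CA, the site's own public key, but it has to be distributed to the client out of band before the attack, which is the hard part that the "various Internet organizations" mentioned below were working on.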

Various Internet organizations and companies are working to correct this system. We'll keep you posted on their progress.

Also in this program, you can buy a Facebook greeting from an "American Idol" contestant for $1. If you want.

About the author

John Moe is the host of Marketplace Tech Report, where he provides an insightful overview of the latest tech news.

I think this radio broadcast may seriously mislead your listeners into believing that email communication is secure. The broadcast inappropriately conflates a story about security certificate compromises with the subject of email security and concludes with assurances that most email is secure.

Securing email requires much more than uncompromised SSL certificates and certificate authority chains. Most email systems store and, frequently, transmit messages in clear text. There are numerous opportunities as an email travels from sender to recipient for the message to be intercepted by a third-party. Further, interception may occur well after a message has been delivered to the recipient. To keep messages from being accessible to third parties, users must encrypt their mail.

The inherent insecurity of email has nothing whatsoever to do with compromised security certificates, which is the actual subject of your story. Email users who care about the privacy and security of their communications should understand the differences.

Interested in further background reading? Wikipedia provides several good starting points:

(1) http://tinyurl.com/4dzxedu gives a pretty good overview of how modern email systems work and provides numerous references and background reading. My comments are primarily concerned with (a) the SMTP protocol and message formats, (b) the storage of messages on MTA and MX systems, and (c) the transport of messages between MTA and MX systems. Other useful articles are: http://tinyurl.com/yy2tr8 and http://tinyurl.com/4unzbjj.

(2) The article on remailers (http://tinyurl.com/leyy6) is a good starting point for learning about a common approach to email metadata security. Since most email users are interested in two-way communication, pseudonymous remailers are also of interest (http://tinyurl.com/yrwd9n).

@Patrick Boyd

Hey there, I'm the commentator. You're correct. I meant to say that when your browser is indicating a secure connection, in the vast majority of cases this is true.

There is absolutely a need for more sites to enable HTTPS by default.

Your contributor stated that in "the vast majority of cases your communications are encrypted." This is an incorrect statement. Currently, of the 3 major web mail services, only Gmail provides a secure connection by default. Hotmail provides an opt-in secure interface (in other words, you have to change a setting) and from what I can tell Yahoo mail still doesn't even provide the option. Additionally, Facebook and Twitter only just started to provide an opt-in secure connection option. So in the vast majority of cases your online communication is as secure as you talking to a person across a crowded room full of strangers.

I believe I encountered just such a 'man-in-the-middle' type of attack last night (Thurs 3/24)

I took a look at Facebook News Feed page and noticed it contained two messages directed to me from a sister-in-law who is on my FB Friends list. Receiving one message from her would be unusual and two is unheard of. Yet there they were.

One message was a link to a "Find out Who's Stalking You" site. Curious but skeptical, I took a look at it and it wanted me to Allow privileges to access (and thereby harvest) my account's contacts (and likely harvest all my email contacts). I didn't take the bait, but the page presented a long list of names (each conveniently blurred beyond legibility) of supposed 'stalkers' of my FB profile.

The other FB message to me from her was related, conveying a message that she apparently had fallen for this ruse. That message contained a topic headline plus a list of the three top people (with seemingly fabricated names) who had supposedly viewed my sister-in-law's FB profile page respectively 30, 33 and 147 times in the "past week".

Yeah, right. What was humorous about this (besides the 'vanilla' names, and assuming one isn't taken in by the ruse) is that these three supposed stalkers were listed as #1, #2 and #3 in stalking activity (visits to her profile). Yet the 3rd-ranked stalker had made the single *highest* number (147) of views of my sister-in-law's FB profile. I'd hate to learn how many visits the #4 stalker had made.

I decided to close the browser session and then return to FB. When I returned, those two 'stalking' messages supposedly from my sister-in-law were now missing.

I can only speculate on how this happened. But Microsoft forced its way to my XP system with a Security Alert update (even though I try to keep Security Center Automatic Updates turned off.) The Microsoft Security Advisory (#2524375) referenced nine fraudulent digital certificates had been released, affecting several large Web properties including live.com, gmail, skype, yahoo, mozilla etc), so I decided to accept the security update from Microsoft. No strange FB messages from relatives have appeared since, though it's only been 12 hours or so.

Now, how was I 'found' and sent a message from my sister-in-law through Facebook? Not sure, but a couple of possibilities are these:

1. my sister-in-law's FB account may have been compromised somehow, possibly through some manner related to her daughter in college;

2. following from #1, the attacker 'connected' people with the same last name and sent these stalker warning messages, so to maximize the likelihood that the message would be taken seriously and the recipients would open their contact file to the attack; and

3. when the Iranian youth were protesting on the streets a year or so ago, I joined Twitter and set my location as Teheran. It's still set there, even though I don't use Twitter at all. Maybe the mullahs are trying to harvest Twitter accounts that are tuned to Teheran. I wouldn't be surprised at all.
