Iran targets Gmail and Skype with fake SSL hack
By Nicole Kobie
Posted on 24 Mar 2011 at 08:12
Iran has tricked a web firm into issuing fake security certificates for Gmail, Skype, Hotmail and more.
Comodo Group, a US-based certificate authority firm with 15% of the market, admitted that one of its affiliate's accounts in Southern Europe had been hacked, letting the attackers create fake SSL security certificates for six websites.
Such digital keys let websites offer secure services, and fake versions could be used to spoof sites, gather login details and watch user activity.
The fake certificates target Microsoft's Live platform, Gmail and Google, Skype, Yahoo, and Mozilla Firefox extensions. The attack was quickly discovered, with the attacker still using the account when it was shut down.
Even most geeks wouldn't notice this was going on
Comodo's CEO Melih Abdulhayogl said the attack appeared to originate in Iran, as it would have required access to the country's DNS infrastructure. "We believe these are politically motivated, state-driven/funded attacks," he said in a blog post, adding it was the first such state attack he'd seen against the authentication layer of the web.
Phillip Hallam-Baker, principal scientist for Comodo, said the timing of the attack was no coincidence.
"It does not escape notice that the domains targeted would be of greatest use to a government attempting surveillance of internet use by dissident groups," he said in a blog post.
"The attack comes at a time when many countries in North Africa and the Gulf region are facing popular protests and many commentators have identified the internet and in particular social-networking sites as a major organising tool for the protests," he added.
What it means
F-Secure's chief research officer Mikko Hypponen explained what a government could do with such a certificate. "If you are a government and able to control internet routing within your country, you can reroute all, say, Skype users to fake https://login.skype.com and collect their usernames and passwords, regardless of the SSL encryption seemingly in place," he said in a post on the F-Secure blog.
"Or you can read their email when they go to Yahoo, Gmail or Hotmail. Even most geeks wouldn't notice this was going on," he said.
Microsoft has issued a patch to block the fake certificates, after being alerted to the trouble on 16 March. The patch will go out immediately to anyone with automatic updates turned on.
"In addition, browsers which have enabled the Online Certificate Status Protocol (OCSP) will interactively validate these certificates and block them from being used," Microsoft said.
- Google Glass: mugger bait, pub problem and other lessons learned from two dangerous weeks
- Twitter, please don't fiddle with my feed
- How Satya Nadella can get some pay-raise karma
- Windows 10: a step back to go forward
- Michael Dell: Cloud infrastructure is the roads, bridges and highways of the 21st century
- How to check your identity hasn’t been sold to the hackers
- Tim Cook: this is how much TV has changed since the 70s
- Westminster wins the .London battle
- 20 years of PC Pro: from deep pan pizza to virtualisation
- Five reasons why the Apple Watch leaves me cold
- How to write your company's IT security policy
- The key to choosing a secure password
- Please stop reposting fake Facebook messages
- Is Facebook safe for business?
- Don't rely on Chrome's password vault
- Facebook Graph Search: don't panic
- Gmail drafts and Pastebin: could they evade the email snoops?
- Applying for a job at GCHQ? Here's your plain-text password
- Google two-step verification: a must for business email
- Yes, I write down my passwords