Cyberwar & Certified Lies: 531 Spy Certs target CIA, Google, Microsoft, Mozilla

DigiNotar has been blacklisted by Microsoft, Google and Mozilla, but the attack produced 531 rogue digital certificates, including ones for domains belonging to the CIA, the UK's MI6 and the Israeli Mossad. If you use the web at all, a site you have visited was almost certainly on the list . . . possibly at the hands of the Iranian government.

It's been a big weekend in the spoofed spy cert arena, one that guaranteed the Internet giants did not get a long, fun weekend, thanks to DigiNotar, which is now blacklisted and deserves to be. It's not just regular Joes in the crosshairs of this attack either: intelligence agencies like the CIA, the UK's MI6 and the Israeli Mossad were also targeted among the 531 rogue digital certificates. If you use the web at all, a site you have visited was almost certainly on the list. Microsoft, Google and Mozilla have brought down the browser ban hammer on the DigiNotar Certificate Authority and removed trust in every certificate that chains to a DigiNotar root.

Most folks feel pretty safe when they see the padlock in their browser window, which indicates an encrypted connection for private communications like email or banking. Your browser decides silently whether to show that padlock, based on a digital certificate the server presents to prove its identity; the browser trusts that certificate because it was issued by a Certificate Authority (CA) that the browser or operating system already trusts. In theory, HTTPS (SSL/TLS) is supposed to ensure your privacy so that no third party can snoop on or manipulate the conversation between client and server. However, if a trusted CA is compromised and issues fake certificates, an eavesdropper holding a fake certificate for the site you are visiting can impersonate that encrypted website and mount a man-in-the-middle (MITM) attack, reading or tampering with the contents of the HTTPS conversation while your browser still shows the padlock. We discussed this in the past in terms of Big Brother in your browser by using spy certs.

The 531 rogue certificates that are currently known include ones for *.microsoft.com, *.windowsupdate.com, www.update.microsoft.com, *.android.com, *.aol.com, *.google.com, *.mozilla.org, addons.mozilla.org, *.skype.com, *.torproject.org, www.facebook.com, *.wordpress.com, login.live.com, login.yahoo.com and twitter.com. See the DigiNotar Debacle list (CSV text), or the spreadsheet version, for the rest.

ABC News reported a government is "most likely" behind the fake DigiNotar certificates which could potentially "monitor users' communications with those sites without them noticing."

DigiNotar was hacked in July but failed to announce the intrusion promptly, and the intruders walked away with fraudulent digital certificates for a wide variety of domains. The rogue SSL certificate for *.google.com was issued on July 10th, 2011. You know it's serious when the Dutch interior minister holds an urgent press conference at 1:15am on the weekend. The Tor Project posting that published the "531 entries on the currently known bad DigiNotar related certificates" said the attacker left a "calling card" in Farsi, which translates to:

"RamzShekaneBozorg" translates to "great cracker"

"Hameyeh Ramzaro Mishkanam" translates to "I will crack all encryption"

"Sare Toro Ham Mishkanam" translates to "I hate/break your head"

Microsoft first became aware of MITM attacks using spoofed certificates issued by DigiNotar for *.google.com before learning of "fraudulent certificates issued for *.microsoft.com, *.windowsupdate.com, www.update.microsoft.com, and a number of other domains for which conversation privacy is extremely important." Microsoft's Security Research & Defense blog posted tips to protect yourself, including steps for deleting the DigiNotar root manually, and Microsoft is preparing an update to add DigiNotar to the Untrusted Certificate Store on the Windows XP and Windows Server 2003 platforms. Microsoft stated that attackers were not able to leverage a "fraudulent Windows Update certificate to install malware via the Windows Update servers. The Windows Update client will only install binary payloads signed by the actual Microsoft root CA certificate, which is issued and secured by Microsoft. Also, Windows Update itself is not at risk, even to an attacker with a fraudulent certificate."

Mozilla detailed how to delete the DigiNotar CA certificate and later posted that the removal of trust is not temporary but permanent: "All DigiNotar certificates will be untrusted by Mozilla products."

Microsoft said Windows mobile devices are unaffected, but *.android.com is one of the targeted domains. If you browse the web on a mobile device, remove the blacklisted CA from its trust store if the platform lets you. Apple has stayed silent so far about whether it will revoke trust in DigiNotar's certificates.

Kaspersky Lab expert Roel suggested that DigiNotar may turn out to be more important than Stuxnet because "This incident will clearly put cybersecurity and cyberwar on the political agenda." While it might appear that the Iranian government was behind this attack, the post noted that the Dutch government is still investigating. What is known is that Google Gmail traffic in Iran was being spied upon.

This attack was huge! By comparison, the Comodo incident in March that was linked to Iran involved nine fraudulent certificates. The Inquirer noted, "The hackers also managed to issue what are known as wildcard certificates for *.*.com and *.*.org. This would have allowed them to spoof any SSL-protected second-level domain under those TLDs." The hackers also minted rogue certificates bearing the names of other certificate authorities: Comodo Root CA, CyberTrust Root CA, DigiCert Root CA, Equifax Root CA, GlobalSign Root CA, Thawte Root CA and VeriSign Root CA (several of these names appear more than once in the list). DigiNotar chose not to disclose the breach in July and should not be trusted again.
