SSL certificate debacle includes CIA, MI6, Mossad and Tor

Last week I wrote about the compromise of digital certificate authority DigiNotar. While the idea of over 250 false certificates being issued was scary, the number has grown to 531, including what could be intermediate signing certificates.

This is really bad news. As DigiNotar is a “root” certificate authority, it can delegate authority to intermediaries to sign and validate certificates on its behalf.

It appears the attackers signed 186 certificates that could have been intermediate certificates. These certificates masqueraded as well-known certificate authorities like Thawte, Verisign, Comodo and Equifax.

The expanded list of domains for which fraudulent certificates were issued includes Facebook, Google, Microsoft, Yahoo!, Tor, Skype, Mossad, CIA, MI6, LogMeIn, Twitter, Mozilla, AOL and WordPress. A complete list can be downloaded from the Tor website.

The attackers also issued themselves certificates for *.*.com and *.*.org. I am not sure if a multi-wildcard certificate like this is valid, but if so it could allow them to impersonate anything.
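To see how a name like that fares against the hostname-matching rules browsers apply, here is an added example (not code from the original post) implementing RFC 6125 style wildcard matching; the hostnames used in it are constructed samples.

```python
# Added example: RFC 6125 style wildcard matching for certificate names.
# Shows what "*.*.com" would and would not cover if a client applied the
# usual rules. All hostnames below are constructed samples.

def _label_matches(pattern, label):
    """Match one DNS label against a pattern label holding at most one '*'."""
    if "*" not in pattern:
        return pattern == label
    if pattern.count("*") > 1:
        return False
    prefix, suffix = pattern.split("*")
    return (label.startswith(prefix) and label.endswith(suffix)
            and len(label) >= len(prefix) + len(suffix))

def hostname_matches(cert_name, hostname):
    """Return True if cert_name (possibly containing a wildcard) covers hostname.

    Rules applied, following RFC 6125 section 6.4.3 and common browser
    behaviour: labels are compared case-insensitively one by one; a wildcard
    is only honoured in the left-most label; it matches exactly one label,
    never zero or several; and a wildcard directly under a top-level domain
    such as "*.com" is rejected.
    """
    cert_labels = cert_name.lower().rstrip(".").split(".")
    host_labels = hostname.lower().rstrip(".").split(".")
    if len(cert_labels) != len(host_labels):
        return False                      # "*" never spans several labels
    if any("*" in lbl for lbl in cert_labels[1:]):
        return False                      # wildcard only in left-most label
    if "*" in cert_labels[0] and len(cert_labels) < 3:
        return False                      # "*.com" would cover a whole TLD
    return all(_label_matches(p, l) for p, l in zip(cert_labels, host_labels))
```

Under these rules `*.*.com` matches nothing at all, since the second label may not carry a wildcard; `*.google.com` covers `mail.google.com` but not `google.com` or `a.mail.google.com`.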

According to the blog post on the Tor project’s website, they also left a message in Farsi. Loosely translated, it reads “great cracker, I will crack all encryption, i hate/break your head.”

This incident makes me feel more justified than ever in my distrust of the certificate system. While Mozilla, Google and others have been quick to permanently remove DigiNotar as a trusted authority, in this case it is too little, too late.

Currently, users of IE and Safari on Windows 7, Vista, 2008 or 2008 R2, and users of Chrome and Firefox on any platform, are protected against exploitation as long as they are fully patched.

Mac OS X users running the latest Chrome and Firefox (6.0.1) versions are fine, but Safari and OS X itself have not been patched. There are instructions for removing the certificate manually on the ps | Enable blog, although the process is non-trivial.

More concerning is that mobile users are being left in the dark. There have been no updates, and there is no manual removal method for Android or iPhone/iPad/iPod Touch users who haven’t jailbroken or rooted their devices.

Tap, tap, tap… Hello, Apple? Are you there? Your competitors (Microsoft, Google, Mozilla) are protecting their customers promptly and openly. I know you don’t like to talk about security, but now would be a great time to show you care.

Correction: I had mistakenly noted that Firefox 6.0.2 was current, when in fact 6.0.1 is the latest.

DNS hack hits popular websites: Daily Telegraph, The Register, UPS, etc

Popular websites including The Register, The Daily Telegraph, UPS, and others have fallen victim to a DNS hack that has resulted in visitors being redirected to third-party webpages.

Web security tester Paul Mutton managed to capture a screenshot of what visitors to The Register saw:

Message seen by visitors to www.theregister.co.uk. Image credit @paulmutton

Part of the message reads:

TurkGuvengligi

"Gel Babana"

HACKED

"h4ck1n9 is not a cr1m3"

"4 Sept. We TurkGuvenligi declare this day as World Hackers Day - Have fun 😉 h4ck y0u"

The phrase “Gel Babana” is Turkish for “Come to Papa”, and “Guvenligi” is Turkish for “Security”.

Further websites which have been affected by the DNS hack include National Geographic, BetFair, Vodafone and Acer.

It’s important to note that the websites themselves have *not* been hacked, although to web visitors there is little difference in what they experience – a webpage under the control of hackers.

Instead of breaching the website itself, the hackers have managed to change the DNS records for the various sites affected.

DNS records work like a telephone book, converting human-readable website names like nakedsecurity.sophos.com into the numeric addresses that computers on the internet use to reach them. What seems to have happened is that someone changed the lookup, so when you entered telegraph.co.uk or theregister.co.uk into your browser you were instead taken to a website that wasn’t under the control of those sites’ owners.

Because of the way that DNS works, it may take some time for corrected DNS entries for the affected websites to propagate worldwide – meaning there could be problems for some hours ahead. If you’re in the habit of visiting and logging into the affected sites, you might be wise to clear your cookies so the hackers aren’t able to steal any information from you.
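The propagation delay comes from resolvers caching each answer until its TTL runs out. The following added example (not code from the original post) simulates a single caching resolver through the hijack and the fix; the domain name, addresses and TTL are constructed values.

```python
# Added example: a minimal caching resolver showing why a corrected DNS
# record only reaches clients once the cached (hijacked) answer's TTL
# expires. The name, addresses and timings are constructed samples.
import time

class ResolverCache:
    """Caches (name -> address) answers until their TTL runs out."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._entries = {}            # name -> (address, expires_at)

    def resolve(self, name, authoritative_lookup):
        """Return the cached answer while fresh, otherwise ask the authority."""
        now = self._clock()
        cached = self._entries.get(name)
        if cached and cached[1] > now:
            return cached[0]
        address, ttl = authoritative_lookup(name)
        self._entries[name] = (address, now + ttl)
        return address

def simulate_hijack_and_fix():
    """Walk one resolver through hijack, restoration and cache expiry.

    Returns the address a client behind this resolver sees at three points:
    while the hijacked record is cached, just after the record is restored,
    and after the cached answer's TTL has expired.
    """
    clock = {"now": 0}
    cache = ResolverCache(clock=lambda: clock["now"])
    authority = {"news.example": ("192.0.2.10", 3600)}   # legitimate, 1h TTL
    lookup = lambda name: authority[name]

    authority["news.example"] = ("198.51.100.7", 3600)   # record altered
    seen_during_hijack = cache.resolve("news.example", lookup)

    authority["news.example"] = ("192.0.2.10", 3600)     # record restored
    clock["now"] += 600                                  # ten minutes later
    seen_after_fix = cache.resolve("news.example", lookup)   # still stale

    clock["now"] += 3600                                 # cached TTL expired
    seen_after_expiry = cache.resolve("news.example", lookup)
    return seen_during_hijack, seen_after_fix, seen_after_expiry
```

The only lever a site operator has over this window is the TTL it publishes, which bounds how long a resolver keeps serving the stale answer after the fix.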

In many ways we have to be grateful that the message displayed appears to be graffiti, rather than an attempt to phish information from users or install malware.

The question now is how did the hackers manage to change the DNS records for these sites?

Here’s a statement The Register published about the incident:

Statement from The Register

Image credit: @paulmutton.

Update: The Register has tweeted that its DNS records have been returned to normal.

The Register (tweet):

So our DNS records have been restored to normality. Still no word from our provider.

As noted above, however, it may take some hours before the fix propagates around the net.