Cyber Dissidents, Information Controls and Attacks
On Monday, it was reported that a documentary series airing on Cuba’s state TV accused prominent dissident bloggers of taking part in a “cyber war” launched by the United States to destabilize Castro’s regime. An engineer from the Ministry of Information and pro-government bloggers accuse the United States of launching a counter-revolution in Cuba through “cyber-dissident proxies.” On the other hand, dissidents in Cuba accuse the government of demonizing the Internet in light of the role of online technologies in revolutions. In this video, Cuban dissidents argue that the regime “is nervous because social networks like Twitter and Facebook can play the same role in Cuba they did in Egypt and Tunisia.” (For documentation and analysis of the role of the Net in uprisings across the Middle East and North Africa, check out the OpenNet Initiative’s MENA Watch).
Another country that has shown concern over mass uprisings is China. Calls for a Jasmine Revolution amid the uprisings across MENA have led to an increase in Web censorship. For instance, during the Egyptian uprising, China’s biggest Web portals, sina.com and netease.com, were found to be blocking the word “Egypt” in keyword searches.
Against this backdrop, Chinese customers and advertisers have increasingly been complaining about their Gmail service over the past month: attempts to send messages, mark messages as unread and use other features have been failing for Gmail customers. A Google spokesperson said, “Relating to Google there is no issue on our side. We have checked extensively. This is a government blockage carefully designed to look like the problem is with Gmail.” Last week, Google announced that it had noticed “highly targeted and apparently politically motivated attacks” against activists. China has denied the allegations.
While China is suspected of tampering with Google’s e-mail service, Microsoft Hotmail has reportedly been blocking users in all Arab countries from using HTTPS. A screenshot of the HTTPS error can be seen here.
The biggest news this week has been the attack on the Internet security firm the Comodo Group. Comodo issues digital certificates, encrypted files that tell a user’s Web browser that it is securely connecting to the authentic Web site. It was announced that Comodo’s European affiliate had issued nine fraudulent certificates for domains belonging to Mozilla, Global Trustee, Gmail, Google, Skype, Yahoo and Windows Live. Comodo’s incident report can be found here.
This blogpost by Christopher Parsons and the blog of Mikko Hypponen (chief research officer at F-Secure) explain the threats posed by fraudulent security certificates.
According to the New York Times, the attack appears to be part of a larger state-sponsored plan to eavesdrop on encrypted communications. Quoting Mikko Hypponen (chief research officer at F-Secure), the New York Times notes that with these certificates, attackers can “set up server computers that would appear to work for the targeted Web sites. A government that controls Internet traffic inside its country would be able to use such a server to gain access to encrypted e-mail and chat conversations and collect user names and passwords for individuals’ accounts.” Further, the New York Times also notes that certificate theft has become a tactic of governments, as in the case of the Stuxnet worm, which used stolen certificates.
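The reason a fraudulent certificate “would appear to work” is that a browser trusts every root CA equally: a certificate for a mail host issued by any trusted CA validates, so nothing on the client side distinguishes it from the real one. One defensive check that does make the substitution visible is pinning the expected issuer for a few high-value hosts and consulting a serial-number blocklist of the kind browsers shipped after the incident. The following is an added illustration, not code from the original post, from Comodo or from any browser vendor; it works on the dictionary layout returned by Python’s `ssl.SSLSocket.getpeercert()`, and every host name, CA name, serial number and date in it is a constructed placeholder.

```python
"""Issuer-pin and serial-blocklist audit for a TLS peer certificate (stdlib only).

Added illustration: the certificate dicts use the layout of
ssl.SSLSocket.getpeercert(); all names, serials and dates are constructed.
"""
from ssl import cert_time_to_seconds
import time

# Hypothetical pin table: host pattern -> issuer organizationName values the
# defender has observed for that host. A leading "*." matches one label only.
ISSUER_PINS = {
    "mail.example.com": {"Example Trusted CA"},
    "*.login.example.net": {"Example Trusted CA", "Example Backup CA"},
}

# Hypothetical blocklist keyed by (issuer organizationName, serialNumber),
# the shape of the serial-number blocklists browsers shipped after the incident.
BLOCKED_SERIALS = {("Example Trusted CA", "0F0F0F")}

# Constructed audit time so the examples below are reproducible.
AUDIT_TIME = cert_time_to_seconds("Mar 25 12:00:00 2011 GMT")


def _rdn_value(name, key):
    """Pull one attribute (e.g. organizationName) out of getpeercert()'s nested tuples."""
    for rdn in name:
        for k, v in rdn:
            if k == key:
                return v
    return None


def _hostnames(cert):
    """Every DNS name the certificate claims: subjectAltName first, CN as fallback."""
    names = [v for (k, v) in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        cn = _rdn_value(cert.get("subject", ()), "commonName")
        if cn:
            names.append(cn)
    return names


def _pin_matches(host, pattern):
    """Exact match, or a single-label wildcard in the leftmost position only."""
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return host == pattern


def audit_peer_cert(cert, now=None):
    """Return a list of findings; an empty list means every check passed."""
    now = time.time() if now is None else now
    findings = []
    issuer_org = _rdn_value(cert.get("issuer", ()), "organizationName")
    serial = cert.get("serialNumber", "")

    # 1. Revocation by serial: catches a certificate mis-issued by the pinned CA itself.
    if (issuer_org, serial) in BLOCKED_SERIALS:
        findings.append(f"serial {serial} from {issuer_org} is on the blocklist")

    # 2. Validity window, using the 'Mar 25 12:00:00 2011 GMT' format getpeercert() emits.
    not_before = cert_time_to_seconds(cert["notBefore"])
    not_after = cert_time_to_seconds(cert["notAfter"])
    if not (not_before <= now <= not_after):
        findings.append("certificate outside its validity window")

    # 3. Issuer pin: a pinned host presented by any other CA is a mismatch, however valid.
    for host in _hostnames(cert):
        for pattern, allowed in ISSUER_PINS.items():
            if _pin_matches(host, pattern) and issuer_org not in allowed:
                findings.append(
                    f"{host} is pinned to {sorted(allowed)} but presented issuer {issuer_org!r}"
                )
    return findings


# Constructed sample: the certificate the defender expects for the pinned host.
GOOD_CERT = {
    "subject": ((("commonName", "mail.example.com"),),),
    "issuer": ((("organizationName", "Example Trusted CA"),),),
    "serialNumber": "A1B2C3",
    "notBefore": "Mar  1 00:00:00 2011 GMT",
    "notAfter": "Mar  1 00:00:00 2012 GMT",
    "subjectAltName": (("DNS", "mail.example.com"),),
}

# Constructed sample: same names, signed by a different but browser-trusted CA.
ROGUE_CA_CERT = {
    "subject": ((("commonName", "mail.example.com"),),),
    "issuer": ((("organizationName", "Example Other CA"),),),
    "serialNumber": "7777",
    "notBefore": "Mar 15 00:00:00 2011 GMT",
    "notAfter": "Mar 15 00:00:00 2014 GMT",
    "subjectAltName": (("DNS", "mail.example.com"), ("DNS", "sso.login.example.net")),
}

# Constructed sample: issued by the pinned CA itself, so only the blocklist catches it.
MISISSUED_BY_PINNED_CA = dict(ROGUE_CA_CERT,
                              issuer=((("organizationName", "Example Trusted CA"),),),
                              serialNumber="0F0F0F")

if __name__ == "__main__":
    for label, cert in [("good", GOOD_CERT), ("rogue CA", ROGUE_CA_CERT),
                        ("mis-issued by pinned CA", MISISSUED_BY_PINNED_CA)]:
        print(label, "->", audit_peer_cert(cert, now=AUDIT_TIME) or "ok")
```

The third sample is the caveat a practitioner should take from this incident: when the fraudulent certificate is signed by the very CA a host is pinned to, issuer pinning alone passes it, and only a revocation or serial blocklist (or pinning the leaf certificate's fingerprint) makes it detectable.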
Two of the IP addresses of computers used in the attack were assigned to Iranian ISPs. However, attribution is difficult to make, and as a Comodo blogpost points out, “this may be the result of an attacker attempting to lay a false trail.” Comodo nonetheless added that, “It does not escape notice that the domains targeted would be of greatest use to a government attempting surveillance of Internet use by dissident groups. The attack comes at a time when many countries in North Africa and the Gulf region are facing popular protests and many commentators have identified the Internet and in particular social networking sites as a major organizing tool for the protests.”
However, a lone Iranian hacker has claimed responsibility for the attack in posts on pastebin (statement here; decompiled code here; and account database here). Whether this is the case has been contested (the arguments are covered in this Computer World article). However, in his blogpost, Robert Graham of Errata Security stated that: “As a pentester who does attacks similar to what the ComodoHacker did, I find it credible. I find it probable that (1) this is the guy, (2) he acted alone, (3) he is Iranian, (4) he’s patriotic but not political.” Graham also argues that there is very little evidence pointing to the Iranian government.
Finally, the European Union spotted a cyberattack against its officials and diplomatic services. Few details have been revealed; however, a spokesperson has stated that the threat to the EU’s computer systems is being taken very seriously because of the targeted nature of the attack.