The elusive Iranian behind an audacious internet battle

WIRED: More facts have come to light regarding the mastermind behind an Iranian internet attack


I WROTE last week about the first intimations of a disturbing Iranian attack on the certificate system that underpins the internet's secure sockets layer (SSL): the combination of protocols and trusted third parties that protects data such as credit card numbers and passwords from interception online, and stops sites such as banks and webmail being impersonated by outsiders.

More facts, as they say, have come to light: mostly from the enigmatic Iranian patriot who claims to have broken into the system in order to punish the west.

At the time, what we knew was that Google Chrome users in Iran had noticed strange certificate errors and reported them to Google. Chrome noticed what other browsers did not because it carries a built-in list of the keys Google's own sites are allowed to use. The errors revealed that somebody had obtained fraudulent certificates that let them pass themselves off as Google's websites, and was intercepting Gmail and other services, even when users were on the encrypted versions of those sites served over "https" addresses.


We now know that the certificates were obtained through a serious illegal computer break-in at DigiNotar, a Dutch certificate authority; that the company remained silent for weeks while it dealt with the intruder; and that during that time hundreds of certificates for sites such as Microsoft, Facebook, Yahoo and Twitter were created and downloaded by some entity in Iran. A forensic report by Fox-IT, the external team of security auditors finally brought in to analyse and contain the attack, found that at least 200,000 IP addresses in Iran had asked DigiNotar's validation service whether the fake Google certificate was good, which is what a browser does each time it is shown the certificate. The loot from the break-in was being used for mass surveillance of the Iranian population.

This continues to be a major incident on a number of levels. DigiNotar broke the rules of how one of the internet's trusted notaries should behave, and browser makers such as Microsoft, Google and Mozilla served it the "internet death penalty": they removed its root certificate from their browsers' trust stores, so that nothing it has ever signed, legitimate or not, is accepted any more.

But for me, the most fascinating part has been the information released by the person claiming to be the mastermind behind the DigiNotar attack. He, she or they have a Twitter account, @ichsunx2, and post occasional longer updates on Pastebin, a site for sharing fragments of computer code that has frequently been repurposed for pseudonymous statements.

Some of what the Ich Sun account reports, others can readily confirm. The writer definitely has insider information about the attacks, including secret keys obtained from DigiNotar, and about an earlier attack on another SSL certificate firm, Comodo.

The rest is trickier to ascertain. The account's user claims to be a single young person, 21 years old, and a patriotic Iranian. The attack on DigiNotar, he says, was revenge for the Dutch military's complicity in the 1995 Srebrenica massacre of Bosnian Muslims.

It is striking how close the voice of the Comodo and DigiNotar cracker is to the bombastic style of western "hacktivists". He revels (in English) in his notoriety. ("Do you know meaning of 'Unstoppable Genius Digital Hacker?'," he writes in one post.) He also claims to have broken into other certificate authorities. One of them, GlobalSign, responded to a mention by the attacker by suspending all new certificate issuance until its own systems had been fully audited.

On the other hand, the attacker is evasive about how his certificates came to be deployed across the Iranian internet's infrastructure, and about why it was acceptable to put every Iranian net user at risk of surveillance.

"I'm single person, do not again try to make an army out of me in Iran," one part of the message reads. "If someone in Iran used certs I have generated, I'm not one who should explain." In response to questions on Twitter about why he had effectively given the government access to all Iranians' private messages, he said: "Controlling my own country's people, if someone is doing crime, will be detected, nothing to do with innocents, understand it".

There are strong commonalities between how Ich Sun speaks and acts and the many other individuals online, such as Anonymous and LulzSec, who are taking advantage of computer security flaws and the incredible individual power such vulnerabilities provide. But few independent actors elsewhere choose to work hand in hand with their own state. Or perhaps it would be truer to say that most who do are kept on a quieter, tighter leash by their handlers in the world's governments.

So far, relations between Iran and most of the rest of the world's governments are so strained that these strange battles online have had very few diplomatic consequences. But Ich Sun's stated ambitions are high. He says he wants to show that he is the master of the internet, and that he can spy on other countries' users, not just his own. He mentions, unsurprisingly, America and Israel in his shopping list. What would happen if an Iranian actor, closely connected with the government, really went on the rampage in the Israeli internet? Would Israel believe Iran's denials? Would Iran even bother to deny it?

We've often sent 21-year-olds out to fight our wars. But is it a good idea for nation states to make them the strategic leaders of such battles too?