Country-wide keystroke logger on Tunisian versions of Facebook, Gmail and Yahoo! mail
A story of warrantless surveillance and trust anchors from a country undergoing rapid change.
Here is an excerpt of The Register's take on this story:
Malicious code injected into Tunisian versions of Facebook, Gmail, and Yahoo! stole login credentials of users critical of the North African nation's authoritarian government, according to security experts and

passwords for each site, worked when users tried to log in without availing themselves of the secure sockets layer protection designed to prevent man-in-the-middle attacks. It was found injected into Tunisian versions of Facebook, Gmail, and Yahoo! in late December, around the same time that protestors began demanding the ouster of Zine el-Abidine Ben Ali, the president who ruled the country from 1987 until his ouster 10 days ago.

Danny O'Brien, internet advocacy coordinator for the Committee to Protect Journalists, told The Register that the script was most likely planted using an internet censorship system that's long been in place to control which pages Tunisian citizens can view. Under this theory, people inside Tunisian borders were led to pages that were perfect facsimiles of the targeted sites except that they included about 40 extra lines that siphoned users' login credentials.
For more technical details, here is a blog post.
One might argue for a wider adoption of HTTPS, and that would indeed help: an injected script of this kind only works on pages delivered over plain HTTP, where an in-path censorship system can rewrite the response at will (see also HTTPS Everywhere, a Firefox extension by the EFF that automatically switches connections to a number of major websites to their encrypted versions). It is also true, however, that adversaries have a number of ways to mount impersonation attacks even inside the mighty fortress of our PKIs. Misaligned incentives have led Certification Authorities to repeatedly fail to verify the identity of the subjects requesting certificates, and wildcard certificates for prominent companies have ended up in the wild as a result. Over the last year, malware has appeared that was signed with code-signing keys belonging to major hardware and software vendors. In the end those certificates were revoked, but the revocation was neither timely nor free of trouble for the issuing CAs and the vendors, and a client that does not check revocation status, or that treats an unreachable revocation service as a pass, keeps accepting such a certificate regardless. Furthermore, even if issuance and revocation worked exactly as PKI dogma prescribes, the Tunisian government would still have been able to issue itself certificates in the name of whatever website it wished to snoop on, provided the root of its own CA sits among the trust anchors shipped with the browsers in use, as reported by the press:
Tunisia's government, with its control of The National Digital Certification Agency, already has the authority to generate valid SSL certificates. That gives it the ability to create HTTPS addresses for Facebook or any other website that it wants to impersonate.
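To make the trust-anchor problem concrete, here is an added example (my own code, not part of the original post, The Register's report, or any Tunisian system). It builds a tiny PKI in memory with Go's standard crypto/x509 package: one root standing in for a browser-trusted CA and a second root standing in for a hypothetical state-controlled CA (both CA names are invented). The second root issues a certificate for www.facebook.com that is valid on its face. A client that trusts only the first root rejects it; a client whose trust store also contains the second root accepts it, because nothing in X.509 ties a CA to the domains it may vouch for. The last check goes beyond what the post discusses: a client that pins the site's real public key (an HPKP-style SPKI hash) still rejects the impostor even when the chain validates.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// issuedCert pairs a certificate with the private key it certifies.
type issuedCert struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

var serial int64 // monotonically increasing serial numbers for this in-memory PKI

func nextSerial() *big.Int { serial++; return big.NewInt(serial) }

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// newCA builds a self-signed root with the CA bit set. The legitimate root and
// the hypothetical government root are constructed identically: a client can
// only tell them apart by which one is present in its trust store.
func newCA(name string) issuedCert {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber:          nextSerial(),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return issuedCert{cert, key}
}

// issueServerCert has ca sign a TLS server certificate for host. Nothing in the
// certificate format restricts which hosts a CA may vouch for, so any trusted
// CA can issue for any name without the site owner's involvement.
func issueServerCert(ca issuedCert, host string) issuedCert {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: nextSerial(),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.cert, &key.PublicKey, ca.key)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return issuedCert{cert, key}
}

// chainValid reports whether a client whose trust anchors are exactly roots
// would accept leaf for host. This is all that ordinary HTTPS verification checks.
func chainValid(leaf *x509.Certificate, host string, roots ...*x509.Certificate) bool {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     pool,
		DNSName:   host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err == nil
}

// spkiPin is the HPKP-style pin: base64(SHA-256(SubjectPublicKeyInfo)).
func spkiPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

func main() {
	legitRoot := newCA("Example Browser-Trusted Root CA")         // hypothetical name
	govRoot := newCA("Hypothetical National Certification Agency") // hypothetical name
	host := "www.facebook.com"
	real := issueServerCert(legitRoot, host)
	fake := issueServerCert(govRoot, host) // issued without the site's consent

	fmt.Println("real cert, legit root only:  ", chainValid(real.cert, host, legitRoot.cert))
	fmt.Println("fake cert, legit root only:  ", chainValid(fake.cert, host, legitRoot.cert))
	fmt.Println("fake cert, gov root trusted: ", chainValid(fake.cert, host, legitRoot.cert, govRoot.cert))
	fmt.Println("fake cert matches pinned key:", spkiPin(fake.cert) == spkiPin(real.cert))
}
```

The first three lines of output are true, false, true: the same impostor certificate flips from rejected to accepted purely on the basis of which roots the client trusts. The fourth line is false, which is the point of pinning: the impostor's key is not the site's key, whatever the chain says.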
Trust anchors and trust models - a debate could not be more timely.