Go to page content

Information that makes security stakeholders better off

Article — by Alfonso De Gregorio, 25 January 2011

Country-wide keystroke logger on Tunisian versions of Facebook, Gmail and Yahoo! mail

A story of warrantless surveillance and trust anchors from a country undergoing rapid change.

The accounts of protestors, who began demanding the ouster of Zine el-Abidine Ben Ali in Tunisia, have been target of surveillance, censorship, and disruption. Government authorities appears to have injected a JavaScript based keylogger in the Tunisian versions of Facebook, Gmail, and Yahoo! mail, collecting the login credentials, later used to access the protestors' accounts.

Here is an excerpt of The Register take on this story:

Malicious code injected into Tunisian versions of Facebook, Gmail, and
Yahoo! stole login credentials of users critical of the North African
nation's authoritarian government, according to security experts and
news reports.

The rogue JavaScript, which was individually customized to steal
passwords for each site, worked when users tried to login without
availing themselves of the secure sockets layer protection designed to
prevent man-in-the-middle attacks. It was found injected into Tunisian
versions of Facebook, Gmail, and Yahoo! in late December, around the
same time that protestors began demanding the ouster of Zine
el-Abidine Ben Ali, the president who ruled the country from 1987
until his ouster 10 days ago.

Danny O'Brien, internet advocacy coordinator for the Committee to
Protect Journalists, told The Register that the script was most likely
planted using an internet censorship system that's long been in place
to control which pages Tunisian citizens can view. Under this theory,
people inside Tunisian borders were led to pages that were perfect
facsimiles of the targeted sites except that they included about 40
extra lines that siphoned users' login credentials.

For more technical details, here is a blog post.

Though, someone might argue for a wider adoption of HTTPS and this might be of help - see also HTTPS Everywhere, a Firefox extension by the EFF automating the encryption of web communications with a number of major websites - it is true also that cyber adversaries have a number of ways to mount impersonation attacks, in the mighty fortress of our PKIs. Misaligned incentives have led Certification Authorities to repeatedly fail to verify the identity of subjects requesting their certificates, and issued in the wild wildcard certificates for prominent companies. Over the last year, malware started to appear that was authenticated by signing keys belonging to major hardwareandsoftware vendors. In the end, those certificates were revoked, but the revocation was neither timely nor free from concerns for the issuing CAs and the vendors. Furthermore, even if the issuing and revocation procedures worked according to the PKI dogma, in Tunisia the government authorities would have had anyway the opportunity to self issue certificates named after the website they desire to snoop - as reported by the press:

Tunisia's government, with its control of The National Digital Certification Agency, already has the authority to generate valid SSL certificates. That gives it the ability to create HTTPS addresses for Facebook or any other website that it wants to impersonate.

Trust anchors and trust models - a debate could not be more timely.


  • avatar


    Posted 2 years, 4 months ago.

    Internet censorship is a debatable issue. Some are firmly opposing this move because they believe that censorship means termination of the freedom of expression. Others are in favor for Kapil Sibal's request which comes in reaction to disparaging comments made on Facebook about Sonia Gandhi, a top Indian politician. India officials today are meeting with representatives of Internet companies and social networks to request the companies to monitor its information from Indian consumers. It is part of an ongoing attempt by the country to limit Internet information. This brand new policy could influence everything on the internet including smartphone and webpage apps. Read more: http://www.appisaurus.com/1237-india-screen-content/

  • avatar


    Posted 8 months, 24 days ago.

    Many parents nowadays are concerning about children’s online safety, for the Internet bullying is lurking on the Internet and children are always the targets. Monitoring children doesn’t mean parents break in children’s private space or snoop their personal secrets, proper children computer monitoring can ensure the children’s online safety and parents can take actions to prevent their children from being hurt in time. For more information, please visit: http://www.anykeylogger.com/how-to-monitor-child-on-computer.html