AMSTERDAM (AP) — Attackers who hacked into a Dutch Web
security firm have issued hundreds of fraudulent security
certificates for intelligence agency Web sites, including
the C.I.A., as well as for Internet giants like Google,
Microsoft and Twitter, the Dutch government said on Monday.
Experts say they suspect the hacker — or hackers —
operated with the cooperation of the Iranian government,
perhaps in attempts to spy on dissidents.
The latest versions of browsers including Microsoft’s
Internet Explorer, Google’s Chrome and Mozilla’s Firefox are
now rejecting certificates issued by the firm that was
hacked, DigiNotar.
But in a statement on Monday, the Dutch Justice Ministry
published a list of the fraudulent certificates that greatly
expands the scope of the July hacking attack that DigiNotar
acknowledged only last week. The list also includes
certificates that were issued for sites operated by Yahoo,
Facebook, Microsoft, Skype, AOL, the Tor Project, WordPress,
and by intelligence agencies like Israel’s Mossad and
Britain’s MI6.
DigiNotar is one of many companies that sell the
security certificates widely used to authenticate Web sites
and guarantee that communications between a user’s browser
and a site are secure.
In theory, a fraudulent certificate can be used to trick
a user into visiting a fake version of a Web site, or used
to monitor communications with the real sites without users
noticing.
But in order to pass off a fake certificate, a hacker
must be able to steer his target’s Internet traffic through
a server that he controls. That is something only an
Internet service provider, or a government that commands
one, can easily do.
Technology experts cite a number of reasons to believe
the attack is connected to Iran. Notably, several of the
certificates contain nationalist slogans in Farsi, the
language spoken by most Iranians.
“This, in combination with messages the hacker left
behind on DigiNotar’s Web site, definitely suggests that
Iran was involved,” said Ot van Daalen, director of Bits of
Freedom, an online civil liberties group.
So far, only a handful of users in Iran is known to have
been affected.
The attack on DigiNotar closely resembles one in March
on the United States security firm Comodo Inc., which was
also attributed to an Iranian.
Although no users in the Netherlands are known to have
been victimized directly, the breach has caused a major
headache for the Dutch government, which relied on DigiNotar
to authenticate most of its Web sites.
In a news conference on Saturday, the Dutch justice
minister, Piet Hein Donner, said the safety of Web sites —
including the country’s social security agency, police and
tax authorities — could no longer be guaranteed.
He advised users who wanted to be certain of secure
communication with the government to use pen and paper.
The Dutch government took over management of DigiNotar,
a subsidiary of Vasco Inc., which is based in Chicago, but
kept the Web sites operating as it scrambled to find
replacement security providers.