Hackers acquire Google certificate, could hijack Gmail accounts

Discussion in 'other security issues & news' started by ronjor, Aug 29, 2011.

Thread Status:
Not open for further replies.
  1. siljaline

    siljaline Registered Member

    Joined:
    Jun 29, 2003
    Posts:
    6,618
    Man-in-the-Middle attack defined
     
  2. fsr

    fsr Registered Member

    Joined:
    Jul 26, 2010
    Posts:
    190
    Hi, no I don't mind at all; on a second read I saw some duplicate facts, and since I don't understand Dutch, I decided to remove the post.

    Next time I will not remove a post before forum consideration (your expertise). Thanks ;)
     
  3. x942

    x942 Guest

    I am hoping that is not in response to my post. I know what a MITM attack is. I perform them almost daily as part of my job (ITSEC/Pentesting). Wikipedia's definition is somewhat off:

    A MITM attack is any attack in which an attacker or attackers place themselves in between the client and the destination (server). They become the server for the client and the client for the server. This can occur with a compromised Cert or without one. There are many types of MITM attacks:

    -DNS Poisoning
    -ARP Poisoning
    -Rogue AP

    If someone (Iran for example) has a Cert for Google they can now (at the ISP level) perform a MITM attack. They can do this by controlling what happens when Google is loaded. If the attacker sees a connection to https://www.gmail.com now all he has to do is convince the client he is Google (he has the right Cert now) and connect to Google as the client. This allows the attacker to take what the victim passes on (password, emails, etc.), intercept it and log it, and then pass it on to Google. The user won't notice this because the cert is "legit". This can be done without a Cert too, on a much smaller scale with a lot less financial cost. The only difference is the user will get a warning from their browser.

    Also if you are using Perspectives or Certificate Patrol you will be alerted if the Cert has not been seen by you (CP) or in the wild (Perspectives). This helps build a defense against this type of attack.
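Added example (editor's code, not from the thread and not the code of Certificate Patrol or Perspectives): a Go program that builds two self-signed roots, puts both in the trust store, and has the second root mis-issue a certificate for www.gmail.com. Plain chain validation accepts both leaves, which is why a certificate from a stolen CA is enough for the silent MITM described above; a "key seen on first visit" pin of the kind Certificate Patrol keeps rejects the mis-issued one. The CA names and the SPKI-hash pin format are assumptions made for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

var serial int64 // unique serial per certificate in this demo

// template builds a minimal root-CA or server template for name (names are
// hypothetical). Server templates carry the host in the SAN, where validators look.
func template(name string, isCA bool) *x509.Certificate {
	serial++
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	if isCA {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
	} else {
		t.DNSNames = []string{name}
		t.KeyUsage = x509.KeyUsageDigitalSignature
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// sign issues tmpl with a fresh P-256 key; a nil parent means self-signed (a root).
func sign(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err) // programming error in the demo, not a runtime condition
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// SPKIPin is the SHA-256 of the leaf's SubjectPublicKeyInfo: what a "have I seen
// this key for this host before" check records on the first visit.
func SPKIPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// ChainValid is plain browser validation: any chain to any trusted root whose
// leaf names host passes, no matter which root signed it.
func ChainValid(leaf *x509.Certificate, roots *x509.CertPool, host string) bool {
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return err == nil
}

// PinValid runs chain validation and then also requires the key recorded earlier.
func PinValid(leaf *x509.Certificate, roots *x509.CertPool, host, pin string) error {
	if !ChainValid(leaf, roots, host) {
		return fmt.Errorf("%s: chain does not validate", host)
	}
	if got := SPKIPin(leaf); got != pin {
		return fmt.Errorf("%s: chain validates but the key changed (%s... was %s...)", host, got[:8], pin[:8])
	}
	return nil
}

// Demo trusts two roots, has the second mis-issue a leaf for the same host as the
// genuine one, and reports what each check says about each leaf.
func Demo() (legitChain, fraudChain bool, legitPin, fraudPin error) {
	const host = "www.gmail.com"
	goodCA, goodKey := sign(template("Genuine Root CA", true), nil, nil)
	badCA, badKey := sign(template("Compromised Root CA", true), nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(goodCA)
	roots.AddCert(badCA)
	legit, _ := sign(template(host, false), goodCA, goodKey)
	fraud, _ := sign(template(host, false), badCA, badKey)
	pin := SPKIPin(legit) // recorded on the user's first, unattacked visit
	return ChainValid(legit, roots, host), ChainValid(fraud, roots, host),
		PinValid(legit, roots, host, pin), PinValid(fraud, roots, host, pin)
}

func main() {
	lc, fc, lp, fp := Demo()
	fmt.Printf("genuine leaf:    chain ok=%v  pin err=%v\n", lc, lp)
	fmt.Printf("mis-issued leaf: chain ok=%v  pin err=%v\n", fc, fp)
}
```

The point of the two checks side by side: the trust store cannot tell the two roots apart, so revocation or removal of the compromised root (what the browsers did with DigiNotar) is the only fix on the CA side, while a per-host pin lets the client notice the change on its own.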
     
  4. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    @ x942 et al

    I'd love to see someone post a Real example of a MITM attack, with screenies of their security/privacy software/plugins etc alerting them etc :thumb: :thumb: :thumb:
     
  5. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Exactly. They basically pretend to be the other side of the conversation each time, while listening in or even changing the information that the other sides receive.

    And as you said, they need to be in control of some part of the "conversation" where they can sit and work.

    Yeah, if you're on a public wifi it is WAY easier to use any of the tools created (all for linux that I know of) to do this. But if you're trying to hit as many people as possible and you have control of, say, a DNS server... a falsified cert can be helpful.
     
  6. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    CloneRanger. I don't know of any defense against a MITM attack from programs like sslstripper except to secure your network - once the network is breached your host computer can't do anything to protect itself.

    If there's a way to do it... I don't know of it.
     
  7. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    @ Hungry Man

    Hi, well i hope someone can show us something, before too long :thumb:

    Prevx said they could/can with PSOL!
     
  8. siljaline

    siljaline Registered Member

    Joined:
    Jun 29, 2003
    Posts:
    6,618
    My MITM definition from Wikipedia was simply throwing it out there and not pointed at any particular person within this thread. The Wikipedia article can be edited as your information certainly bests theirs.

     
  9. siljaline

    siljaline Registered Member

    Joined:
    Jun 29, 2003
    Posts:
    6,618
    Google might shun Dutch gov certificates from DigiNotar

    More at above Link
     
  10. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I'm not sure what PSOL is.

    The way SSLStripper works is that (example: Gmail) when you're logging into Gmail, it tries to go through https. SSLStripper will play MITM, stop that request, force http://gmail.com, which is not secured, and then relay info back and forth, all the while telling you that you've got https.

    At no point does the attack occur on your host computer and at no point does the attack occur on Gmail servers; therefore it's incredibly difficult to detect or prevent and I don't know of any way to do it.

    Of course, again, this attack is based on the idea that your network has been compromised.
     
  11. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,867
    Location:
    Outer space
    I think Online Armor can protect against this. It's been a while since I used it, but when I used it one of its features was a secondary secure DNS, which would double-check with your normal DNS.

    Prevx's SafeOnline ;)
     
  12. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Not a DNS issue though.

    There's probably a way to do some kinda extra verification but I don't know.
     
  13. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    4,638

    Thanks siljaline.

    ===

    Finally, finally the news about DigiNotar and the government certs has been on the news on TV here today in Holland.

    ===

    It has been confirmed that indeed all local and semi-government organisations have to look at possible consequences (as if the central government shouldn't have an overview of that - :ouch: ).

    ===

    More and more questions are rising about the safety of the PKIoverheid certs.

    ===

    There is a discussion at Dutch site webwereld about the Path Length Constraint of the certs of the sub CAs under PKIoverheid.

    ===

    We're still waiting for the results of the second audit.

    ===

    Questions have been raised whether DigiNotar didn't commit a punishable act by not informing, or informing too late, about what happened.

    ===

    The whole evening (and we're already in the night here) there is a crisis meeting at the Interior Department with the Minister.
     
  14. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    4,638
    And the news is now that the Dutch government has ended the co-operation with DigiNotar!
    See Dutch site Nu.nl :
    http://www.nu.nl/internet/2605914/donner-zegt-samenwerking-met-diginotar.html

    Other PKIoverheid certs will be used. How and when, I don't know yet.
    I guess that this was the only possible result of this "issue" 'ough'.

    Users of Dutch government sites will get a warning that those sites are not trusted. Well, I might hope that the new certs will come quickly.....
    And I do hope that the Dutch government did learn a lesson and that things will get better.......

    And most of all, I can only hope that citizens in another country did not fall victim to this whole mess....... (Baserk worded that better than me)
     
  15. siljaline

    siljaline Registered Member

    Joined:
    Jun 29, 2003
    Posts:
    6,618
    Please see my post on Chrome. Hoping it will clarify where Google Chrome is in this mess.

     
  16. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    PSOL does indeed mention MITM, amongst other things, but says "looks to protect" rather than prevent!

    See also,

     
  17. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    https://blog.mozilla.com/security/2011/09/02/diginotar-removal-follow-up/

    Mozilla: Diginotar mishandled their breach, & thus removal of Diginotar from Firefox is permanent.


     
  18. siljaline

    siljaline Registered Member

    Joined:
    Jun 29, 2003
    Posts:
    6,618
    Pardon any duplication of effort if already posted within this thread

    Dutch CA banished for life from Chrome, Firefox

    More at link
     
  19. fsr

    fsr Registered Member

    Joined:
    Jul 26, 2010
    Posts:
    190
  20. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    Thanks for the article.
     
  21. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    4,638
    Blog by Gervase Markham (Mozilla):
    DigiNotar Compromise
    http://blog.gerv.net/2011/09/diginotar-compromise/


    TOR blog:
    DigiNotar Damage Disclosure
    https://blog.torproject.org/blog/diginotar-damage-disclosure

    Read more at that TOR blog link.

    Both that spreadsheet and CSV text file can be found here:
    https://svn.torproject.org/svn/projects/misc/diginotar/
    (or by going to the direct download links in that TOR blog)
     
  22. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    4,638
    Besides of the already known ones, the following one is important for Dutchies:
    Koninklijke Notariele Beroepsorganisatie CA
    We're talking here about Notaries. Nothing can be done in this country without a Notary like for example buying/selling a house, making a Last Will, a possible Last Will being checked when someone passes away, etc. :'( :'(
     
    Last edited: Sep 4, 2011
  23. x942

    x942 Guest

    Thank you. I was not taking it as an attack. I only said that because it came right after my post. ;)

    There is SOME protection at least against ARP poisoning. It's called DeCaffeinateID, made by IronGeek. http://www.irongeek.com/i.php?page=security/decaffeinatid-simple-ids-arpwatch-for-windows. For SSLStrip just watch the browser; if there is no https:// then something is wrong. If you get a warning, something is wrong. Use Perspectives as a helper and you should be fine.


    Oh, and encrypt your WiFi and use a VPN!
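Added example (editor's code, not the thread's and not DeCaffeinateID's or arpwatch's own implementation) of the ARP-poisoning check the post above points at: parse two snapshots of the host's ARP cache in the layout Windows `arp -a` prints, flag any IP whose hardware address changed between them, and flag one MAC claiming several IPs. The snapshots in main are constructed for the demo; the addresses are made up.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// ParseArpTable reads the rows of Windows `arp -a` output into an IP -> MAC map.
// Interface banners and the column header have a different shape and are skipped;
// MACs are lower-cased so case differences between snapshots do not read as changes.
func ParseArpTable(out string) map[string]string {
	table := map[string]string{}
	for _, line := range strings.Split(out, "\n") {
		f := strings.Fields(line)
		if len(f) != 3 || strings.Count(f[0], ".") != 3 || strings.Count(f[1], "-") != 5 {
			continue
		}
		table[f[0]] = strings.ToLower(f[1])
	}
	return table
}

// Change records an IP whose hardware address differs between two snapshots.
type Change struct{ IP, OldMAC, NewMAC string }

// DiffArp is the arpwatch check: a known IP now answering from a new MAC. During ARP
// poisoning the attacker's NIC takes over the gateway's IP in the victim's cache, so
// the default gateway's entry is the one that matters most.
func DiffArp(prev, cur map[string]string) []Change {
	var changes []Change
	for ip, mac := range cur {
		if old, seen := prev[ip]; seen && old != mac {
			changes = append(changes, Change{ip, old, mac})
		}
	}
	sort.Slice(changes, func(i, j int) bool { return changes[i].IP < changes[j].IP })
	return changes
}

// DuplicateMACs finds one hardware address behind several IPs, the other tell-tale
// of poisoning: the attacker's MAC sits against both its own IP and the gateway's.
func DuplicateMACs(table map[string]string) map[string][]string {
	byMAC := map[string][]string{}
	for ip, mac := range table {
		byMAC[mac] = append(byMAC[mac], ip)
	}
	for mac, ips := range byMAC {
		if len(ips) < 2 {
			delete(byMAC, mac) // deleting during range is safe in Go
		} else {
			sort.Strings(ips)
		}
	}
	return byMAC
}

func main() {
	// Constructed snapshots: before and after a host at .20 poisons the gateway entry.
	before := ParseArpTable(`Interface: 192.168.1.10 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-11-22-33-44-55     dynamic
  192.168.1.20          aa-bb-cc-dd-ee-ff     dynamic
`)
	after := ParseArpTable(`Interface: 192.168.1.10 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           AA-BB-CC-DD-EE-FF     dynamic
  192.168.1.20          aa-bb-cc-dd-ee-ff     dynamic
`)
	for _, c := range DiffArp(before, after) {
		fmt.Printf("ALERT %s moved from %s to %s\n", c.IP, c.OldMAC, c.NewMAC)
	}
	for mac, ips := range DuplicateMACs(after) {
		fmt.Printf("ALERT %s claims %v\n", mac, ips)
	}
}
```

A real monitor would run this on a timer (or sniff ARP replies directly) and keep the first snapshot taken on a known-clean network as the baseline; a legitimate gateway replacement will also trip it, which is why the tools alert rather than block.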
     
  24. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    SSLStrip adds a little "lock" and everything to your browser. It's very convincing. I'm not sure if it can make it look like you're on https:// and replace the http://; I don't know.
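Added example (editor's code, not the thread's and not sslstrip's own implementation) covering Hungry Man's description of the downgrade earlier in the thread and x942's "if there is no https:// then something is wrong" check: the attacker-side rewrite that turns every https:// link in a relayed page into http://, a client-side check that flags a login form about to post over plaintext, and a small "hosts I have already reached over HTTPS" list that refuses the downgraded request outright (the behaviour browsers later standardised as HSTS). The page body and host list in main are constructed for the demo.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// httpsLink matches absolute https:// URLs in a page body (link targets, form actions).
var httpsLink = regexp.MustCompile(`https://[A-Za-z0-9.-]+`)

// Strip is the attacker-side rewrite: the proxy fetches the real page over HTTPS,
// turns every https:// link into http:// before relaying it, and remembers which
// hosts it did that for, so that when the browser follows the plaintext link the
// proxy opens its own HTTPS session to the real server. The browser never sees a
// certificate at all, so no certificate warning can fire.
func Strip(body string) (string, map[string]bool) {
	hosts := map[string]bool{}
	out := httpsLink.ReplaceAllStringFunc(body, func(m string) string {
		host := strings.TrimPrefix(m, "https://")
		hosts[host] = true
		return "http://" + host
	})
	return out, hosts
}

var formAction = regexp.MustCompile(`<form[^>]*\baction="([^"]+)"`)

// PlaintextLoginForm automates "watch the browser: no https:// means something is
// wrong". It returns the form action and true when the page would post over http://.
func PlaintextLoginForm(body string) (string, bool) {
	m := formAction.FindStringSubmatch(body)
	if m == nil {
		return "", false
	}
	u, err := url.Parse(m[1])
	if err != nil || u.Scheme != "http" {
		return "", false
	}
	return m[1], true
}

// KnownHTTPS is the client-side memory that defeats the downgrade: hosts already
// reached over HTTPS. A plaintext request to one of them is refused, not sent.
type KnownHTTPS map[string]bool

// Allow returns an error for a plaintext request to a host on the list.
func (k KnownHTTPS) Allow(raw string) error {
	u, err := url.Parse(raw)
	if err != nil {
		return err
	}
	if u.Scheme != "https" && k[u.Hostname()] {
		return fmt.Errorf("refusing plaintext request to %s: previously reached only over HTTPS", u.Hostname())
	}
	return nil
}

func main() {
	// Constructed page body standing in for what a real login page returns.
	const origin = `<html><body>
<form method="post" action="https://www.gmail.com/login">
<input name="Email"><input name="Passwd" type="password"><input type="submit"></form>
</body></html>`
	stripped, hosts := Strip(origin)
	fmt.Println(stripped)
	fmt.Println("hosts the proxy will upgrade on the server side:", hosts)
	if action, leak := PlaintextLoginForm(stripped); leak {
		fmt.Println("credentials would be posted in the clear to", action)
	}
	known := KnownHTTPS{"www.gmail.com": true}
	fmt.Println(known.Allow("http://www.gmail.com/login"))
}
```

The first-visit problem applies here exactly as it does to certificate pinning: the host list only protects a site the browser has already seen over HTTPS, so a user whose very first visit happens on the attacker's network gets no warning from this check either.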
     
  25. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,867
    Location:
    Outer space