[liberationtech] Tunisian government hacks into gmail and Facebook accounts

[Danny O'Brien]

Sorry I didn't reply to this earlier, it's been a bit crazy. (As some of you know, Ben Ali made a major concessionary speech today, and among the reforms, announced all Internet censorship would be removed in Tunisia, and prisoners released. Slim Amamou, who did a lot of the original exposés and analysis on the Tunisian fishing,  and was detained earlier this week, tweeted "Je suis Libre" a few hours ago; journalists whose detention CPJ was tracking were also released today.)

Anyway, my very early take on the hacking is from here, and has links to the code the Tech Herald piece originally found:
<http://www.cpj.org/internet/2011/01/tunisia-invades-censors-facebook-other-accounts.php>

(There's some interesting discussion with Anonymous in the comments -- they were already concentrating on Tunisia due to its blocking of WikiLeaks stories in December, and some switched to supporting the protestors and getting the video out as the crackdown progressed.)

A few points of interest to liberation-tech readers that I couldn't really bring out in that piece without getting bogged down or just wandering off into truly unsubstantiated speculation.

I  believe the hack repurposes Tunisia's URL censorship system (the first of the Tunisian censorship systems worked out by Sami Ben Gharbia and Astrubal in this post: <http://advocacy.globalvoicesonline.org/2010/08/18/a-first-glimpse-on-the-internet-filtering-in-tunisia/> to conduct phishing, even for sites that protect their login form by SSL. All that's needed is a landing page in http -- the code is inserted into this page, and uses Ajax to squirt the login info to another, unencrypted URL on submit.

I don't have any concrete evidence, but judging from Slim Amamou's earlier analysis of Tunisia's previous phishing expeditions <http://advocacy.globalvoicesonline.org/2010/07/05/mass-gmail-phishing-in-tunisia/>, I don't actually think this is on-the-fly data injection. Instead, I think that the censorship system just redirects users attempting to reach, for example, http://www.facebook.com/ to a page that's actually served from within the Tunisian censorship system. Usually such censored pages just return a 404, but in Slim's previous example, http://www.gmail.com/ was redirected to a (clumsy) fake Gmail login page. I think that the code we saw in these more recent phishing attacks was not inserted into a legitimate page served by Facebook, but embedded in a static copy of Facebook's login page, loving replicated on a Tunisian server somewhere.

The code's naming scheme suggests a l33t haxx0r-speaker (the main function is called "hAAAQ3d", for instance; the URL where login data was dumped was called <http://www.facebook.com/wo0dh3ad> ). I have this vision of a single Tunisian hacker-gone-bad sitting in the middle of a byzantine but well-funded censoring system, and being given free reign to just cause as much trouble as he/she wants.

(As several people pointed out, that wo0dh3ad address almost certainly never reached Facebook's servers, so the company could not simply grab a log of violated user accounts, as I tentatively claimed in the piece. There were other ways that FB and Y! and Gmail could have identified phished accounts, though, not least of which was just assuming that everyone coming from a Tunisian netblock was compromised.)

We should note that SSL as it is usually implemented (when it is implemented) wouldn't have stopped this (which is why Tunisia was able to successfully attack Gmail accounts). If users are visiting a http: address initially and then being redirected, then the attack still works. This is exactly what HSTS <http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security> is designed to prevent. But HSTS was only drafted last year, and is built into Chrome 4 and Firefox 4 betas only. In the race between fixing SSLs flaws and nation states exploiting them, we're losing ground. In fact, we're not even in the race, as we're still pushing companies to *begin* to implement https everywhere, and haven't even begun getting them to move onto systems which correctly force https.

Before we all get too despondent, though, let me also draw out a couple of positive -- well, sort of -- conclusions. Firstly, this attack was blatant and detectable. I'd much rather live in a world where the attacks on users privacy are, at least in principle, detectable by those users with technical help. We could all be being wiretapped right now, and without a whistleblower, we wouldn't know it: but if widespread encryption means that in order to be bugged, someone has to stick a keylogger on our PC, there is at least a chance that we'd be able to spot that. Same in this case. Tunisia's phishing was visible, because their technology -- we suppose -- wasn't sufficiently capable to conduct invisible phishing attacks. Or perhaps our state-sponsored haaq3r  mastermind didn't care about being invisible. Still, if we can move out of the space of Firesheep-style attacks and into pervasive online encryption, injected javascript and corrupt certificate-authorities , we may at least force state-level surveillance to become more blatant.

Finally, while ultimately the real action in Tunisia was on the streets, Internet censorship *was* an issue at play here. The regime was clearly spooked enough by the online use of video sharing and online reporting to sanction a widespread blocking and attacking of activists engaging in such behaviour. When your local autocratic President includes a declaration to end Net censorship as part of his concession list, that means that it was seen as a bargaining chip, either to the local people or to other governments. Channelling my inner Evgeny, perhaps dropping the filters and freeing the bloggers was an easier and lost costly concession to make than slashing food prices: but it doesn't appear to have been a power that Ben Ali gave up lightly.

d.

On Jan 12, 2011, at 4:33 PM, Terry Winograd wrote:

> http://www.fastcompany.com/1715575/tunisian-government-hacking-facebook-gmail-anonymous
>
> Tunisian Government Allegedly Hacking Facebook, Gmail Accounts of
> Dissidents and Journalists
> BY Neal UngerleiderMon Jan 10, 2011
>
>> A strange bit of JavaScript has found its way onto Tunisian Internet users' internet login screens. Some are now in jail in a country known for torture. But they've been adopted by an unlikely ally: Anonymous.
>
> Massive riots and protests have rocked Tunisia this past month. After
> a 26-year-old street vendor named Mohammed Bouazizi attempted to kill
> himself by self-immolation (he survived and later died of his burns),
> hundreds of thousands took to the North African nation's streets. The
> protesters complain of unemployment, economic woes, and an omnipresent
> dictatorship. Tunisia's government has stumbled upon a new method of
> combating the protesters: hacking into their social media accounts.
>
> According to a report by the Committee to Protect Journalists, the
> Tunisian government appears to be breaking into the Facebook, Google,
> and Yahoo accounts of dissidents and journalists. Hackers with unusual
> levels of access to Tunisia's state-control network infrastructure
> have managed to gain access to Facebook accounts belonging to
> individuals such as journalists Sofiene Chourabi of al-Tariq al-Jadid
> (New Path; a newspaper affiliated with the opposition Movement
> Ettajdid party) and independent video journalist Haythem El Mekki,
> while gaining the passwords of others. Hack targets found that
> Facebook groups they founded were deleted, as were pictures of
> protests. In CPJ's words, "Their accounts and pictures of recent
> protests have been deleted or otherwise compromised.” Blogs hosted on
> Blogspot and elsewhere are also being targeted. Here is an excerpt
> from a post by Lina Ben Mhenni of the A Tunisian Girl blog:
>
>> Well, I can understand ... No I can't understand that some stupid person has hacked my e-mail then, my Facebook account. This stupid person has also deleted some pages in which I am an administrator. Pages like that of 7ellblog (launch a blog) which has been largely promoted even by official media, the page of the Tunisian singer Amel Mathlouthi, Reading Books is Better than Staring at others (yes they hate reading and culture uin my country), the Tunisian blogosphere, and may be a page against censorship ' la censure nuit à l 'image de mon pays' (I don't have the confirmation yet) and many other pages were deleted. What happened is so shameful because the internet police is again confirming its stupidity and useless stubbornness. Sofiene Chourabi and Azyz Amami are experiencing the same problem now. They have been hacked.
>
> Already, in-depth information is surfacing on how the hacks were
> committed. It appears that the Agence tunisienne d'Internet, a
> government agency which supervises all of Tunisia's ISPs, or someone
> with access to the agency committed them. Tunisian ISPs are running a
> Java script that siphons off login credentials from users of Facebook,
> Yahoo and Gmail. According to the Tech Herald's Steve Ragan:
>
>> Daniel Crowley, Technical Specialist for Core Security, and Rapid7’s Josh Abraham, broke the code down further. Crowley explained that the JavaScript is customized for each site’s login form. It will pull the username and password, and encode it with a weak crypto algorithm. The newly encrypted data is placed into the URL, and a randomly generated five character key is added. The randomly generated key is meaningless, but it is assumed that it’s there to add a false sense of legitimacy to the URL. The random characters and encrypted user information are delivered in the form of a GET request to a non working URL.
>
> The code only targeted users accessing HTTP sites instead of HTTPS,
> which appears to be why Facebook was so heavily ravaged by the hack
> plan. Facebook users default to using HTTP to access the site.
>
> Much of this information has been released to the public by the
> quasi-4Chan allied Anonymous group, which has launched an
> anti-Tunisian government hacker campaign called Operation: Tunisia.
>
> Amamou was taken into police custody this past week after authorities
> apparently found his location via Foursquare. His current whereabouts
> are unknown.
>
> The Agence tunisienne d'Internet has long been one of the most
> censorship-happy government agencies in all of Africa. Tunisia's net
> firewalls and intricate IP tracking mechanisms have been compared to
> China's, while popular sites like YouTube and DailyMotion were banned
> due to hosting videos alleging human rights abuses in Tunisian
> prisons. In one of the WikiLeaks cables on Tunisia, an anonymous
> diplomat notes endemic government corruption and refers to the
> government of President-for-life Zine al-Abidine Ben Ali as a
> “quasi-mafia” and a police state.”
>
> While Facebook, Google and Yahoo have not spoken publicly on the
> alleged Tunisian government hacking campaign yet, the State Department
> has. In a press conference on Friday, January 7, spokesperson Philip
> Crowley stated:
>
>> We are concerned about recent reports that Tunisian ISP providers, at the direction of the government, hacked into the accounts of Tunisian users of American companies including Facebook, and providers of email such as Yahoo and Google, and stealing passwords. This kind of interference threatens the ability of civil society to realize the benefits of new technologies. Cyber intrusions of all kinds, including reported attacks on government of Tunisia websites, disrupt the free flow of information and reduce overall confidence in the reliability and security of vital information networks.
>
> During the past week, in addition to Amamou, at least three other
> members of Tunisia's hacker and blogger communities were taken into
> custody by Tunisian police.
>
>
> ----------------------------------
>
> http://www.thetechherald.com/article.php/201101/6651/Tunisian-government-harvesting-usernames-and-passwords
>
> Tunisian government harvesting usernames and passwords
> by Steve Ragan - Jan 4 2011, 20:08
>
>
> The Tunisian Internet Agency (Agence tunisienne d'Internet or ATI) is
> being blamed for the presence of injected JavaScript that captures
> usernames and passwords. The code has been discovered on login pages
> for Gmail, Yahoo, and Facebook, and said to be the reason for the
> recent rash of account hijackings reported by Tunisian protesters.
>
> ATI is run by the Tunisian Ministry of Communications. They supply all
> of the privately held Tunisian ISPs, making them the main source of
> Internet access in the country. They’ve been under scrutiny for years,
> due to the fact that they make use of their authority to regulate the
> entire national network. Last April, ATI earned international
> attention by blocking access to sites such as Flickr, YouTube, and
> Vimeo.
>
> According to Reporters Without Borders, authorities claim to target
> only pornographic or terrorist websites. “However, censorship applies
> above all to political opposition, independent news, and human rights
> websites.”
>
> “When an Internet user attempts to access a prohibited website, the
> following automatic error message appears: “Error 404: page not
> found,” without displaying the familiar “Error 403” more typical of a
> blocked site...This strategy equates to a disguised form of
> censorship.”
>
> As for the JavaScript itself, The Tech Herald has seen examples of the
> embedded script during live surfing sessions with sources in Tunisia,
> and in posted source code made available to the Web. The source for
> the GMail injection is here, the Yahoo injection is here, and Facebook
> is here.
>
> Four different experts consulted by The Tech Herald independently
> confirmed our thoughts; the embedded code is siphoning off login
> credentials.
>
> On Twitter, security researcher Gerry Kavanagh and Errata Security CTO
> David Maynor told us that you can tell the code is capturing login
> information by how it references the login element for the form.
>
> “Suffice to say, the code is definitely doing something
> surreptitious,” Kavanagh noted.
>
> Daniel Crowley, Technical Specialist for Core Security, and Rapid7’s
> Josh Abraham, broke the code down further. Crowley explained that the
> JavaScript is customized for each site’s login form. It will pull the
> username and password, and encode it with a weak crypto algorithm.
>
> The newly encrypted data is placed into the URL, and a randomly
> generated five character key is added. The randomly generated key is
> meaningless, but it is assumed that it’s there to add a false sense of
> legitimacy to the URL.
>
> The random characters and encrypted user information are delivered in
> the form of a GET request to a non working URL. In the Gmail example,
> you see this URL listed as http://www.google.com/wo0dh3ad. Abraham
> noted that the encryption makes it easy to capture usernames and
> passwords that would include special characters such as ‘%’ or ‘/’.
>
> Considering that the backbone of the Tunisian Internet is full of
> state run filters and firewalls designed to block access, configuring
> one to log the GET commands with the harvested data would be trivial.
> But is this a government sponsored action?
>
> The likelihood that a group of criminals compromised the entire
> Tunisian infrastructure is virtually nonexistent. Code planting on
> this scale could only originate form an ISP. With their history of
> holding an iron grip on the Internet, ATI is the logical source of the
> information harvesting.
>
> There is an upside however, as the embedded JavaScript only appears
> when one of the sites is accessed with HTTP instead of HTTPS. In each
> test case, we were able to confirm that Gmail and Yahoo were only
> compromised when HTTP was used. For Facebook on the other hand, the
> default is access is HTTP, so users in Tunisia will need to visit the
> HTTPS address manually.
>
> Another interesting note is that it appears the embedded code has
> targeted Tunisian users for several months. Slim Amamou, of the Global
> Voices Advocacy blog, reported his findings on the code last July, and
> at the time, ATI was blocking Google’s HTTPS port, forcing users to
> default to HTTP.
>
> The information surrounding the embedded JavaScript came to our
> attention thanks to a user on the IRC server where supporters for
> Anonymous’ Operation: Tunisia gathered to show support for Tunisian
> protesters. When word spread of embedded code and account hijackings,
> Anonymous offered Tunisian users help via Userscripts.org, with a
> browser add-on that strips the added JavaScript code.
>
> The ATI website has been offline for more than a day. The outage
> started after Anonymous launched Operation: Tunisia. Our coverage on
> their actions and the problems in Tunisia is here.
>
> --
> _______________________________________________
> liberationtech mailing list
> liberationtech at lists.stanford.edu
>
> Should you need to change your subscription options, please go to:
>
> https://mailman.stanford.edu/mailman/listinfo/liberationtech
>
> If you would like to receive a daily digest, click "yes" (once you click above) next to "would you like to receive list mail batched in a daily digest?"
>
> You will need the user name and password you receive from the list moderator in monthly reminders.
>
> Should you need immediate assistance, please contact the list moderator.