Search Mailing List Archives


Limit search to: Subject & Body Subject Author
Sort by: Reverse Sort
Limit to: All This Week Last Week This Month Last Month
Select Date Range     through    

[liberationtech] Tunisian government hacks into gmail and Facebook accounts

Terry Winograd winograd at cs.stanford.edu
Wed Jan 12 16:33:28 PST 2011


http://www.fastcompany.com/1715575/tunisian-government-hacking-facebook-gmail-anonymous

Tunisian Government Allegedly Hacking Facebook, Gmail Accounts of
Dissidents and Journalists
BY Neal UngerleiderMon Jan 10, 2011

> A strange bit of JavaScript has found its way onto Tunisian Internet users' internet login screens. Some are now in jail in a country known for torture. But they've been adopted by an unlikely ally: Anonymous.

Massive riots and protests have rocked Tunisia this past month. After
a 26-year-old street vendor named Mohammed Bouazizi attempted to kill
himself by self-immolation (he survived and later died of his burns),
hundreds of thousands took to the North African nation's streets. The
protesters complain of unemployment, economic woes, and an omnipresent
dictatorship. Tunisia's government has stumbled upon a new method of
combating the protesters: hacking into their social media accounts.

According to a report by the Committee to Protect Journalists, the
Tunisian government appears to be breaking into the Facebook, Google,
and Yahoo accounts of dissidents and journalists. Hackers with unusual
levels of access to Tunisia's state-control network infrastructure
have managed to gain access to Facebook accounts belonging to
individuals such as journalists Sofiene Chourabi of al-Tariq al-Jadid
(New Path; a newspaper affiliated with the opposition Movement
Ettajdid party) and independent video journalist Haythem El Mekki,
while gaining the passwords of others. Hack targets found that
Facebook groups they founded were deleted, as were pictures of
protests. In CPJ's words, "Their accounts and pictures of recent
protests have been deleted or otherwise compromised.” Blogs hosted on
Blogspot and elsewhere are also being targeted. Here is an excerpt
from a post by Lina Ben Mhenni of the A Tunisian Girl blog:

> Well, I can understand ... No I can't understand that some stupid person has hacked my e-mail then, my Facebook account. This stupid person has also deleted some pages in which I am an administrator. Pages like that of 7ellblog (launch a blog) which has been largely promoted even by official media, the page of the Tunisian singer Amel Mathlouthi, Reading Books is Better than Staring at others (yes they hate reading and culture uin my country), the Tunisian blogosphere, and may be a page against censorship ' la censure nuit à l 'image de mon pays' (I don't have the confirmation yet) and many other pages were deleted. What happened is so shameful because the internet police is again confirming its stupidity and useless stubbornness. Sofiene Chourabi and Azyz Amami are experiencing the same problem now. They have been hacked.

Already, in-depth information is surfacing on how the hacks were
committed. It appears that the Agence tunisienne d'Internet, a
government agency which supervises all of Tunisia's ISPs, or someone
with access to the agency committed them. Tunisian ISPs are running a
Java script that siphons off login credentials from users of Facebook,
Yahoo and Gmail. According to the Tech Herald's Steve Ragan:

> Daniel Crowley, Technical Specialist for Core Security, and Rapid7’s Josh Abraham, broke the code down further. Crowley explained that the JavaScript is customized for each site’s login form. It will pull the username and password, and encode it with a weak crypto algorithm. The newly encrypted data is placed into the URL, and a randomly generated five character key is added. The randomly generated key is meaningless, but it is assumed that it’s there to add a false sense of legitimacy to the URL. The random characters and encrypted user information are delivered in the form of a GET request to a non working URL.

The code only targeted users accessing HTTP sites instead of HTTPS,
which appears to be why Facebook was so heavily ravaged by the hack
plan. Facebook users default to using HTTP to access the site.

Much of this information has been released to the public by the
quasi-4Chan allied Anonymous group, which has launched an
anti-Tunisian government hacker campaign called Operation: Tunisia.

Amamou was taken into police custody this past week after authorities
apparently found his location via Foursquare. His current whereabouts
are unknown.

The Agence tunisienne d'Internet has long been one of the most
censorship-happy government agencies in all of Africa. Tunisia's net
firewalls and intricate IP tracking mechanisms have been compared to
China's, while popular sites like YouTube and DailyMotion were banned
due to hosting videos alleging human rights abuses in Tunisian
prisons. In one of the WikiLeaks cables on Tunisia, an anonymous
diplomat notes endemic government corruption and refers to the
government of President-for-life Zine al-Abidine Ben Ali as a
“quasi-mafia” and a police state.”

While Facebook, Google and Yahoo have not spoken publicly on the
alleged Tunisian government hacking campaign yet, the State Department
has. In a press conference on Friday, January 7, spokesperson Philip
Crowley stated:

> We are concerned about recent reports that Tunisian ISP providers, at the direction of the government, hacked into the accounts of Tunisian users of American companies including Facebook, and providers of email such as Yahoo and Google, and stealing passwords. This kind of interference threatens the ability of civil society to realize the benefits of new technologies. Cyber intrusions of all kinds, including reported attacks on government of Tunisia websites, disrupt the free flow of information and reduce overall confidence in the reliability and security of vital information networks.

During the past week, in addition to Amamou, at least three other
members of Tunisia's hacker and blogger communities were taken into
custody by Tunisian police.


----------------------------------

http://www.thetechherald.com/article.php/201101/6651/Tunisian-government-harvesting-usernames-and-passwords

Tunisian government harvesting usernames and passwords
by Steve Ragan - Jan 4 2011, 20:08


The Tunisian Internet Agency (Agence tunisienne d'Internet or ATI) is
being blamed for the presence of injected JavaScript that captures
usernames and passwords. The code has been discovered on login pages
for Gmail, Yahoo, and Facebook, and said to be the reason for the
recent rash of account hijackings reported by Tunisian protesters.

ATI is run by the Tunisian Ministry of Communications. They supply all
of the privately held Tunisian ISPs, making them the main source of
Internet access in the country. They’ve been under scrutiny for years,
due to the fact that they make use of their authority to regulate the
entire national network. Last April, ATI earned international
attention by blocking access to sites such as Flickr, YouTube, and
Vimeo.

According to Reporters Without Borders, authorities claim to target
only pornographic or terrorist websites. “However, censorship applies
above all to political opposition, independent news, and human rights
websites.”

“When an Internet user attempts to access a prohibited website, the
following automatic error message appears: “Error 404: page not
found,” without displaying the familiar “Error 403” more typical of a
blocked site...This strategy equates to a disguised form of
censorship.”

As for the JavaScript itself, The Tech Herald has seen examples of the
embedded script during live surfing sessions with sources in Tunisia,
and in posted source code made available to the Web. The source for
the GMail injection is here, the Yahoo injection is here, and Facebook
is here.

Four different experts consulted by The Tech Herald independently
confirmed our thoughts; the embedded code is siphoning off login
credentials.

On Twitter, security researcher Gerry Kavanagh and Errata Security CTO
David Maynor told us that you can tell the code is capturing login
information by how it references the login element for the form.

“Suffice to say, the code is definitely doing something
surreptitious,” Kavanagh noted.

Daniel Crowley, Technical Specialist for Core Security, and Rapid7’s
Josh Abraham, broke the code down further. Crowley explained that the
JavaScript is customized for each site’s login form. It will pull the
username and password, and encode it with a weak crypto algorithm.

The newly encrypted data is placed into the URL, and a randomly
generated five character key is added. The randomly generated key is
meaningless, but it is assumed that it’s there to add a false sense of
legitimacy to the URL.

The random characters and encrypted user information are delivered in
the form of a GET request to a non working URL. In the Gmail example,
you see this URL listed as http://www.google.com/wo0dh3ad. Abraham
noted that the encryption makes it easy to capture usernames and
passwords that would include special characters such as ‘%’ or ‘/’.

Considering that the backbone of the Tunisian Internet is full of
state run filters and firewalls designed to block access, configuring
one to log the GET commands with the harvested data would be trivial.
But is this a government sponsored action?

The likelihood that a group of criminals compromised the entire
Tunisian infrastructure is virtually nonexistent. Code planting on
this scale could only originate form an ISP. With their history of
holding an iron grip on the Internet, ATI is the logical source of the
information harvesting.

There is an upside however, as the embedded JavaScript only appears
when one of the sites is accessed with HTTP instead of HTTPS. In each
test case, we were able to confirm that Gmail and Yahoo were only
compromised when HTTP was used. For Facebook on the other hand, the
default is access is HTTP, so users in Tunisia will need to visit the
HTTPS address manually.

Another interesting note is that it appears the embedded code has
targeted Tunisian users for several months. Slim Amamou, of the Global
Voices Advocacy blog, reported his findings on the code last July, and
at the time, ATI was blocking Google’s HTTPS port, forcing users to
default to HTTP.

The information surrounding the embedded JavaScript came to our
attention thanks to a user on the IRC server where supporters for
Anonymous’ Operation: Tunisia gathered to show support for Tunisian
protesters. When word spread of embedded code and account hijackings,
Anonymous offered Tunisian users help via Userscripts.org, with a
browser add-on that strips the added JavaScript code.

The ATI website has been offline for more than a day. The outage
started after Anonymous launched Operation: Tunisia. Our coverage on
their actions and the problems in Tunisia is here.

--



More information about the liberationtech mailing list