A major cyber-attack in Europe that apparently was launched from Iran has revealed significant vulnerabilities in the Internet security systems used to authenticate websites for banking, email and e-commerce around the world.
The attack this summer wreaked havoc in the Netherlands, where the justice minister on Sunday warned the public that the only secure way to communicate with the Dutch government was with pen, paper and fax machine.
The digital assault compromised a Dutch company called DigiNotar, which issues digital certificates, computer code that assures browsers that a website is what it appears to be. The certificates also encrypt communications between the user and the site so they can't be intercepted.
The attackers produced 531 fake DigiNotar certificates for heavily used websites, including Google, Microsoft, Twitter and Facebook, as well as the public websites for the CIA and the spy services for Britain and Israel, according to an interim audit by Fox-IT, a Dutch security company.
The rogue certificates would have allowed the attacker to intercept communications with the legitimate sites, or steer users to counterfeit versions of the sites, provided it was able to redirect Internet traffic, something governments easily can do.
A hacker who said he was a 21-year-old Iranian acting alone posted comments claiming responsibility for the attack.
But experts who examined the evidence believe the Iranian government sent users to counterfeit versions of the websites in an effort to ferret out political dissidents. In this scenario, the government would have been able to watch web browsing and email.
It is unclear whether that actually happened. But the audit showed that nearly all the 300,000 IP addresses using the bogus certificates to visit Google in a single day originated in Iran. On Thursday, Google instructed Iranians to change their gmail passwords.
In addition to the prospect of a government spying on its Internet users, experts said that if the companies that verify transactions can be compromised, secure transactions on the Internet may not be as safe as people think they are.
In April, the same hacker claimed responsibility for an attack on Comodo, an Internet security company based in Jersey City, N.J. In that case, nine certificates were forged, the company said.
The company said the perpetrator had "executed its attacks with clinical accuracy," and that "circumstantial evidence" suggests the attack originated in Iran and probably was "a state-driven attack."
Communications, rather than financial domains, were targeted in both the April attack and the latest cyber-invasion, said Roel Schouwenberg, a security specialist with Kaspersky Lab, a Russian-based computer security firm with regional offices in Woburn, Mass.
"It's all very clearly aimed towards intelligence, and this has all the hallmarks of a government operation," he said.
Whatever the motivation, the Dutch government, which uses DigiNotar certificates, announced last week that it could no longer trust the security of its own websites, a move that threw communications in the Netherlands into chaos.
The Dutch government has seized control of DigiNotar, which was recently purchased by Vasco Data Security, a Chicago-based company that specializes in web authentication. Vasco said in a statement that it had not integrated DigiNotar's products with its own. The Fox-IT audit accused DigiNotar of lax security procedures.
"What somebody has figured out — and if it's the Iranians, that means the Chinese and the Russians have figured it out too — is that if you can compromise this infrastructure, you immediately get access to all sorts of cool things and people don't necessarily know about it," said James Lewis, a cyber-security expert at the Washington-based Center for Strategic and International Studies.
Iran's uranium enrichment program was targeted in 2009 by Stuxnet, a cyber-weapon that sent nuclear centrifuges spinning out of control. Outside experts who have studied the case believe U.S. and Israeli engineers designed the worm to derail Iran's nuclear program, but neither government has acknowledged responsibility.
DigiNotar's certificates were not widely used in the U.S. But experts worry that some of the 500 other providers of certificates also may be compromised.
A Belgium-based company, GlobalSign, suspended production of new certificates Monday after the hacker claimed to have penetrated it as well. The company said it plans to restore service Monday, saying it had been the victim of "an industrywide attack."
VeriSign, which is the largest certificate provider in the U.S. and is owned by security software giant Symantec Corp., based in Mountain View, Calif., says it is confident it can withstand a cyber-attack.
"Not all certificate authorities are created equal," said Michael Lin, senior director of product management at Symantec. "We've invested heavily in what we feel is a very secure, very robust infrastructure that protects us from these types of attacks."
But hackers have broken into some of the most trusted names in computer security.
In March, the company RSA was the victim of a attack that stole information related to its SecurID, which adds an extra layer of protection to a log-in process by requiring users to enter a secret code number displayed on a key fob.
Attacks against three major U.S. defense contractors that used the compromised technology — Lockheed Martin, L-3 Communications, and Northrop Grumman — were later discovered and traced to servers in China.