Wednesday, July 8, 2009

It's all fun and games until someone loses an eye!

Since a large portion of the Iran protests is using Internet technologies as its driving force, there has obviously been a concern over security. Anonymity for the protesters is a must, and not everyone is a "techie". I think it is thus important for those of us who can to try and make sure that things are as safe as possible.

Threats to the protesters can include interception of their messages, whether it be email or SMS - we already know that Nokia/Siemens sold the Iranian regime the technology to monitor their cellular traffic. Once their telephone numbers are identified, it's probably easy enough to then locate them - notwithstanding more sophisticated real-time triangulation or GPS tracking techniques if available. While I am unfamiliar with the Internet service in Iran, it's possible that protesters can also be similarly tracked using their IP addresses.

To bypass blocking and to provide a certain level of anonymity to protesters, many enterprising users set up proxies using freely available technology such as Tor. While that has proven to be invaluable, I've been worrying about the safety of all the anonymous links since I've also seen spamming sites being posted (and warned against). One that rightly received a lot of negative attention was r.ieves.com; users were lured there by fake news posts on Twitter with a link to the site. The posts seem to have been made by bots or even Iranian government agents - the random three-letter, three-number combination in the username suggests bots, but the threat might be greater if they are able to harvest information automatically. Since the ieves.com site undoubtedly grabs browser info, it could get useful information such as the IP address of the user, the registered name, and even a registered email address. It could also then pass a tracking cookie to the user. Needless to say, all of this would be bad for anonymity.

The Iranian regime's own web sites as well as loyal supporting sites also pose a direct threat to the protesters. Gerdab.ir has pictures of protesters circled in red, asking for help in identifying them. Needless to say, that's a bad thing for the protesters. While I am unable to read Farsi, I have it on good authority that's what they were doing, and Google's translation tool seemed to back that up. Besides this direct threat, the regime's websites also pose an indirect threat to the protesters and the movement in general - with the media blackout, the only news is that which is provided by sites such as PressTV - and if we are to believe what they write, then everything is hunky dory except for the machinations of the evil western powers.

Lastly, if we are to try and connect the dots, as flimsy as the threads may be, there could be something even more sinister afoot. The news today is peppered with reports of cyber attacks against US government websites; speculation abounds as to whether the attacks originated in China or North Korea. The problem is that both of those governments are friendly to the current Iranian regime, birds of a feather and all that. Ahmadinejad/Khatemei have been trying to stomp out a cyber-revolution using heavy-handed but antiquated methods. Their friends could however provide them with a whole slew of effective tools - the Chinese have been at it for years - just Google "GhostNet" for the most recently detected evidence of it. Even a simple PDF file could prove dangerous.

And so, what do I hope to accomplish? Well, I am new to this, and two heads are better than one; I think we need a group that can advise on and counter the possible threats the protesters face. I haven't seen one, but if one exists then sign me up - if not, then sign up here. We'll need to be vigilant about sites and/or programs that can harvest private data. Websites like Gerdab.ir need to be taken down, but in such a way as to not deny the free flow of information coming out of Iran, which constant DDOS attacks would do. And finally, we need a place where we can collate useful advice on security for all involved.

I can't do this alone; any one segment is a monumental task. For all I know this is already being done, and if so, great. My concern is that if it is not, the tide could slowly turn - it's all fun and games until someone loses an eye - and in this case most might lose a lot more. And so, I ask that anyone out there who thinks they can lend a hand here please do so - and if you can manage this better than I can, do so too. I'm sure there must be a few Persians at Symantec and the like - join up - remain anonymous if you so choose - if you want to establish your credentials, do so too. Just let's keep helping in any way we can.

Addendum

The specific link in the previous post was offline for an instant; however, http://www.gerdab.ir/ is still online and while my knowledge of Farsi is nonexistent, the post with the circled faces of protesters was still active. In addition to security experts, we'll need enough reliable sources who can understand Farsi to provide valid targets.

Proposal for targeted hacks

...in support of the Iranian protesters, #IranElection and a free Iran

While still in a preliminary setup phase I'm hoping we can use here as a base to plan hacks on specific Iranian web sites, especially those that directly threaten the safety of protesters.

At the top of that list is:

http://www.gerdab.ir/fa/pages/?cid=422

This site is asking for people to identify the protesters shown in the pics and is an immediate threat to those individuals.

I've already done a preliminary scan of that site with Acunetix. The results are here.

A Distributed Denial of Service attack (DDOS) could temporarily block access to that site but based on their infrastructure that's also liable to bog the Internet for all, including the protesters.

The site boasts an impressive uptime and the automated Acunetix scans detected no immediate vulnerabilities but if the OS and Webserver fingerprints are accurate there may be exploits that would allow us to seize control of the site and take it down from the inside. This will take considerable work and I thus can use all the help I can get.

I've set up an accompanying Google Group where interested persons may join to collaborate. I'll post more specific details on sites as well as possible approaches, exploits and vulnerabilities, tools to use, etc.

While I am committed to helping in any way I can, my own time is limited, as most professionals' is; as such, I am looking for like-minded individuals to assist or even offer more insight. It can prove to be a solid exercise in cyber security, penetration testing and specifically web site hacking, but with a very specific goal: that of assisting all those who have been protesting and dying in Iran in an attempt to have a basic human right - the right to freedom.

Of course, I am in no way the final say on this matter. I am open to all suggestions and any assistance. I have set the Group to invite only since much of what will be discussed should probably not be publicly posted, to protect all parties involved and to keep out the script kiddies.

Val