Using a “Man-in-the-Middle” to Target Activists
Given the civil unrest roiling the Middle East, Syria’s recent decision to unblock Facebook seemed…well, puzzling. After all that’s been made of the social network’s role in helping organize the Egyptian and Tunisian uprisings, why would Damascus choose this moment to open it up?
Perhaps now we have the answer.
Peter Eckersley with the Electronic Frontier Foundation reports that someone appears to have launched a cyber-attack against Facebook users inside Syria, aimed at intercepting their messages and identifying activists. Calling it “very much an amateur attempt,” Eckersley says the forensic evidence makes clear that an unknown culprit – but one with Syrian fingerprints – has been intercepting the supposedly secure connections between Syrian users and Facebook by using one of the oldest tricks in the spy-book: a “man-in-the-middle”, or MITM, attack. Note that Facebook’s own servers were not broken into; the attack sits on the network between the user and Facebook.
In essence, an MITM attack is not code-breaking at all. The attacker places himself between two parties who believe they are talking to each other over a secure connection – such as https – and holds a separate “secure” connection with each of them, posing as the other side. Every message is decrypted by the attacker, who can record, block or alter it, and is then re-encrypted and passed on, so neither party notices anything unless they check who is actually on the other end. That may seem like a mouthful, but it’s actually a lot less complicated than it sounds. Let’s unpack it a bit.
Imagine you want to send messages back and forth with a friend, but don’t want anyone else to see what you’re saying. Chances are you’ll write out your note and then encrypt it, or put it in a secret code that only you and your friend know. You send your note, believing it to be secure, and when your friend gets it, she uses a shared key to decode your note. When she responds, she’ll do exactly the same – write, encode, send – for you to decode, and so on. To anyone else, your notes read like gibberish – only you can understand them. This is how secret messages have been encrypted for millennia, and the key is the key.
Secure Internet connections work in much the same way, with two refinements. First, instead of one long-lived shared code, your browser and Facebook’s “secure” (https) servers agree on a fresh key at the start of every connection, so breaking one session does not expose the others. Second, because you and Facebook have never met to agree on a key in person, the agreement has to happen over the same network an eavesdropper may control. That is safe only if your browser can confirm that the party it is exchanging keys with really is facebook.com, which it does by checking the certificate the server presents against a list of certificate authorities it trusts. If an attacker can insert himself into that initial key exchange and get your browser to accept his key instead of Facebook’s, he ends up holding the session key – and this is where the hackers stepped in.
By presenting a forged SSL certificate for Facebook, someone – Syrian or otherwise – inserted themselves between Syrian users and Facebook, so that users unknowingly agreed on encryption keys with the attacker rather than with Facebook. Here’s how it works: users in Syria trying to reach Facebook’s secure servers are greeted by their browser’s certificate warning (reported as saying that Facebook’s security certificate had expired), because the certificate being presented is not a valid one for facebook.com. These warnings are fairly common, and almost always give users the chance of clicking through to the site anyway. In this case, however, clicking through did not complete a connection to Facebook but to the attacker’s own server, which quietly relayed the traffic on to Facebook so that everything appeared to work. Writes Eckersley:
“The attack is not extremely sophisticated: the certificate is invalid in users’ browsers, and raises a security warning. Unfortunately, because users see these warnings for many operational reasons that are not actual man-in-the-middle attacks, they have often learned to click through them reflexively. In this instance, doing so would allow the attackers access to and control of their Facebook account. The security warning is users’ only line of defense.”
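The mechanics described above, as an added illustration that is not part of the original article or of the EFF analysis: a toy key exchange between two parties, an interposer who holds a separate key with each side and relays messages so that neither notices, and the identity check (the role a certificate plays in https) that is the victim’s only chance to catch it. The Diffie-Hellman group, the stream cipher and the “pinned fingerprint” standing in for a certificate check are simplifications chosen for readability, not what real browsers or Facebook use.

```python
"""Added example: unauthenticated key exchange, the man-in-the-middle that
defeats it, and the identity check that exposes the interposer.

Toy parameters only. Real TLS uses large standardised groups or elliptic
curves, an AEAD cipher, and CA-signed certificates instead of a pinned hash."""
import hashlib
import secrets

# Toy Diffie-Hellman parameters (assumption: small Mersenne prime so the
# numbers stay readable; this group offers no real security).
P = 2**127 - 1
G = 3
KEYLEN = (P.bit_length() + 7) // 8

# Constructed sample plaintext for the demonstration.
MESSAGE = b"Meeting at the square, 6pm"


def kdf(shared: int) -> bytes:
    """Derive a 32-byte session key from a Diffie-Hellman shared secret."""
    return hashlib.sha256(shared.to_bytes(KEYLEN, "big")).digest()


def xor_stream(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: SHA-256 counter-mode keystream XORed into data.
    Symmetric, so the same call both encrypts and decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        keystream = hashlib.sha256(key + offset.to_bytes(4, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], keystream))
    return bytes(out)


def fingerprint_of(pub: int) -> str:
    """What the browser compares the presented identity against."""
    return hashlib.sha256(pub.to_bytes(KEYLEN, "big")).hexdigest()[:16]


class Party:
    """One endpoint with a long-term keypair (Alice, Bob or Mallory)."""

    def __init__(self, name: str):
        self.name = name
        self.priv = secrets.randbelow(P - 3) + 2
        self.pub = pow(G, self.priv, P)

    def session_key(self, peer_pub: int) -> bytes:
        return kdf(pow(peer_pub, self.priv, P))


def run_session(alice, bob, interposer=None, pinned_fp=None, click_through=False):
    """Alice sends MESSAGE to Bob over a freshly keyed connection.

    interposer:    a Party sitting on the wire (Mallory), or None.
    pinned_fp:     the fingerprint Alice trusts for Bob (the certificate
                   check), or None for a fully unauthenticated exchange.
    click_through: whether Alice ignores a mismatch warning.
    Returns (plaintext_bob_reads, plaintext_mallory_logs, warning_shown).
    """
    # Step 1: key exchange. Mallory swaps her own public key in on both sides,
    # so each victim derives a session key with Mallory, not with each other.
    pub_seen_by_alice = interposer.pub if interposer else bob.pub
    pub_seen_by_bob = interposer.pub if interposer else alice.pub

    # Step 2: identity check. Without it Alice cannot tell whose key this is.
    warning = pinned_fp is not None and fingerprint_of(pub_seen_by_alice) != pinned_fp
    if warning and not click_through:
        return (None, None, True)  # connection refused: attack defeated

    # Step 3: Alice encrypts under the key she shares with whoever answered.
    wire = xor_stream(alice.session_key(pub_seen_by_alice), MESSAGE)

    intercepted = None
    if interposer:
        # Mallory decrypts with her Alice-side key, logs the plaintext, then
        # re-encrypts with her Bob-side key so Bob sees nothing unusual.
        intercepted = xor_stream(interposer.session_key(alice.pub), wire)
        wire = xor_stream(interposer.session_key(bob.pub), intercepted)

    delivered = xor_stream(bob.session_key(pub_seen_by_bob), wire)
    return (delivered, intercepted, warning)


if __name__ == "__main__":
    alice, bob, mallory = Party("alice"), Party("bob"), Party("mallory")
    pin = fingerprint_of(bob.pub)  # obtained out of band, like a trusted CA
    print("honest:        ", run_session(alice, bob))
    print("silent MITM:   ", run_session(alice, bob, mallory))
    print("MITM, checked: ", run_session(alice, bob, mallory, pin))
    print("warning ignored", run_session(alice, bob, mallory, pin, click_through=True))
```

The second call is the dangerous case: the message reaches Bob intact, so nothing looks wrong to either side, yet Mallory has a copy. Only the pinned-fingerprint check in the third call stops her, and the fourth call shows that clicking through the warning hands the session straight back to the attacker, which is exactly Eckersley’s point.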
Anas Qtiesh with the nonprofit advocacy group Global Voices compared a screen-grab of the forged certificate with Facebook’s legitimate one, and noted that users who clicked through were connected to a different server than the one Facebook actually runs. The evidence is not conclusive – the relaying servers are located outside Syria – but the attack bears Damascus’ fingerprints largely because placing a server in the path of every Syrian user’s connection to Facebook requires control over the country’s Internet traffic, which in Syria rests with the state.
For Facebook users in Syria there is a relatively easy way to fight back – circumvention tools such as Tor, Psiphon or Freegate*. By routing their traffic through one of these before it reaches Facebook, Syrians move the sensitive connection out of reach of anyone sitting on the Syrian network, and hide from local observers which sites they are visiting. Two caveats apply: the tool itself must be obtained from a trustworthy source, and a certificate warning should still never be clicked through, since a proxy does not help a user who accepts the attacker’s certificate anyway. And users aren’t the only ones fighting back – so is Facebook.
The Arabic daily newspaper Asharq al-Awsat reports that Facebook officials have removed a pro-government fan page, dubbed “Syria’s E-Army”, due to high levels of propaganda and incitements to spam opponents. The website Digital Trends also reports:
“The site also noted that an administrator of the page said he has a ‘surprise’ planned in retaliation for Facebook, and that the site has been added ‘to the list of accomplices against Syria’.”
What that surprise may be isn’t clear. But it’s just another reminder of the many ways social networks can be used both by social activists and the regimes they’re confronting.
*Full Disclosure: The U.S. Broadcasting Board of Governors – VOA’s parent organization – has been active in promoting circumvention technologies and has relationships with Tor, Freegate and other partners.