This is bad news and apparently has been in the wild for a while, some people are linking to deaths in Iran as the cert could be used to hijack Gmail accounts using a MITM attack.

If you want to check out the cert directly, you can do so here:

Gmail.com SSL MITM ATTACK BY Iranian Government – 27/8/2011

The story seems to originate here where a user in Iran noticed a MITM was being perpetrated on him – probably by his own ISP or government.

Is This MITM Attack to Gmail’s SSL ?

Hackers have obtained a digital certificate good for any Google website from a Dutch certificate provider, a security researcher said today. Criminals could use the certificate to conduct “man-in-the-middle” attacks targeting users of Gmail, Google’s search engine or any other service operated by the Mountain View, Calif. company.

“This is a wildcard for any of the Google domains,” said Roel Schouwenberg, senior malware researcher with Kaspersky Lab, in an email interview Monday.

“[Attackers] could poison DNS, present their site with the fake cert and bingo, they have the user’s credentials,” said Andrew Storms, director of security operations at nCircle Security.

Man-in-the-middle attacks could also be launched via spam messages with links leading to a site posing as, say, the real Gmail. If recipients surfed to that link, their account login username and password could be hijacked. Details of the certificate were posted on Pastebin.com last Saturday. Pastebin.com is a public site where developers — including hackers — often post source code samples.

According to Schouwenberg, the SSL (secure socket layer) certificate is valid, and was issued by DigiNotar, a Dutch certificate authority, or CA. DigiNotar was acquired earlier this year by Chicago-based Vasco, which bills itself on its site as “a world leader in strong authentication.”

Vasco did not reply to a request for comment.

The cert is valid, which is scary. One thing which is currently unknown is how the cert got out there, if it was a hack or a leak or someone from the outside got access to the DigiNotar CA.

If you want more technical details on how to verify the cert, you can check this out:

Internet death sentence for DigiNotar’s Root CA!

Security researcher and Tor developer Jacob Applebaum confirmed that the certificate was valid in an email answer to Computerworld questions, as did noted SSL researcher Moxie Marlinspike on Twitter. “Yep, just verified the signature, that pastebin *.google.com certificate is real,” said Marlinspike .

Because the certificate is valid, a browser would not display a warning message if its user went to a website signed with the certificate.

It’s unclear whether the certificate was obtained because of a lack of oversight by DigiNotar or through a breach of the company’s certificate issuing website.

Schouwenberg urged the company to provide more information as soon as possible.

“Given their ties to the government and financial sectors it’s extremely important we find out the scope of the breach as quickly as possible,” Schouwenberg said. The situation was reminiscent of a breach last March, when a hacker obtained certificates for some of the Web’s biggest sites, including Google and Gmail, Microsoft, Skype and Yahoo.

Then, Comodo said that nine certificates had been fraudulently issued after attackers used an account assigned to a company partner in southern Europe.

Initially, Comodo argued that Iran’s government may have been involved in the theft. Days later, however, a solo Iranian hacker claimed responsibility for stealing the SSL certificates.

Today, Kaspersky’s Schouwenberg said “nation-state involvement is the most plausible explanation” for the acquisition of the DigiNotar-issued certificate.

Google have also mentioned in on their security blog here:

Today we received reports of attempted SSL man-in-the-middle (MITM) attacks against Google users, whereby someone tried to get between them and encrypted Google services. The people affected were primarily located in Iran. The attacker used a fraudulent SSL certificate issued by DigiNotar, a root certificate authority that should not issue certificates for Google (and has since revoked it).

An update on attempted man-in-the-middle attacks

There was also quick action taken by both Mozilla and Microsoft.

It’s been pretty quiet really to say this is really a major issue, I hope more details come out about how this occurred. If you are using Firefox there are instructions on how to delete/distrust the DigiNotar CA here.

Source: Network World

Ah it’s that time of the year again when all the back to skoolers have some mad l33t knowledge and wanna h4x0r the planet or something.

Hmmm website hacking, sounds simple eh?

thriller wrote:
hai i would like to know website hacking how?……… sedn to my mail

Ok I’m following up up to the exploding part? Not quite sure about that one.

kesarjahs wrote:
hi 2 all, i just want to ask if you have program for hacking of yahoomail /gmail account? If you don’t mind can you send it to my gmail account coz i want to hack and try to explode. I’m looking forward to the end such a long time.

sincerely,
Kesar Jahs

Ok this one is really bizarre, what kind of question does he expect actually?

Jason Davis wrote:
What is this site. I’m a lil lost
J

WTF, does this look like Security Focus? Oh right copy and paste, at least have the decency to change the e-mail you lazy fuck.

Rudra wrote:
Hello,
I’m the senior product manager and a founder employee of Wank Security – the industry’s leading on demand penetration testing company. Previously I’ve written articles in Hakin9, infosec magazine and CISSP training materials for renowned authors. I would also like to contribute to Security focus on a wide variety of topics including penetration testing. Please let me know if you are accepting articles at this point. Offline, I’ve been working on a article on security threats for online gaming. I can contribute this one if it fits your requirement to start with.

Hope to hear from you soon!

Thanks!
Rudra

Ah back to the normal cheating spouse/erase my debt thing going on.

Aliana wrote:
Quick background – I would like to start a new life, my x husband ran my credit to the ground. I am a 28 year old mother and am seeking someone who can help me erase my debt. If you know of anyone please pass on my email address, if not I am sorry to have wasted your time. Thank you!

What’s the bet this guy is Indian, all their e-mails start with ‘Sir’. BTW if you find the magic undetectable hacking tool Fadi, I want a copy too – thanks.

Fadi wrote:
Dear Sir,
i m looking for undetectable hacking tool to purchase is there any so please tell mei didn’t found any yet :( please sir i shall be highly thankfull to u .

I’m not exactly sure what kind of site people think this is, but since when did we do identity searches? She didn’t even mention what country she’s in or how I’m supposed to locate this mysterious person.

Nia wrote:
Do u need the permission of the individual to be able to give me their location?
And how much will it cost for one search?

Website: Hotmail

Credit cards? I have plenty, you can have them all if you want..I keep buying stuff I don’t really need.

noname wrote:
I want to buy credit card what to do to buy?

mig22 or mig33? Make up your mind..

ahmad wrote:
dear friend,
i just wanted to request you something. there is a software used for chating via mobile. its name is mig22. i want to request you to find some way or make some software for that , for hacking or cracking mig33 password. i will be very thankful to you.
waiting for your reply

Oh wow, poor you Louis. I swear people seem to think every ‘hacker’ runs some kind of hack on demand password recovery scheme.

Louis wrote:
Hi,

My ex stole my email accounts and changed all the details so I cant access them or recover them, can you please help me get the passwords so I can recover the email accounts?

Thanks in advance,

Louis

This one sounds like a 419er.

collins masango wrote:
i would need a good creditcard dealer to be suppling me with numbers,this for long time deal,preferably russian,german,canadian,uk or american

This one is a little bit scary..and disjointed, coins and bombs? What a combination.

Alana wrote:
I looking for imfo on atm and coin machines and how to crack into them and on bombs

Keep an eye on the retards here:

http://www.darknet.org.uk/category/retards/

Google started the new year by fixing a serious vulnerability in Gmail.

This was quite an interesting case and once again (as everything relating to web apps seems to be nowdays) it was an XSS flaw that allowed malicious attackers to steal your contact list, leading to some pretty bad information leakage.

Google has fixed a vulnerability in its popular GMail web mail service that creates a means for hackers to steal users’ contact lists.

The cross-site scripting flaw stemmed from the decision by GMail to store contact lists in a JavaScript file. GMail always saves contact lists as JavaScript code using the same URL, so a script featuring this URL can read out the fields of a users’ contact list. GMail failed to check what sites were attempting to run this “callback” function.

There was a previous very similar flaw on Google which effected computers with multiple Gmail users.

As a result users logged into GMail, or other Google services sharing the same login, are liable to hand over their contact list to spammers or other miscreants providing they are tricked into visiting a maliciously constructed website. Exploitation would have been as simple as fooling users into visiting a hostile website through spam messages sent to users’ email accounts.

Coders failed to take into account that it was a bad idea to save sensitive data as JavaScript, under predictable URLs, a problem Google watchers spotted shortly after Google made the coding changes last week

I do like Google though, they tend to fix things pretty fast!

Source: The Register