
Revealed: The Internet's Biggest Security Hole (Wired)

Wired covers a talk given at DefCon about vulnerabilities in the Border Gateway Protocol (BGP), the protocol networks use to advertise routes for internet traffic. The attack can hijack packets bound for a particular IP address range, then silently send them on to the proper destination, possibly after modifying them. "The issue exists because BGP's architecture is based on trust. To make it easy, say, for e-mail from Sprint customers in California to reach Telefonica customers in Spain, networks for these companies and others communicate through BGP routers to indicate when they're the quickest, most efficient route for the data to reach its destination. But BGP assumes that when a router says it's the best path, it's telling the truth. That gullibility makes it easy for eavesdroppers to fool routers into sending them traffic."

Revealed: The Internet's Biggest Security Hole (Wired)

Posted Aug 27, 2008 2:41 UTC (Wed) by drag (subscriber, #31333)

Which again, is why, we try to use protocols that verify end points and protect from eavesdropping. Whose systems they happen to pass through is supposed to be irrelevant.

(Isn't it lovely that the internet is designed to work with no knowledge of the sort of information being transmitted on it? Too bad people are working hard to subvert that..)

Although this hack is a terrific propaganda weapon to have. We need a demonstrable way to illustrate this sort of 'we need secure protocols' thing to people. Otherwise they get the odd idea of things like 'how does a bad person get control over an internet router?' and such.

Revealed: The Internet's Biggest Security Hole (Wired)

Posted Aug 27, 2008 3:39 UTC (Wed) by dw (subscriber, #12017)

Re: 'Although this hack is terrific propaganda'

I read this article earlier and as someone who has never really had much interest in Internet routing, fail to see the meat in this new attack. Are they simply saying "we can announce routes then MITM arbitrary Internet destinations!", because surely that is not new.

One article I read claimed that the "innovation" is the ability to forward the hijacked traffic on to the original intended recipient, but even this seems like something that is just a matter of some routing trickery or picking your egress/ingress peers correctly (or carefully controlling to whom and how you announce the fake routes).

One other thing, AFAIK the absence of "security" in IP was an original design goal, so of course applications should be validating/protecting data if said data is worth it. Again this seems to detract from this news piece being anything new.

What's so magical and new in this attack?

Revealed: The Internet's Biggest Security Hole (Wired)

Posted Aug 27, 2008 15:35 UTC (Wed) by kfiles (subscriber, #11628)

I think that, to folks familiar with BGP next-hop selection, this presentation doesn't contain much that's really surprising. However, actually forwarding traffic to its intended recipients after intercepting it, using just BGP routing, is not entirely simple. The most straightforward way of doing it would be for the attacker to dual-home to two ISPs, and scope the attack to only affect one of those. He'll then be able to forward the traffic post-intercept to the other provider.

I don't know of anyone else who's suggested using AS path prepending in quite this way (to preserve the original valid route for the traffic in a particular ISP's routing tables, while affecting most other ISP routing tables). Due to BGP AS loop detection, ASes included in the false prepending will thus ignore the attacker's advertisement, leaving them as good targets for forwarding the traffic.

There are really lots of ways to play with route advertisements, in the absence of universal ingress prefix filtering. Special-purpose communities, routes to be advertised only to a single ISP's customers, AS path, etc.

In the end, though, it should be apparent that this is still a really messy and public way to intercept traffic. A well-funded adversary will use much more effective and transparent intercept methods at lower levels (port mirroring, optical splitters, wiretaps, etc.). The only reason that BGP route hijacking will succeed is because of the sheer size of our global routing tables today, and the difficulty in noticing a single new malicious advertisement among many.
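
Added example, not code from the talk, from LWN, or from any of the commenters: a toy path-vector model in Python that reproduces the prepending trick kfiles describes. Everything in it is constructed for the example: the topology, the private-range ASNs (64496 to 64511), the 10.0.0.0/8 prefixes, and a best-path rule reduced to shortest AS_PATH with a deterministic tie-break (no local-pref, MED, communities or prefix filters). The attacker, dual-homed to ISP_A and ISP_B, announces a more-specific /24 to ISP_A only, with the ASNs of the intended return path (ISP_B and the victim's ISP) placed after its own; those ASes discard the announcement under loop detection and keep the legitimate /16, so traffic that ISP_A and a distant network hand to the attacker can be relayed through ISP_B to the real origin. The control run without the poisoned path shows ISP_B swallowing the /24 as well, at which point the relay just loops back to the attacker.

```python
"""Toy path-vector model of the dual-homed BGP interception discussed above.

Added example with a constructed topology: the victim (AS64500) originates
10.0.0.0/16 via its ISP (AS64501); ISP_A (AS64496) and ISP_B (AS64497) are
transit networks that also serve a distant network FAR (AS64498); the attacker
(AS64511) is a customer of both ISP_A and ISP_B.  Best path is shortest AS_PATH
with a lowest-neighbour-ASN tie-break; no local-pref, MED, communities or
prefix filters exist in this model.
"""
import ipaddress
from collections import deque

VICTIM, VICTIM_ISP = 64500, 64501
ISP_A, ISP_B, FAR, ATTACKER = 64496, 64497, 64498, 64511
VICTIM_PREFIX = "10.0.0.0/16"
HIJACKED_PREFIX = "10.0.1.0/24"   # more-specific: wins longest-match wherever it is accepted


class ASNetwork:
    def __init__(self):
        self.links = {}        # asn -> set of neighbour ASNs
        self.rib = {}          # asn -> prefix -> {neighbour asn: AS_PATH as received}
        self.queue = deque()   # pending UPDATEs: (sender, receiver, prefix, path)

    def link(self, a, b):
        for x, y in ((a, b), (b, a)):
            self.links.setdefault(x, set()).add(y)
            self.rib.setdefault(x, {})

    def announce(self, sender, prefix, path, to):
        for neighbour in to:
            self.queue.append((sender, neighbour, prefix, path))

    def originate(self, asn, prefix):
        self.rib[asn][prefix] = {asn: (asn,)}            # locally originated route
        self.announce(asn, prefix, (asn,), self.links[asn])

    def best(self, asn, prefix):
        cands = self.rib[asn].get(prefix, {})
        if not cands:
            return None
        return min(cands.items(), key=lambda kv: (len(kv[1]), kv[0]))

    def run(self):
        """Propagate queued UPDATEs until every AS has converged."""
        while self.queue:
            sender, recv, prefix, path = self.queue.popleft()
            if recv in path:            # AS-loop detection: own ASN in AS_PATH -> discard
                continue
            before = self.best(recv, prefix)
            self.rib[recv].setdefault(prefix, {})[sender] = path
            after = self.best(recv, prefix)
            if after != before:         # best path changed: re-advertise with own ASN prepended
                self.announce(recv, prefix, (recv,) + after[1], self.links[recv] - {sender})

    def next_hop(self, asn, dst):
        ip = ipaddress.ip_address(dst)
        matches = [p for p in self.rib[asn] if ip in ipaddress.ip_network(p)]
        if not matches:
            return None
        longest = max(matches, key=lambda p: ipaddress.ip_network(p).prefixlen)
        return self.best(asn, longest)[0]

    def trace(self, start, dst, stop_at=None, max_hops=16):
        """Follow per-AS next hops; stop on delivery, black hole, stop_at, or the loop budget."""
        hops = [start]
        while len(hops) < max_hops and hops[-1] != stop_at:
            nh = self.next_hop(hops[-1], dst)
            if nh is None or nh == hops[-1]:
                break
            hops.append(nh)
        return hops


def build(poison_return_path):
    net = ASNetwork()
    for a, b in [(VICTIM, VICTIM_ISP), (VICTIM_ISP, ISP_A), (VICTIM_ISP, ISP_B),
                 (ISP_A, ISP_B), (ISP_A, FAR), (ISP_B, FAR),
                 (ATTACKER, ISP_A), (ATTACKER, ISP_B)]:
        net.link(a, b)
    net.originate(VICTIM, VICTIM_PREFIX)
    net.run()                                           # steady state before the attack
    if poison_return_path:
        # Own ASN first, then the ASNs of the intended return path, ending at the
        # real origin so the route looks plausible.  ISP_B and VICTIM_ISP see
        # themselves in the path and discard it; everyone else accepts it.
        forged = (ATTACKER, ISP_B, VICTIM_ISP, VICTIM)
    else:
        forged = (ATTACKER, VICTIM)                     # plain sub-prefix hijack
    net.announce(ATTACKER, HIJACKED_PREFIX, forged, to={ISP_A})   # announced to ISP_A only
    net.run()
    return net


if __name__ == "__main__":
    dst = "10.0.1.5"
    net = build(poison_return_path=True)
    print("FAR -> attacker:", net.trace(FAR, dst, stop_at=ATTACKER))
    print("relay via ISP_B:", net.trace(ISP_B, dst))    # the attacker's forwarding policy
    print("ISP_B holds the /24?", HIJACKED_PREFIX in net.rib[ISP_B])
    naive = build(poison_return_path=False)
    print("without poisoning, relay:", naive.trace(ISP_B, dst))
```

The relay step is a forwarding policy on the attacker's side (send the intercepted traffic out through the provider that never accepted the /24), not something the model learns from BGP, which is why the code simply traces from ISP_B. Real routers layer local preference and prefix filters on top of this, and the model leaves out withdrawals entirely; the point it makes is only the one in the comment: loop detection turns a forged AS_PATH into a per-AS "do not install" instruction.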

Revealed: The Internet's Biggest Security Hole (Wired)

Posted Aug 27, 2008 7:51 UTC (Wed) by flewellyn (subscriber, #5047)

> (Isn't it lovely that the internet is designed to work with no knowledge of the sort of information being transmitted on it? Too bad people are working hard to subvert that..)

Could you expand on this? Who is working to subvert it, and how?

Revealed: The Internet's Biggest Security Hole (Wired)

Posted Aug 27, 2008 17:01 UTC (Wed) by Duncan (guest, #6647)

I took that as a reference to all the deep packet inspection and anti-network-neutrality efforts going on. Blocking, deliberately RSTing, or severely throttling traffic somebody in power doesn't like, or in order to demand that an additional toll be paid to give the traffic what should be ordinary privileges.

Duncan

Revealed: The Internet's Biggest Security Hole (Wired)

Posted Aug 28, 2008 1:09 UTC (Thu) by drag (subscriber, #31333)

Yep. That and content filtering by governments and businesses.

It's just a few steps away if certain folks get what they want... It's well known that many governments filter web access heavily. As the technical savvy of its citizens increases then that desire for control and censorship will want to spread to other protocols.

And it's not just places like China and the Middle East. In most places in Europe many types of political expressions are illegal. Imagery, docs, websites, etc etc. Being in possession and knowingly transporting banned forms of speech can be a very serious offense. In the U.S.A. we have rules against that sort of censorship (for now), but people will want to use the government control over the airwaves to extend to things like 'Free wireless internet, but with no porn for kids'.

Then there are big pushes to monitor communications in and out of the country. And most governments want the ability to filter and restrict information during times of war and social unrest. (if 'the people' are able to organize and spread information outside of controlled media then it may be possible for them to outmaneuver police forces or spread riots on a much wider scale; for example.)

Once the luddites in government finally realize that 'OMFG Internet != WorldWideWeb' they are going to want to do a hell of a lot more than monitor and filter websites. They'll want to spend billions to develop technology to monitor and filter content on all sorts of different protocols.

Then you can probably imagine the next step.. People have already used encryption to try to work around perceived protocol manipulation by their ISPs, and evade piracy laws, regarding p2p systems like Bittorrent.

Once the average government person realizes that all the money they spend on monitoring and filtering content is completely and totally f-ing worthless if somebody sets up something as trivial as a https website in Cuba then they'll want to pass all sorts of horrific laws.

You can see all sorts of hints at it when people mention 'terrorists' and 'laptops' and how the terrorists are actually quite educated and savvy enough to encrypt information and hide communications on websites.

Back in the 90's there was a big push and fear surrounding things like the 'Clipper chip', government-mandated back doors into encryption protocols, and Encryption Key Escrow laws.

We in the U.S. are not going to see this sort of push right now, due to the elections. But I expect that within 3 years people are going to start to fight hard again on restricting access of effective encryption technology to the common people.

Revealed: The Internet's Biggest Security Hole (Wired)

Posted Aug 28, 2008 6:34 UTC (Thu) by dlang (subscriber, #313)

one point I disagree with you over.

you lump filtering by 'governments' and 'businesses' together and label them both evil, why didn't you list 'schools' and 'parents' as well?

businesses should have the right to filter content for their own networks just like parents should have the right to filter content on their own networks.

filtering isn't inherently evil (how many people run with no anti-spam filters, for example), where it crosses the line is when you filter (or force a filter) on someone else's network.

Revealed: The Internet's Biggest Security Hole (Wired)

Posted Aug 28, 2008 11:12 UTC (Thu) by nix (subscriber, #2304)

Why is it any more ethical for a business to filter its network connection (modulo spam of course) than it is for a business to tap its employees' use of its phones?

Revealed: The Internet's Biggest Security Hole (Wired)

Posted Aug 28, 2008 19:28 UTC (Thu) by dlang (subscriber, #313)

because the company is paying for the line and the company is paying the employees.

there is no right to unfiltered internet access from work (there is no right to _any_ internet access from work)

and there are situations where it's perfectly legitimate for companies to record phone calls. and filter e-mail (inbound and outbound)

it's not legitimate to do these things without notice that they are happening, but with such notice it's legal (and in some industries, required)

companies are paying the bill and providing the tools for their employees to get work done, if the company wants to allow those tools to be used for non-work purposes they can do so, they can also define what is reasonable.

with phones companies limit where you can call to (blocking 900 numbers and international calls in many cases) and they have enough logging that if someone runs up silly amounts of long-distance calls they will take action. If you run up several hundred dollar a month phone bills on your cell phone most companies will take action against you.

why should computer use be any different?

Revealed: The Internet's Biggest Security Hole (Wired)

Posted Aug 28, 2008 21:04 UTC (Thu) by drag (subscriber, #31333)

I don't have any problem with businesses filtering their private network.

I do it at my work.

(Also I have very easy ways to work around the most vigorous filtering techniques.)

But ISPs are beginning to heavily filter and monitor traffic. There are lots of very rich and powerful companies that would love to have the government actively monitoring the internet for their own benefit. Lots of companies would stand to make a whole lot of money from being paid to monitor the internet.

As you have seen with TiVO and the broadcast flags many businesses are successfully able to use government as a springboard for having private companies dictate hardware and software design, backed up by fines and imprisonment. Already lots of people have been assaulted and caged up for the sake of keeping them quiet for the sake of protecting the profits of multinational corporations. Not for actual piracy, but just talking about technology that people could use to do piracy.

Businesses by themselves are harmless.

They are no less evil, stupid, or badly run as any government.. it's the same issue with any sufficiently large human-based organization.

The difference is that governments retain to themselves the ability to seize property, demand compulsory payments and back it up with real threats, fine people, imprison people, and kill people. Businesses, generally, are not allowed to do that sort of thing (legally) unless they are under contract from governments. It's the same thing for any country. USSR, GB, France, China, Australia, USA, etc. The only difference is the circumstances in which the government penalties kick into effect. (for example: China can kill people on political grounds. police in Germany can kill people to prevent serious crimes (like murder), but in the USA the government can still kill people even after the murder took place as punishment.)

In my country individuals do retain some rights to kill people, when defending their life and other people's lives, and some notion of that extends to corporations (since they are nothing but a group of individuals), but generally under even more restrictions.

Now businesses, in comparison, are much less of a threat. If I piss off, say, Ford Motor Company then they can't send armed men to my house and take me away from my family. Only the government can do that. So unless I do something very fraudulent the worst possible outcome is that a bank may repossess my car and ruin my credit. In the larger scheme of things this may be quite unpleasant, but it's not very bad and the effect is only temporary.

Now, unfortunately, what we are seeing is that government and businesses are working together.

The People (Us) gave the government power to control aspects of commerce and business in an attempt to protect ourselves and the economy from dishonest businessmen. Unfortunately it was not really done in a very good manner because we are seeing laws meant to control businesses being turned around and used to control individuals for the _sake_ of businesses. So instead of us in charge of the government we are seeing the government AND business working together to maximize profit and power.

Of course all of this is extending to attempts to control how the Internet functions, like I mentioned above.

Revealed: The Internet's Biggest Security Hole (Wired)

Posted Aug 28, 2008 21:05 UTC (Thu) by drag (subscriber, #31333)

> Businesses by themselves are harmless.

I mean in comparison. They are capable of some serious bad things by themselves, of course, like any other group of humans.

Revealed: The Internet's Biggest Security Hole (Wired)

Posted Aug 28, 2008 22:34 UTC (Thu) by nix (subscriber, #2304)

More to the point, public companies in particular are potentially immortal `individuals' with no consistent ideals at all and with a legal requirement to be sociopathic.

Companies as originally constituted were a good idea, but things started going bad as soon as the requirement for them to be founded with one goal in mind and dissolved when that goal was achieved was removed, IMHO.

(Er, sorry for the nasty centre-embedded sentence, I can't think of a better phrasing.)

Revealed: The Internet's Biggest Security Hole (Wired)

Posted Aug 27, 2008 5:10 UTC (Wed) by BillyCrook (guest, #53586)

It has been obvious for a long time that identity should be validated by possession of private keys using asymmetric cryptography (SSL), and not by machine name (DNS) or IP address (BGP). BGP exactly IS trust, but carriers that participate in BGP generally have physical wires running between themselves and their customers, providers, and other companies that they have actual business relationships with, which serve as collateral to ensure nobody does anything nasty. The worst BGP hiccups have been accidents, and were detected, tracked down, and fixed relatively quickly because every involved router knows which direction the error is in.

Revealed: The Internet's Biggest Security Hole (Wired)

Posted Aug 27, 2008 7:25 UTC (Wed) by paulj (subscriber, #341)

> The worst BGP hiccups have been accidents, and were detected, tracked down, and fixed relatively quickly

Actually, what you mean is "The worst BGP hiccups, which we know about, have been accidents". The scary thing is that lots and lots of BGP "hijacks" actually go undetected (see the "Pretty Good BGP" paper by Josh Karlin, et al). Further, we don't actually know how many are accidental and how many malicious. One of the most widely publicised hijacks was quite deliberate (the Youtube hijack), other than in the eventual scope of the hijack.
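
Added example (mine, not code from the Pretty Good BGP paper, from LWN or from any commenter): a small history-based route monitor in Python in the spirit of the PGBGP approach, which treats an announcement as suspicious rather than simply accepting it when it introduces a (prefix, origin AS) pair not present in recent history, or a new more-specific of a known prefix, and only starts trusting it after a quarantine period has passed. The extra check for never-before-seen AS adjacencies in the path is my own addition, to catch the forged-tail announcements discussed in this thread, where the origin AS is left intact and an origin-only check sees nothing wrong. The record format, the private-range ASNs and the 10/8 prefixes are constructed; the 10-day history and 24-hour quarantine are parameters chosen for the example.

```python
"""History-based flagging of suspicious BGP announcements (added example).

Loosely modelled on the "cautious adoption" idea in Pretty Good BGP: a
(prefix, origin AS) pair or a more-specific prefix that recent history has not
seen is quarantined, not trusted, for a fixed period.  The AS-edge check is an
extension for forged paths that keep the real origin.  Record format and data
are constructed for the example.
"""
import ipaddress
from datetime import datetime, timedelta

HISTORY_WINDOW = timedelta(days=10)   # pairs/edges unseen for this long are forgotten
QUARANTINE = timedelta(hours=24)      # a newly seen pair/edge stays suspicious this long

# Constructed records: "<ISO timestamp> <prefix> <AS_PATH>" (origin AS is last).
# HISTORY stands in for a RIB dump taken before the event; UPDATES are live.
HISTORY = [
    "2008-08-20T00:00:00 10.0.0.0/16 64496 64501 64500",
    "2008-08-21T00:00:00 10.0.0.0/16 64497 64501 64500",
    "2008-08-22T00:00:00 10.5.0.0/16 64496 64502",
]
UPDATES = [
    "2008-08-27T10:00:00 10.0.0.0/16 64496 64511",                    # blunt origin hijack
    "2008-08-27T11:00:00 10.0.1.0/24 64496 64511 64497 64501 64500",  # sub-prefix, forged tail
    "2008-08-28T12:00:00 10.0.1.0/24 64496 64511 64497 64501 64500",  # same route, 25 h later
]


def parse(line):
    ts, prefix, *path = line.split()
    return datetime.fromisoformat(ts), prefix, [int(a) for a in path]


class RouteMonitor:
    def __init__(self):
        self.origins = {}   # (prefix, origin ASN) -> (first_seen, last_seen)
        self.edges = {}     # (lower ASN, higher ASN) -> (first_seen, last_seen)

    def _record(self, table, key, ts):
        """Update sighting times for key; True if it is new or still in quarantine."""
        first, last = table.get(key, (None, None))
        if first is None or ts - last > HISTORY_WINDOW:   # never seen, or stale: relearn
            table[key] = (ts, ts)
            return True
        table[key] = (first, ts)
        return ts - first < QUARANTINE

    def _trusted(self, table, ts):
        """Keys seen recently whose quarantine has expired."""
        return {k for k, (first, last) in table.items()
                if ts - last <= HISTORY_WINDOW and ts - first >= QUARANTINE}

    def seed(self, line):
        """Load a record into history without judging it (initial RIB dump)."""
        ts, prefix, path = parse(line)
        self._record(self.origins, (prefix, path[-1]), ts)
        for a, b in zip(path, path[1:]):
            self._record(self.edges, (min(a, b), max(a, b)), ts)

    def observe(self, line):
        """Return the list of reasons this announcement is suspicious (empty = trusted)."""
        ts, prefix, path = parse(line)
        net, origin = ipaddress.ip_network(prefix), path[-1]
        trusted = self._trusted(self.origins, ts)
        trusted_origins = sorted(o for p, o in trusted if p == prefix)
        covering = [p for p, _ in trusted
                    if p != prefix and ipaddress.ip_network(p).supernet_of(net)]
        reasons = []
        if self._record(self.origins, (prefix, origin), ts):
            if trusted_origins:
                reasons.append(f"new origin AS{origin} for {prefix}; history has {trusted_origins}")
            elif covering:
                parent = max(covering, key=lambda p: ipaddress.ip_network(p).prefixlen)
                reasons.append(f"{prefix} is a new more-specific of {parent}")
            # a wholly new prefix with no covering route: nothing to compare it against
        for a, b in zip(path, path[1:]):
            if self._record(self.edges, (min(a, b), max(a, b)), ts):
                reasons.append(f"AS{a}-AS{b} adjacency never seen before")
        return reasons


def run_demo():
    monitor = RouteMonitor()
    for line in HISTORY:
        monitor.seed(line)
    return [monitor.observe(line) for line in UPDATES]


if __name__ == "__main__":
    for line, reasons in zip(UPDATES, run_demo()):
        print(line)
        for r in reasons:
            print("   !", r)
```

The last record is the important one: the same forged announcement, seen again 25 hours later, returns no reasons at all, because the pair and the edges have aged out of quarantine into history. A heuristic like this buys time for an operator or a registry lookup to decide; it does not decide by itself, which is exactly why a patient hijacker who lets the route sit goes unnoticed.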

Revealed: The Internet's Biggest Security Hole (Wired)

Posted Aug 27, 2008 13:17 UTC (Wed) by kh (subscriber, #19413)

Also see the LISA 2007 presentation from David Josephsen: Homeless Vikings: BGP Prefix Hijacking

BGP experts

Posted Aug 27, 2008 8:59 UTC (Wed) by ncm (subscriber, #165)

I was told a few years back (OK, 7) that most of the BGP experts in the world are in India.

BGP experts

Posted Aug 27, 2008 14:34 UTC (Wed) by nhasan (subscriber, #1699)

and your point being?

Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds