More evidence that the intertubes are fundamentally broken has been served up by Wired.com in an article laying out a technique to surreptitiously hijack huge chunks of the internet and monitor or even modify unencrypted traffic before it reaches its intended destination. The exploit of the routing protocol known as BGP, short …
someone found a way to turn off the internet.
they should hook this up to that big red button at turnofftheinternet.com
Based on trust
The Internet operates on inter-autonomous system routing, a system based on trust. Looking at RFC1771, it wouldn't be difficult to set up a PC to act as a BGP router to inject forged BGP routing update packets onto a network to set up routing loops and other DOS attacks. To intercept then forward traffic maybe beyond a Metasploit plugin but a BGP packet spoofer would be too easy. I see a potential here to cause serious damage. I am not an expert, just a novice hoping and working to one day be one, so please correct me if I am wrong.
can't do withowt t'internet
hope they don't manage to do this - i've only just learnt to turn t'lights off being a northerner................. if i haven't got t'internet now my kids most likely will starve............ mines the one with the co-op shop apron!
Back in about 1995-96, when I was working in a certain place and before SysAdmins were the "professional" bunch they are now, I had a fair amount of involvement in LAN management and how it connected to the then primitive internet.
I and another "admin" were convinced that desktop encryption was the way to go to protect sensitive LAN traffic ... and that as soon as it was viable, we also wanted to see encrypted traffic as the norm on the internet.
It took a decade, but recently that organisation implemented desktop encryption (at the NIC level).
I think it's high time the other suggestion was implemented. Make encrypted internet traffic the norm. (Yes, I know there are other problems and exploits .... nothing's perfect).
Paris? No one can understand what she's saying at the best of times, even if they intercept it.
Mother of All Botnets
Hijack the path for applying updates to (name your application) as described for a variation of the recently described DNS flaw. How many people would have a clue about what is going on? Even running Ethereal/brouter and observing the traffic, the tainting would be very hard to observe until the malware activated and did something stupid like trying to phone home to an alien IP address (it could hypothetically phone to a hijacked regular banner spam address and not be noticed if the hijacking lived long enough).
An excellent attack vector for the black helo boyz, remote implantation of spyware... with a rubber hose they can hijack a DNS, and with the same rubber hose a cert for a convenient SBGP gateway (did anyone notice how infrequently SBGP changes certs? Same attack vector as for the old nym servers, don't need a rubber hose though, just some NSA compute time to crack the key), and off they go with the MITM attack.
(even most corps use dual tunnel for VPN remote to "save money" (by sacrificing security), leaving one tunnel subject to attack. A bit of spear phishing and the CEO's email is accessible... and most of the emps.... a large corp is a nice big IP address target too.)
A Plot to Sell Faster Hardware
The near-term solution appears to be encrypt 100% of your traffic. I guess that is why we all need multicore processors, fast connections, and more memory than ever before. At least Intel will make money.
Why is this news?
This problem is inherent to the way BGP works. The article itself even states this. Why is this news and why did it get airtime at Defcon?
"Pilosov's innovation is to forward the intercepted data silently to the actual destination, so that no outage occurs." Is that what passes for innovation these days?
BGP has always operated on human trust (for better or worse). If we decide we want to fix it fine but let's not make out this is news or in some way new.
No news here
Sorry but where is the story? This is how BGP works. It didn't deserve to be mentioned at Defcon never mind repeated here. Even with encryption if you can gain access to a routing node you can redirect traffic as the router needs to know where did is coming from and going to.
At the end of the day you need to accept that there needs to be some trust in communicating via the internet or you won't be able to send and receive data.
Miscreants need an AS
BGP routes to organizations, a.k.a. ASs (Autonomous System number). You'd have to set up a multi-homed company or organization, or an ISP and get your AS number. Last I checked, ARIN, RIPE et al do pretty thorough identity checks (atop the need-to-have checks).
Transits and large NOCs can already do this, sometimes it's done on purpose for non-nefarious reasons. We presume the CIA has better ways.
After careful planning and great expense, a small company could probably steal another small company's data, but if you get caught, we know who you are and where you live. There are easier ways.
I have to agree, none of this is new information; it's BGP.
Still, any excuse to grab a bit of self serving publicity.
How is Encryption going to help on web sites?
As if they can redirect your traffic - they can send it to a man in the middle style attack. So unless you can verify the certificate of the website/remote end - and how do you check the certificate - usually via an internet connection by any chance or ones stored on local computer - which are usually updated via internet!
Let's face it - unless we can get a separate distribution channel for certificates - it is all fubared
How do I tell.
So before the attack I'm routing my data over a potentially untrustworthy network. After the attack I'm routing my data over a different potentially untrustworthy network. Did I miss an announcement that the Internet was suddenly fundamentally trustworthy somewhere ?
Spin Waiting Log Jam?
Is there a moratorium on further discussion here?
How exactly would you system test this website? And how would you switch the internet back on?
Mine's the one with the big red one....button I mean...
Now would someone care to route the Internet in a great circle around Sweden!
This article is complete crap
This is just BGP, it's not news, don't quote Wired. And quit sending correspondents to Defcon who don't understand things, and get all excited about stuff like this. This article is complete FUD. (Just like the last article from Defcon)
why the hell encrypt everything? the internet is fundamentally insecure. That doesn't mean that I want my email to Aunty Irene encrypted, because, guess what, I don't care.
You know? They have bent postmen too.
Hanging Thoughts out to Dry ..... after Brain Washing/Perceptions ReAsignment
"Now would someone care to route the Internet in a great circle around Sweden!" ... By EmperorFromage Posted Thursday 28th August 2008 12:57 GMT
Much Easier and more Fun for the Swedes to Route IT through them, EmperorFromage, then they can Savour and Favour all the Good Bits and Bin all the Rubbish for Onward Recycling/Intellectual Property Return to Sender........ a Sort of Sub Prime Collateralised Debt Obligation Special Investment Vehicle in Reverse.
Re: How is Encryption going to help on web sites?
"As if they can redirect your traffic - they can send it to a man in the middle style attack. So unless you can verify the certificate of the website/remote end - and how do you check the certificate - usually via an internet connection by any chance or ones stored on local computer - which are usually updated via internet!"
To change the certificate for my bank, they need to change the countersignatories as well, all the way up the chain, until they reach those root certificates that ship with Windows. Unless they'd got at the CD-ROMs, this seems unlikely. They'd also need to quietly modify and re-sign everything coming through file downloads, like Windows Update, not just web traffic. That's going to need some pretty smart AI algorithms to do real-time reverse engineering of downloads and some hefty processing to regenerate the modified versions. I doubt there is enough money in my bank account to make it worth their while, but if they try it anyway they will be easily detected by the sheer scale of their operations. (In the infra-red, it ought to be visible from space.)
Another "Internet is not safe" Article
Sure it's fine on the Reg, where most of us understand it's not earth shattering news, and it's been possible for ages - but not really done.
But I really wish journalists would start being responsible and putting "This is why we use secure connections for sensitive information, and you're safe with it" in these articles. It's not us lot that read this that will suffer, it's Joe Public who now has one more misinformed reason to steer clear of one of mankind's greatest inventions.
BGP routing may be logged, but
There are still games being played with it. A year ago I was at a talk where a fairly cute attack was outlined. One element of it was that folks were publishing BGP routes to ip4 addresses that are (as of now) dark. I can't remember now the exact value of advertising routes to IPs that don't exist, but there was value to doing it, and no indication that the BGP gatekeepers were paying close attention to it. No traffic for legitimately assigned addresses was interrupted; who was complaining? Which NOC employee at a tier 1 or tier 2 carrier has time to analyze phishing email misdirects?
As far as folks who want to trust SSL and plan to not use a system if the SSL cert isn't correct because DNS has been compromised upstream: all well and good for you. If you give the pointy haired boss who runs personnel a browser popup with two buttons, one of which says "you can't work for a few hours while IT figures out what's wrong with this crypto" and one of which says "you can keep doing what you think is your regular work by pressing this button," which button will get pushed?
And if the choice comes up a second time, because the first time the PHB accidentally made the safer decision the first time out?
Unless you're using a proxy that's set up to reject certs that don't pass, with no bypass mechanism, there will be a lot of people breaking SSL intentionally from inside the firewall; they won't understand what they're doing, but they'll compromise their own systems again and again.
How confident are you that the people whose computers handle your transactions are protected from making this mistake? Not just banking, but medical, pharmacy, car insurance, concert tickets....
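Added example, not part of the comment thread: a small audit of the kind of monitoring the comment above says nobody was doing, flagging announcements for unallocated ("dark") space and announcements whose origin AS differs from the expected one. The allocation table, announcements and verdict names are constructed for illustration; prefixes and AS numbers come from the ranges reserved for documentation.

```python
import ipaddress

# Constructed registry: allocated prefix -> ASN expected to originate it.
ALLOCATIONS = {
    "192.0.2.0/24": 64496,
    "198.51.100.0/24": 64497,
}

# Constructed announcements as a route collector might record them:
# (announced prefix, AS path with the origin AS last).
ANNOUNCEMENTS = [
    ("192.0.2.0/24", [64510, 64496]),     # expected origin
    ("198.51.100.0/25", [64510, 64499]),  # inside an allocation, other origin
    ("203.0.113.0/24", [64511, 64500]),   # no allocation covers this
    ("198.51.100.0/24", [64497]),         # expected origin
]


def covering_allocation(prefix, allocations):
    """Return (network, asn) of the longest allocation covering prefix, or None."""
    best = None
    for text, asn in allocations.items():
        net = ipaddress.ip_network(text)
        if prefix.version == net.version and prefix.subnet_of(net):
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, asn)
    return best


def classify(prefix_text, as_path, allocations=ALLOCATIONS):
    """Classify one announcement against the allocation table."""
    prefix = ipaddress.ip_network(prefix_text)
    origin = as_path[-1]
    match = covering_allocation(prefix, allocations)
    if match is None:
        return "DARK_SPACE"        # route to space nobody has been assigned
    net, expected = match
    if origin != expected:
        return "ORIGIN_MISMATCH"   # someone else claims to originate it
    if prefix.prefixlen > net.prefixlen:
        return "MORE_SPECIFIC"     # right origin, narrower than registered
    return "OK"


def audit(announcements=ANNOUNCEMENTS):
    """Return (prefix, origin AS, verdict) for every announcement."""
    return [(p, path[-1], classify(p, path)) for p, path in announcements]


if __name__ == "__main__":
    for prefix, origin, verdict in audit():
        print(f"{prefix:18} origin AS{origin:<6} {verdict}")
```

A verdict other than OK is a prompt for a human to look, not proof of abuse: legitimate traffic engineering also produces more-specific announcements and origin changes.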
Not much of an exploit, really....
So they route traffic through their systems. If it's properly encrypted then it doesn't mean a thing. When the world talks about 'intercepting' or 'man in the middle' then they're talking eavesdropping on or modifying confidential messages. Clear text -- like this -- is designed to go anywhere to get to where it's going. If some hacker wants to help it along, then great. (If they bit-bucket it, though -- not so great -- but then the Internet was designed with disappearing nodes in mind).
@Based on trust
ya, you're wrong. it's only the poor man's traffic intercept, and traffic would just be routed elsewhere if any telecom exchange whatever is down. fly around in a plane intercepting satellite transmissions can't shut down the net either. you'd need to simultaneously intercept every country
I'm with the "not news" crowd.
Defcon delegates must be either seriously running out of ideas, or getting much younger and hence unable to recall discussion of this in past literature, which dates back _at least_ ten years.
Granted your average internet 'civilian' wouldn't necessarily be aware of this, but anyone who claims or considers themselves to be an internet security 'expert' or 'researcher', or even to be knowledgeable in the field and expresses surprise at this should be dismissed as a charlatan immediately.
2008 will surely be remembered as the year that Defcon became even less relevant and even more tediously uninteresting than it was to begin with.