Slashdot Mirror


The Internet's Biggest Security Hole Revealed

At DEFCON, Tony Kapela and Alex Pilosov demonstrated a drastic weakness in the Internet's infrastructure that had long been rumored, but wasn't believed practical. They showed how to hijack BGP (the border gateway protocol) in order to eavesdrop on Net traffic in a way that wouldn't be simple to detect. Quoting: "'It's at least as big an issue as the DNS issue, if not bigger,' said Peiter 'Mudge' Zatko, noted computer security expert and former member of the L0pht hacking group, who testified to Congress in 1998 that he could bring down the internet in 30 minutes using a similar BGP attack, and disclosed privately to government agents how BGP could also be exploited to eavesdrop. 'I went around screaming my head about this about ten or twelve years ago... We described this to intelligence agencies and to the National Security Council, in detail.' The man-in-the-middle attack exploits BGP to fool routers into re-directing data to an eavesdropper's network." Here's the PDF of Kapela and Pilosov's presentation.

25 of 330 comments

  1. Scary Much? by creature124 · · Score: 5, Informative

    I find the thought of this genuinely scary. Correct me if I am wrong, but we would have to change the BGP protocol itself to fix this issue. That isn't going to happen anytime soon I reckon, so I guess there is nothing we can do but encrypt sensitive transmissions and hope for the best.

    1. Re:Scary Much? by jd · · Score: 3, Informative

      BGP is supposed to be authenticated between peers, but clearly not nearly enough. If IPSEC was enabled (it's likely to already be present) on all routers, then BGP traffic between routers would be guaranteed both encrypted AND authenticated. Or, if you prefer, there are a very, very few other routing protocols for WANs - ESES probably being the one most taken seriously. (ESES is the exterior gateway version of ISIS. Both are mature protocols with a lot of hardware out there that can support them.)

      --
      It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
    2. Re:Scary Much? by Alascom · · Score: 4, Informative

      BGP is authenticated, and using IPSec will not solve anything. BGP peers must configure the IPs of their neighbors, and in many cases an MD5 secret as well. This is pretty strong authentication. The point here is that anyone can get a high-speed link from an ISP, and that ISP will talk BGP to you. Then you simply tell your ISP about your network through BGP, and also tell it about some additional network routes, and the ISP passes it along.

      The way to prevent this today would be for the ISP that peers with you to know which IP blocks you own, and filter out any other routes you send over. But this is a lot of work for the ISP, so very few of them do it.
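
The customer-side prefix filter this comment describes, written out as an added example (not code from the page or from any router vendor). It assumes a stub customer with a constructed ASN of 64500, two constructed registered blocks, and a maximum accepted prefix length of /24; all of those are assumptions for the demo. Each announcement is checked the way an ISP's ingress policy would: first AS must be the peer, origin AS must be the customer, the prefix must not be more specific than allowed, and it must fall inside the registered blocks.

```python
"""ISP-side ingress filter for a BGP customer session.

Added example, not code from the page or from any router vendor. The
customer ASN, registered blocks and sample announcements are constructed.
"""
import ipaddress

# Constructed provisioning data: what the ISP's records say the customer holds.
CUSTOMER_ASN = 64500                  # private-use ASN used as a placeholder
REGISTERED = [ipaddress.ip_network("203.0.113.0/24"),
              ipaddress.ip_network("198.51.100.0/22")]
MAX_PREFIX_LEN = 24                   # refuse anything more specific than /24


def check_announcement(prefix, as_path):
    """Decide whether to accept one (prefix, AS_PATH) the customer sent.

    as_path lists ASNs as carried in the update: the neighbour that sent it
    first, the originating AS last. Returns (accept, reason).
    """
    net = ipaddress.ip_network(prefix, strict=False)
    if not as_path or as_path[0] != CUSTOMER_ASN:
        # Equivalent of "enforce first AS": the first hop must be our peer.
        return False, "first AS in path is not the peer's ASN"
    if as_path[-1] != CUSTOMER_ASN:
        # The customer is a stub: anything it originates must carry its ASN.
        return False, f"origin AS {as_path[-1]} is not the customer's ASN"
    if net.prefixlen > MAX_PREFIX_LEN:
        return False, f"/{net.prefixlen} is longer than the allowed /{MAX_PREFIX_LEN}"
    if not any(b.version == net.version and net.subnet_of(b) for b in REGISTERED):
        return False, f"{net} is outside the customer's registered blocks"
    return True, "accepted"


# Constructed announcements: two legitimate, the rest the kinds of thing the
# filter exists to drop (too specific, someone else's space, wrong origin,
# wrong first AS).
SAMPLE_ANNOUNCEMENTS = [
    ("203.0.113.0/24", [64500]),
    ("198.51.100.0/23", [64500]),
    ("203.0.113.0/25", [64500]),
    ("192.0.2.0/24", [64500]),
    ("203.0.113.0/24", [64500, 64496]),
    ("203.0.113.0/24", [64501, 64500]),
]


def run_filter(announcements=SAMPLE_ANNOUNCEMENTS):
    """Return a list of (prefix, accepted, reason) for each announcement."""
    return [(p, *check_announcement(p, path)) for p, path in announcements]


if __name__ == "__main__":
    for prefix, ok, why in run_filter():
        print(f"{'ACCEPT' if ok else 'REJECT'} {prefix:18} {why}")
```

The registered-block check is the part the comment says few ISPs bother with; the first-AS and origin checks are cheap and catch a path that was pasted together to look like it came from somewhere else.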

  2. Re:SSL by Antique+Geekmeister · · Score: 4, Informative

    And you actually trust Verisign to be a primary signature authority for SSL? Why? They've cooperated in all sorts of stupidity, such as their temporary insistence on returning their own squatting domain as a valid entry for every non-existent domain in *.com, which was particularly nasty because they own the .com master servers. Do you really think that Verisign is that secure, and wouldn't cooperate in faking keys if a national security agency asked them to?

  3. Re:SSL by jd · · Score: 4, Informative

    They gave away Microsoft's private keys to someone who called them, a while back, in a rather infamous case that forced Microsoft to change their entire update system and their collection of "secure" sites. If they've done it once, it can clearly happen again, and the lack of publicity may simply be evidence of better media management. I'd be very wary of trusting them with anything and would be skeptical of any institution that relied on Verisign for any kind of critical proof-of-identity situation, though they're probably reasonable enough for personal certs.

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
  4. I archive the talk by stits · · Score: 5, Informative

    It was really cool, opened a lot of people's eyes. Here is the archive, http://www.stits.org/fp/Defcon_16/. Please don't flood it and only download it if you will use the info. I also took a ton of photos: http://www.flickr.com/photos/stits/sets/72157606608859399/ Hope to see you all next year!

  5. Re:You can bet good money... by inKubus · · Score: 4, Informative

    Yeah, but they don't need to poison BGP to read our data, since they have access by the Tier 1 providers and telcos to the actual photons on the backbone fibers. And of course legal immunity now that they passed that bill.

    Nay, this would best be used against other countries, where the NSA actually works.

    --
    Cool! Amazing Toys.
  6. Latency jump by Bill,+Shooter+of+Bul · · Score: 3, Informative

    The whole MITM thing would raise a flag unless the attackers were close enough to the real routers for the IP address block it was hijacking. Several companies I know notice when BGP screws up and doubles their latency. They notice and complain loudly.

    --
    Well.. maybe. Or Maybe not. But Definitely not sort of.
  7. Re:Fun fun fud by Anonymous Coward · · Score: 1, Informative

    wooosh!

  8. Correction by thegameiam · · Score: 4, Informative

    - If you are relying on AS prepends, these affect the path from you, but not directly the path to you. They are notoriously tricky and may stop working (because of changes in other people's advertisements) at any time.

    Not quite.

    Prepends affect your outbound announcements, and this affects inbound traffic to you. Prepends are the most effective tool for BGP manipulation because they're transitive - announcing more specifics works too, but that's not quite the same thing.

    --
    Need Geek Rock? Try The Franchise!
  9. Re:SSL by Anonymous Coward · · Score: 5, Informative

    Here's a link to information about the incident you mentioned:

    http://www.microsoft.com/technet/security/Bulletin/MS01-017.mspx

  10. Re:Fun fun fud by Anonymous Coward · · Score: 5, Informative

    How serious? This could potentially render the entire Internet inoperable. For real. Anyone who knows anything about basic Internet protocols should be shitting themselves right about now.

    You obviously don't know the basics of Internet protocols then. Anyone who knows BGP basics knows this problem is inherent in current interdomain routing.

    This is not an attack that just anyone can pull off (unlike Dan's DNS vulnerability). You need to possess a BGP peering relationship with a provider who doesn't filter the prefixes listed in the NLRI of a BGP update message, as well as any further upstream providers. A _very high_ bar to say the least.

    We've seen numerous accidental route leakages over the years and even some malicious hijacking of IP space for nefarious activity as noted in the presentation. Any significant hijacking for the purpose of MITM (hijacking for spam really isn't a priority for ISPs) would be tracked down instantly on the NANOG list and have severe peering repercussions for the offending ISP. Bumping the IP TTL isn't going to do squat for all the BGP anomaly detection systems continually monitoring the routing infrastructure (Renesys, PHAS, etc).

  11. Re:Fun fun fud by palegray.net · · Score: 5, Informative

    Sensitive government communications ride on networks that operate separately from the public Internet.

  12. Re:Oh, just great! by Jane+Q.+Public · · Score: 3, Informative

    I am familiar with l0phtcrack... I used it to reset a password or two back in the day. It came recommended (believe it or not) by one of the higher-ups in Microsoft network security.

    Oh... but it did more than just sniffing cleartext passwords. It would also decipher encrypted passwords over the net, given plenty of time. And it could be used to crack encrypted Hosts passwords.

    I always wondered why they did not follow it up.

  13. Re:Fun fun fud by Repton · · Score: 4, Informative

    Eh, I was trying to make a reference to the big email scandal of a while ago, where it turned out that important stuff was being sent (illegally) from email accounts at gwb32.com or georgewbush.com instead of whitehouse.gov. Slashdot coverage.

    --
    Repton.
    They say that only an experienced wizard can do the tengu shuffle.
  14. Re:Fun fun fud by palegray.net · · Score: 5, Informative

    Why would someone in the White House use an insecure communications channel to send sensitive correspondence to a foreign official? End-to-end encryption is used in such situations.

    Information transmitted from government installations is compartmentalized according to its classification level. Unclassified systems don't reside on the same networks as those intended for classified purposes.

    I'm a Navy communications nerd; this is kinda what I do for a living.

  15. Re:If you have BGP peering... by DeadBeef · · Score: 2, Informative

    I haven't come across a good technical description of the attack, but I expect that the AS path prepending is just to stop the transit AS that you are using to reinject the traffic from sending the traffic straight back at you.

    i.e. if you know AS666 is a transit for AS69 (that you are hijacking the traffic from), then you prepend AS666 in the path you advertise to the rest of the internet and BGP loop detection on the routers in AS666 will drop the bogus path and send your traffic to the real target AS69 instead.

    --
    I am a lawyer and this constitutes legal advice and I shall indemnify you against any losses arising from taking it.
  16. Re:Fun fun fud by Pikoro · · Score: 3, Informative

    Move to Japan. Nearly all the fiber to the home here is IPv6.

    --
    "Freedom in the USA is not the ability to do what you want. It is the ability to stop others from doing what THEY want"
  17. redirection attacks by Anonymous Coward · · Score: 1, Informative

    Some BGP attacks of similar nature have been shown in simulation. This is a paragraph from a related research paper: "This attack can be viewed as a variation of the well-known man in the middle (MITM) attack, in which players are ASes and messages are intercepted in one direction instead of both directions. Furthermore, it is more powerful than the MITM attack in the sense that it can affect traffic not just between two players, e.g. Alice and Bob, but between a number of sender ASes and one receiver AS, where each of the involved ASes bears a large number of end users. The impact of the false announcements made by the compromised AS depends on the topological properties of the compromised AS and the victim AS. Intuitively, if the compromised AS is located near the core of the AS topology it will affect more ASes. Also if the victim AS is located at the periphery of the AS topology it is more vulnerable to an attack." The full paper can be found at http://www.informs-sim.org/wsc04papers/038.pdf

  18. Re:SSL by dacut · · Score: 5, Informative

    They gave away Microsoft's private keys to someone who called them

    Not quite. Microsoft's private key wasn't compromised; their identity was stolen. The attacker convinced VeriSign to sign his certificate claiming to be "Microsoft Corporation." The whole point of PKI is to never transmit your private key, even to an authority like VeriSign. As usual, the technology is secure; it's the people running it who aren't.

  19. Re:Fun fun fud by ecavalli · · Score: 4, Informative

    I admit, I looked.

    It's a picture of Bill O'Reilly for some reason.

    I... think that's an improvement...?

  20. Re:Fun fun fud by adri · · Score: 3, Informative

    Just stuff the AS numbers of the BGP anomaly detection systems into the path you're using to hijack and voila! They'll never see it.

    The attack uses spoofed AS paths which include the AS numbers of the ASes in the -return path- of your hijacked traffic. It works because the default eBGP behaviour is to drop routes w/ an AS in the path that matches theirs (loop detection!)

    It's not fool-proof, but you -can- reasonably selectively remove ASes from receiving the announcements.

    Furthermore, if you know the topology near the network you're hijacking, you could figure out all the exit (transit) ASes, spoof those so the announcement never makes it out to the general internet and hijack the traffic near them. Dense peering relationships at multiple places around the internet == your friend in this method.
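
The monitoring side of the two comments above (the anomaly detection systems mentioned in comment 10, and the loop-detection trick in comment 20 that hides an announcement from the ASes named in its path), as an added example that is not code from the page and not any real monitoring service. It assumes a constructed baseline for one prefix (legitimate origin AS 64496, known upstreams 64501 and 64502) and constructed observations from two vantage points; the prefix, ASNs and vantage point names are all placeholders. It flags an origin change, a sub-prefix of a monitored block, an unexpected upstream, and, the check that matters against the padded-path variant, a sub-prefix that only some collectors can see.

```python
"""Multi-vantage-point BGP route monitor.

Added example, not code from the page and not any real monitoring
service. The baseline, vantage points and observed updates are constructed.
"""
import ipaddress
from collections import defaultdict

# Constructed baseline for one monitored prefix: who legitimately originates
# it and which upstream ASes it is normally reached through.
BASELINE = {
    "203.0.113.0/24": {"origin": 64496, "upstreams": {64501, 64502}},
}

# Constructed observations: (vantage point, prefix, AS_PATH as seen there).
# The third update is a sub-prefix whose path carries the real upstream
# AS 64501, so 64501 and everything behind it (vp-B) never installs it.
# The fourth is a plain origin change seen from vp-B.
OBSERVED = [
    ("vp-A", "203.0.113.0/24", [64510, 64501, 64496]),
    ("vp-B", "203.0.113.0/24", [64520, 64502, 64496]),
    ("vp-A", "203.0.113.0/25", [64510, 64666, 64501, 64496]),
    ("vp-B", "203.0.113.0/24", [64520, 64666]),
]


def covering_baseline(net):
    """Return the (prefix, info) baseline entry that contains net, or None."""
    for base, info in BASELINE.items():
        bnet = ipaddress.ip_network(base)
        if bnet.version == net.version and net.subnet_of(bnet):
            return base, info
    return None


def analyse(updates=OBSERVED):
    """Return alerts as (kind, vantage point(s), prefix, detail) tuples."""
    alerts = []
    vantage_points = {vp for vp, _, _ in updates}
    seen_at = defaultdict(set)          # sub-prefix -> vantage points that saw it
    for vp, prefix, path in updates:
        net = ipaddress.ip_network(prefix)
        origin = path[-1]               # origin AS is the last ASN in AS_PATH
        hit = covering_baseline(net)
        if hit is None:
            continue                    # not a prefix we monitor
        base, info = hit
        if prefix != base:
            alerts.append(("more-specific", vp, prefix, f"inside {base}"))
            seen_at[prefix].add(vp)
        if origin != info["origin"]:
            alerts.append(("origin-change", vp, prefix,
                           f"origin AS{origin}, expected AS{info['origin']}"))
        elif len(path) >= 2 and path[-2] not in info["upstreams"]:
            # Origin looks right but the route arrives through a stranger.
            alerts.append(("unexpected-upstream", vp, prefix, f"via AS{path[-2]}"))
    # A path that names the victim's upstreams is dropped by those upstreams,
    # so a sub-prefix visible at some collectors and absent at others is
    # itself a signal, even when origin and upstream look correct.
    for prefix, vps in seen_at.items():
        missing = sorted(vantage_points - vps)
        if missing:
            alerts.append(("partial-visibility", ",".join(sorted(vps)), prefix,
                           f"absent at {missing}"))
    return alerts


if __name__ == "__main__":
    for alert in analyse():
        print(*alert)
```

Note what the third update does to the per-update checks: the origin is correct and the penultimate AS is a known upstream, so only the sub-prefix check and the cross-collector comparison fire. That is the argument for feeding a monitor from many vantage points rather than one.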

  21. Re:Fun fun fud by Zeinfeld · · Score: 2, Informative

    How exactly does that keep the White House's email secret when communicating with people outside of that network? For example if you were someone in the White House sending an email to Russian or Chinese government officials?

    No such network exists; White House email all travels through the regular Internet. The Pentagon has some network capability of its own but that is mostly leased lines. Very few parts are actually Pentagon controlled fiber. I have been in countless meetings where the Pentagon has proposed building its own independent network.

    Some White House email is encrypted. The Pentagon has a massive email security project. But that only handles a portion of the traffic.

    And the Bush administration have in any case been routing their communications through gwbush43.com which is run by an outside contractor and which must have been penetrated by the Russians, Iranians, Israelis and every other self respecting intel service.

    --
    Looking for an Information Security student project suggestion?
    Try http://dotcrimeManifesto.com/
  22. Re:The man in the middle by Alphasite · · Score: 1, Informative

    Slashdot, the only site on the internet where a post titled The Internet's Biggest Security Hole can result in a vagina talk.

    Correcting myself: it is the site with the fastest convergence rate to that topic.

  23. Re:Fun fun fud by lucifuge31337 · · Score: 4, Informative

    Anyone who knows anything about basic Internet protocols should be shitting themselves right about now.

    And those of us who actually do this stuff for a living (who already knew at least most of this) are neither surprised, nor any more paranoid about it. As a matter of fact, this might be the sauce needed to get more providers to properly filter announcements, and possibly more. So making this more public might actually be a good thing.

    The ability to hijack space is already very well known to anyone in a position to do it, and most of us have accidentally done so at some point in our careers. I know I haxxored 192.168.0.0 by accident once by announcing it to an upstream. Yeah....it happens. And it never should. To this day, you'll more often than not see RFC1918 space being announced if you get a full routing table.

    BGP routing table entry for 192.168.0.0/16, version 3564
    Paths: (1 available, best #1, table Default-IP-Routing-Table)
    Advertised to non per-group peers:
    202.10.0.201 202.10.0.202
    Local
    192.0.2.1 from 0.0.0.0 (192.189.54.221)
    Origin incomplete, metric 0, localpref 101, weight 32768, valid, sourced, best
    Community: 2764:20

    --
    Do not fold, spindle or mutilate.
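
A small parser for the router output quoted in the comment above, plus the audit a practitioner would run over it, as an added example that is not code from the page. It assumes the output keeps the shape shown there (a Cisco-style `show ip bgp <prefix>` entry); the sample text is constructed from the quoted lines, and the bogon list is a hand-picked set of RFC 1918 and other reserved blocks rather than a complete one. The audit flags the things that made the quoted entry embarrassing: the prefix is private space, the route is locally sourced, and it is being advertised to peers.

```python
"""Parse a 'show ip bgp <prefix>' style entry and audit it for leaks.

Added example, not code from the page. The sample entry is constructed
from the output quoted in the comment; the bogon list is a hand-picked
subset of reserved blocks.
"""
import ipaddress
import re

SAMPLE = """\
BGP routing table entry for 192.168.0.0/16, version 3564
Paths: (1 available, best #1, table Default-IP-Routing-Table)
  Advertised to non per-group peers:
  202.10.0.201 202.10.0.202
  Local
    192.0.2.1 from 0.0.0.0 (192.189.54.221)
      Origin incomplete, metric 0, localpref 101, weight 32768, valid, sourced, best
      Community: 2764:20
"""

# Hand-picked blocks that should never appear in a public routing table:
# RFC 1918 private space plus a few other well-known reserved ranges.
BOGONS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10")]


def parse_entry(text):
    """Turn one table entry into a dict of prefix, peers, attributes and flags."""
    entry = {"flags": [], "advertised_to": [], "local": False, "communities": []}
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    for i, ln in enumerate(lines):
        m = re.match(r"BGP routing table entry for (\S+), version (\d+)", ln)
        if m:
            entry["prefix"], entry["version"] = m.group(1), int(m.group(2))
            continue
        m = re.match(r"Paths: \((\d+) available", ln)
        if m:
            entry["paths"] = int(m.group(1))
            continue
        if ln.startswith("Advertised to") and i + 1 < len(lines):
            entry["advertised_to"] = lines[i + 1].split()   # peer list follows
            continue
        if ln == "Local":
            entry["local"] = True                           # originated here
            continue
        m = re.match(r"(\S+) from (\S+) \((\S+)\)", ln)
        if m:
            entry["next_hop"], entry["from_peer"], entry["router_id"] = m.groups()
            continue
        m = re.match(r"Origin (\w+), metric (\d+), localpref (\d+), weight (\d+)(?:, (.*))?", ln)
        if m:
            entry["origin"] = m.group(1)
            entry["metric"], entry["localpref"], entry["weight"] = map(int, m.group(2, 3, 4))
            entry["flags"] = [f.strip() for f in (m.group(5) or "").split(",") if f.strip()]
            continue
        m = re.match(r"Community: (.+)", ln)
        if m:
            entry["communities"] = m.group(1).split()
    return entry


def audit(entry):
    """Return human-readable findings for one parsed entry."""
    findings = []
    net = ipaddress.ip_network(entry["prefix"], strict=False)
    for bogon in BOGONS:
        if bogon.version == net.version and net.subnet_of(bogon):
            findings.append(f"{net} lies inside reserved block {bogon}")
            break
    if entry["local"] and entry["advertised_to"]:
        findings.append(f"{net} is locally originated and advertised to "
                        f"{len(entry['advertised_to'])} peer(s)")
    if entry.get("origin") == "incomplete":
        findings.append(f"{net} has ORIGIN incomplete, typically a redistributed "
                        "route rather than a deliberate network statement")
    return findings


if __name__ == "__main__":
    parsed = parse_entry(SAMPLE)
    for finding in audit(parsed):
        print(finding)
```

Run over a full table dump one entry at a time, the bogon check alone would surface the RFC1918 announcements the commenter says are still easy to find.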