Slashdot Mirror
The Internet's Biggest Security Hole Revealed
At DEFCON, Tony Kapela and Alex Pilosov demonstrated a drastic weakness in the Internet's infrastructure that had long been rumored, but wasn't believed practical. They showed how to hijack BGP (the border gateway protocol) in order to eavesdrop on Net traffic in a way that wouldn't be simple to detect. Quoting: "'It's at least as big an issue as the DNS issue, if not bigger,' said Peiter 'Mudge' Zatko, noted computer security expert and former member of the L0pht hacking group, who testified to Congress in 1998 that he could bring down the internet in 30 minutes using a similar BGP attack, and disclosed privately to government agents how BGP could also be exploited to eavesdrop. 'I went around screaming my head about this about ten or twelve years ago... We described this to intelligence agencies and to the National Security Council, in detail.' The man-in-the-middle attack exploits BGP to fool routers into re-directing data to an eavesdropper's network." Here's the PDF of Kapela and Pilosov's presentation.
I find the thought of this genuinley scary. Correct me if I am wrong, but we would have to change the BGP protocol itself to fix this issue. That isn't going to happen anytime soon I reckon, so I guess there is nothing we can do but encrypt senstive transmissions and hope for the best.
And you actually trust Verisign to be a primary signature authority for SSL? Why? They've cooperated in all sorts of stupidity, such as their temporary insistence on returning their own squatting domain as a valid entry for every non-existent domain in *.com, which was particularly nasty because they own the .com master servers. Do you really think that Verisign is that secure, and wouldn't cooperate in faking keys if a national security agency asked them to?
They gave away Microsoft's private keys to someone who called them, a while back, in a rather infamous case that forced Microsoft to change their entire update system and their collection of "secure" sites. If they've done it once, it can clearly happen again, and the lack of publicity may simply be evidence of better media management. I'd be very wary of trusting them with anything and would be skeptical of any institution that relied on Verisign for any kind of critical proof-of-identity situation, though they're probably reasonable enough for personal certs.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
It was really cool, opened a lot of peoples eyes. Here is the archive, http://www.stits.org/fp/Defcon_16/. Please don't flood it and only download it if you will use the info. I also took a ton of photos: http://www.flickr.com/photos/stits/sets/72157606608859399/ Hope to see you all next year!
Yeah, but they don't need to poison BGP to read our data, since they have access by the Tier 1 providers and telcos to the actual photons on the backbone fibers. And of course legal immunity now that they passed that bill.
Nay, this would best be used against other countries, where the NSA actually works.
Cool! Amazing Toys.
Not quite.
Prepends affect your outbound announcements, and this affects inbound traffic to you. Prepends are the most effective tool for BGP manipulation because they're transitive - announcing more specifics works too, but that's not quite the same thing.
Need Geek Rock? Try The Franchise!
Here's a link to information about the incident you mentioned:
http://www.microsoft.com/technet/security/Bulletin/MS01-017.mspx
How serious? This could potentially render the entire Internet inoperable. For real. Anyone who knows anything about basic Internet protocols should be shitting themselves right about now.
You obviously don't know the basics of Internet protocols then. Anyone who knows BGP basics knows this problem is inherent in current interdomain routing.
This is not an attack that just anyone can pull off (unlike Dan's DNS vulnerability). You need possess a BGP peering relationship with a provider who doesn't filter the prefixes listed in the NLRI of a BGP update message, as well as any further upstream providers. A _very high_ bar to say the least.
We're seen numerous accidental route leakages over the years and even some malicious hijacking of IP space for nefarious activity as noted in the presentation. Any significant hijacking for the purpose of MITM (hijacking for spam really isn't a priority for ISPs) would be tracked down instantly on the NANOG list and have severe peering repercussions for the offending ISP. Bumping the IP TTL isn't going to do squat for all the BGP anomaly detection systems continually monitoring the routing infrastructure (Renesys, PHAS, etc).
Sensitive government communications ride on networks that operate separately from the public Internet.
512 MB RAM, 20 GB disk, 200 GB transfer, five datacenters. $19.95/month.
Eh, I was trying to make a reference to the big email scandal of a while ago, where it turned out that important stuff was being sent (illegally) from email accounts at gwb32.com or georgewbush.com instead of whitehouse.gov. Slashdot coverage.
Repton.
They say that only an experienced wizard can do the tengu shuffle.
Why would someone in the White House use an insecure communications channel to send sensitive correspondence to a foreign official? End-to-end encryption is used in such situations.
Information transmitted from government installations is compartmentalized according to its classification level. Unclassified systems don't reside on the same networks as those intended for classified purposes.
I'm a Navy communications nerd; this is kinda what I do for a living.
512 MB RAM, 20 GB disk, 200 GB transfer, five datacenters. $19.95/month.
They gave away Microsoft's private keys to someone who called them
Not quite. Microsoft's private key wasn't compromised; their identity was stolen. The attacker convinced VeriSign to sign his certificate claiming to be "Microsoft Corporation." The whole point of PKI is to never transmit your private key, even to an authority like VeriSign. As usual, the technology is secure; it's the people running it who aren't.
I admit, I looked.
It's a picture of Bill O'Reilly for some reason.
I... think that's an improvement...?
Anyone who knows anything about basic Internet protocols should be shitting themselves right about now.
And those of us who actually do this stuff for a living (who already knew at least most of this) are neither surprised, nor any more paranoid about it. As a matter of fact, this might be the sauce needed to get more providers to properly filter announcements, and possibly more. So making this more public might actually be a good thing.
The ability to hijack space is already very well known to anyone in a position to do it, and most of us have accidentally done so at some point in our careers. I know I haxxored 192.168.0.0 by accident once by announcing it to an upstream. Yeah....it happens. And it never should. TO this day, you'll more often than not see RFC1918 space being announced if you get a full routing table.
BGP routing table entry for 192.168.0.0/16, version 3564
Paths: (1 available, best #1, table Default-IP-Routing-Table)
Advertised to non per-group peers:
202.10.0.201 202.10.0.202
Local
192.0.2.1 from 0.0.0.0 (192.189.54.221)
Origin incomplete, metric 0, localpref 101, weight 32768, valid, sourced, best
Community: 2764:20
Do not fold, spindle or mutilate.