
The Internet's Biggest Security Hole Revealed

At DEFCON, Tony Kapela and Alex Pilosov demonstrated a drastic weakness in the Internet's infrastructure that had long been rumored, but wasn't believed practical. They showed how to hijack BGP (the border gateway protocol) in order to eavesdrop on Net traffic in a way that wouldn't be simple to detect. Quoting: "'It's at least as big an issue as the DNS issue, if not bigger,' said Peiter 'Mudge' Zatko, noted computer security expert and former member of the L0pht hacking group, who testified to Congress in 1998 that he could bring down the internet in 30 minutes using a similar BGP attack, and disclosed privately to government agents how BGP could also be exploited to eavesdrop. 'I went around screaming my head about this about ten or twelve years ago... We described this to intelligence agencies and to the National Security Council, in detail.' The man-in-the-middle attack exploits BGP to fool routers into re-directing data to an eavesdropper's network." Here's the PDF of Kapela and Pilosov's presentation.

18 of 330 comments

  1. Re:Fun fun fud by lordsid · Score: 5, Insightful

    Depends on how much you value your privacy.

    --
    IMAGE VERIFICATION IS EVIL!
  2. SSL by jamesh · Score: 4, Insightful

    I hope that all of those people who thought that getting users to blindly accept self signed certs was a good idea are starting to feel a bit stupid now...

    An SSL cert signed by a trusted central authority isn't the absolute solution to all mitm attacks, but it's a whole lot closer to 'safer' than not.

    1. Re:SSL by Jah-Wren+Ryel · Score: 4, Insightful

      What should be done is that self-signed certs should be acceptable, with the right handling. The way ssh does this is a good one; it alerts you when you initially connect, and throws up an extremely loud and nasty warning if the host's cert has changed from the last time you connected.

      That's great and all if you are an internet mechanic. But what if you just want to drive the damn car? For those people, who are the majority, those messages don't mean squat. Which means they have just as much a chance of picking the unsafe choice as they do the safe choice. So Firefox's solution has been make it hard to pick the unsafe choice. Make it so that you pretty much have to understand what's going on in order to even get the chance to pick the potentially unsafe choice. That seems like a pretty good policy to me.

      --
      When information is power, privacy is freedom.
    2. Re:SSL by nine-times · Score: 4, Insightful

      Properly signed certs should be given higher priority, but a self-signed cert is still vastly better than nothing. The problem is that current browsers treat self-signed certs as being the worst of the three, when in reality they're much better than a naked HTTP connection.

      Exactly. I certainly don't want to sign on to my online banking for the first time and find that it's using a self-signed certificate. On the other hand, if I had to choose between a self-signed certificate and transmitting login information in plain-text, there's no contest.

      I'm of the opinion that encryption should be encouraged in order to stop simple snooping, even if it doesn't prevent more complex attacks. It's not as though certificate authorities are all that diligent in their identity verification anyhow.

    3. Re:SSL by bit01 · Score: 4, Insightful

      For those people, who are the majority, those messages don't mean squat.

      Until self-signed certificates are less safe than bare http any justification for putting up scary messages for self-signed only is nonsense.

      The real problems that need to be fixed are:

      1. The potential for confusion between externally signed and self-signed and the degree of trust thus evidenced. Firefox should use a different lock icon for encrypted transport and for identity validated instead of conflating the two. Some more extensive interface change might be appropriate (color change somewhere?)
      2. It's a site change from externally signed to self-signed or bare, or from self-signed to bare that should be flagged. Firefox should remember signed site state and flag with popups when those transitions occur. Those popups should be integrated with the existing warning popups.

      That seems like a pretty good policy to me.

      It's not good policy to put up popups that have no meaning. Just like the boy that cried wolf and Vista UAC all you're doing is training the user to ignore popups when they do matter.

      Programmers complain incessantly about users ignoring messages. Almost always it's the programmer's fault for not designing their user interface for their target audience. Why on earth should a user take any notice of messages that

      1. are meaningless because they're written in software dialect English not mainstream English
      2. are often more important to the programmer than to the user
      3. do not give the user any avenue to respond. i.e. do not tell the user step-by-step what to do.

      --
      "Advertising supported" just means you're paying twice over, once in time to watch/avoid the ad and twice in the increased price of the product to pay for the ad.
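An added example, not code from the thread or from any browser, of the two ideas above: Jah-Wren+Ryel's ssh-style memory of a site's key, and bit01's point that it is the transition (CA-signed to self-signed to bare) that should be flagged, with separate "encrypted" and "identity validated" indicators. The level names, hosts and fingerprints are constructed for illustration.

```python
from typing import Dict, List, Optional, Tuple

# Transport states in increasing order of assurance (constructed names).
LEVELS = {"plain": 0, "self-signed": 1, "ca-signed": 2}

# store: host -> (level, certificate fingerprint or None) remembered from earlier visits
Store = Dict[str, Tuple[str, Optional[str]]]


def indicators(level: str) -> Dict[str, bool]:
    """Two separate indicators instead of one lock icon that conflates them."""
    return {"encrypted": level != "plain", "identity_validated": level == "ca-signed"}


def evaluate_visit(store: Store, host: str, level: str,
                   fingerprint: Optional[str] = None) -> Tuple[Dict[str, bool], List[str]]:
    """Compare this connection with what was remembered for host and update the store.

    Returns (indicators, warnings). First contact and upgrades are silent; a
    downgrade in level, or a changed key while staying self-signed, is flagged
    and the remembered state is left untouched (as ssh does on a mismatch).
    """
    if level not in LEVELS:
        raise ValueError(f"unknown transport level {level!r}")
    warnings: List[str] = []
    previous = store.get(host)
    if previous is not None:
        prev_level, prev_fp = previous
        if LEVELS[level] < LEVELS[prev_level]:
            warnings.append(f"{host} was {prev_level} last time and is now {level}: "
                            "possible downgrade or interception")
        elif level == "self-signed" and prev_level == "self-signed" and fingerprint != prev_fp:
            warnings.append(f"{host} presented a different self-signed key than before")
    if not warnings:
        store[host] = (level, fingerprint)
    return indicators(level), warnings


if __name__ == "__main__":
    s: Store = {}
    print(evaluate_visit(s, "bank.example", "ca-signed", "fp-a"))    # first visit, quiet
    print(evaluate_visit(s, "bank.example", "self-signed", "fp-b"))  # downgrade, warns
    print(evaluate_visit(s, "wiki.example", "self-signed", "k1"))    # first visit, quiet
    print(evaluate_visit(s, "wiki.example", "self-signed", "k2"))    # key changed, warns
```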

    4. Re:SSL by maztuhblastah · Score: 5, Insightful

      That's great and all if you are an internet mechanic. But what if you just want to drive the damn car? For those people, who are the majority, those messages don't mean squat.

      And you know, teenage kids who "just want to drive the damn car" are also responsible for a substantial portion of collisions. Coincidence?

      The fundamental mistake of computer security is assuming that it can be made easy for the lowest common denominator. It can't. Sorry, I've got no clever analogy for this one -- but it's true. There is simply no way that you can design a system that can retain its security in the face of a user that is both ignorant and has no desire to learn how to properly use the tools at his disposal. You just can't do it. Warnings will be ignored, errors will be bypassed, and someone who wants to remain ignorant will, no matter how many hoops he has to jump through to do it. Most users aren't just ignorant -- they revel in it: how many times have you heard someone say "Oh, I'm just hopeless with computer stuff", followed by a smirk and a giggle? There ain't enough crypto in the world can protect that user.

      Designing a security measure around the lowest common denominator will make everyone less secure, all in the name of making someone who wants to remain ignorant slightly more comfortable. And for the benefit of all of us who want real security, this is a very, very bad idea.

  3. Re:Fun fun fud by jd · Score: 5, Insightful

    Find me an internet provider not using BGP, and I'll show you a European who favours ESES. Yes, this is a major problem, BGP is (almost) the only WAN protocol anyone takes seriously and is the only one meaningfully deployed. I've worried about the possibility of BGP poisoning attacks myself, but only because we have a virtual monoculture and monocultures are generally a Bad Idea. They are dangerous animals.

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
  4. Re:Scary Much? by dlgeek · Score: 5, Insightful

    Well, no. Large ISPs don't have to accept and forward routes from customers without verifying them. The solution to this is the same as preventing forged IP source addresses: stop it at the origination point. If you're an ISP with customer A and customer A starts advertising routing for an IP range they haven't previously advertised, don't accept the advertisement and forward it up the chain until you verify that they actually should advertise that route.
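An added example, not code from the thread or from the talk's authors, of the ingress check dlgeek describes: an ISP accepts an announcement on a customer session only for prefixes that customer is registered to originate, and only down to a registered maximum length, so a more-specific carve-out of someone else's block is dropped at the origination point. The ASNs, prefixes and the AUTHORISED table are constructed for illustration.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed registry: customer ASN -> prefixes it may originate, each with the
# longest prefix length the ISP will accept from it.
AUTHORISED: Dict[int, List[Tuple[str, int]]] = {
    64500: [("198.51.100.0/24", 24)],
    64501: [("203.0.113.0/24", 25), ("2001:db8:1::/48", 48)],
}


def check_announcement(peer_asn: int, prefix: str, as_path: List[int]) -> Tuple[bool, str]:
    """Return (accept, reason) for one route received from the customer peer_asn.

    Accept only if the customer is both the first hop and the origin of the AS
    path, and the prefix is one it may originate (or a more-specific of it no
    longer than the registered maximum length).
    """
    try:
        net = ipaddress.ip_network(prefix, strict=True)
    except ValueError as exc:
        return False, f"malformed prefix: {exc}"
    if not as_path or as_path[0] != peer_asn:
        return False, "AS path does not start with the peer's ASN"
    if as_path[-1] != peer_asn:
        return False, f"origin AS{as_path[-1]} is not the customer AS{peer_asn}"
    for allowed, max_len in AUTHORISED.get(peer_asn, []):
        parent = ipaddress.ip_network(allowed, strict=True)
        if net.version != parent.version:
            continue
        if net == parent or net.subnet_of(parent):
            if net.prefixlen > max_len:
                return False, f"{prefix} is more specific than the /{max_len} allowed for AS{peer_asn}"
            return True, f"{prefix} is within authorised {allowed}"
    return False, f"{prefix} is not authorised for AS{peer_asn}"


def filter_updates(peer_asn: int, updates: List[Tuple[str, List[int]]]):
    """Apply check_announcement to a batch; return (accepted, rejected) with reasons."""
    accepted, rejected = [], []
    for prefix, as_path in updates:
        ok, reason = check_announcement(peer_asn, prefix, as_path)
        (accepted if ok else rejected).append((prefix, reason))
    return accepted, rejected


if __name__ == "__main__":
    # Constructed session from AS64500: its own /24, a block it does not hold,
    # and a /25 of its own block beyond the length it registered.
    batch = [("198.51.100.0/24", [64500]), ("192.0.2.0/24", [64500]), ("198.51.100.0/25", [64500])]
    for verdict, entries in zip(("ACCEPT", "REJECT"), filter_updates(64500, batch)):
        for prefix, why in entries:
            print(verdict, prefix, why)
```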

  5. Why this is not an issue: by teknopurge · Score: 4, Insightful

    BGP is almost always set up manually, at least when first configured. Network admins: DO NOT PUT UNTRUSTED PEERS IN THE ACLs. Joe smith running BGP on 123abcxxxhost.nl has no business being in your tables. If you're accepting adverts from any AS you deserve what you get.

    The routing on the Internet has always been hierarchical: get updates from your upstreams. If they send you bad info you're SOL anyway, just like SSL certs and Verisign's root certs.

  6. You can bet good money... by Caspian · Score: 4, Insightful

    ...that the good folks at the NSA (and/or the FBI, CIA, DHS, ATF, etc., as well as their counterparts in other nations) have been exploiting this for years.

    --
    With spending like this, exactly what are "conservatives" conserving?
  7. Wait, you're telling me.... by Alsee · Score: 5, Insightful

    Wait, you're telling me that they taught US intelligence agencies and the National Security guys how to attack the internet with man-in-the-middle attacks and exploits to fool routers into re-directing data to an eavesdropper's network...

    and they didn't do anything to end the interception and eavesdropping problem???

    I am shocked.

    --
    - - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
  8. Re:The man in the middle by EdIII · Score: 5, Insightful

    Yeah.. That's funny. Nice observation there...

    Just one thing though... You sound like the teenage boys who always claim they want to grow up to be a gynecologist. Problem with that is that gynecologists usually see the worst looking, diseased, and nasty vagina. Not the good looking, sweet smelling, celebrity vagina.

    So the guy who has all the internet porn is going to have quite a collection of goatse and things that will make you WANT to go back to looking at goatse.

  9. ESES is mature? by thegameiam · Score: 4, Insightful

    I've seen implementations of ISIS, and have deployed it myself in both IP and ATM environments. I've never seen an actual deployment of ESES, and I've never heard of one either. I've encountered ISIS adjacencies which don't form correctly, and come up as ESIS, though.

    What hardware supports ESES?

    --
    Need Geek Rock? Try The Franchise!
  10. What did he expect? by frovingslosh · Score: 5, Insightful

    a drastic weakness in the Internet's infrastructure ...to eavesdrop on Net traffic in a way that wouldn't be simple to detect. ... testified to Congress in 1998 ... disclosed privately to government agents how BGP could also be exploited to eavesdrop. '..... We described this to intelligence agencies and to the National Security Council, in detail.'....

    Great, give the very people who want to abuse this the most the inside details, then show shock when it isn't fixed.

    --
    I'm an American. I love this country and the freedoms that we used to have.
  11. this is one of those exploits by circletimessquare · Score: 4, Insightful

    that requires one teensy weensy detail to work (in other words, one huge wonking detail)

    here, it is to be a bgp level peer

    kind of like i can empty a bank of all of its money

    all i need is the key to the safe

    yeah, minor detail

    so do i panic now?

    --
    intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
  12. Re:Fun fun fud by palegray.net · Score: 5, Insightful

    Yet another case for end-to-end encryption. Folks using the public Internet for sensitive communications without employing crypto are already in a bad position.

  13. Re:The man in the middle by IMightB · Score: 5, Insightful

    plus goatse has fewer gaping assholes

  14. I think not by DrHyde · Score: 5, Insightful

    A man-in-the-middle attack on BGP would require that you intercept and re-write BGP data. The only place to do that is if you can insert some hardware on the physical route between two BGP-speaking routers. That is, on the cable between two ISPs that are peering with each other or have a transit agreement. While the BGP protocol could, in theory, be routed across the internet, my understanding is that in practice it never is.

    Add to that that to successfully perform such an attack, you would need appropriate (expensive) network interfaces and hardware capable of speaking fast enough, and this "attack" becomes something that needs a *lot* of resources to pull off. Sure, governments and big corporations can do it, maybe big organised crime could too, but yer average bedroom cracker couldn't.

    And why would the big boys bother anyway, when they can just announce bogus routes?