Slashdot Mirror
The Internet's Biggest Security Hole Revealed
At DEFCON, Tony Kapela and Alex Pilosov demonstrated a drastic weakness in the Internet's infrastructure that had long been rumored, but wasn't believed practical. They showed how to hijack BGP (the border gateway protocol) in order to eavesdrop on Net traffic in a way that wouldn't be simple to detect. Quoting: "'It's at least as big an issue as the DNS issue, if not bigger,' said Peiter 'Mudge' Zatko, noted computer security expert and former member of the L0pht hacking group, who testified to Congress in 1998 that he could bring down the internet in 30 minutes using a similar BGP attack, and disclosed privately to government agents how BGP could also be exploited to eavesdrop. 'I went around screaming my head about this about ten or twelve years ago... We described this to intelligence agencies and to the National Security Council, in detail.' The man-in-the-middle attack exploits BGP to fool routers into re-directing data to an eavesdropper's network." Here's the PDF of Kapela and Pilosov's presentation.
Depends on how much you value your privacy.
IMAGE VERIFICATION IS EVIL!
Let's put it this way. Email right? It's delivered between hosts completely unencrypted. Imagine you could sniff all the email passing into, say, the white house.. would that be worth something?
Note, I've also given you the hint to prevent this bullshit from being a problem.
How we know is more important than what we know.
I find the thought of this genuinley scary. Correct me if I am wrong, but we would have to change the BGP protocol itself to fix this issue. That isn't going to happen anytime soon I reckon, so I guess there is nothing we can do but encrypt senstive transmissions and hope for the best.
Find me an internet provider not using BGP, and I'll show you a European who favours ESES. Yes, this is a major problem, BGP is (almost) the only WAN protocol anyone takes seriously and is the only one meaningfully deployed. I've worried about the possibility of BGP poisoning attacks myself, but only because we have a virtual monoculture and monocultures are generally a Bad Idea. They are dangerous animals.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
I don't think anyone thinks that self-signed certs should be blindly accepted.
What should be done is that self-signed certs should be acceptable, with the right handling. The way ssh does this is a good one; it alerts you when you initially connect, and throws up an extremely loud and nasty warning if the host's cert has changed from the last time you connect. This gives you the opportunity to verify the cert out of band if you should care to, and forces an attacker to hit you on your very first access to a given site.
Properly signed certs should be given higher priority, but a self -signed cert is still vastly better than nothing. The problem is that current browsers treat self-signed certs as being the worst of the three, when in reality they're much better than a naked HTTP connection.
If you mod me Overrated, you are admitting that you have no penis.
Depends on how much you value your privacy, Mr. Stephen P Wallagher of 4242 Green Leafy Forest Terrace, Springfield, Ohio 55538, Phone number 1-900-Hot Dude, alias "Lovestospooge."
fixed.
If you can read this, I forgot to post anonymously.
How can a title including 'The Internet's Biggest ... Hole' not be kicked off with a goatse joke?
He's getting rather old, but he's a good mouse.
Let's put it this way. Email right? It's delivered between hosts completely unencrypted. Imagine you could sniff all the email passing into, say, the white house.. would that be worth something?
Note, I've also given you the hint to prevent this bullshit from being a problem.
So we need to destroy the White House?
It was really cool, opened a lot of peoples eyes. Here is the archive, http://www.stits.org/fp/Defcon_16/. Please don't flood it and only download it if you will use the info. I also took a ton of photos: http://www.flickr.com/photos/stits/sets/72157606608859399/ Hope to see you all next year!
Wait, you're telling me that they taught US intelligence agencies and the National Security guys how to attack the internet with man-in-the-middle attacks and exploits to fool routers into re-directing data to an eavesdropper's network...
and they didn't do anything to end the interception and eavesdropping problem???
I am shocked.
-
- - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
There is a lot of harm you can do, least for a short while. But I have to say, this seems like a lot of FUD to me.
It is not trivial to get BGP peering, or to keep it if you are doing bad things. You will need one or more peers, and they will have to do this for you manually, not automatically. And (as I can attest) the AS prepending this attack relies on is a very blunt instrument.
Here are the troubles I see
- You need to be able to offer a better path from Point A to Point B than the existing Internet topology
- Unless you are Dr. Evil and can afford infinite bandwidth, this better path had better not also apply to a large chunk of the Internet, or you will get hosed with a lot of bandwidth (and, also, instantly stick up on the screens of NOCs all over the place) and
- If you are relying on AS prepends, these affect the path from you, but not directly the path to you. They are notoriously tricky and may stop working (because of changes in other people's advertisements) at any time.
So, to me, this is a might work sometimes for some people in some places, but probably not that well on a general basis.
The DNS cache poisoning sounds a lot worse, frankly.
I looked at this problem back in the early 1980s, when I was doing some work on TCP. I was trying to come up with a routing protocol that didn't require passing the same information around repeatedly, because backbone networks had very low bandwidth back then, and the existing routing protocols had either O(N^2) traffic or the "hop count to infinity" problem.
I came up with something called "Gateway Database Protocol", which was a scheme for passing tuples of the form "X says Y=Z" around. The idea was that any node seeing inconsistencies in "X says ..." would propagate the tuple back to X, revealing the problem to X.
This is enough to detect hijacking, but not enough to stop it. I'd worked out a scheme good enough to automatically correct erroneous data, but not one good enough to deal with the insertion of hostile data. The design goal back then was to guarantee that if the hostile site was removed from the network (perhaps forcibly), the system would then stabilize into a valid state.
That's not enough any more. But it is worthwhile considering that a routing protocol should have the property that if X's info is being faked anywhere in the network, X hears about it. BGP doesn't do that.
Yeah.. That's funny. Nice observation there...
Just one thing though... You sound like the teenage boys who always claim they want to grow up to be a gynecologist. Problem with that is that gynecologists usually see the worst looking, diseased, and nasty vagina. Not the good looking, sweet smelling, celebrity vagina.
So the guy who has all the internet porn is going to have quite a collection of goatse and things that will make you WANT to go back to looking at goatse.
Heh. Standards should be the starting point, not the end goal (or, in IE's case, the work of fiction based on the screenplay based on a True Story of one man and his chair).
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
No, it gets sent through Dick Cheney's hotmail account.
Great, give the very people who want to abuse this the most the inside details, then show shock when it isn't fixed.
I'm an American. I love this country and the freedoms that we used to have.
Here's a link to information about the incident you mentioned:
http://www.microsoft.com/technet/security/Bulletin/MS01-017.mspx
How serious? This could potentially render the entire Internet inoperable. For real. Anyone who knows anything about basic Internet protocols should be shitting themselves right about now.
You obviously don't know the basics of Internet protocols then. Anyone who knows BGP basics knows this problem is inherent in current interdomain routing.
This is not an attack that just anyone can pull off (unlike Dan's DNS vulnerability). You need possess a BGP peering relationship with a provider who doesn't filter the prefixes listed in the NLRI of a BGP update message, as well as any further upstream providers. A _very high_ bar to say the least.
We're seen numerous accidental route leakages over the years and even some malicious hijacking of IP space for nefarious activity as noted in the presentation. Any significant hijacking for the purpose of MITM (hijacking for spam really isn't a priority for ISPs) would be tracked down instantly on the NANOG list and have severe peering repercussions for the offending ISP. Bumping the IP TTL isn't going to do squat for all the BGP anomaly detection systems continually monitoring the routing infrastructure (Renesys, PHAS, etc).
Sensitive government communications ride on networks that operate separately from the public Internet.
512 MB RAM, 20 GB disk, 200 GB transfer, five datacenters. $19.95/month.
Yet another case for end-to-end encryption. Folks using the public Internet for sensitive communications without employing crypto, are already in a bad position.
512 MB RAM, 20 GB disk, 200 GB transfer, five datacenters. $19.95/month.
Why would someone in the White House use an insecure communications channel to send sensitive correspondence to a foreign official? End-to-end encryption is used in such situations.
Information transmitted from government installations is compartmentalized according to its classification level. Unclassified systems don't reside on the same networks as those intended for classified purposes.
I'm a Navy communications nerd; this is kinda what I do for a living.
512 MB RAM, 20 GB disk, 200 GB transfer, five datacenters. $19.95/month.
plus goatse has fewer gaping assholes
You called? Sorry I'm late
The Internet's Biggest Hole Revealed at http://goatse.cz/
He said he doesn't want to see duplicates... why are you sending him to Slashdot's main page?
Protect your browser with the Force Safe Search add-on
Having seen (or been subjected to), as we all have, to upskirts of Britney, Paris, etc, I gotta say that "celebrity vagina" is by no means universally "good looking, sweet smelling"...
They gave away Microsoft's private keys to someone who called them
Not quite. Microsoft's private key wasn't compromised; their identity was stolen. The attacker convinced VeriSign to sign his certificate claiming to be "Microsoft Corporation." The whole point of PKI is to never transmit your private key, even to an authority like VeriSign. As usual, the technology is secure; it's the people running it who aren't.
Over +9000!!!
Whew! Good thing you clicked the "Anonymous Coward" box when you posted that!
-
- - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
A man-in-the-middle attack on BGP would require that you intercept and re-write BGP data. The only place to do that is if you can insert some hardware on the physical route between two BGP-speaking routers. That is, on the cable between two ISPs that are peering with each other or have a transit agreement. While the BGP protocol could, in theory, be routed across the internet, my understanding is that in practice it never is.
Add to that that to successfully perform such an attack, you would need appropriate (expensive) network interfaces and hardware capable of speaking fast enough, and this "attack" becomes something that needs a *lot* of resources to pull off. Sure, governments and big corporations can do it, maybe big organised crime could too, but yer average bedroom cracker couldn't.
And why would the big boys bother anyway, when they can just announce bogus routes?
That's great and all if you are an internet mechanic. But what if you just want to drive the damn car? For those people, who are the majority, those messages don't mean squat.
And you know, teenage kids who "just want to drive the damn car" are also responsible for a substantial portion of collisions. Coincidence?
The fundamental mistake of computer security is assuming that it can be made easy for the lowest common denominator. It can't. Sorry, I've got no clever analogy for this one -- but it's true. There is simply no way that you can design a system that can retain its security in the face of a user that is both ignorant and has no desire to learn how to properly use the tools at his disposal. You just can't do it. Warnings will be ignored, errors will be bypassed, and someone who wants to remain ignorant will, no matter how many hoops he has to jump through to do it. Most users aren't just ignorant -- they revel in it: how many times have you heard someone say "Oh, I'm just hopeless with computer stuff", followed by a smirk and a giggle? There ain't enough crypto in the world can protect that user.
Designing a security measure around the lowest common denominator will make everyone less secure, all in the name of making someone who wants to remain ignorant slightly more comfortable. And for the benefit of all of us who want real security, this is a very, very bad idea.
The real litigious bastards...