Slashdot Mirror


Inside North Korea's Naenara Browser

msm1267 (2804139) writes with this excerpt from Threatpost: Up until a few weeks ago, the number of people outside of North Korea who gave much thought to the Internet infrastructure in that country was vanishingly small. But the speculation about the Sony hack has fixed that, and now a security researcher has taken a hard look at the national browser used in North Korea and found more than a little weirdness. The Naenara browser is part of the Red Star operating system used in North Korea and it's a derivative of an outdated version of Mozilla Firefox. The country is known to tightly control the communications and activities of its citizens and that extends online, as well. Robert Hansen, vice president of WhiteHat Labs at WhiteHat Security, and an accomplished security researcher, recently got a copy of Naenara and began looking at its behavior, and he immediately realized that every time the browser loads, its first move is to make a request to a non-routable IP address, http://10.76.1.11./. That address is not reachable from networks outside the DPRK.

"Here's where things start to go off the rails: what this means is that all of the DPRK's national network is non-routable IP space. You heard me; they're treating their entire country like some small to medium business might treat their corporate office," Hansen wrote in a blog post detailing his findings. "The entire country of North Korea is sitting on one class A network (16,777,216 addresses). I was always under the impression they were just pretending that they owned large blocks of public IP space from a networking perspective, blocking everything and selectively turning on outbound traffic via access control lists."

31 of 159 comments

  1. The future of the internet, really by Anonymous Coward · · Score: 4, Funny

    IPv6 will never take off, so in the end we'll be bridging national internets just like this one.

  2. Wow by Anonymous Coward · · Score: 5, Funny

    I didn't think it was possible to make the Internet Explorer and Windows XP I'm forced to use at work seem like a privilege. Congrats, North Korea. You pulled it off.

  3. In Soviet Korea by XxtraLarGe · · Score: 5, Funny

    The internet browses YOU!

    --
    Taking guns away from the 99% gives the 1% 100% of the power.
  4. This is horrible by Minwee · · Score: 5, Funny

    This means that North Korea is VIOLATING RFC 1918! Forget all that other stuff, this must be stopped by any means necessary!

    1. Re:This is horrible by Tukz · · Score: 5, Insightful

      Well, they ARE using it for a private network....of sorts.

      --
      - Don't do what I do, it's probably not healthy nor safe. -
    2. Re:This is horrible by XxtraLarGe · · Score: 2

      Well, they ARE using it for a private network....of sorts.

      You can say that again!

      --
      Taking guns away from the 99% gives the 1% 100% of the power.
    3. Re:This is horrible by RavenLrD20k · · Score: 2

      That again!

      Why did I need your permission, exactly?

  5. Correct me if I'm wrong... by Anonymous Coward · · Score: 2

    In other words, the U.S. government could make attackers coming from inside the DPRK a non-issue through a (relatively cheap for a national government) DDoS service?

    1. Re:Correct me if I'm wrong... by Howitzer86 · · Score: 5, Interesting

      People obsess over this idea that North Koreans must be hacking from within North Korea, and that there's no way they could realistically do it because their connection bandwidth is so puny. They forget that the North Korean government is really an organized criminal syndicate with a huge military and slave labor base. They likely have vast criminal connections. All they have to do is hire sympathetic South Korean hackers on the condition that they do their work under the North Korean banner. When all is said and done, the North Koreans come out looking like badasses you don't want to mess with, when in reality they just farmed the work out using basic email, a courier, and a satellite phone.

      We could break their internet access forever, with a never ending DDOS, and it wouldn't matter one bit.

    2. Re:Correct me if I'm wrong... by dj245 · · Score: 3, Informative

      They forget that North Korean government is really an organized criminal syndicate with a huge military and slave labor base.

      And Kim and pals work hard to make sure people keep on forgetting it.

      Do you personally know what Kim Jong Un has been up to? He has been in power only about 2 years and aside from propaganda photos, nobody really knows what he has been doing in that time, especially Westerners. Citizens of the DPRK don't even know how old he is. The only evidence giving a glimpse into his personal policies or beliefs is that he probably is quietly pushing reforms and experimenting with capitalism. He lived in Switzerland (probably) and has visited other capitalist countries. Turning a country around, especially one like North Korea, takes time. It is foolhardy to judge the man based on the almost nothing we know about him personally.

      --
      Even those who arrange and design shrubberies are under considerable economic stress at this period in history.
  6. That's how I'd do it by Anonymous Coward · · Score: 4, Interesting

    If I were in charge of the network in a place like North Korea where it's heavily monitored and locked down, I'd run it like a big corporate LAN too, utilizing the 10.x.x.x block. The IP that every browser hits on load would be set up as an anycast address with nodes in datacenters near large groups of users (corporate campuses, or in this case cities with lots of PCs).

    The article also provides some good insight for those who aren't aware how malware can discreetly provide security holes... using only one encryption key, allowing for easy man-in-the-middle attacks, as in this example.

  7. Non-reachable yet still slashdotted by rs1n · · Score: 5, Funny

    I like how the summary posts the non-reachable IP address just so we can slashdot it anyway.

    1. Re:Non-reachable yet still slashdotted by steveo777 · · Score: 4, Funny

      Nothing stops you from creating your own host at 10.76.1.11. And then slashdotting the SOB

      --
      This sig isn't original enough, it's time to come up with something witty...
  8. Conclusion goes too far? by ByTor-2112 · · Score: 3, Insightful

    Can you really generalize that all the internal network must be from the 10.0.0.0/8 block? What prevents those addresses from being used other than convention and router setup? Perhaps they are only for the internal government computers to make them completely invisible to outside networks.

    1. Re:Conclusion goes too far? by gstoddart · · Score: 4, Funny

      One of the funniest things I ever saw on a corporate network:

      A manager had a bunch of machines in his office, and IT couldn't/wouldn't add any more network drops for him. So, he bought a little router. It turns out that the 192.168.* addresses it gave to his machines corresponded exactly to the ones the Exchange servers used, and something about the NAT crossed some signals.

      Once they pieced together why email had stopped working, they immediately put a ban on those things, and immediately got him a switch which didn't do DHCP so he could have more networking in his office.

      The whole time the developers were howling and thinking "really, those are the IP addresses they chose for critical infrastructure? The first ones in the open pool?"

      Everything defaults to starting at 192.168.0.1, which means if you're using it you might not like the results.

      --
      Lost at C:>. Found at C.
    2. Re:Conclusion goes too far? by catmistake · · Score: 2

      Can you really generalize that all the internal network must be from the 10.0.0.0/8 block? What prevents those addresses from being used other than convention and router setup? Perhaps they are only for the internal government computers to make them completely invisible to outside networks.

      he immediately realized that every time the browser loads, its first move is to make a request to a non-routable IP address, http://10.76.1.11./

      It's written poorly, but it sounds to me merely like the default site on the browser is set to http://10.76.1.11.../ so it's possible whoever built that first instance is using a private network, used that internal address to test that his build worked, or is using an IP that is not live, and somehow left the default in there when it was distributed... or maybe all home routers in N. Korea have that as the internal IP address, and to make setup convenient, the browser just loads the home router's setup page at its internal address. It is a massive leap to say all of N. Korea is a single private network just because the browser loads some arbitrary address. It's possible N. Korea is doing this, but this is not the kind of isolated evidence I would stake my life on, or bet money on. I'd sooner believe TFA author made an error in judgement if he believes this is absolute evidence of his theory simply because the browser loaded that IP first rather than www.getfirefox.com, www.mozilla.org, or whatever Mozilla usually sets it to by default. If someone looked at your browser, and noticed that when launched it loads http://slashdot.org/, you really cannot make any conclusions from that, such as that you're a Slashdot reader, because just because the browser tries to connect does not mean it can or will.

  9. Re:The Narnia Browser by wonkey_monkey · · Score: 3, Funny

    Kim Il-Sung invented English in 1976 to stunt the intellectual development of the Western world.

    --
    systemd is Roko's Basilisk.
  10. Re:Translation pls. by EuclideanSilence · · Score: 5, Informative

    There are some addresses on the internet that are only associated (except for misuse) with 1 device, these are "public IP".

    There are some addresses on the internet that are intended to be associated with multiple devices, these are "private IP".

    Private addresses can only be "seen" on a local network, so only one instance of a private address per local network. If you ask for a connection to a private address and the local network doesn't have it, your network won't make any connection for you (even though hypothetically there are several people in the world on other local networks with that address).

    It's like being at a family reunion and asking for "John", and not getting a response because no one there is named John, even though a lot of people in the world share that name. On the other hand, if you ask for "Gilgamesh", well then people know to send you to ancient Sur, even though no one in your family is named "Gilgamesh". John is a private reusable identifier, Gilgamesh is a public unique identifier.

    The consequence of this is that to run a service that machines from outside your local network can connect to, you have to associate the service with a public address. Due to North Korea being one gigantic "local network" (something that usually only exists on the scale of homes and companies), no one in the world can request a connection to anyone in North Korea, unless a public address/port pair is preallocated to that person. NKoreans can still request connections to the rest of the world, assuming that the routers on the edge of their private network can remember all those connections. For a healthy country, remembering so much would be almost impossible, but for North Korea, it is a sign of how few people can make Internet connections to the rest of the world.

  11. Slightly jumping to conclusions by wonkey_monkey · · Score: 4, Interesting

    When I first saw an image of the browser I was awe-struck to see that it made a request to an address (http://10.76.1.11/) upon first run.

    This guy may want to tweak his astonishment threshold before going outside.

    "Here's where things start to go off the rails: what this means is that all of the DPRK's national network is non-routable IP space.

    Not necessarily. He might well be right, but it might it not just be that the address is actually routeable from within DPRK, and that the IP address was deliberately chosen so as not to be routeable from the outside world?

    --
    systemd is Roko's Basilisk.
  12. Re:Why is this surprising? by Anonymous Coward · · Score: 3, Funny

    DPRK has one network under central control, much like a large corporate entity... it's not like there is a choice of ISPs who have to link with each other!

    Anyways, the DPRK internet as used by those DPRK citizens (still a very small percentage of the overall population) is completely airgapped from the public internet as we know it. Only a very very small number of elites have access to the 'real' internet...

    So the DPRK is using AOL's old business model? That is EVIL!

  13. Re:Translation pls. by Megol · · Score: 2

    Hey, I have written a TCP/IP stack* and don't remember the specifics anymore... Thinking that every technical person remembers everything they ever touched is idiotic. Thinking every technical person knows details of everything is even more idiotic.

    (* embedded stuff using good old SLIP)

  14. Re:not that weird by jbmartin6 · · Score: 2

    I wonder how many people in NK even have access to their national 'intranet' let alone the global Internet.

    --
    This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.
  15. Re:Translation pls. by some1into_ISP · · Score: 2

    Network Address Translation, do you speak it?

  16. Re:The Narnia Browser by marcello_dl · · Score: 2

    Close, but no cigar.
    Hint: Apple Computer Inc. got founded April 1, 1976.

    --
    ---- MISSING MISCELLANEOUS DATA SEGMENT --- [sigdash] trolololol
  17. Re:Translation pls. by TemporalBeing · · Score: 2

    Can someone translate this for the people that do not understand network speak.

    Network Addresses, known as IP Addresses, are allocated into several groupings, namely Public, Private, Multicast, Local, and non-usable.
    The addresses are also allocated in blocks - A, B, and C - which have to do with how many addresses are available in the block purchased.

    The Private group consists of addresses 10.a.b.c, 192.168.x.y, and 172.16.x.y. These are considered class A, B, and C respectively. These addresses are supposed to only be used on private networks - e.g. in your home, office, etc. - and as such, networks are typically configured to not be able to route to them. So if you're at location A, 10.0.0.1 will be a different server specifically on their network than if you were at location B.

    The Local group is similar and consists of 127.a.b.c, though typically only 127.0.0.1 is used. The big difference is that it will never route off the computer you are using.
    The Multicast group is a special group reserved at the upper end of the IPv4 spectrum. It was supposed to be for things like video distribution where you have one sender and many receivers, so as to optimize the network by allowing everyone to listen to the same stream - kind of like a TV over-the-air broadcast. However, they've been reclaiming addresses from it for the Public group because the Internet is basically not configured to support Multicast functionality.

    The Public group is pretty much everything else, except a special set of IP addresses in the 169.a.b.c range that is a "do not use" range.

    So essentially, North Korea is making the entire country look like your work office or home network. At least, that's the claim.

    --
    Truth is like the sun. You can shut it out for a time, but it ain't goin' away. - Elvis Presley (source: imdb.com)
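The public/private/loopback/link-local/multicast groupings that the two explanatory comments above walk through, as an added classifier (example code, not from the thread or from Hansen's analysis): it takes the URL from the summary, strips the trailing dot that Moskit points out, and reports which block the host falls in. The block table and its RFC labels are assumptions added here, not something the comments cite.

```python
from urllib.parse import urlsplit

# Address blocks the thread discusses, as (prefix, prefix length, label).
# Labels assumed here: RFC 1918 (private), RFC 1122 (loopback),
# RFC 3927 (link-local), RFC 5771 (multicast).
RANGES = [
    ("10.0.0.0", 8, "private (RFC 1918, class A sized block)"),
    ("172.16.0.0", 12, "private (RFC 1918, 172.16/12)"),
    ("192.168.0.0", 16, "private (RFC 1918, 192.168/16)"),
    ("127.0.0.0", 8, "loopback (never leaves the host)"),
    ("169.254.0.0", 16, "link-local (auto-configured, not routed)"),
    ("224.0.0.0", 4, "multicast"),
]


def ipv4_to_int(addr: str) -> int:
    """Convert a dotted quad to a 32-bit integer, rejecting malformed input."""
    parts = addr.split(".")
    if len(parts) != 4:
        raise ValueError(f"not a dotted quad: {addr!r}")
    value = 0
    for part in parts:
        if not part.isdigit() or not 0 <= int(part) <= 255:
            raise ValueError(f"bad octet {part!r} in {addr!r}")
        value = (value << 8) | int(part)
    return value


def block_size(prefix_len: int) -> int:
    """Number of addresses in a /prefix_len block (a /8 is 16,777,216)."""
    return 1 << (32 - prefix_len)


def in_block(addr: str, prefix: str, prefix_len: int) -> bool:
    """True when addr falls inside prefix/prefix_len."""
    mask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return ipv4_to_int(addr) & mask == ipv4_to_int(prefix) & mask


def classify(addr: str) -> str:
    """Label of the first matching block; anything else is public space."""
    for prefix, prefix_len, label in RANGES:
        if in_block(addr, prefix, prefix_len):
            return label
    return "public (globally routed)"


def host_from_url(url: str) -> str:
    """Pull the host out of a URL. A trailing dot, as in http://10.76.1.11./,
    is the absolute-name spelling of a hostname; strip it before classifying."""
    host = urlsplit(url).hostname
    if host is None:
        raise ValueError(f"no host in {url!r}")
    return host.rstrip(".")


def classify_url(url: str) -> tuple:
    """(host, label) for the host a URL points at."""
    host = host_from_url(url)
    return host, classify(host)
```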
  18. Re:Translation pls. by TemporalBeing · · Score: 2

    There are some addresses on the internet that are only associated (except for misuse) with 1 device, these are "public IP".

    There are some addresses on the internet that are intended to be associated with multiple devices, these are "private IP".

    That has nothing to do with it.

      All IP addresses are only supposed to point to one device; though a device may have multiple IP addresses. The difference is whether or not they are publicly visible and routeable.

    There is nothing saying that North Korea didn't take a part of the 10.a.b.c range and define it as a public network within their country. So they are not necessarily segregating the whole country. Simply put - there is not enough information to substantiate whether the whole country is in a private range, or if they just utilized part of the private range for some country specific services, and made that range public within the country.

    --
    Truth is like the sun. You can shut it out for a time, but it ain't goin' away. - Elvis Presley (source: imdb.com)
  19. It's URL, not IP. And 10/8 is _routable. by Moskit · · Score: 3, Informative

    Another summary written by a clueless, not a nerd.

    The 10/8 network is a perfectly routable IP range.

    http://10.76.1.11./ is a URL, not an IP address.
    It also has an extra dot before the closing slash.

    "News for _nerds_", sure...

  20. Re:Translation pls. by mythosaz · · Score: 3, Funny

    Gilgamesh and Enkidu, at Uruk.

    Darmok and Jalad at Tanagra.

  21. Re: Translation pls. by unixisc · · Score: 2

    Actually, w/ all that IPv4 address shortage, what's the function of all addresses from 127.0.0.2 to 127.255.255.254? Why would any network need 16,580,608 loopback addresses?

  22. IPv6's multiple addresses by unixisc · · Score: 2

    Even if your idea had been done, it would have grown from 32 bits to 36. But that aside, even if it had grown from 32 bits to 33, you'd still have a completely incompatible protocol, even if they preserved NAT and everything else already there in IPv4, since your IPv4 header would have changed. Which would have required all networking gear worldwide to be redone.

    The 128 bit representation - if you want, you could have represented an address of 2001:db8:fab:cad::1 in decimals as 8193.3512.4011.3245.0.0.0.1. While this particular address might not look ugly, one could have addresses like 8193.3512.42674.13579.59867.27384.57365.37485. Which would be about as ugly as hex. One advantage of hex - you are automatically clamped at ffff within a segment, as opposed to remembering not to exceed 65535 for any block, which would be somewhat more complicated than remembering not to exceed 255.

    It shouldn't be that difficult for network admins to understand; as for the average Billy Joe Blow, he'd have trouble even understanding subnet masks, NAT, Class C addressing and so on. Link Local addresses are addresses that belong to a link, and which don't need a network - you can connect 2 computers via an ethernet cable, and the addresses they'll use to communicate w/ each other would be the link local addresses. Node local is the loopback address; this time, instead of reserving all of 127.x.x.x, they've just assigned 1 address ::1 to it. The site unique addresses are the equivalent of private addresses that one would use behind a NAT (in IPv4, concepts like link-local and site unique addresses are all conflated, due to the limited addresses). However, instead of the 192.168.1.176 that a lot of computers might get, this one is likely to be a unique address since it's randomly assigned from 112 bits: as a result, overlapping 2 VPNs is less likely to have conflicting addresses than in IPv4.
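unixisc's decimal rendering of 2001:db8:fab:cad::1 as 8193.3512.4011.3245.0.0.0.1, worked through as an added example (not code from the comment): the function expands "::" into the missing zero groups, renders each 16-bit group in decimal, and makes the 65535-per-group limit the comment mentions an explicit check.

```python
GROUP_MAX = 0xFFFF  # 65535: the largest value one 16-bit IPv6 group can hold


def expand_ipv6(addr: str) -> list:
    """Expand an IPv6 address, possibly compressed with '::', into 8 integers."""
    if addr.count("::") > 1:
        raise ValueError("at most one '::' is allowed")
    if "::" in addr:
        head, tail = addr.split("::")
        head_groups = head.split(":") if head else []
        tail_groups = tail.split(":") if tail else []
        missing = 8 - len(head_groups) - len(tail_groups)
        if missing < 1:
            raise ValueError("'::' must stand for at least one zero group")
        groups = head_groups + ["0"] * missing + tail_groups
    else:
        groups = addr.split(":")
    if len(groups) != 8:
        raise ValueError(f"expected 8 groups, got {len(groups)} in {addr!r}")
    values = []
    for group in groups:
        if not 1 <= len(group) <= 4:
            raise ValueError(f"bad group {group!r} in {addr!r}")
        values.append(int(group, 16))  # ValueError on non-hex digits
    return values


def valid_group(value: int) -> bool:
    """Hex notation clamps a group at ffff; in decimal you must check 65535 yourself."""
    return 0 <= value <= GROUP_MAX


def to_decimal_groups(addr: str) -> str:
    """Render an IPv6 address as eight dotted decimal groups."""
    return ".".join(str(v) for v in expand_ipv6(addr))


def to_hex_groups(values: list) -> str:
    """Render eight integers back as colon-separated hex groups (no '::' compression)."""
    if len(values) != 8 or not all(valid_group(v) for v in values):
        raise ValueError("need exactly 8 groups in the range 0..65535")
    return ":".join(f"{v:x}" for v in values)
```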

  23. Re:Translation pls. by some1into_ISP · · Score: 2

    That's not how it works... that's not how any of this works!