Inside North Korea's Naenara Browser

msm1267 (2804139) writes with this excerpt from Threatpost Up until a few weeks ago, the number of people outside of North Korea who gave much thought to the Internet infrastructure in that country was vanishingly small. But the speculation about the Sony hack has fixed that, and now a security researcher has taken a hard look at the national browser used in North Korea and found more than a little weirdness. The Naenara browser is part of the Red Star operating system used in North Korea and it's a derivative of an outdated version of Mozilla Firefox. The country is known to tightly control the communications and activities of its citizens and that extends online, as well. Robert Hansen, vice president of WhiteHat Labs at WhiteHat Security, and an accomplished security researcher, recently got a copy of Naenara and began looking at its behavior, and he immediately realized that every time the browser loads, its first move is to make a request to a non-routable IP address, http://10.76.1.11./ That address is not reachable from networks outside the DPRK.

"Here's where things start to go off the rails: what this means is that all of the DPRK's national network is non-routable IP space. You heard me; they're treating their entire country like some small to medium business might treat their corporate office," Hansen wrote in a blog post detailing his findings. "The entire country of North Korea is sitting on one class A network (16,777,216 addresses). I was always under the impression they were just pretending that they owned large blocks of public IP space from a networking perspective, blocking everything and selectively turning on outbound traffic via access control lists."

The future of the internet, really

IPv6 will never take off, so in the end we'll be bridging national internets just like this one.

Wow

I didn't think it was possible to make the Internet Explorer and Windows XP I'm forced to use at work seem like a privilege. Congrats, North Korea. You pulled it off.

In Soviet Korea

[XxtraLarGe]

The internet browses YOU!

This is horrible

[Minwee]

This means that North Korea is VIOLATING RFC 1918! Forget all that other stuff, this must be stopped by any means necessary!

Re:This is horrible

[Tukz]

Well, they ARE using it for a private network....of sorts.

That's how I'd do it

If I were in charge of the network in a place like North Korea where it's heavily monitored and locked down, I'd run it like a big corporate LAN too, utilizing the 10.x.x.x block. The IP that every browser hits on load would be set up as an anycast address with nodes in datacenters near large groups of users (corporate campuses, or cities with lots of PCs in this case.)

The article also provides some good insight for those who aren't aware how malware can discretely provide security holes... using only one encryption key, allowing for easy man-in-the-middle attacks, as in this example.

Non-reachable yet still slashdotted

[rs1n]

I like how the summary posts the non-reachable IP address just so we can slashdot it anyway.

Re:Non-reachable yet still slashdotted

[steveo777]

Nothing stops you from creating your own host at 10.76.1.11. And then slashdotting the SOB

Conclusion goes too far?

[ByTor-2112]

Can you really generalize that all the internal network must be from the 10.0.0.0/8 block? What prevents those addresses from being used other than convention and router setup. Perhaps they are only for the internal government computers to make them completely invisible to outside networks.

Re:Conclusion goes too far?

[gstoddart]

One of the funniest things I ever saw on a corporate network:

A manager had a bunch of machines in his office, and IT couldn't/wouldn't add any more network drops for him. So, he bought a little router. It turns out that the 192.168.* addresses it gave to his machine corresponded exactly to the ones the Exchange servers used, and something about the NAT crossed some signals.

Once they pieced together why email had stopped working, they immediately put a ban on those things, and immediately got him a switch which didn't do DHCP so he could have more networking in his office.

The whole time the developers were howling and thinking "really, that's the IP addresses they chose for critical infrastructure? The first one in the open pool?"

Everything defaults to starting at 192.168.0.1, which means if you're using it you might not like the results.

Re:Correct me if I'm wrong...

[Howitzer86]

People obsess over this idea that North Koreans must be hacking from within North Korea, and that there's no way they could realistically do it because their connection bandwidth is so puny. They forget that North Korean government is really an organized criminal syndicate with a huge military and slave labor base. They likely have vast criminal connections. All they have to do is hire sympathetic South Korean hackers on the condition that they do their work under the North Korean banner. When all is said and done, the North Koreans come out looking like bad asses you don't want to mess with, when in reality they just farmed the work out using basic email, a courier, and a satellite phone.

We could break their internet access forever, with a never ending DDOS, and it wouldn't matter one bit.

Re:The Narnia Browser

[wonkey_monkey]

Kim Il-Sung invented English in 1976 to stunt the intellectual development of the Western world.

Re:Translation pls.

[EuclideanSilence]

There are some addresses on the internet that are only associated (except for misuse) with 1 device, these are "public IP".

There are some addresses on the internet that are intended to be associated with multiple devices, these are "private IP".

Private addresses can only be "seen" on a local network, so only one instance of a private address per local network. If you ask for a connection to a private address and the local network doesn't have it, your network won't make any connection for you (even though hypothetically there is several people in the world on other local networks with that address).

It's like being at a family reunion and asking for "John", and not getting a response because no one there is named John, even though a lot of people in the world share that name. On the other hand, if you ask for "Gilgamesh", well then people know to send you to ancient Sur, even though no one in your family is named "Gilgamesh". John is a private reusable identifier, Gilgamesh is a public unique identifier.

The consequence of this is that to run a service for which machines from outside of your local network can connect to, you have to associate the service with a public address. Due to North Korea being one gigantic "local network" (something that usualy only exists on the scale of homes and companies), no one in the world can request a connection to anyone in North Korea, unless a public address/port pair is preallocated to that person. NKoreans can still request connections to the rest of the world, assuming that the routers on the edge of their private network can remember all those connections. For a healthy country, remembering so much would be almost impossible, but for North Korea, it is a sign of how few people can make Internet connections to the rest of the world.

Slightly jumping to conclusions

[wonkey_monkey]

When I first saw an image of the browser I was awe-struck to see that it made a request to an adddress (http://10.76.1.11/) upon first run.

This guy may want to tweak his astonishment threshold before going outside.

"Here's where things start to go off the rails: what this means is that all of the DPRK's national network is non-routable IP space.

Not necessarily. He might well be right, but it might it not just be that the address is actually routeable from within DPRK, and that the IP address was deliberately chosen so as not to be routeable from the outside world?

Re:Why is this surprising?

DPRK has one network under central control, much like a large corporate entity... it's not like there is a choice of ISPs who have to link with each other!

Anyways, the DPRK internet as used by the those DPRK citizens (still a very small percentage of the overall population) is completely airgapped from the public internet as we know it. Only a very very small number of elites have access to the 'real' internet...

So the DPRK is using AOL's old business model? That is EVIL!

It's URL, not IP. And 10/8 is _routable.

[Moskit]

Another summary written by a clueless, not a nerd.

10/8 network is a perfectly routable IP range.

http://10.76.1.11./ is a URL, not an IP address.
It also has an extra dot before the closing slash.

"News for _nerds_", sure...

Re:Translation pls.

[mythosaz]

Gilgamesh and Enkidu, at Uruk.

Darmok and Jalad at Tanagra.

Re:Correct me if I'm wrong...

[dj245]

They forget that North Korean government is really an organized criminal syndicate with a huge military and slave labor base.

And Kim and pals work hard to make sure people keep on forgetting it.

Do you personally know what Kim Jong Un has been up to? He has been in power only about 2 years and aside from propaganda photos, nobody knows really what he has being doing in that time, especially Westerners. Citizens of the DPRK don't even know how old he is. The only evidence giving a glimpse into his personal policies or beliefs is that he probably is quietly pushing reforms and experimenting with capitalism. He lived in Switzerland (probably) and has visited other capitalist countries. Turning a country around, especially one like North Korea, takes time. It is foolhardy to judge the man based on the almost nothing we know about him personally.