Inside North Korea's Naenara Browser
msm1267 (2804139) writes with this excerpt from Threatpost: Up until a few weeks ago, the number of people outside of North Korea who gave much thought to the Internet infrastructure in that country was vanishingly small. But the speculation about the Sony hack has fixed that, and now a security researcher has taken a hard look at the national browser used in North Korea and found more than a little weirdness. The Naenara browser is part of the Red Star operating system used in North Korea and it's a derivative of an outdated version of Mozilla Firefox. The country is known to tightly control the communications and activities of its citizens and that extends online, as well. Robert Hansen, vice president of WhiteHat Labs at WhiteHat Security, and an accomplished security researcher, recently got a copy of Naenara and began looking at its behavior, and he immediately realized that every time the browser loads, its first move is to make a request to a non-routable IP address, http://10.76.1.11/. That address is not reachable from networks outside the DPRK.
"Here's where things start to go off the rails: what this means is that all of the DPRK's national network is non-routable IP space. You heard me; they're treating their entire country like some small to medium business might treat their corporate office," Hansen wrote in a blog post detailing his findings. "The entire country of North Korea is sitting on one class A network (16,777,216 addresses). I was always under the impression they were just pretending that they owned large blocks of public IP space from a networking perspective, blocking everything and selectively turning on outbound traffic via access control lists."
IPv6 will never take off, so in the end we'll be bridging national internets just like this one.
I didn't think it was possible to make the Internet Explorer and Windows XP I'm forced to use at work seem like a privilege. Congrats, North Korea. You pulled it off.
The internet browses YOU!
Taking guns away from the 99% gives the 1% 100% of the power.
This means that North Korea is VIOLATING RFC 1918! Forget all that other stuff, this must be stopped by any means necessary!
If I were in charge of the network in a place like North Korea where it's heavily monitored and locked down, I'd run it like a big corporate LAN too, utilizing the 10.x.x.x block. The IP that every browser hits on load would be set up as an anycast address with nodes in datacenters near large groups of users (corporate campuses, or cities with lots of PCs in this case.)
The article also provides some good insight for those who aren't aware how malware can discreetly provide security holes... using only one encryption key, allowing for easy man-in-the-middle attacks, as in this example.
I like how the summary posts the non-reachable IP address just so we can slashdot it anyway.
People obsess over this idea that North Koreans must be hacking from within North Korea, and that there's no way they could realistically do it because their connection bandwidth is so puny. They forget that North Korean government is really an organized criminal syndicate with a huge military and slave labor base. They likely have vast criminal connections. All they have to do is hire sympathetic South Korean hackers on the condition that they do their work under the North Korean banner. When all is said and done, the North Koreans come out looking like bad asses you don't want to mess with, when in reality they just farmed the work out using basic email, a courier, and a satellite phone.
We could break their internet access forever, with a never ending DDOS, and it wouldn't matter one bit.
There are some addresses on the internet that are only associated (except for misuse) with 1 device, these are "public IP".
There are some addresses on the internet that are intended to be associated with multiple devices, these are "private IP".
Private addresses can only be "seen" on a local network, so only one instance of a private address per local network. If you ask for a connection to a private address and the local network doesn't have it, your network won't make any connection for you (even though hypothetically there are several people in the world on other local networks with that address).
It's like being at a family reunion and asking for "John", and not getting a response because no one there is named John, even though a lot of people in the world share that name. On the other hand, if you ask for "Gilgamesh", well then people know to send you to ancient Sur, even though no one in your family is named "Gilgamesh". John is a private reusable identifier, Gilgamesh is a public unique identifier.
The consequence of this is that to run a service to which machines from outside of your local network can connect, you have to associate the service with a public address. Due to North Korea being one gigantic "local network" (something that usually only exists on the scale of homes and companies), no one in the world can request a connection to anyone in North Korea, unless a public address/port pair is preallocated to that person. NKoreans can still request connections to the rest of the world, assuming that the routers on the edge of their private network can remember all those connections. For a healthy country, remembering so much would be almost impossible, but for North Korea, it is a sign of how few people can make Internet connections to the rest of the world.
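An added example, not from the Threatpost article, Hansen's post, or any commenter, that models the public/private distinction and the edge-router bookkeeping described in the post above: RFC 1918 classification of the 10.76.1.11 address, the size of the 10.0.0.0/8 block, and a toy NAT edge that remembers outbound flows but drops unsolicited inbound traffic unless a public port was preallocated. The NatEdge class, its public address and its port numbers are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass, field

# The three RFC 1918 blocks; 10.0.0.0/8 is the "one class A network" quoted above.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(addr: str) -> bool:
    """True if addr is a reusable RFC 1918 address (not routable on the public Internet)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def block_size(cidr: str) -> int:
    """Number of addresses in a CIDR block, e.g. 10.0.0.0/8 -> 16,777,216."""
    return ipaddress.ip_network(cidr).num_addresses


@dataclass
class NatEdge:
    """Toy model of the router between a private network and the Internet (constructed).

    An outbound flow from a private host gets a public port and a translation entry.
    An inbound packet is delivered only if a translation entry or a preallocated
    port forward exists for its destination port; otherwise it is dropped (None).
    """
    public_ip: str                                   # constructed, e.g. "203.0.113.1"
    forwards: dict = field(default_factory=dict)     # public port -> (private ip, port)
    table: dict = field(default_factory=dict)        # public port -> (private ip, port)
    next_port: int = 40000                           # first dynamic port to hand out

    def preallocate(self, public_port: int, private_ip: str, private_port: int) -> None:
        """Static mapping so a chosen inside host is reachable from outside."""
        if not is_private(private_ip):
            raise ValueError("forwards must point at an inside (private) host")
        self.forwards[public_port] = (private_ip, private_port)

    def outbound(self, src_ip: str, src_port: int) -> tuple:
        """Inside host opens a connection; the edge must remember it to route replies."""
        if not is_private(src_ip):
            raise ValueError("only inside hosts originate through this edge")
        pub_port, self.next_port = self.next_port, self.next_port + 1
        self.table[pub_port] = (src_ip, src_port)
        return (self.public_ip, pub_port)

    def inbound(self, dst_port: int):
        """Packet arriving from the Internet: forward, reply to a known flow, or drop."""
        return self.forwards.get(dst_port) or self.table.get(dst_port)
```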
When I first saw an image of the browser I was awe-struck to see that it made a request to an address (http://10.76.1.11/) upon first run.
This guy may want to tweak his astonishment threshold before going outside.
"Here's where things start to go off the rails: what this means is that all of the DPRK's national network is non-routable IP space.
Not necessarily. He might well be right, but might it not just be that the address is actually routable from within DPRK, and that the IP address was deliberately chosen so as not to be routable from the outside world?
systemd is Roko's Basilisk.
One of the funniest things I ever saw on a corporate network:
A manager had a bunch of machines in his office, and IT couldn't/wouldn't add any more network drops for him. So, he bought a little router. It turns out that the 192.168.* addresses it gave to his machine corresponded exactly to the ones the Exchange servers used, and something about the NAT crossed some signals.
Once they pieced together why email had stopped working, they immediately put a ban on those things, and immediately got him a switch which didn't do DHCP so he could have more networking in his office.
The whole time the developers were howling and thinking "really, that's the IP addresses they chose for critical infrastructure? The first one in the open pool?"
Everything defaults to starting at 192.168.0.1, which means if you're using it you might not like the results.
Lost at C:>. Found at C.