Sorry FRA, nu kan vi alla avlyssna :)

[brainslicer]

http://blog.wired.com/27bstroke6/2008/08/revealed-the-in.html

Revealed: The Internet's Biggest Security Hole

 

Two security researchers have demonstrated a new technique to stealthily intercept internet traffic on a scale previously presumed to be unavailable to anyone outside of intelligence agencies like the National Security Agency.

The tactic exploits the internet routing protocol BGP (Border Gateway Protocol) to let an attacker surreptitiously monitor unencrypted internet traffic anywhere in the world, and even modify it before it reaches its destination.

The demonstration is only the latest attack to highlight fundamental security weaknesses in some of the internet's core protocols. Those protocols were largely developed in the 1970s with the assumption that every node on the then-nascent network would be trustworthy. The world was reminded of the quaintness of that assumption in July, when researcher Dan Kaminsky disclosed a serious vulnerability in the DNS system. Experts say the new demonstration targets a potentially larger weakness.

"It's a huge issue. It's at least as big an issue as the DNS issue, if not bigger," said Peiter "Mudge" Zatko, noted computer security expert and former member of the L0pht hacking group, who testified to Congress in 1998 that he could bring down the internet in 30 minutes using a similar BGP attack, and disclosed privately to government agents how BGP could also be exploited to eavesdrop. "I went around screaming my head about this about ten or twelve years ago.... We described this to intelligence agencies and to the National Security Council, in detail."

The man-in-the-middle attack exploits BGP to fool routers into re-directing data to an eavesdropper's network.

Anyone with a BGP router (ISPs, large corporations or anyone with space at a carrier hotel) could intercept data headed to a target IP address or group of addresses. The attack intercepts only traffic headed to target addresses, not from them, and it can't always vacuum in traffic within a network -- say, from one AT&T customer to another.

The method conceivably could be used for corporate espionage, nation-state spying or even by intelligence agencies looking to mine internet data without needing the cooperation of ISPs.

BGP eavesdropping has long been a theoretical weakness, but no one is known to have publicly demonstrated it until Anton "Tony" Kapela, data center and network director at 5Nines Data, and Alex Pilosov, CEO of Pilosoft, showed their technique at the recent DefCon hacker conference. The pair successfully intercepted traffic bound for the conference network and redirected it to a system they controlled in New York before routing it back to DefCon in Las Vegas.

The technique, devised by Pilosov, doesn't exploit a bug or flaw in BGP. It simply exploits the natural way BGP works.

"We're not doing anything out of the ordinary," Kapela told Wired.com. "There's no vulnerabilities, no protocol errors, there are no software problems. The problem arises (from) the level of interconnectivity that's needed to maintain this mess, to keep it all working."

The issue exists because BGP's architecture is based on trust. To make it easy, say, for e-mail from Sprint customers in California to reach Telefonica customers in Spain, networks for these companies and others communicate through BGP routers to indicate when they're the quickest, most efficient route for the data to reach its destination. But BGP assumes that when a router says it's the best path, it's telling the truth. That gullibility makes it easy for eavesdroppers to fool routers into sending them traffic.

Here's how it works. When a user types a website name into his browser or clicks "send" to launch an e-mail, a Domain Name System server produces an IP address for the destination. A router belonging to the user's ISP then consults a BGP table for the best route. That table is built from announcements, or "advertisements," issued by ISPs and other networks -- also known as Autonomous Systems, or ASes -- declaring the range of IP addresses, or IP prefixes, to which they'll deliver traffic.

The routing table searches for the destination IP address among those prefixes. If two ASes deliver to the address, the one with the more specific prefix "wins" the traffic. For example, one AS may advertise that it delivers to a group of 90,000 IP addresses, while another delivers to a subset of 24,000 of those addresses. If the destination IP address falls within both announcements, BGP will send data to the narrower, more specific one.

To intercept data, an eavesdropper would advertise a range of IP addresses he wished to target that was narrower than the chunk advertised by other networks. The advertisement would take just minutes to propagate worldwide, before data headed to those addresses would begin arriving to his network.

The attack is called an IP hijack and, on its face, isn't new.

But in the past, known IP hijacks have created outages, which, because they were so obvious, were quickly noticed and fixed. That's what occurred earlier this year when Pakistan Telecom inadvertently hijacked YouTube traffic from around the world. The traffic hit a dead-end in Pakistan, so it was apparent to everyone trying to visit YouTube that something was amiss.

Pilosov's innovation is to forward the intercepted data silently to the actual destination, so that no outage occurs.

Ordinarily, this shouldn't work -- the data would boomerang back to the eavesdropper. But Pilosov and Kapela use a method called AS path prepending that causes a select number of BGP routers to reject their deceptive advertisement. They then use these ASes to forward the stolen data to its rightful recipients.

"Everyone ... has assumed until now that you have to break something for a hijack to be useful," Kapela said. "But what we showed here is that you don't have to break anything. And if nothing breaks, who notices?"

Stephen Kent, chief scientist for information security at BBN Technologies, who has been working on solutions to fix the issue, said he demonstrated a similar BGP interception privately for the Departments of Defense and Homeland Security a few years ago.

Kapela said network engineers might notice an interception if they knew how to read BGP routing tables, but it would take expertise to interpret the data.

A handful of academic groups collect BGP routing information from cooperating ASes to monitor BGP updates that change traffic's path. But without context, it can be difficult to distinguish a legitimate change from a malicious hijacking. There are reasons traffic that ordinarily travels one path could suddenly switch to another -- say, if companies with separate ASes merged, or if a natural disaster put one network out of commission and another AS adopted its traffic. On good days, routing paths can remain fairly static. But "when the internet has a bad hair day," Kent said, "the rate of (BGP path) updates goes up by a factor of 200 to 400."

Kapela said eavesdropping could be thwarted if ISPs aggressively filtered to allow only authorized peers to draw traffic from their routers, and only for specific IP prefixes. But filtering is labor intensive, and if just one ISP declines to participate, it "breaks it for the rest of us," he said.

"Providers can prevent our attack absolutely 100 percent," Kapela said. "They simply don't because it takes work, and to do sufficient filtering to prevent these kinds of attacks on a global scale is cost prohibitive."

Filtering also requires ISPs to disclose the address space for all their customers, which is not information they want to hand competitors.

Filtering isn't the only solution, though. Kent and others are devising processes to authenticate ownership of IP blocks, and validate the advertisements that ASes send to routers so they don't just send traffic to whoever requests it.

Under the scheme, the five regional internet address registries would issue signed certificates to ISPs attesting to their address space and AS numbers. The ASes would then sign an authorization to initiate routes for their address space, which would be stored with the certificates in a repository accessible to all ISPs. If an AS advertised a new route for an IP prefix, it would be easy to verify if it had the right to do so.

The solution would authenticate only the first hop in a route to prevent unintentional hijacks, like Pakistan Telecom's, but wouldn't stop an eavesdropper from hijacking the second or third hop.

For this, Kent and BBN colleagues developed Secure BGP (SBGP), which would require BGP routers to digitally sign with a private key any prefix advertisement they propagated. An ISP would give peer routers certificates authorizing them to route its traffic; each peer on a route would sign a route advertisement and forward it to the next authorized hop.

"That means that nobody could put themselves into the chain, into the path, unless they had been authorized to do so by the preceding AS router in the path," Kent said.

The drawback to this solution is that current routers lack the memory and processing power to generate and validate signatures. And router vendors have resisted upgrading them because their clients, ISPs, haven't demanded it, due to the cost and man hours involved in swapping out routers.

Douglas Maughan, cybersecurity research program manager for the DHS's Science and Technology Directorate, has helped fund research at BBN and elsewhere to resolve the BGP issue. But he's had little luck convincing ISPs and router vendors to take steps to secure BGP.

"We haven't seen the attacks, and so a lot of times people don't start working on things and trying to fix them until they get attacked," Maughan said. "(But) the YouTube (case) is the perfect example of an attack where somebody could have done much worse than what they did."

ISPs, he said, have been holding their breath, "hoping that people don’t discover (this) and exploit it."

"The only thing that can force them (to fix BGP) is if their customers ... start to demand security solutions," Maughan said.

[Snusarn]

Intressant rubrik, men inte en chans i helvetet att jag läser det där.

[striker]

Intressant rubrik, men inte en chans i helvetet att jag läser det där.

 

Haha, I´m with you!

[Maruzi]

orkar nån översätta kortfattat?

[brainslicer]

Intressant rubrik, men inte en chans i helvetet att jag läser det där.

 

orkar nån översätta kortfattat?

 

Samma på svenska hos IDG:

 

Så väl storebror som lillasyster kan lyssna | 2008-08-27 14:49

Nytt allvarligt hot mot internet

http://www.idg.se/2.1085/1.176059

 

En enorm säkerhetsbrist i ett internetprotokoll har nått dagens ljus. Bristen innebär att internettrafik mycket enkelt kan avlyssnas.

 

Det var på hackarkonferensen Defcon 16 i Las Vegas, USA, i början av augusti som säkerhetsbristen i internetprotokollet border gateway protocol uppdagades, rapporterar tidningen Wired.

 

Protokollet utgår från att routern talar sanning när den berättar om den bästa vägen till mottagaren. Den som kontrollerar även en mindre router kan därför lura till sig trafik som den inte borde ta del av.

 

Protokollets svaghet kan användas för industrispionage, spionage på andra länder eller av underrättelseverksamhet där organisationen inte har lust att efterfråga information från internetoperatörerna, hos vilka protokollet bland annat används.

 

Bristen har länge varit känd som ett problem i teorin, men det var först på Defcon 16 som säkerhetsexperterna Tony Kapela och Alex Pilosov demonstrerade hur det kunde användas i praktiken. Detta genom att dirigera om inkommande internettrafik på konferensnätverket till ett system i New York.

Patrik Fältström, internetstrateg och teknisk expert på Cisco, säger att bristen är allvarlig.

 

– Border gateway protocol är ett oskyddat protokoll, säger Patrik Fältström.

 

Att svagheten varit känd en längre tid utan att någon gjort en större insats för att lösa bristen beror på två saker, enligt Patrik Fältström. Dels att antalet attacker varit mycket få, dels att det finns larmsystem hos internetoperatörerna som varnar.

 

Samtidigt kan en internetoperatör släta över en eventuell attack. Det vore en riktig skandal om det kommer ut att internetoperatören slarvat bort hemliga eller viktiga uppgifter.

 

– Det är upp till varje enskilt företag att skydda sig. Alla nivåer i protokollstacken måste säkras, och vpn-tunnlar är ett sätt att skydda känslig information, säger Patrik Fältström.

 

Exakt hur många av landets internetoperatörer som säkrat upp sina routar kan Patrik Fältström inte uttala sig om, men han tror att det är en ganska hög procentsats.

 

– Men säkerheten kan bli bättre, och jag skulle kontakta min internetoperatör för att försäkra mig om hur de jobbar, säger Patrik Fältström.

 

Han tillägger att inte bara attacker kan ställa till problem med avlyssnad trafik. Även felkonfigurerade nätverk är ett problem, och påminner om när Pakistans statliga telekombolag sänkte Youtube i februari.

 

Enligt säkerhetsexperten Peiter Zatko, som redan 1998 demonstrerade hur han kunde stänga ner delar av internet inom 30 minuter med hjälp av ett liknande säkerhetshål i samma protokoll, är inte nådig i sin dom.

 

– Hålet är minst lika allvarligt och stort som dns-buggen, om inte större, säger Peiter Zatko till tidningen Wired.

[Matfrid]

http://blog.wired.com/27bstroke6/2008/08/revealed-the-in.html

 

Vädligt intressant. Fantastiskt vad oskyddat BGP är.

 

AS path prepending verkar vara ett riktigt hack:

Prepending an AS path makes a shorter AS path look longer and therefore less preferable to the Border Gateway Protocol (BGP). http://www.juniper.net/techpubs/software/junos/junos70/swconfig70-policy/html/policy-actions-config2.html

[aiken]

Egentligen handlar det väl mest om "obehörig" avlyssning och således ett "problem"för leverantörerna som inte får koll på trafiken. Ett oskyddat (=icke krypterat etc) koppling går väl alltid att avlyssna som jag förstått det.

[Matfrid]

Egentligen handlar det väl mest om "obehörig" avlyssning och således ett "problem"för leverantörerna som inte får koll på trafiken. Ett oskyddat (=icke krypterat etc) koppling går väl alltid att avlyssna som jag förstått det.

 

Självklart. Har du bara tillgång till det medium signalerna går igenom, så kan du avlyssna 100% av trafiken.

[K_MaN]

Förklara för oss vad detta innebär för en pokerspelare i praktiken.

[SunTzu]

Såvitt jag vet så är det tveksamt om det spelar nån roll alls. För folk som inte vill att andra ska lyssna så är det ett gigantiskt problem.

[brainslicer]

de där säger väl lite vad som är nytt? förut märkte man om nåt va fel, anslutningen dog ut, nu märker man inte om nån avlyssnar på detta sättet:

 

The attack is called an IP hijack and, on its face, isn't new.

But in the past, known IP hijacks have created outages, which, because they were so obvious, were quickly noticed and fixed. That's what occurred earlier this year when Pakistan Telecom inadvertently hijacked YouTube traffic from around the world. The traffic hit a dead-end in Pakistan, so it was apparent to everyone trying to visit YouTube that something was amiss.

Pilosov's innovation is to forward the intercepted data silently to the actual destination, so that no outage occurs.

Ordinarily, this shouldn't work -- the data would boomerang back to the eavesdropper. But Pilosov and Kapela use a method called AS path prepending that causes a select number of BGP routers to reject their deceptive advertisement. They then use these ASes to forward the stolen data to its rightful recipients.

"Everyone ... has assumed until now that you have to break something for a hijack to be useful," Kapela said. "But what we showed here is that you don't have to break anything. And if nothing breaks, who notices?"

 

för en pokerspelare vet jag inte, allt torde vara krypterat iaf?

och andra sidan var ju flera nycklar o certs på villovägar sedan i våras...pga sårbarheten i tillverkningen av dom som dom var lättgissade

[Matfrid]

de där säger väl lite vad som är nytt? förut märkte man om nåt va fel, anslutningen dog ut, nu märker man inte om nån avlyssnar på detta sättet:

 

 

 

för en pokerspelare vet jag inte, allt torde vara krypterat iaf?

och andra sidan var ju flera nycklar o certs på villovägar sedan i våras...pga sårbarheten i tillverkningen av dom som dom var lättgissade

 

Det var ju också en diskussion om ifall certifikaten är säkra här tidigare. Jag hävdar fortfarande att de kan bytas ut någonstans på vägen. Men frågan kan lämnas öppen.

 

En annan sak att tänka på i sammanhanget är att ingen kryptering lär vara säker i framtiden. Dvs all av dagens krypterade kommunikation kommer att vara läsbar om ngt dussin år. Detta är nog inte så intressant för pokerspelare, men det är oerhört intressant för säkerhetspolis. Går vi tillbaka i tiden så innebär det t ex att den 64-bitars kryptering som svenska försvaret använde på 90-talet i Lotus Notes idag är trivialt läsbar, för den som sparat databaserna. [De var redan trivialt läsbara för CIA på den tiden, eftersom 24 av bitarna redan var deponerade hos dem ].

 

Slutsats, för den som vill ha det enkelt: gör inget hemligt idag som du inte vill ska vara offentligt 2020!