[personal profile] jducoeur
This is mostly of interest to the tech crowd, but if you're seriously into the Internet business, it's well worth reading. Ars Technica is reporting a new mechanism for attacking the BGP protocol, one of the central protocols underlying the Internet.

The article gives the broad outline, but the upshot is apparently that a skilled hacker could, in theory, sniff pretty much arbitrary Internet traffic. This is *really* bad news if someone builds it into a form that the script kiddies can use. While it's possible to use the Internet securely if you're careful, the reality is that most of it is sent with no particular security. Instead, most of it has always depended on "security through obscurity", and the fact that it's just plain a lot of work to sniff traffic.

More importantly, traffic sniffing has historically been easiest at the client end -- sitting in a Starbucks and grabbing the Wifi traffic floating around. That can be bad, but it's also very ad hoc -- the traffic is whatever the target user happens to be playing with, and it requires a good deal of human intervention to do much with it. Most of it is useless to the hacker.

But consider the implications of the new attack. If I'm understanding it correctly, it would theoretically allow the attacker to more or less silently eavesdrop on much or all of the traffic heading to a particular website. That means that the attacker can build automated tools that are tuned to that site, and really exploit any security weaknesses in the site -- potentially far more devastating.

Just to provide a concrete example: while I assume that the login process for LiveJournal is secure (I've never checked), the rest of your interactions are sent in the clear. (HTTPS doesn't even work with LJ, far as I know -- someone correct me if I'm wrong.) So if someone wanted to, they could theoretically intercept everything you send to LJ -- every posting, regardless of its security setting. Depending on exactly how the attack works (I confess, I'm still hazy on some of the details), it might also be possible for them to read your entire flist, including the private bits. And unlike snooping you specifically, they could do this for *all* of LiveJournal -- basically sweeping up all the information wholesale, to use as they like. Unlike sniffing Wifi in Starbucks, it's a very efficient spying vector.

So like I said -- unsettling. I'm not entirely clear on the fine details yet, and the scope of the danger will depend on that. But suffice it to say, HTTPS and other end-to-end encryption technologies are probably about to become a lot more important, because we may have to assume that someone is now *likely* to be listening to anything you say online. It's always been theoretically possible, but it sounds like the odds just went way up...

(no subject)

Date: 2008-08-28 05:42 pm (UTC)
From: [identity profile] serakit.livejournal.com
That explanation in that article actually made sense... oh, no, now the internet is going to come crashing down around us.

But does this affect https type stuff? If everyone just starts using https for everything, couldn't that fix it?

Insufficient

Date: 2008-08-29 10:17 am (UTC)
From: [identity profile] metageek.livejournal.com
If you can redirect traffic to yourself, then you can pull a man-in-the-middle attack. HTTPS tries to prevent this with certificates, but an attacker that could spoof a certificate authority into issuing them a certificate for the target site (or crack the target site and steal their certificate file) could manage it. They'd present themselves to clients as being the site, and connect to the site themselves. All the data would get decrypted and reencrypted at the attacker's machine. (This wouldn't work if the client had a cert to authenticate themselves to the server, but I haven't seen anybody on the public Internet doing that. We did it at Netscape on our intranet, but we had a strong culture of dogfood.)

Note that the set of attackers that could suborn a CA definitely includes organized crime.

Re: Insufficient

Date: 2008-08-29 06:28 pm (UTC)
From: [identity profile] metageek.livejournal.com
No-no, this is not stealing the target's existing certs; this is generating new ones, probably from a different CA. Combined with the ability to redirect the target's traffic, it offers a way to do MITM on an SSL connection.

Of course, if the target is actually reading their logs, they may notice that suddenly all of their requests are coming from the same IP number. ;-)
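The log signal described in the comment above (requests that used to come from many client addresses suddenly all arriving from one address) can be checked mechanically. The following is an added example, not code from the comment or from LiveJournal: it parses constructed Common Log Format lines, buckets requests by hour, and flags any hour in which a single source IP carries most of the traffic. The log lines, addresses and threshold are all constructed for illustration.

```python
"""Spot requests suddenly funnelled through one source IP in web server logs."""
import re
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

# Constructed Common Log Format lines; addresses come from documentation ranges.
# Hour 09 shows normal spread across clients; hour 10 shows one address doing
# almost everything, the pattern a decrypting middlebox would produce.
SAMPLE_LOG = """\
198.51.100.10 - - [29/Aug/2008:09:00:01 +0000] "GET /login.bml HTTP/1.1" 200 512
198.51.100.22 - - [29/Aug/2008:09:00:07 +0000] "POST /update.bml HTTP/1.1" 200 88
198.51.100.35 - - [29/Aug/2008:09:01:12 +0000] "GET /friends HTTP/1.1" 200 9001
198.51.100.41 - - [29/Aug/2008:09:02:40 +0000] "GET /login.bml HTTP/1.1" 200 512
198.51.100.10 - - [29/Aug/2008:09:03:15 +0000] "GET /friends HTTP/1.1" 200 8800
203.0.113.7 - - [29/Aug/2008:10:00:03 +0000] "GET /login.bml HTTP/1.1" 200 512
203.0.113.7 - - [29/Aug/2008:10:00:09 +0000] "POST /update.bml HTTP/1.1" 200 88
203.0.113.7 - - [29/Aug/2008:10:01:30 +0000] "GET /friends HTTP/1.1" 200 9001
203.0.113.7 - - [29/Aug/2008:10:02:11 +0000] "GET /login.bml HTTP/1.1" 200 512
198.51.100.22 - - [29/Aug/2008:10:03:50 +0000] "GET /friends HTTP/1.1" 200 8800
"""

# Client IP, then the day and hour fields out of the bracketed timestamp.
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<day>[^:]+):(?P<hour>\d{2}):')

Bucket = Tuple[str, str]  # (day, hour)


def bucket_by_hour(log_text: str) -> Dict[Bucket, Counter]:
    """Count requests per client IP inside each (day, hour) bucket."""
    buckets: Dict[Bucket, Counter] = defaultdict(Counter)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the whole scan
        buckets[(m["day"], m["hour"])][m["ip"]] += 1
    return buckets


def top_share(counter: Counter) -> Tuple[str, float]:
    """Busiest IP in a bucket and the fraction of the bucket's requests it sent."""
    total = sum(counter.values())
    ip, n = counter.most_common(1)[0]
    return ip, n / total


def find_concentration(log_text: str, threshold: float = 0.6,
                       min_requests: int = 4) -> List[Tuple[Bucket, str, float]]:
    """Return (bucket, ip, share) for every hour where one IP sent at least
    `threshold` of the requests. Buckets with fewer than `min_requests`
    requests are ignored so a quiet hour with two hits does not alert."""
    alerts = []
    for key, counter in sorted(bucket_by_hour(log_text).items()):
        if sum(counter.values()) < min_requests:
            continue
        ip, share = top_share(counter)
        if share >= threshold:
            alerts.append((key, ip, share))
    return alerts


if __name__ == "__main__":
    for (day, hour), ip, share in find_concentration(SAMPLE_LOG):
        print(f"{day} {hour}:00  {ip} sent {share:.0%} of requests")
```

A single-address concentration is only a prompt to look closer: a corporate NAT, a CDN or a reverse proxy produces the same shape legitimately, so the useful comparison is against that site's own baseline rather than a fixed threshold.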

(no subject)

Date: 2008-08-28 07:02 pm (UTC)
From: [identity profile] be-well-lowell.livejournal.com
The reason I'm not worried about it is that exploiting this can't be done from just anywhere.

For one thing, you can't just fire up BGP on any Internet host and expect to get another host to peer with you. In fact, most BGP hosts are configured with their intended peers, and authenticate them to boot. Real routers tend to have extensive route filters configured, and the backbone more or less refuses to accept long prefixes. Furthermore, BGP packets are blocked on a lot of links.

Another issue is that it's pretty likely to be noticed, despite the researchers' claims to the contrary. What you're effectively doing is creating a backhaul of all the data for the network under attack. Most of the data will end up being hairpinned at the snooping point, and providers keep a careful eye out for that (because it costs them a lot of unnecessary money). In general, there is a lot of scrutiny of worldwide BGP activity; the data is public and can show a lot of useful (and, often, financially profitable) trends.

The danger in this kind of attack isn't so much from script kiddies as from governments and other deep-pockets organizations. They can afford the bandwidth requirements, as well as the many and widely connected links needed to avoid hairpinning. And, of course, they will be running BGP legitimately to connect up those big, complicated networks.

[Disclaimer: although I work on packet forwarding in large routers, I wouldn't consider myself a real expert in routing protocols. I do know a bit, though.]
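The two defensive points in the comment above, that backbones generally refuse long prefixes and that public BGP data is watched closely, translate into a simple route-monitoring check. The following is an added example, not code from the commenter or from any router vendor: given an operator's list of the prefixes it expects and who should originate them, it flags announcements that are more specific than the accepted /24 limit, that carve a more-specific route out of a monitored block, or that claim a different origin AS. The prefixes, ASNs and sample feed are constructed from documentation ranges and private ASNs, and the /24 limit is an assumed policy value.

```python
"""Flag suspicious BGP announcements against an operator's expected-origin list."""
import ipaddress
from typing import Dict, List, NamedTuple, Tuple


class Announcement(NamedTuple):
    prefix: str                 # announced IPv4 prefix in CIDR form
    origin_as: int              # last ASN in the AS_PATH, the claimed originator
    as_path: Tuple[int, ...]


# Constructed registry: prefixes this operator monitors and the ASN that
# legitimately originates each. TEST-NET blocks and private ASNs, not real data.
EXPECTED_ORIGINS: Dict[str, int] = {
    "203.0.113.0/24": 64500,
    "198.51.100.0/24": 64501,
}

# Assumed policy value: backbones commonly drop IPv4 prefixes longer than /24,
# so anything more specific than that is worth a look on its own.
MAX_ACCEPTED_PREFIX_LEN = 24


def classify(ann: Announcement,
             expected: Dict[str, int] = EXPECTED_ORIGINS,
             max_len: int = MAX_ACCEPTED_PREFIX_LEN) -> List[str]:
    """Return finding tags for one announcement; an empty list means nothing odd."""
    net = ipaddress.ip_network(ann.prefix, strict=True)
    findings: List[str] = []
    if net.prefixlen > max_len:
        findings.append("too-specific")
    for known, legit_origin in expected.items():
        known_net = ipaddress.ip_network(known)
        if net == known_net:
            # Exact monitored prefix, but a different AS claims to originate it.
            if ann.origin_as != legit_origin:
                findings.append("origin-mismatch")
        elif net.subnet_of(known_net):
            # Longest-prefix match means a more-specific route wins, so this
            # diverts traffic for that slice even while the real /24 is up.
            findings.append("more-specific-of-monitored")
            if ann.origin_as != legit_origin:
                findings.append("origin-mismatch")
    return findings


def audit(announcements: List[Announcement]) -> Dict[str, List[str]]:
    """Map each flagged prefix to its findings; clean announcements are omitted."""
    report: Dict[str, List[str]] = {}
    for ann in announcements:
        found = classify(ann)
        if found:
            report[ann.prefix] = found
    return report


# Constructed sample of observed announcements, as a route collector might show.
SAMPLE_FEED = [
    Announcement("203.0.113.0/24", 64500, (64510, 64500)),   # legitimate
    Announcement("203.0.113.0/25", 64666, (64510, 64666)),   # more-specific, stranger origin
    Announcement("198.51.100.0/24", 64666, (64511, 64666)),  # exact prefix, wrong origin
    Announcement("192.0.2.0/24", 64502, (64510, 64502)),     # not monitored, ignored
]

if __name__ == "__main__":
    for prefix, tags in audit(SAMPLE_FEED).items():
        print(f"{prefix}: {', '.join(tags)}")
```

The check is deliberately conservative: a prefix outside the monitored set is ignored, and the origin comparison only runs against the operator's own expectations, so the same approach works whether the feed comes from a looking glass, a route collector or the operator's own border routers.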

Organized crime

Date: 2008-08-29 12:47 pm (UTC)
From: [identity profile] metageek.livejournal.com
So the real question then would be whether the various organized-crime groups are well-enough connected to make this work.

Shouldn't be too hard—all kinds of options open up when you're not bound by law or morality.

Do a traceroute to find out your target's upstream providers; say it's Level3. Do a little social engineering on Level3 to find out who maintains the route filters; say it's Fred. Get one of your people hired by Level3's cleaning service. Find enough information on Fred's desk to track down his wife and kids, take a few pictures through a rifle sight, and you're in.

Of course, this kind of thing works even without a BGP vulnerability; but the vulnerability makes it easier to get away with it, since it may not be noticed for a long time.

(no subject)

Date: 2008-08-28 11:17 pm (UTC)
From: [personal profile] keshwyn
while I assume that the login process for LiveJournal is secure (I've never checked), the rest of your interactions are sent in the clear. (HTTPS doesn't even work with LJ, far as I know -- someone correct me if I'm wrong.)

If you are not using https://www.livejournal.com/login.bml, and are instead using http://www.livejournal.com/login.bml, you are logging in insecurely.

So yes, your password is snaggable every time you log in unless you explicitly make it not. And everything you read or post is snaggable. Whenever. There is *no* option to read LJ securely.

This is part of why I don't do it at work anymore.
