Tag Archives: BGP

Security News for the Week Ending March 4, 2022

Apple Scrambles to Try and Figure Out How to Stop Stalkers From Using AirTags

Their newest idea is that when you initialize a new AirTag, it will tell you that stalking may be illegal in your country. I really, really doubt that will have any effect. They are also shortening the time window for notifying you that you are being stalked. Users of newer Apple devices will be able to find out how far away Apple thinks that rogue AirTag is. They are trying, but there is no simple fix. Credit: Yahoo

China Outs NSA Hacking Tool

Just like the U.S. outs foreign hacking tools when it suits our purposes, China is now doing the same thing. Likely this is for internal consumption, but it does give us a little bit of insight into their thinking and confirms that certain hacking tools are no longer secret. Credit: Vice

Anonymous Hacks High Profile Russian Leaning Websites

First, Anonymous hacked the Russian Ministry of Defense and posted the stolen data online for free. The data includes officials' passwords, phone numbers and emails (Credit: Cyber News). Then they claim to have broken into Belarusian weapons maker Tetraedr and stolen a couple hundred gigabytes. The data stolen included emails, and they even conveniently indexed all of them and handed the data to DDoS Secrets. They call this Operation Cyber Bully Putin (Credit: Cyber News). It sounds like there will be more web sites hacked. Stay tuned.

Apple Responds to Russian Invasion of Ukraine

Each company is doing its own thing. In Apple’s case, they have paused all product sales in Russia. Apple Pay and other services have been limited. Apple Maps has stopped live updates, and Russian propaganda apps have been taken off the App Store (why were they there in the first place?). Credit: ZDNet

FCC to Review Border Gateway Protocol Security

In 1989 an engineer from Cisco and one from IBM wrote down an idea on two napkins (which have been preserved). That was the basis of the Border Gateway Protocol, or BGP. Needless to say, they did not think about security. BGP has been hacked by China and North Korea, among many others, so many times that we have all lost count. But BGP is a critical part of the Internet’s routing system. Finally, twenty-five years too late, the FCC is “looking into” BGP security. We shall see what happens. Change on the Internet goes slowly. IPv6 was approved 10 years ago and still it is the minority of traffic on the Internet (it is used a LOT on the backbone, just not at the edge). Credit: Data Breach Today

Security News for the Week Ending September 4, 2020

Centurylink Routing Issues Lead to Massive Internet Outage

Last Saturday night/Sunday morning, Centurylink had a bit of a problem, either taking down or severely impacting web sites such as Cloudflare, Amazon, Steam, Twitter and many more. Just because a system was designed to stay operating in case of a nuclear attack does not mean that it is immune to human error or software bugs. Centurylink has not explained what happened. This particular outage nullified many business continuity strategies. If staying online is important to you, this would be a good time to review your DR-BC program. Credit: Bleeping Computer

The New Normal: Dell Says 60% of Their Staff Will Not be Going Back to the Office Regularly

We are seeing more companies saying that they do not plan to return to office life ever. Dell says that the majority of its 165,000-member workforce will never return to the office again, or at least not regularly. Dell says “work is something you do, an outcome, not a place or time”.

Ignore for the moment what this means for the commercial real estate market if this becomes the new normal.

That means a significant change for your cybersecurity practices going forward. When the majority of your work is being done on a home network, via unencrypted wireless through a router that was last patched in 2013, what does that mean for security? If that thought keeps you up at night, call us. Credit: The Register

Users’ Browsing Can Be De-Anonymized With Little Work, Researchers Say

Mozilla (Firefox) collected two 1-week browsing history datasets from 50,000 volunteers and were able to successfully re-identify anonymous browsing data to the individual. With users who only visited 50 web sites during that period, they were able to re-identify up to 80% of them. The odds improve when the researchers have more data. After all, who visits only 50 web sites in a two-week period? Therefore, treat claims that data has been anonymized with great skepticism. Credit: Help Net Security

US Federal Appeals Court Rules NSA’s Mass Surveillance Disclosed by Edward Snowden is Illegal

Seven years after Edward Snowden disclosed the existence of the NSA’s mass surveillance program, a federal appeals court said the program is illegal. In defending the program, the NSA pointed to one case where NSA surveillance data was used, but the judge overseeing that case says that the NSA’s information was not material. However, the same court said that the folks convicted in that case are still guilty, so no getting off the hook based on that. Given the hundreds of millions of dollars spent on this program, the fact that the NSA can only point to one court case where the program had any effect should kill the program on effectiveness grounds anyway, but that is not the job of the court. I am sure the Republican administration will appeal this up to the Supremes, but they may or may not take the case, so stay tuned. Credit: Threatpost

Republican Plan to Ban Huawei Will Cost Americans $2 Billion

Now that the Republicans have decided (it is an election year) that Huawei is a national security threat (but wasn’t for the last three years), they have created a requirement to rip out and replace all of the existing Huawei (and ZTE) equipment that carriers are already using. The first step in this process was to ask the carriers, well, how much will it cost to replace all that stuff? The carriers have come back with that initial estimate and it is $1.8 billion and change. Carriers are notoriously bad at estimating costs like this, so make it $2.5 billion or so.

BTW, I am not saying that the FCC is wrong, I just don’t understand why this wasn’t considered a problem in 2017 vs. two months before the elections.

Where is that money going to come from? There are really only two options – higher prices to customers and a taxpayer subsidy.

Curiously, the Republicans are complaining about a Chinese law that requires Chinese companies to comply with requests from the intelligence services and not tell anyone. If I was wearing a blindfold, that would sound exactly like the U.S. Foreign Intelligence Surveillance Act or FISA.

I have said for a long time that when it comes to telecom, the U.S. is basically a third world country (according to Wikipedia, we rank 30th in the world for mobile Internet connection speed). What the carriers will do in the short term is, except for really densely populated downtown cities, slow down the rollout of 5G Internet (Verizon, for example, only covers 5% of the population with high speed 5G – high speed means that a user can tell the difference when connecting over a 5G connection vs. connecting over a 4G connection). Other carriers cover more of the US, but with virtually no speed difference over 4G, but now, even that rollout will likely slow down.

To Russia With Love

No, this is not a new Bond movie; it is, instead, an example of one of the many weaknesses of an Internet that was never designed to handle malicious attackers.

I will try to make this as non-technical as I can, but it will be a bit technical, so please stay with me.

Larger Internet users, whether businesses or Internet providers, often have multiple connections to the Internet so that customers and partners can continue to reach them even if one of their Internet connections goes down. Some companies might have 3, 4 or more connections. Somehow, these companies need to tell other companies and Internet providers on the ‘net how to reach them – which connection to use for which internal nets.

Out of this problem – and literally on a couple of sheets of paper (see below) – an IBM and a Cisco engineer designed BGP, the Border Gateway Protocol.

Unfortunately, back in 1989 no one considered security.

How BGP works is that when a network wants to tell the rest of the Internet how to reach a block of its addresses, it “announces” a route for that block.

Unfortunately, the BGP protocol has not changed much since 1989 and still has no security.

What this means is that ANYONE can announce a new route. This happens non-stop, every day. Without security, you hope it gets done right.

We have seen many instances of BGP announcements that are very suspicious; earlier this month we had another one.

On December 11/12, for a three-minute window, about 80 “routes” were hijacked; then for about 2 hours, 40 “routes” were hijacked; and finally, at the end of this event, for a couple of minutes, 80 “routes” were hijacked again.

Surprisingly – or not – the hijacked routes all went through Russia. While there is no security on BGP, a route announcement does have to be associated with a specific network operator. That is how we know the announcements came from Russia.

There are two reasons why Russia might do this. One reason is to siphon a whole lot of data and then try to decrypt or analyze it.

The other reason would be to take down a large part of the Internet. If the malicious user takes in all this data but does not put it back out on the Internet, then all of the traffic destined for these affected sites gets “black holed”, which means that all of their traffic goes into the digital trashcan.

The sites affected by this attack were Google, Facebook, Apple, Microsoft and a few others. Likely not a coincidence.

Let’s assume that this was just a test. You route the traffic through Russia but put it back out on the Internet, and maybe no one is any the wiser.

Then, when you want to create chaos, you route the traffic through Russia but put ZERO traffic back out. The sites that you attack are totally down. Hopefully, relatively quickly, the sites can announce new routes, but then the attackers can re-announce their routes.

It would be a mess.

And don’t count on the Internet gurus to fix this security “hole” any time soon. It has been this way for decades, and fixing it would be a many-year process. First you have to agree on what the fix is, then you have to develop the fix, next you have to test it, and finally you have to get everyone in the world who uses BGP – literally – to install it. It would probably take a decade.

This is why companies closely monitor their BGP announcements – the ones that they make themselves and the ones that other people illegally make on their behalf.
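The monitoring described here (and the FCC item above on BGP security) boils down to comparing every route announcement seen for your address space against the origins you actually authorized. The following is an added example, not code from this blog or from any routing vendor: a small Python monitor that takes a feed of announcements (the feed, the prefixes in the 203.0.113.0/24, 198.51.100.0/23 and 192.0.2.0/24 documentation ranges, and all ASNs in the 64500+ private range are constructed for illustration) and flags the two classic hijack shapes: an announcement of your exact prefix from a foreign origin, and a “more-specific” announcement that carves a smaller block out of your prefix so it wins the routing decision. The `EXPECTED_ORIGINS` table stands in for the authorization data (a simplified version of what RPKI route origin records express); `find_hijacks`, `summarize` and `transits` are hypothetical helper names.

```python
"""Toy BGP route-origin monitor (added example, constructed data)."""
from collections import Counter
from dataclasses import dataclass
import ipaddress
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Announcement:
    seen_at: int          # seconds since the start of the observation window (constructed)
    prefix: str           # announced address block, e.g. "203.0.113.0/24"
    origin_as: int        # ASN claiming to originate the block
    as_path: Tuple[int, ...]  # ASNs the announcement passed through, origin last


# Prefixes we own and the ASNs authorized to originate them (constructed;
# in practice this comes from your own records or RPKI ROAs).
EXPECTED_ORIGINS: Dict[str, Set[int]] = {
    "203.0.113.0/24": {64500},
    "198.51.100.0/23": {64501},
}


def classify(ann: Announcement, expected: Dict[str, Set[int]] = EXPECTED_ORIGINS) -> str:
    """Return 'valid', 'origin-mismatch', 'more-specific' or 'unknown' for one announcement."""
    net = ipaddress.ip_network(ann.prefix)
    # Exact match on a prefix we own: the origin must be one we authorized.
    if ann.prefix in expected:
        return "valid" if ann.origin_as in expected[ann.prefix] else "origin-mismatch"
    # A smaller block inside something we own: legitimate only from our own origin,
    # otherwise it is the more-specific hijack that beats our route everywhere.
    for owned, asns in expected.items():
        owned_net = ipaddress.ip_network(owned)
        if net.version == owned_net.version and net.subnet_of(owned_net):
            return "valid" if ann.origin_as in asns else "more-specific"
    return "unknown"  # not our address space; nothing to judge


def find_hijacks(feed: List[Announcement]) -> List[Tuple[Announcement, str]]:
    """Announcements that claim our space from an unauthorized origin."""
    return [(a, v) for a in feed if (v := classify(a)) in ("origin-mismatch", "more-specific")]


def summarize(feed: List[Announcement]) -> Dict[str, int]:
    """Count announcements per verdict, the figure an operator watches over a time window."""
    return dict(Counter(classify(a) for a in feed))


def transits(ann: Announcement, watched: Set[int]) -> bool:
    """True if the announcement's AS path passes through any watched network."""
    return any(asn in watched for asn in ann.as_path)


# Constructed feed: a normal announcement, an exact-prefix hijack, a more-specific
# hijack of half of the /23, a normal /23 announcement, and a prefix we do not own.
SAMPLE_FEED = [
    Announcement(0,  "203.0.113.0/24",  64500, (64510, 64500)),
    Announcement(60, "203.0.113.0/24",  64512, (64512,)),
    Announcement(70, "198.51.100.0/24", 64512, (64513, 64512)),
    Announcement(80, "198.51.100.0/23", 64501, (64510, 64501)),
    Announcement(90, "192.0.2.0/24",    64520, (64520,)),
]

if __name__ == "__main__":
    for ann, verdict in find_hijacks(SAMPLE_FEED):
        print(f"t+{ann.seen_at}s {ann.prefix} origin AS{ann.origin_as}: {verdict}")
    print(summarize(SAMPLE_FEED))
```

A real deployment would feed this from a route collector or a looking-glass export rather than a constructed list, and would alert on the first non-valid verdict rather than waiting for a summary; the point of `transits` is the observation in the post that all the hijacked paths shared a common transit network, which is a useful secondary signal once a hijack is suspected.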

Information for this post came from Ars Technica.