Just when you thought it was safe to go outside...
Wired and Slashdot reported yesterday on The Internet's Biggest Security Hole. This time it was a long-known problem with Border Gateway Protocol (BGP) which was given a new twist by Alex Pilosov and Tony "Xam" Kapela at the most recent DEFCON.
BGP, as you will recall, is the protocol that ties together the different networks making up the Internet. While Senator Ted Stevens (R-Alaska) famously described the Internet as a "Series of Tubes," he wasn't that far off. The reason it's called the Internet is that it is made up of a series of interconnected networks. These networks, referred to as Autonomous Systems (AS), have numbers (ASNs) and provide connectivity to a set of computers that are assigned a range of IP addresses. While both the ASNs and IP addresses are assigned by an official organization (ARIN in the US), the actual mapping between the two is done by a network owner using BGP to "advertise" to other networks what range of such addresses it contains. Usually network owners are ISPs and large corporations, but we had our own AS at Convoq and used BGP so that our servers could be connected to the Internet via multiple, redundant links. The problem is that since all such network owners are considered trustworthy, there is no widely used mechanism for verifying the validity of the advertisements. Anyone can claim to own any range of addresses and cause the rest of the Internet to send it traffic intended for those addresses. This happened last February when the government of Pakistan attempted to prevent its citizens from viewing a YouTube video by advertising a route for YouTube that led to a black hole. While they probably intended that route to apply only within Pakistan, it was automatically redistributed throughout the Internet and took YouTube off the air worldwide.
Something as dramatic as making a web site globally unavailable is usually noticed and repaired fairly quickly, but what Pilosov and Kapela discovered was a way to take the purloined traffic and then forward it on, unnoticed, to its legitimate destination, perhaps copying or modifying it in the process. They outlined a fix, but as it will take a lot of effort and computing power to implement, most likely nothing will happen until there is a major attack and ensuing scandal. In the meantime, it is wise to do as people in high-security government positions are taught to do, which is to regard all your communications as being open unless proven otherwise.
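As an added example (not from the original post or from Pilosov and Kapela's talk), here is what the missing verification step amounts to: a table recording which AS is authorized to originate which prefix, and how specific an announcement may be, consulted for every advertisement. A more-specific prefix announced by the wrong AS, the shape of the YouTube incident above, is flagged as invalid. All prefixes and ASNs below are constructed documentation values, not real assignments.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network


@dataclass(frozen=True)
class Roa:
    """Route Origin Authorization: who may originate a prefix, and how specific it may be."""
    prefix: IPv4Network
    max_len: int
    origin_asn: int


# Constructed authorization table (documentation prefixes and private-range ASNs).
ROAS = [
    Roa(ip_network("203.0.113.0/24"), 24, 64496),  # hypothetical site, may only announce the /24
    Roa(ip_network("192.0.2.0/24"), 26, 64497),    # hypothetical ISP, may deaggregate down to /26
]


def validate(prefix_str: str, origin_asn: int, roas=ROAS) -> str:
    """Classify one announcement as 'valid', 'invalid' or 'unknown'.

    unknown: no authorization covers the prefix, so nothing can be said.
    invalid: an authorization covers the prefix, but the origin AS is wrong
             or the announcement is more specific than max_len allows.
    """
    prefix = ip_network(prefix_str)
    covering = [r for r in roas if prefix.subnet_of(r.prefix)]
    if not covering:
        return "unknown"
    for roa in covering:
        if roa.origin_asn == origin_asn and prefix.prefixlen <= roa.max_len:
            return "valid"
    return "invalid"


def flag_invalid(announcements, roas=ROAS):
    """Return the (prefix, origin ASN) pairs that fail origin validation."""
    return [(p, asn) for p, asn in announcements if validate(p, asn, roas) == "invalid"]


# Constructed feed of (prefix, origin ASN) pairs, as a route collector might see them.
ANNOUNCEMENTS = [
    ("203.0.113.0/24", 64496),   # the legitimate owner
    ("203.0.113.0/25", 64511),   # more-specific from another AS: wins longest-match everywhere
    ("203.0.113.0/25", 64496),   # right owner, but deaggregated past max_len
    ("192.0.2.0/26", 64497),     # permitted deaggregation
    ("198.51.100.0/24", 64500),  # no authorization on file at all
]

if __name__ == "__main__":
    for prefix, asn in ANNOUNCEMENTS:
        print(f"{prefix:18} AS{asn}: {validate(prefix, asn)}")
```

Note that the unknown case is the common one wherever owners have not published authorizations, which is why such a check only helps once coverage is broad.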