The digital information networks that we are building, while incredibly useful, are also distressingly fragile. A few mistakes can cause problems. A few bad guys can cause disasters. It is all really obscure and really, really stealthy.
When I attended the InfoSec conference, there was one particularly insightful session — “Things That We Trust That We Shouldn’t” — by Chris McNab, Director of Network Security for iSEC Partners.
He had three main topics:
- Cell phones
- HTTPS, which is supposed to make accessing websites secure
- Something called BGP, which I had never heard of before
Until recently, cell phone networks had been reasonably secure because it would take so much effort and expense to set up all the equipment needed to hack into them.
But now, open source software (OpenBTS) and cheap hardware (around $2,000) allow someone to set up their own rogue node for a cell phone network. This can be used for what is called a “man-in-the-middle” attack, to sniff voice, SMS, and data traffic from nearby cell phones.
Remember that cell phones, like all wireless devices, are designed to connect to the strongest signal. That makes sense – you always want your phone to connect to the node with the most “bars.”
In a classic man-in-the-middle (the security industry just uses the acronym “MITM”) attack, all you have to do is put up an antenna and stick an amplifier behind it. You will automatically pick up all the traffic nearby. (This works on wifi too, by the way.)
Of course, you also have to forward the traffic back onto the regular network, otherwise the victims will simply think the network is down and hang up.
Someone could drive a van up to an office building, park out front, and put up a cell phone antenna aimed, let’s say, at the CEO’s office. Bingo, they just hacked the CEO’s cell phone conversations, text messages, even emails.
The communications would still be encrypted, but the encryption used is not all that hard to break. The simplest approach is to record all the traffic, bring it back to the hacker’s lair, and decrypt it, using one of the many software programs that can do that.
But there is an even more clever approach: there is a way that the hackers can even force the handset to skip the normal encryption and send the traffic in the clear.
Many countries still have rudimentary cell phone networks that do not support encryption. Cell phones are designed to drop the encryption if the “tower” does not support it. All a hacker has to do, then, is to set up his rogue node using one of the older protocols and all the security provisions of the cell phone are completely and silently bypassed – there is not even any warning indicator on the handset.
As you know — or at least should know — “secure” websites are those that use “HTTPS” (versus “HTTP”) and show the little lock symbol on your browser. This is what financial institutions, retailers, and others use to provide secure transactions over the internet.
The underlying technology behind HTTPS is called SSL/TLS, and it is considered the current state-of-the-art technology.
There were quite a number of sessions on HTTPS at the InfoSec World conference, and the message from all of them is that while it’s the best we’ve got, it is far from perfect.
I plan to write extensively about HTTPS in the near future. For now, I will simply relate McNab’s conclusion of this section of his presentation:
“HTTPS is completely dependent on what are called Certificates of Authority. Unfortunately, the way these Certificates are issued makes the process completely untrustworthy.”
This makes HTTPS very vulnerable to man-in-the-middle attacks, and there are no good solutions in sight.
BGP – Border Gateway Protocol
Since I had never heard of Border Gateway Protocol (sounds like something for Homeland Security, doesn’t it?), I had to struggle to understand some of what McNab was talking about. But I knew it was serious – he actually subtitled this section as “A disaster waiting to happen” and noted that very few people understand the problem.
Here is how Wikipedia describes BGP:
“The Border Gateway Protocol (BGP) is the protocol backing the core routing decisions on the Internet. It maintains a table of IP networks or ‘prefixes’ which designate network … routing decisions based on path, network policies and/or rulesets.”
Most Internet Service Providers must use BGP to establish routing between one another….
Therefore, even though most Internet users do not use it directly, BGP is one of the most important protocols of the Internet.
So BGP depends on a series of routing tables — a huge roadmap, which together define how you get a message from Point A to Point B on the Internet.
Step back, and remember that the World Wide Web was originally designed to share scientific information between universities and laboratories around the world. In this environment, it could be assumed that anyone who has access to those tables knows what they are doing and would not intentionally do anything bad.
Incorrect routing instructions can be sent, and the rest of the internet would accept them blindly. McNab said this happens every day at small levels, mostly in error, and typically is not a major cause for concern.
But not all the “errors” are minor and probably not all are accidental. You might remember that a few months ago there was a “problem” with Internet traffic involving China.
Here is the way a technical blog described it:
“The U.S.-China Economic and Security Review Commission says that for a period of 18 minutes last April, China Telecom hijacked 15 percent of the world’s Web traffic and sent it to servers in China, an accusation the state-run organization has denied. Whether the apparent reroute was intentional or accidental, it’s exposed another weakness in the structure of the Web.”
The security industry does not think this was an accident. There are a variety of suggestions of what China might have been after, but there is a pretty strong belief that all eighteen minutes’ worth of Internet traffic is now stored somewhere in China, and is being very thoroughly analyzed.
This is, essentially, another form of our old friend, a man-in-the-middle attack. Rather than using wifi stations or cell phone antennas, China simply made a few changes to the BGP tables, and they hijacked the entire web.
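The hijack described above works because routers accept whatever origin a neighbour announces for a prefix. As an added illustration (not from McNab’s talk or this post), here is a Python sketch of route-origin validation, the RPKI-based check that lets a router reject an announcement whose origin AS does not match the prefix holder’s published authorisation; the prefixes, AS numbers and the authorisation table are constructed for the example.

```python
"""Route-origin validation for BGP announcements (constructed example)."""
import ipaddress

# Constructed table modelled on RPKI ROAs: the prefix, the AS authorised to
# originate it, and the longest prefix length the holder permits (maxLength).
# All prefixes and AS numbers are documentation/private values, not real ones.
ROA_TABLE = [
    (ipaddress.ip_network("203.0.113.0/24"), 64500, 24),
    (ipaddress.ip_network("198.51.100.0/22"), 64501, 24),
]


def validate_announcement(prefix_str, origin_as, roas=ROA_TABLE):
    """Classify one (prefix, origin AS) announcement.

    Mirrors RFC 6483 origin validation: a covering ROA exists and both the
    origin AS and the length fit -> 'valid'; a covering ROA exists but nothing
    matches -> 'invalid' (the kind of announcement that hijacks traffic); no
    covering ROA at all -> 'unknown' (nothing to check against).
    """
    prefix = ipaddress.ip_network(prefix_str)
    covered = False
    for roa_prefix, roa_as, max_len in roas:
        if prefix.version != roa_prefix.version:
            continue  # subnet_of() cannot compare IPv4 with IPv6
        if not prefix.subnet_of(roa_prefix):
            continue
        covered = True
        if origin_as == roa_as and prefix.prefixlen <= max_len:
            return "valid"
    return "invalid" if covered else "unknown"


def find_hijacks(announcements, roas=ROA_TABLE):
    """Return the announcements a validating router should drop."""
    return [a for a in announcements
            if validate_announcement(a[0], a[1], roas) == "invalid"]


# Constructed sample of announcements as a router might receive them.
SAMPLE_ANNOUNCEMENTS = [
    ("203.0.113.0/24", 64500),   # legitimate origin
    ("203.0.113.0/24", 64666),   # same prefix, wrong origin AS: hijack
    ("198.51.100.0/24", 64501),  # more specific, but within maxLength
    ("198.51.100.0/25", 64501),  # too specific even for the rightful owner
    ("192.0.2.0/24", 64502),     # no ROA covers it
]

if __name__ == "__main__":
    for ann in SAMPLE_ANNOUNCEMENTS:
        print(ann, validate_announcement(*ann))
```

A router that drops the "invalid" announcements would not have followed the misdirected routes in the incident above, but only for prefixes whose holders have actually published a ROA; everything else stays "unknown" and is accepted as before.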
By the way, McNab ended this section by saying that, if someone wanted to, they could bring down the entire Web, almost instantly, using the same approach.
See what he means by “A disaster waiting to happen?”