August 30, 2008

Revealed: The Internet’s Biggest Security Hole

By Kim Zetter
August 26, 2008 | 8:00:00

Two security researchers have demonstrated a new technique to stealthily intercept internet traffic on a scale previously presumed to be unavailable to anyone outside of intelligence agencies like the National Security Agency.

The tactic exploits the internet routing protocol BGP (Border Gateway Protocol) to let an attacker surreptitiously monitor unencrypted internet traffic anywhere in the world, and even modify it before it reaches its destination.

The demonstration is only the latest attack to highlight fundamental security weaknesses in some of the internet's core protocols. Those protocols were largely developed in the 1970s with the assumption that every node on the then-nascent network would be trustworthy. The world was reminded of the quaintness of that assumption in July, when researcher Dan Kaminsky disclosed a serious vulnerability in the DNS system. Experts say the new demonstration targets a potentially larger weakness.

"It's a huge issue. It's at least as big an issue as the DNS issue, if not bigger," said Peiter "Mudge" Zatko, noted computer security expert and former member of the L0pht hacking group, who testified to Congress in 1998 that he could bring down the internet in 30 minutes using a similar BGP attack, and disclosed privately to government agents how BGP could also be exploited to eavesdrop. "I went around screaming my head about this about ten or twelve years ago…. We described this to intelligence agencies and to the National Security Council, in detail."

The man-in-the-middle attack exploits BGP to fool routers into re-directing data to an eavesdropper's network.

Anyone with a BGP router (ISPs, large corporations or anyone with space at a carrier hotel) could intercept data headed to a target IP address or group of addresses. The attack intercepts only traffic headed to target addresses, not from them, and it can't always vacuum in traffic within a network — say, from one AT&T customer to another.

The method conceivably could be used for corporate espionage, nation-state spying or even by intelligence agencies looking to mine internet data without needing the cooperation of ISPs.

BGP eavesdropping has long been a theoretical weakness, but no one is known to have publicly demonstrated it until Anton "Tony" Kapela, data center and network director at 5Nines Data, and Alex Pilosov, CEO of Pilosoft, showed their technique at the recent DefCon hacker conference. The pair successfully intercepted traffic bound for the conference network and redirected it to a system they controlled in New York before routing it back to DefCon in Las Vegas.

The technique, devised by Pilosov, doesn't exploit a bug or flaw in BGP. It simply exploits the natural way BGP works.

"We're not doing anything out of the ordinary," Kapela told Wired.com. "There's no vulnerabilities, no protocol errors, there are no software problems. The problem arises (from) the level of interconnectivity that's needed to maintain this mess, to keep it all working."

The issue exists because BGP's architecture is based on trust. To make it easy, say, for e-mail from Sprint customers in California to reach Telefonica customers in Spain, networks for these companies and others communicate through BGP routers to indicate when they're the quickest, most efficient route for the data to reach its destination. But BGP assumes that when a router says it's the best path, it's telling the truth. That gullibility makes it easy for eavesdroppers to fool routers into sending them traffic.

Here's how it works. When a user types a website name into his browser or clicks "send" to launch an e-mail, a Domain Name System server produces an IP address for the destination. A router belonging to the user's ISP then consults a BGP table for the best route. That table is built from announcements, or "advertisements," issued by ISPs and other networks — also known as Autonomous Systems, or ASes — declaring the range of IP addresses, or IP prefixes, to which they'll deliver traffic.

The router searches the table for the destination IP address among those prefixes. If two ASes deliver to the address, the one with the more specific prefix "wins" the traffic. For example, one AS may advertise that it delivers to a group of 90,000 IP addresses, while another delivers to a subset of 24,000 of those addresses. If the destination IP address falls within both announcements, BGP will send data to the narrower, more specific one.

To intercept data, an eavesdropper would advertise a range of IP addresses he wished to target that was narrower than the chunk advertised by other networks. The advertisement would take just minutes to propagate worldwide, before data headed to those addresses would begin arriving at his network.

The attack is called an IP hijack and, on its face, isn't new.

But in the past, known IP hijacks have created outages, which, because they were so obvious, were quickly noticed and fixed. That's what occurred earlier this year when Pakistan Telecom inadvertently hijacked YouTube traffic from around the world. The traffic hit a dead-end in Pakistan, so it was apparent to everyone trying to visit YouTube that something was amiss.

Pilosov's innovation is to forward the intercepted data silently to the actual destination, so that no outage occurs.

Ordinarily, this shouldn't work — the data would boomerang back to the eavesdropper. But Pilosov and Kapela use a method called AS path prepending that causes a select number of BGP routers to reject their deceptive advertisement. They then use these ASes to forward the stolen data to its rightful recipients.

"Everyone … has assumed until now that you have to break something for a hijack to be useful," Kapela said. "But what we showed here is that you don't have to break anything. And if nothing breaks, who notices?"

Stephen Kent, chief scientist for information security at BBN Technologies, who has been working on solutions to fix the issue, said he demonstrated a similar BGP interception privately for the Departments of Defense and Homeland Security a few years ago.

Kapela said network engineers might notice an interception if they knew how to read BGP routing tables, but it would take expertise to interpret the data.

A handful of academic groups collect BGP routing information from cooperating ASes to monitor BGP updates that change traffic's path. But without context, it can be difficult to distinguish a legitimate change from a malicious hijacking. There are reasons traffic that ordinarily travels one path could suddenly switch to another — say, if companies with separate ASes merged, or if a natural disaster put one network out of commission and another AS adopted its traffic. On good days, routing paths can remain fairly static. But "when the internet has a bad hair day," Kent said, "the rate of (BGP path) updates goes up by a factor of 200 to 400."

Kapela said eavesdropping could be thwarted if ISPs aggressively filtered to allow only authorized peers to draw traffic from their routers, and only for specific IP prefixes. But filtering is labor intensive, and if just one ISP declines to participate, it "breaks it for the rest of us," he said.

"Providers can prevent our attack absolutely 100 percent," Kapela said. "They simply don't because it takes work, and to do sufficient filtering to prevent these kinds of attacks on a global scale is cost prohibitive."

Filtering also requires ISPs to disclose the address space for all their customers, which is not information they want to hand competitors.

Filtering isn't the only solution, though. Kent and others are devising processes to authenticate ownership of IP blocks, and validate the advertisements that ASes send to routers so they don't just send traffic to whoever requests it.

Under the scheme, the five regional internet address registries would issue signed certificates to ISPs attesting to their address space and AS numbers. The ASes would then sign an authorization to initiate routes for their address space, which would be stored with the certificates in a repository accessible to all ISPs. If an AS advertised a new route for an IP prefix, it would be easy to verify if it had the right to do so.

The solution would authenticate only the first hop in a route to prevent unintentional hijacks, like Pakistan Telecom's, but wouldn't stop an eavesdropper from hijacking the second or third hop.

For this, Kent and BBN colleagues developed Secure BGP (SBGP), which would require BGP routers to digitally sign with a private key any prefix advertisement they propagated. An ISP would give peer routers certificates authorizing them to route its traffic; each peer on a route would sign a route advertisement and forward it to the next authorized hop.

"That means that nobody could put themselves into the chain, into the path, unless they had been authorized to do so by the preceding AS router in the path," Kent said.
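The routing behaviour described above (the more specific prefix wins), the registry-based origin check, its limitation to the originating AS, and the hop-by-hop authorization of Secure BGP can all be seen in a small model. The block below is an added example written for this page; it is not code from the researchers, BBN or any router vendor. It assumes RFC 5737 documentation prefixes and RFC 5398 documentation AS numbers, and it stands in for signed certificates with plain set membership, so it shows the logic of each check and nothing about real key handling.

```python
"""Toy model of BGP longest-prefix selection plus the validation schemes the
article describes. Constructed example: documentation prefixes (RFC 5737) and
documentation AS numbers (RFC 5398); authorizations are plain sets, not
real signatures."""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Optional

@dataclass(frozen=True)
class Announcement:
    prefix: str        # advertised IP prefix, e.g. "198.51.100.0/24"
    as_path: tuple     # AS path as received; the LAST element is the origin AS

@dataclass(frozen=True)
class Roa:
    """Route Origin Authorization: which AS may originate a prefix, and how
    specific an announcement under that prefix may be (max_length)."""
    prefix: str
    max_length: int
    origin_as: int

def best_route(rib: Iterable[Announcement], dest_ip: str) -> Optional[Announcement]:
    """Longest-prefix match: among the announcements covering dest_ip, the
    most specific one (largest prefix length) wins the traffic."""
    ip = ipaddress.ip_address(dest_ip)
    covering = [a for a in rib if ip in ipaddress.ip_network(a.prefix)]
    if not covering:
        return None
    return max(covering, key=lambda a: ipaddress.ip_network(a.prefix).prefixlen)

def validate_origin(ann: Announcement, roas: Iterable[Roa]) -> str:
    """Origin validation (the registry/certificate scheme). 'valid' if a ROA
    covers the prefix, the announcement is no more specific than the ROA
    allows, and the origin AS matches; 'invalid' if ROAs cover the prefix but
    none matches; 'unknown' if no ROA covers it. Only the origin is checked."""
    net = ipaddress.ip_network(ann.prefix)
    origin = ann.as_path[-1]
    covered = False
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix)
        if net.version != roa_net.version or not net.subnet_of(roa_net):
            continue
        covered = True
        if net.prefixlen <= roa.max_length and origin == roa.origin_as:
            return "valid"
    return "invalid" if covered else "unknown"

def validate_path(ann: Announcement, authorized: set) -> bool:
    """Path validation in the spirit of Secure BGP: walking outward from the
    origin, every hop must have been authorized by the AS before it.
    `authorized` holds (from_as, to_as) pairs standing in for certificates."""
    path = list(reversed(ann.as_path))   # origin first
    return all((path[i], path[i + 1]) in authorized for i in range(len(path) - 1))

def peer_filter(peer_as: int, ann: Announcement, allowed: dict) -> bool:
    """Ingress prefix filtering: accept an announcement from a peer only if
    it falls inside a prefix that peer is registered to send us."""
    net = ipaddress.ip_network(ann.prefix)
    return any(net.subnet_of(ipaddress.ip_network(p)) for p in allowed.get(peer_as, ()))

# --- constructed sample data (hypothetical ASes and authorizations) ---
ROAS = [Roa("198.51.100.0/24", 24, 64496)]          # AS 64496 may originate exactly the /24
AUTHORIZED_HOPS = {(64496, 64510), (64510, 64511)}  # 64496 authorized 64510; 64510 authorized 64511
PEER_PREFIXES = {64510: ["198.51.100.0/24"], 64509: ["203.0.113.0/24"]}

LEGIT = Announcement("198.51.100.0/24", (64511, 64510, 64496))                 # via 64511 <- 64510 <- origin 64496
MORE_SPECIFIC = Announcement("198.51.100.0/25", (64509, 64500))                # narrower prefix, other origin
LEGIT_ORIGIN_BAD_PATH = Announcement("198.51.100.0/24", (64509, 64500, 64496)) # right origin, unauthorized hop

def demo() -> dict:
    rib = [LEGIT, MORE_SPECIFIC]
    return {
        "winner_for_.10": best_route(rib, "198.51.100.10").prefix,    # /25 covers .0-.127 and wins
        "winner_for_.200": best_route(rib, "198.51.100.200").prefix,  # only the /24 covers .200
        "origin_legit": validate_origin(LEGIT, ROAS),
        "origin_more_specific": validate_origin(MORE_SPECIFIC, ROAS),           # flagged: /25 exceeds max_length
        "origin_bad_path": validate_origin(LEGIT_ORIGIN_BAD_PATH, ROAS),        # passes: origin alone is checked
        "path_legit": validate_path(LEGIT, AUTHORIZED_HOPS),
        "path_bad": validate_path(LEGIT_ORIGIN_BAD_PATH, AUTHORIZED_HOPS),      # caught by hop-by-hop check
        "filter_from_64510": peer_filter(64510, LEGIT, PEER_PREFIXES),
        "filter_from_64509": peer_filter(64509, MORE_SPECIFIC, PEER_PREFIXES),  # rejected at ingress
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running `demo()` shows the three layers the article contrasts: the /25 wins the lookup for an address it covers, origin validation flags it because it is more specific than the authorization allows, yet an announcement with the correct origin and an unauthorized hop in its path passes origin validation and is caught only by the path check. The `peer_filter` function is the per-peer prefix filtering the article says would stop the attack outright if every provider applied it.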

The drawback to this solution is that current routers lack the memory and processing power to generate and validate signatures. And router vendors have resisted upgrading them because their clients, ISPs, haven't demanded it, due to the cost and man hours involved in swapping out routers.

Douglas Maughan, cybersecurity research program manager for the DHS's Science and Technology Directorate, has helped fund research at BBN and elsewhere to resolve the BGP issue. But he's had little luck convincing ISPs and router vendors to take steps to secure BGP.

"We haven't seen the attacks, and so a lot of times people don't start working on things and trying to fix them until they get attacked," Maughan said. "(But) the YouTube (case) is the perfect example of an attack where somebody could have done much worse than what they did."

ISPs, he said, have been holding their breath, "hoping that people don’t discover (this) and exploit it."

"The only thing that can force them (to fix BGP) is if their customers … start to demand security solutions," Maughan said.


Comcast to enforce 250GB monthly bandwidth cap

By Justin Mann, TechSpot.com
Published: August 28, 2008, 7:55 PM EST

After months upon months of debates, inquisitions, rumors and much more, the final outcome of the Comcast vs. the Internet fiasco looks like it's about to be resolved. Comcast has confirmed earlier rumors about bandwidth caps, and is now going to implement them.

Starting October 1st, Comcast will begin enforcing a 250GB monthly bandwidth cap. The cap, they say, will satisfy the overwhelming majority of their users given that the median consumption rate is only about 2-3 GB per month. From many perspectives, this is a fair amount. Even if you are an avid Netflix user and stream like crazy, download a lot of music, and spend 12 hours a day on YouTube, you'd be hard pressed to chew up 250GB of data in a month. For those that do, however, there's definitely going to be some backlash.

Whether or not people will agree with the cap, at least it's good and correct for customers to acknowledge what the set limitation is. Formerly, Comcast would simply fine or cancel accounts that consumed too much bandwidth (in their opinion) never telling customers how much that was anyway.


August 20, 2008

What is DSL?

Q:
I know this probably seems very basic, but what is DSL?

A:
No, that's an excellent question! I'm sure you're not the only one who has been wondering about that. Everyone else was probably too scared to ask, so I'm really glad you did. We here at WorldStart have done a few tips on DSL before, but we've never really given you a definition. So, if you're curious about what DSL really is, you've come to the right place. Here's a brief explanation just for you!

DSL stands for digital subscriber line and it's basically a type of broadband Internet access that is simply carried over a regular phone line. DSL delivers a high-speed service and it's high on the list when compared to other broadband providers. The only common feature between DSL and dial-up is that DSL also requires its own modem, but you still cannot get a DSL signal from a conventional dial-up modem.

DSL works with unused frequencies to make a direct link from the provider to the subscriber (you!). It has been around for over two decades and it's just now becoming one of the more popular Internet access points. If you're interested in getting DSL for your home, check your local phonebook for providers. If you have any questions, give them a call and they should be able to answer all of them for you.

So, the only question that remains is: "Are you a DSL user?!"


July 11, 2008

Rights like free speech don’t always extend online

By ANICK JESDANUN | AP Internet Writer

10:38 AM EDT, July 7, 2008

NEW YORK

Rant all you want in a public park. A police officer generally won't eject you for your remarks alone, however unpopular or provocative.

Say it on the Internet, and you'll find that free speech and other constitutional rights are anything but guaranteed.

Companies in charge of seemingly public spaces online wipe out content that's controversial but otherwise legal. Service providers write their own rules for users worldwide and set foreign policy when they cooperate with regimes like China. They serve as prosecutor, judge and jury in handling disputes behind closed doors.

The governmental role that companies play online is taking on greater importance as their services — from online hangouts to virtual repositories of photos and video — become more central to public discourse around the world. It's a fallout of the Internet's market-driven growth, but possible remedies, including government regulation, can be worse than the symptoms.

Dutch photographer Maarten Dors met the limits of free speech at Yahoo Inc.'s photo-sharing service, Flickr, when he posted an image of an early-adolescent boy with disheveled hair and a ragged T-shirt, staring blankly with a lit cigarette in his mouth.

Without prior notice, Yahoo deleted the photo on grounds it violated an unwritten ban on depicting children smoking. Dors eventually convinced a Yahoo manager that — far from promoting smoking — the photo had value as a statement on poverty and street life in Romania. Yet another employee deleted it again a few months later.

"I never thought of it as a photo of a smoking kid," Dors said. "It was just of a kid in Romania and how his life is. You can never make a serious documentary if you always have to think about what Flickr will delete."

There may be legitimate reasons to take action, such as to stop spam, security threats, copyright infringement and child pornography, but many cases aren't clear-cut, and balancing competing needs can get thorny.

"We often get caught in the middle between a rock and a hard place," said Christine Jones, general counsel with service provider GoDaddy.com Inc. "We're obviously sensitive to the freedoms we have, particularly in this country, to speak our mind, (yet) we want to be good corporate citizens and make the Internet a better and safer place."

In Dors' case, the law is fully with Yahoo. Its terms of service, similar to those of other service providers, gives Yahoo "sole discretion to pre-screen, refuse or remove any content." Service providers aren't required to police content, but they aren't prohibited from doing so.

While mindful of free speech and other rights, Yahoo and other companies say they must craft and enforce guidelines that go beyond legal requirements to protect their brands and foster safe, enjoyable communities — ones where minors may be roaming.

Guidelines help "engender a positive community experience," one to which users will want to return, said Anne Toth, Yahoo's vice president for policy.

Dors ultimately got his photo restored a second time, and Yahoo has apologized, acknowledging its community managers went too far.

Heather Champ, community director for Flickr, said the company crafts policies based on feedback from users and trains employees to weigh disputes fairly and consistently, though mistakes can happen.

"We're humans," she said. "We're pretty transparent when we make mistakes. We have a record of being good about stepping up and fessing up."

But that underscores another consequence of having online commons controlled by private corporations. Rules aren't always clear, enforcement is inconsistent, and users can find content removed or accounts terminated without a hearing. Appeals are solely at the service provider's discretion.

Users get caught in the crossfire as hundreds of individual service representatives apply their own interpretations of corporate policies, sometimes imposing personal agendas or misreading guidelines.

To wit: Verizon Wireless barred an abortion-rights group from obtaining a "short code" for conducting text-messaging campaigns, while LiveJournal suspended legitimate blogs on fiction and crime victims in a crackdown on pedophilia. Two lines criticizing President Bush disappeared from AT&T Inc.'s webcast of a Pearl Jam concert. All three decisions were reversed only after senior executives intervened amid complaints.

Inconsistencies and mysteries behind decisions lead to perceptions that content is being stricken merely for being unpopular.

"As we move more of our communications into social networks, how are we limiting ourselves if we can't see alternative points of view, if we can't see the things that offend us?" asked Fred Stutzman, a University of North Carolina researcher who tracks online communities.

First Amendment protections generally do not extend to private property in the physical world, allowing a shopping mall to legally kick out a customer wearing a T-shirt with a picture of a smoking child.

With online services becoming greater conduits than shopping malls for public communications, however, some advocacy groups believe the federal government needs to guarantee open access to speech. That, of course, could also invite meddling by the government, the way broadcasters now face indecency and other restrictions that are criticized as vague.

Others believe companies shouldn't police content at all, and if they do, they should at least make clearer the rules and the mechanisms for appeal.

"Vagueness does not inspire the confidence of people and leaves room for gaming the system by outside groups," said Lauren Weinstein, a veteran computer scientist and Internet activist. "When the rules are clear and the grievance procedures are clear, then people know what they are working with and they at least have a starting point in urging changes in those rules."

But Marjorie Heins, director of the Free Expression Policy Project, questions whether the private sector is equipped to handle such matters at all. She said written rules mean little when service representatives applying them "tend to be tone-deaf. They don't see context."

At least when a court order or other governmental action is involved, "there's more of a guarantee of due process protections," said Robin Gross, executive director of the civil-liberties group IP Justice. With a private company, users' rights are limited to the service provider's contractual terms of services.

Jonathan Zittrain, a Harvard professor who recently published a book on threats to the Internet's openness, said parties unhappy with sensitive materials online are increasingly aware they can simply pressure service providers and other intermediaries.

"Going after individuals can be difficult. They can be hard to find. They can be hard to sue," Zittrain said. "Intermediaries still have a calculus where if a particular Web site is causing a lot of trouble … it may not be worth it to them."

Unable to stop purveyors of child pornography directly, New York Attorney General Andrew Cuomo recently persuaded three major access providers to disable online newsgroups that distribute such images. But rather than cut off those specific newsgroups, all three decided to reduce administrative hassles by also disabling thousands of legitimate groups devoted to TV shows, the New York Mets and other topics.

Gordon Lyon, who runs a site that archives e-mail postings on security, found his domain name suddenly deactivated because one entry contained MySpace passwords obtained by hackers.

He said MySpace went directly to domain provider GoDaddy, which effectively shut down his entire site, rather than contact him to remove the one posting or replace passwords with asterisks. GoDaddy justified such drastic measures, saying that waiting to reach Lyon would have unnecessarily exposed MySpace passwords, including those to profiles of children.

Meanwhile, in response to complaints it would not specify, Network Solutions LLC decided to suspend a Web hosting account that Dutch filmmaker Geert Wilders was using to promote a movie that criticizes the Quran — before the movie was even posted and without the company finding any actual violation of its rules.

Service providers say unhappy customers can always go elsewhere, but choice is often limited.

Many leading services, particularly online hangouts like Facebook and News Corp.'s MySpace or media-sharing sites such as Flickr and Google Inc.'s YouTube, have acquired a cachet that cannot be replicated. To evict a user from an online community would be like banishing that person to the outskirts of town.

Other sites "don't have the critical mass. No one would see it," said Scott Kerr, a member of the gay punk band Kids on TV, which found its profile mysteriously deleted from MySpace last year. "People know that MySpace is the biggest site that contains music."

MySpace denies engaging in any censorship and says profiles removed are generally in response to complaints of spam and other abuses. GoDaddy also defends its commitment to speech, saying account suspensions are a last resort.

Few service providers actively review content before it gets posted and usually take action only in response to complaints.

In that sense, Flickr, YouTube and other sites consider their reviews "checks and balances" against any community mob directed at unpopular speech — YouTube has pointedly refused to delete many video clips tied to Muslim extremists, for instance, because they didn't specifically contain violence or hate speech.

Still, should these sites even make such rules? And how can they ensure the guidelines are consistently enforced?

YouTube has policies against showing people "getting hurt, attacked or humiliated," banning even clips OK for TV news shows, but how is YouTube to know whether a video clip shows real violence or actors portraying it? Either way, showing the video is legal and may provoke useful discussions on brutality.

"Balancing these interests raises very tough issues," YouTube acknowledged in a statement.

Unwilling to play the role of arbiter, the group-messaging service Twitter has resisted pressure to tighten its rules.

"What counts as name-calling? What counts as making fun of someone in a way that's good-natured?" said Jason Goldman, Twitter's director of program management. "There are sites that do employ teams of people that do that investigation … but we feel that's a job we wouldn't do well."

Other sites are trying to be more transparent in their decisions.

Online auctioneer eBay Inc., for instance, has elaborated on its policies over the years, to the extent that sellers can drill down to where they can ship hatching eggs (U.S. addresses only) and what items related to natural disasters are permissible (they must have "substantial social, artistic or political value"). Hypothetical examples accompany each policy.

LiveJournal has recently eased restrictions on blogging. The new harassment clause, for instance, expressly lets members state negative feelings or opinions about another, and parodies of public figures are now permitted despite a ban on impersonation. Restrictions on nudity specifically exempt non-sexualized art and breast feeding.

The site took the unusual step of soliciting community feedback and setting up an advisory board with prominent Internet scholars such as Danah Boyd and Lawrence Lessig and two user representatives elected in May.

The effort comes just a year after a crackdown on pedophilia backfired. LiveJournal suspended hundreds of blogs that dealt with child abuse and sexual violence, only to find many were actually fictional works or discussions meant to protect children. The company's chief executive issued a public apology.

Community backlash can restrain service providers, but as Internet companies continue to consolidate and Internet users spend more time using vendor-controlled platforms such as mobile devices or social-networking sites, the community's power to demand free speech and other rights diminishes.

Weinstein, the veteran computer scientist, said that as people congregate at fewer places, "if you're knocked off one of those, in a lot of ways you don't exist."


June 10, 2008

AT&T: Internet to hit full capacity by 2010

Posted on ZDNet News: Apr 18, 2008 2:17:00 PM

U.S. telecommunications giant AT&T has claimed that, without investment, the Internet's current network architecture will reach the limits of its capacity by 2010.

Speaking at a Westminster eForum on Web 2.0 this week in London, Jim Cicconi, vice president of legislative affairs for AT&T, warned that the current systems that constitute the Internet will not be able to cope with the increasing amounts of video and user-generated content being uploaded.

"The surge in online content is at the center of the most dramatic changes affecting the Internet today," he said. "In three years' time, 20 typical households will generate more traffic than the entire Internet today."

Cicconi, who was speaking at the event as part of a wider series of meetings with U.K. government officials, said that at least $55 billion worth of investment was needed in new infrastructure in the next three years in the U.S. alone, with the figure rising to $130 billion to improve the network worldwide. "We are going to be butting up against the physical capacity of the Internet by 2010," he said.

He claimed that the "unprecedented new wave of broadband traffic" would increase 50-fold by 2015 and that AT&T is investing $19 billion to maintain its network and upgrade its backbone network.

Cicconi added that more demand for high-definition video will put an increasing strain on the Internet infrastructure. "Eight hours of video is loaded onto YouTube every minute. Everything will become HD very soon, and HD is 7 to 10 times more bandwidth-hungry than typical video today. Video will be 80 percent of all traffic by 2010, up from 30 percent today," he said.

The AT&T executive pointed out that the Internet exists, thanks to the infrastructure provided by a group of mostly private companies. "There is nothing magic or ethereal about the Internet–it is no more ethereal than the highway system. It is not created by an act of God, but upgraded and maintained by private investors," he said.

Although Cicconi's speech did not explicitly refer to the term "Net neutrality," some audience members tackled him on the issue in a question-and-answer session, asking whether the subtext of his speech was really around prioritizing some kinds of traffic. Cicconi responded by saying he believed government intervention in the Internet was fundamentally wrong.

"I think people agree why the Internet is successful. My personal view is that government has widely chosen to…keep a light touch and let innovators develop it," he said. "The reason I resist using the term 'Net neutrality' is that I don't think government intervention is the right way to do this kind of thing. I don't think government can anticipate these kinds of technical problems. Right now, I think Net neutrality is a solution in search of a problem."

Net neutrality refers to an ongoing campaign calling for governments to legislate to prevent Internet service providers from charging content providers for prioritization of their traffic. The debate is more heated in the United States than in the United Kingdom because there is less competition between ISPs in the States.

Content creators argue that Net neutrality should be legislated in order to protect consumers and keep all Internet traffic equal. Network operators and service providers argue that the Internet is already unequal, and certain types of traffic–VoIP, for example–require prioritization by default.

"However well-intentioned, regulatory restraints can inefficiently skew investment, delay innovation, and diminish consumer welfare, and there is reason to believe that the kinds of broad marketplace restrictions proposed in the name of 'neutrality' would do just that, with respect to the Internet," the U.S. Department of Justice said in a statement last year.

The BBC has come under fire from service providers such as Tiscali, which claim that its iPlayer online-TV service is becoming a major drain on network bandwidth.

In a recent posting on his BBC blog, Ashley Highfield, the corporation's director of future media and technology, defended the iPlayer: "I would not suggest that ISPs start to try and charge content providers. They are already charging their customers for broadband to receive any content they want."

Andrew Donoghue
