Final IPv4 addresses distributed

The final blocks of IPv4 protocol addresses have been allocated by IANA, the keeper of Internet addresses. For internet users this is a non-event, but from a technical standpoint, as Network World notes, IPv4's finale 'one of the most important days of the Internet'.

Rapid growth in Internet usage used up the last blocks of the roughly 4.2 billion original 32 bit IP addresses (known as IPv4). These addresses are the numbers used by the DNS to identify devices connected to the Internet. This day was predicted with considerable accuracy.

As the final Ipv4 addresses within these blocks are doled out it will be necessary to use the IPv6 protocol for IP addresses. This has already started, primarily in the Far East. With 2¹²⁸ of addresses, we will never run out. Additionally, IPv6 is a more secure protocol and has other benefits for those that operate the internet. However, there are older servers, firewalls, load balancers, DNS servers, and other devices and software that may not be ready for IPv6 traffic or that do not handle both IPv4 ad IPv6 traffic gracefully. And both protocols will need to be supported seamlessly for some time.

For consumers this should be a non-event as the people who run the Internet have done an excellent job of staying ahead of the game with these changes. But it is quite a milestone when one considers just how interconnected the world has become.

Denial of Service Attacks from Authoritarian Governments

Today's New York Times editorial "How the Kremlin Harnesses the Internet" highlights another dimension - government censorship and intimidation - that goes beyond the denial of service (DoS) attack wars that have been waged over Wikileaks/Operation Payback and certain file sharing web sites during the past month or more.

The Wikileaks incidents focused on PayPal, VISA, Mastercard and other sites that shut off payment services for Wikileaks supporters. The fact that a disorganized group of supporters could knock out service to these sites is amazing, but consider how life would be if there was a real but non-violent threat from a nation state. And there are at least several dozen countries that could mount a credible attack.

A targeted  DoS attack could take down GPS services, making navigation systems inoperable. It could disable banking communications, making credit card transactions or (as happened with the Wikileaks attacks) make verification impossible. One type of attack uses SMS messaging, which could render texting inoperable. (OK, maybe these attacks are not all bad.) Our daily routine would not be the same and he world economy would be seriously disrupted by even a brief outage of the Internet.

NPR had a segment today about the Estonian government, which has been the victim of DoS attacks in the past. Time has a related article:  Estonia Considers a Nerd Draft to Staff Cyber Army. I think a volunteer group would be much more effective and motivated.

What would be even better is for service providers to care about denial of service attacks and demand that Infrastructure and networking products (like DNS) have built in denial of service attack protection. There are products with these features on the market today and they are less expensive than competing products with no protection.

DNSSEC deployed in the .net domain as demand for DNSSEC grows

It was announced today the DNS security extensions have been deployed in the .net domain. This is the next to last big top level domain to adopt DNSSEC, with only the .com zone remaining. It is expected that .com will be signed in March of 2011. This is a big milestone for improving cyber security.

The timing is excellent given that the the recent WikiLeaks attacks have generated a lot of concern about the sorry state of Internet security. DNSSEC stops cache poisoning and man in the middle attacks and enables many other improvements in online and email security and privacy. 

A recent survey of businesses by Forrester Research (sponsored by Verisign, the operator of the .net and .com domains) found significant demand for DNSSEC among businesses. Details from the study will be released next week.

WikiLeaks cyber attacks expand

I'm not sure it makes sense for me to continue to post on this topic since mainstream media is now reporting on the attacks continuously. I wish I was at the ICANN meeting underway in Cartagena to hear the banter on this topic. ICANN is the governing body of the DNS.

According to Reuters, the attacks against WikiLeaks perceived enemies continue to increase. I get a Google Alert on denial of service attacks and the list of articles today is the longest I have ever seen.

Reuters also has a layman's guide to how these attacks are so easy to carry out:   Factbox: How cyber activists bring down a website. This is a very unsophisicated attack yet it is meeting with notable success, taking down the Swedish government website and even Sarah Palin. This has to be the first and only time both Sweden and Sarah have been attacked by the same group.

So far we don't have any power grids going down and most of the sites attacked have been able to recover relatively quickly. So I think I will retire this topic for the time being.

Operation Payback: WikiLeaks Defenders take down VISA site and others

A distributed denial of service (DDoS) attack is underway at visa.com. The attack is driven by Operation Payback, the defenders of WikiLeaks. Here is a current article from The Business Insider: BOOM: Visa.com Drops Dead Instantly After Hackers Attack. It looks like a seesaw battle at this point.

They attacked Mastercard successfully yesterday. There is more on Operation Payback here, and here.

As time passes there will be more information about the scale of these attacks but clearly many sites lack adequate protection from DDoS attacks. The web is also facing the seasonal traffic spike that is being exacerbated by spectacular growth in video and music streaming (see a video here and become part of the problem). PDAs and smartphones also put a load on traffic and everything is going to 4G, which is all IP (Internet Protocol) and so will stress networks further.

DDoS attacks are for the most part simply annoying, but imagine if you could not access a GPS system for directions or you could not use your credit card or access you bank while travelling. Even a several minute drop in service is not acceptable. But deployment of real defenses is just starting.

As a software vendor that builds DDoS mitigation into all of our products, it galls me that current solutions are so pathetically incapable of stopping these attacks.

Stay tuned, this one is not over. 

What have we learned from WikiLeaks?

The WikiLeaks disclosures are either the greatest benefit or the worse damage to freedom in 2010, depending on your political point of view. The disclosures have been embarrassing but also informative.

What is indisputable is the almost total lack of security over vast amounts of sensitive data residing on US government computers. If a low ranking individual can gain undetected access and copy information so easily, it is hard to imagine that more sensitive information is better protected.

There is a very simple and low cost solution to the problem: encrypt all but the least sensitive emails. This will be easier than today in the very near future.

What is also apparent is the continuing threat from distributed denial of service (DDOS) attacks. These attacks have been unable to stop WikiLeaks, but they have knocked down several other sites recently.

DDoS has gone commercial, with vendors offering their botnet services for a fee: New botnet comes to the fore. If there is money to be made, and with DDoS attacks there is, there will always be someone willing to provide a service.

Scientific American tells us why WikiLeaks has not been stopped: How has WikiLeaks Managed to Keep Its Web Site Up and Running? 

Over the past week, the WikiLeaks Web site has been brought down due to distributed denial-of-service (DOS) attacks, and then subsequently brought back online. What tools and techniques are available to Web sites to enable them to route and re-route access?
One tool is redirection, where you could have 10 different Web site addresses set up that send you to a particular location. [For example, readers who visit SciAm.com will automatically be redirected to ScientificAmerican.com.] Another option is to set up mirror sites—if the core Web server goes down, there's another Web server at a different location that will have the exact same look, feel and content. Redirects and mirror sites are common and they're necessary in order to run a legitimate business online.

Beyond the proactive steps that can be taken, the Web keeps a cache of data even after it has been taken offline. Google is a perfect example of a data cache—it doesn't actually go out on the Internet and crawl with its crawling capabilities to go find what you're looking for and bring it back to you each time you do a search. It's already done that; it's spent hours and hours of background computing time crawling the Web, sorting it and organizing it, putting it in a way that when you search for something, Google goes into its own cached data set to find it. The history maintained by your Web browser is another example of a data cache. In addition, some Web searches will return listings containing a "cached" hyperlink. When you click on that link, the original site may not exist, but the cache may still be there. It can take anywhere from three months to a year for Web browsers to re-crawl the Internet and update their cache to shed deleted Web pages.

Malicious hackers use these methods as well as proxy servers to obfuscate the location of their data and avoid prosecution. Are there legitimate uses for proxies, redirection, mirror sites and data caches?
A lot of legitimate sites use proxy servers, for example, because they keep data requests from being bottlenecked at a single server and make data flow faster. This can also be used to hide your location, which is useful when you're operating a controversial site and are worried about it being attacked or vandalized online. You could be standing up for a cause that you believe in such as gay rights and you have a Web site dedicated to that, but you're worried that people against your cause will try to take your site down. Then you would want to try to use proxies and route the data traffic to other locations, jump from one router to another and put the site behind a caching wall. You use multiple layers of security to protect yourself. Of course, proxy servers are also used by those doing things that are illegal to help avoid prosecution.

EveryDNS.net, a provider of domain name system [DNS] service that routes Internettraffic from domain names to IP addresses, dropped the WikiLeaks.org account last week. EveryDNS.net does not host content, however, so what did this action mean for WikiLeaks?
Basically if you don't have a DNS provider, nobody can find you. When you punch in wikiLeaks.org, your system says, I need to go find wikiLeaks.org, so it goes to a DNS provider that says, "I can point you to that direction." When you take that away that DNS provider there's nobody telling the  computer where to go to retrieve it. You in essence go dark.

WikiLeaks has the infrastructure to enable their data to persist despite the efforts of several governments and commercial companies. Few businesses have these resources, and using a service provider has its own risks. DDoS attacks continue to be a menace and all Internet software should include protections from these attacks.

The Scientific American article sums up the lack of information security and some lessons for everyone who uses the Internet:

What does the WikiLeaks incident tell people about the way information lives on the Internet and what lesson should be learned here?
The message is loud and clear to individuals, businesses and the government. On your laptop you should have a sentence taped to the top of your screen that says, "Before I hit send, do I want to see this on the front page of The New York Times or in Scientific American?" Once you hit send and send it to the Internet world, it's going to be persistent and in many ways permanent. If you don't put certain information onto the public Net, you're not going to have this problem in the first place. The message to the government is that, as much as it wants to embrace the digital world, it still needs to take almost a pause and look at the data they have and consider whether that data should be stored in digital form. If it is going to go into digital form, then there's a very long list of security measures that the government needs to be focused on. The government really needs to be on a red alert status when it comes to protecting their top-secret information.

 

 

Massive traffic hijack highlight's Internet vulnerabilities

This article is cross posted from Paths2Trust. It was prompted by an article in National DEFENSE:

 Cyber Experts Have Proof That China Has Hijacked U.S.-Based Internet Traffic

Key takeaways are that we are not secure online, and nation states have capabilities well beyond those of even organized criminals. But currently tools, including DNSSEC, can provide a simple and cost effective way to improve security and authentication.

The article begins:

For 18 minutes in April, China’s state-controlled telecommunications company hijacked 15 percent of the world’s Internet traffic, including data from U.S. military, civilian organizations and those of other U.S. allies.

This massive redirection of data has received scant attention in the mainstream media because the mechanics of how the hijacking was carried out and the implications of the incident are difficult for those outside the cybersecurity community to grasp, said a top security expert at McAfee, the world’s largest dedicated Internet security company.

In short, the Chinese could have carried out eavesdropping on unprotected communications — including emails and instant messaging — manipulated data passing through their country or decrypted messages, Dmitri Alperovitch, vice president of threat research at McAfee said.

Nobody outside of China can say, at least publicly, what happened to the terabytes of data after the traffic entered China.

Said Alperovitch: “This is one of the biggest — if not the biggest hijacks — we have ever seen.” And it could happen again, anywhere and anytime. It’s just the way the Internet works, he explained. “What happened to the traffic while it was in China? No one knows.”

The telephone giants of the world work on a system based on trust, he explained. Machine-to-machine interfaces send out messages to the Internet informing other service providers that they are the fastest and most efficient way for data packets to travel. For 18 minutes April 8, China Telecom Corp. told many ISPs of the world that its routes were the best paths to send traffic.

For example, a person sending information from Arlington, Va., to the White House in Washington, D.C. — only a few miles away — could have had his data routed through China. Since traffic moves around the world in milliseconds, the computer user would not have noticed the delay.

From Paths2Trust: Urgently Needed Chains of Trust

My previous two posts focused upon chains of trust - the first upon promising benefits of the emerging DNSSEC chain of trust and essential concomitant software chains of trust;  the second upon system architectural capabilities needed to actualize the benefits of software chains of trust.  The focus of this post is upon two other crucial chains of trust that presently are inadequate or non-existent in networked systems.

Needs for software and other critical chains of trust extend throughout the clients, servers, and world-wide infrastructure of today's networked information and control systems.  A 12 November article in National DEFENSE, NDIA's Business and Technology Magazine, highlights the urgent need for two more such chains of trust that are crucial for the security of Internet communications traffic.

The article discusses proof presently in the hands of security experts that "China Has Hijacked U.S.-Based Internet Traffic."  Dmitri Alperovitch, vice president of threat research at McAfee stated of the 18 minute 8 April event:  "This is one of the biggest - if not the biggest hijacks - we have ever seen" and  "What happened to the traffic while it was in China? No one knows."

The first exploited vulnerabilities enabled routers and systems to be told that the best routes for transmitting Internet traffic was via intercepting systems in China.  The details of the attack mechanisms were not spelled out in the article, but the results clearly imply that there was no chain of trust supporting the routing information used by the transmitting systems.  Information was accepted and acted upon by routers and systems that resulted in the flow of traffic through the attacker's interception systems - apparently without noticeable delays by the sending and receiving parties.

The second concern discussed in the article was more specific.  It sketched weaknesses in the capability of certificate-based asymmetric encryption to protect the confidentiality of  intercepted communications.  Specifically, it warned of an intercepting system's ability to inject public key certificates in to the traffic, which later could lead to decrypt-able transmissions.  The description in the article is in need of additional clarification to explain this danger and illustrate the absence of an essential chain of trust.

Certificate-based asymmetric cryptography employs a public key that is published in a certificate, and a corresponding private key that is not published, but retained solely by the owner of the public/private key pair.  Traffic is encrypted for confidentiality using the public key.  Encrypted traffic is decrypted using the private key.  So the real danger is that an injected public key can, without a sender's knowledge, be used to encrypt a transmission.  The owner of the corresponding private key then would be able to decrypt such a transmission. 

So the key question (pun intended) is "How can an injected public key certificate end up being used without the sender knowing about it?"  It turns out that an injected certificate, seemingly from someone a sender knows and trusts, can end up being used without the sender being aware of it.  And the root cause of this vulnerability turns out to be the lack of a chain of trust.

Mail programs in end user systems presently are set up to receive email encrypted with the receiver's public key, as well as "digitally signed email."  The latter includes, in addition to the normal mail contents, a value computed by executing a cryptographic hash function over the mail contents and encrypting the resulting hash value using a PRIVATE key.  This encrypted hash value is called a "digital signature." The public key certificate corresponding to the private key also is included. 

The integrity of the digitally signed email contents can be ensured by: i) recomputing the hash value of the mail contents,  ii)  encrypting the digital signature using the included PUBLIC key, and  iii) showing that the results of steps i) and ii) produce the same resulting value.  If the results are the same, the public key certificate is eligible to be added to the mailer's list of valid public keys.

Before being accepted as a valid public key certificate, however, the certificate must be further validated.  Validity and expiration dates must show that the certificate is currently valid.  But most importantly, the public key certificate must itself have been digitally signed by a recognized certificate authority and now be cryptographically revalidated.  Mail programs typically have a built-in list of public key certificates from many such authorities.  The public key of the authority's certificate is used to validate the newly incoming public key certificate.  And this is where the real danger lies - trusting the certificate of the authority.

The reader is invited and encouraged to look through the list of authorities included in his/her own mail program(s).  They are numerous, have many-year long validity dates, originate from many parts of the world, and, most importantly - ARE NOT SUPPORTED BY ANY CHAIN OF TRUST. 

A hostile Nation State, for example, could maneuver to have the public key certificate of a seemingly trustworthy certificate authority included in the standard mailers' built-in lists.  Then, by having covert access to the corresponding private key for that certificate, could generate and inject digitally signed emails containing fraudulent certificates for ANY ARBITRARY IDENTITIES.  Each of the fraudulent certificates would be signed by the private key of the supposedly trustworthy certificate authority, and would be readily accepted into the mailers.

Thereafter, a sender may think he/she is sending an encrypted email to "My Trustworthy Bank,"  but in fact be sending traffic that is hijacked and re-routed through an interception system belonging to the hostile Nation State.  Because the fraudulent public key certificate was in fact generated by the hostile State, the intercepting system would have the private key and would be able to decrypt the email, re-encrypt it with the Bank's real certificate, and harvest the sensitive information that was supposedly protected by very strong asymmetric encryption.  Both sender and bank, of course, would remain unaware of what had happened.

This weakness should not be construed to mean that public certificates cannot be securely managed.  It simply underscores the fact that the generation and distribution of such certificates must be supported by a solid chain of trust.  At the moment, the emerging DNSSEC chain of trust seems a good candidate for this role.

Microsoft warns of new Zero-day attack

I've been remiss with regard to blogging recently but this most recent warning of an exploit from Microsoft (via Network World) is worth passing on: Microsoft warns of new Zero-day attack affecting Internet Explorer 6,7,8.

Today Microsoft released Security Advisory 2458511 to warn Internet Explorer users of a new zero-day attack that Microsoft has seen in the wild. It affects versions 6, 7, and 8, although Microsoft says that the default installations of IE8 make that version of the browser harder to exploit by this issue.

The suggested actions are a bit technical for the average PC user. This is waht I find most frustrating about computing today:

While no patch is available yet, Microsoft has offered several workarounds including:

• Override the Web site CSS style with a user-defined CSS (that's not going to make a lot of Web developer's happy).
• Deploy Microsoft's Enhanced Mitigation Experience Toolkit, is a utility that Microsoft says helps prevent vulnerabilities in software from successfully being exploited. For more information, see Microsoft Knowledge Base Article 2458544.
• IE7 users are urged to enable the Data Execution Prevention (DEP) feature, although this may cause conflicts with some browser extensions.
• Read e-mails in plan text
• Set Internet and Local intranet security zone settings to "High" to block ActiveX Controls and Active Scripting in these zones

Firefox users have faced recent vulnerabilities and patches as well with two critical updates in recent weeks (http://www.h-online.com/open/news/item/Mozilla-issues-Firefox-Thunderbird-security-updates-1126710.html).

Note to self: Be careful online and be diligent with patches.

 

IT Security: Falling further behind, costing more

Sometimes an article is published that hits right to the point. Greg Shipley's recent Informationweek article "Outgunned: How Security Tech Is Failing Us: Our testing shows we're spending billions on defenses that are no match for the stealthy attacks being thrown at us today. What can be done?" underscores how ineffective and expensive IT security defenses have become.

"Pay no attention to the exploit behind the curtain" is the message from product vendors as they roll out the next iteration of their all-powerful, dynamically updating, self-defending, threat-intelligent, risk-mitigating, compliance-ensuring, nth-generation security technologies. Just pony up the money and the manpower and you'll be safe from what goes bump in the night.

Thing is, the pitch is less believable these days, and the atmosphere is becoming downright hostile.

We face more and larger breaches, increased costs, more advanced adversaries, and a growing number of public control failures. Regulation and litigation have both increased. We're still struggling with the expensive PCI initiative, an effort as controversial as its efficacy is questionable--U.S. businesses continue to hemorrhage credit card numbers and personally identifiable information. The tab for the Heartland Payment Systems breach, which compromised 130 million card numbers, is reportedly at $144 million and counting. The Stuxnet worm, a cunning and highly targeted piece of cyberweaponry, just left a trail of tens of thousands of infected PCs. Earlier this month, the FBI announced the arrest of individuals who used the Zeus Trojan to pilfer $70 million from U.S. banks. Zeus is in year three of its reign of terror, impervious to law enforcement, government agencies, and the sophisticated information security teams of the largest financial services firms on the planet."

And later:

"...collectively, we've spent billions of dollars on security technologies, and we still can't curb these threats. Intruders trot through firewalls deployed to block them, while malware flourishes on systems that antivirus vendors pledge to immunize. Meantime, our identity management efforts guzzle funds faster than politicians before a crucial vote.

Most of the IT security vendors we interviewed for this article--and we spoke with many of them--admit that their products have flaws, are less than comprehensive, and certainly have room for improvement. But what many of them are not so forthright about is just how bad the situation is. For example, during our own tests of antivirus system effectiveness, bypassing every one of the five major AV suites we had in our lab was a trivial matter. (Our full report, at informationweek.com/analytics/ outgunned, contains a rundown of our AV effectiveness testing.)"

Given the enormity of recent software patches from nearly every vendor (see: US CERT) it is apparent the situation is not under control.

So what is the root of the problem? For one, we can't with any certainty authenticate who is whom on the Internet, including email. If identity can be spoofed and you don't know who is at the other end, you can never win this battle. DNSSEC provides the mechanism for authentication, but until it achieves a critical mass it will not be effective. And adoption has proceeded slowly. 

In addition, security solutions do not scale across organizations or across the internet. DNS is the only way to do this. Dan Kaminsky best articulates how DNSSEC addresses this need for scaling. Here is a good interview on this point, with further links to video.

Lastly and fundamentally, the infrastructure of the Internet - from hardware to operating systems - is not architect-ed for security. Without a secure foundation we can never be secure. My colleague Bill Worley has written about this essential need, some of which is noted in this earlier blog post.

Until these issues are resolved we will continue to pay an IT security "tax" since the cost of security is passed on to consumers and businesses. We will also be unable to utilize the full potential of wireless applications, like cell phone money, without a lot of costly risk. But in this time of economic pressure it would be cost effective for the major players in IT to take a hard look at the architecture and consider how cost effective it would be make that the focus and not additional "band aid and bodyguard" defenses.



Message to banks: take DNSSEC seriously

Just as the FCC is looking into tighter security at ISPs, Senator Chuck Schumer has introduced legislation extending consumer protections for online banking fraud to municipalities and schools - making banks liable for online fraud losses.

See this post from Krebs on Security: Bill Would Give Cities, Towns and Schools Same e-Banking Security Guarantees as Consumers:

In response to a series of costly online banking heists perpetrated against towns, cities and school districts, Sen. Charles Schumer (D-NY) has introduced legislation that would extend those entities the same protections afforded to consumers who are victims of e-banking fraud.

Under “Regulation E” of the Electronic Funds Transfer Act (EFTA) consumers are not liable for financial losses due to fraud — including account takeovers due to lost or stolen usernames and passwords — as long as they promptly report the unauthorized activity. However, entities that experience similar fraud with a commercial or business banking account do not enjoy the same protections and often are forced to absorb the losses. Organized cyber thieves, meanwhile, have stolen more than $70 million from small to mid-sized businesses, nonprofits, towns and cities, according to the FBI.

The banking industry may squawk about the expense of absorbing these losses but as an industry they have done very little to improve protections. And it doesn't have to be costly. Simply deploying DNSSEC and insisting that their municipal and school district clients adopt DNSSEC would provide mutual authentication for the bank and it's customers.

Banks want their customer to know that they are at the bank's web site and not a fake site, and also that there is no man in the middle attack spying. Likewise the bank should be able to authenticate that it is the customer and not someone else accessing their site.

This is accomplished though deployment of DNSSEC.

DNSSEC authenticates that you are you. Without it SSL and VPN are not secure. This has been known for some time yet deployment of DNSSEC has been painfully slow. Without secure DNS you are not secure.

Sending out crypto key fobs to customers with elaborate number entries is an expensive and cumbersome solution. With DNSSEC and existing SSL you get 99% there with almost no cost. Deploying DNSSEC today is not costly or complicated. I've discussed this with banking regulators but they barely return emails. It's time to get moving.