Home | Blog | Software | Reviews and Features | Forum | Help | Donate | About us
topbanner_forum
  *

avatar image

Welcome, Guest. Please login or register.
Did you miss your activation email?

Login with username, password and session length
  • December 06, 2016, 02:18:41 AM
  • Proudly celebrating 10 years online.
  • Donate now to become a lifetime supporting member of the site and get a non-expiring license key for all of our programs.
  • donate

Author Topic: The internet hijacked  (Read 7560 times)

Gothi[c]

  • DC Server Admin
  • Charter Honorary Member
  • Joined in 2006
  • ***
  • Posts: 858
    • View Profile
    • linkerror
    • Donate to Member
The internet hijacked
« on: May 20, 2008, 02:34:16 AM »
Recently the IP address for one of the root nameservers has changed.
These IP addresses are hard-coded in configuration files deep in the servers or many ISP's, and are hardly ever updated.

Some smart, sneaky, probably malicious entity figured they would grab the OLD ip address of the nameserver, and set up an unauthorized nameserver of their own, thus capturing all hostnames requested by pretty much most people on the internet. And also having control to what these hostnames resolve to (so thus having the ability to redirect anyone to any malicious proxy or site, intercept any data they want etc,...)

Read all about it

[ Invalid Attachment ]


So why do I post this in the developer corner section?

Things like this really make you reflect on security in your internet-enabled applications.
It should be assumed that any connection you make to a remote server can potentially be snooped upon.

Actually, a root dns server being hijacked is a bit extreme, but it is a lot easier for your data to be compromised. It only takes one compromised network on the route between the two parties(or the network of one of the parties themselves), and a mitm(man in the middle) attack is possible.

With the vast amount of botnets and compromised drone computers out there these days, it becomes more and more likely that you stumble upon a compromised network, and potentially make your data available to unauthorized parties.

Very few applications still use encryption these days. Only the most sensitive information is encrypted usually.

But data that doesn't seem sensitive at first sight can still be harmful if combined with (lots) of other data. Identity thieves are especially crafty at that kind of thing.

One reason you don't see as much (https) encrypted websites on the web as you should is because of a limitation in the https protocol: only one https domain name per ip address is possible. (eg, currently you can't have donationcoder.com and codycoins.com on the same IP, both using https). This is just one of many examples of how our current infrastructure is not built for the vast amount of threats that are present on the web these days.

So what are you doing to make your internet-enabled applications, web-applications, and websites ready for the remainder of the 21st century?

To conclude, a little scary quote from the article:
Quote
So the operators of such bogus name servers could operate for a very long time, providing correct answers or incorrect ones as they saw fit. They could log your requests to determine your interests and censor the ones they didn't like. In general, they could engage in all sorts of mischief, ranging from very targeted ("let's get this one individual or organization") to very wide-ranging ("let's blow away .com today").
« Last Edit: May 20, 2008, 02:40:02 AM by Gothi[c] »

Deozaan

  • Charter Member
  • Joined in 2006
  • ***
  • Points: 1
  • Posts: 7,714
    • View Profile
    • The Blog of Deozaan
    • Read more about this member.
    • Donate to Member
Re: The internet hijacked
« Reply #1 on: May 20, 2008, 03:05:13 AM »
What's with the big hat? I read the article and it wasn't there!  :huh:


Gothi[c]

  • DC Server Admin
  • Charter Honorary Member
  • Joined in 2006
  • ***
  • Posts: 858
    • View Profile
    • linkerror
    • Donate to Member
Re: The internet hijacked
« Reply #2 on: May 20, 2008, 03:13:18 AM »
It's just a blackhat reference.
I needed to put something there so the image looked like an image. It was blending in with the rest of my text too much.. so much that it looked part of it.
Anyway,.. who cares about the hat? :p

nudone

  • Cody's Creator
  • Columnist
  • Joined in 2005
  • ***
  • Posts: 4,117
    • View Profile
    • Donate to Member
Re: The internet hijacked
« Reply #3 on: May 20, 2008, 04:30:12 AM »
i like the hat. :Thmbsup:

Gothi[c]

  • DC Server Admin
  • Charter Honorary Member
  • Joined in 2006
  • ***
  • Posts: 858
    • View Profile
    • linkerror
    • Donate to Member
Re: The internet hijacked
« Reply #4 on: May 20, 2008, 04:38:14 AM »
:D

This reminds me of a monty python scene where they were talking about the meaning of life, man's unique ability to get distracted, and hats.

Quote
HARRY:
    That's right. Yeah, I've had a team working on this over the past few weeks, and, uh, what we've come up with can be reduced to two fundamental concepts. One: people are not wearing enough hats. Two: matter is energy. In the universe, there are many energy fields which we cannot normally perceive. Some energies have a spiritual source which act upon a person's soul. However, this soul does not exist ab initio, as orthodox Christianity teaches. It has to be brought into existence by a process of guided self-observation. However, this is rarely achieved, owing to man's unique ability to be distracted from spiritual matters by everyday trivia.

Perhaps the reason security on the internet is broken, is because people get distracted by hats.
(black hats, gray hats, white hats, red hat,... we might be on to something here)

Quote

...pause...

BERT:
    What was that about hats, again?
HARRY:
    Oh, uh, people aren't wearing enough.
CHAIRMAN:
    Is this true?
« Last Edit: May 20, 2008, 04:39:59 AM by Gothi[c] »

tinjaw

  • Supporting Member
  • Joined in 2006
  • **
  • Posts: 1,927
    • View Profile
    • Donate to Member
Re: The internet hijacked
« Reply #5 on: May 20, 2008, 05:55:26 AM »
Mr. Hat..err... Gothi[c],

Quote from: Gothi[c]
One reason you don't see as much (https) encrypted websites on the web as you should is because of a limitation in the https protocol: only one https domain name per ip address is possible.

Just using my intuition, I wouldn't guess that as one of the reasons. What are you basing your statement on? Strictly going on personal experience, I don't think there is a lack of use of SSL. I don't always pay attention, but just about any website I use that requires the transfer of data of a personal nature uses an SSL connection. (Don't forget that the page with the form may be served up w/o SSL and the page you see after submission may be served up w/o SSL, but the forms data can still be sent via https.)

The number one problem, IMNHO (In My Never Humble Opinion) is that geeks rule the internet. They build stuff that makes sense to them, not "normal" people. The #1 problem in that geeks expect other geeks to "comply" and "understand" the technical issues and so build things that way. Let's continue on the example of HTTPS. Geeks may understand why warning boxes pop-up and warn about SSL certs and hostnames not matching ip addresses and domains having expired and crap like that. But what does the average user do? The exclaim, "WTF is this?" and then click through the error box and go to the page anyways. Why? Because they have done it before and the world didn't end. Why did they do it before? Because some sysadmin goofed up in the past and the cert was invalid for 24 hours on some site the user trusted. When the user went to that site during that 24 hour period they saw the warning box, didn't understand the technical details, clicked through, and all was well.

I don't know what the solution to such problems are, but I doubt they are purely technical.

Gothi[c]

  • DC Server Admin
  • Charter Honorary Member
  • Joined in 2006
  • ***
  • Posts: 858
    • View Profile
    • linkerror
    • Donate to Member
Re: The internet hijacked
« Reply #6 on: May 20, 2008, 06:15:42 AM »
Most of the major sites and sites that absolutely need https will of course have it.
It's your average joe cpanel user that runs into the issues like you stated.
I was merely using it as an example, not stating it is 'the' reason.
I find it a perfect example showing how many of the protocols we use are inherently flawed, or perhaps, more
correctly, used these days as they were never intended to be used. It's as if the entire internet is hack built upon hack built upon hack, just to make things work.

Rebuilding the entire lot to be more user friendly so your average joe can run a site or server without worrying about hackers or security would be a dream-solution, but unfortunately the sad reality is that there is no such thing as 100% security, even if you were to build the system from the ground up to be user friendly.

The result would then be even more people running servers that don't understand basic security, and even more malware and drone servers on the net.

You may build a fortress from the ground up, security flaws will exist, and perhaps it is a good thing, in a way, that some knowledge is required to set up basic things, since people with that knowledge 'tend' to be more security aware.

Windows was designed to be user friendly out of the box, and look how many virus infected drone computers are out there. Vista was redesigned with security in mind and to address many issues, and it only took a few days for exploits to be released in the wild. It may not be the perfect example again, but I think the point is that it may not always be a good idea to promote a culture where knowledge/experience isn't needed to run things.

cranioscopical

  • Friend of the Site
  • Supporting Member
  • Joined in 2006
  • **
  • Posts: 4,367
    • View Profile
    • Donate to Member
Re: The internet hijacked
« Reply #7 on: May 20, 2008, 06:18:37 AM »
Anyway,.. who cares about the hat?

Well, I don't think you should beret the idea!


momonan

  • Charter Member
  • Joined in 2005
  • ***
  • Posts: 227
    • View Profile
    • Read more about this member.
    • Donate to Member
Re: The internet hijacked
« Reply #8 on: May 20, 2008, 06:49:20 AM »
cranioscopical, how DO you do it? 8)
When you can't be a good example, then you'll just have to be a horrible warning - Catherine Aird

f0dder

  • Charter Honorary Member
  • Joined in 2005
  • ***
  • Posts: 9,029
  • [Well, THAT escalated quickly!]
    • View Profile
    • f0dder's place
    • Read more about this member.
    • Donate to Member
Re: The internet hijacked
« Reply #9 on: May 20, 2008, 08:20:18 AM »
There's a couple of WTFs here... one is that so many of the internet protocols we use have gaping security holes - something as critical for the whole internet infrastructure as the root DNS servers ought to have some form of cryptographic verification applied. I do realize it's basically impossible to change something as established as the DNS protocol, though, and that crypto verification would be very costly on something as high-volume as root DNS servers.

Another WTF is that the IP address was changed in the first place. Now, the server might have needed to be moved to a different facility or what do I know, but when you're dealing with servers that have (and need) their IPs hardcoded in various places, you simply don't change that IP, period. And if it has to be done, for some extremely critical reason, you especially do not give up the old IP for grabs.

As for SSL, it protects you against casual snooping and tampering, but afaik as soon as there's a man-in-middle (exploited router, carnivore box at your ISP, ...) you're game over anyway.
- carpe noctem

iphigenie

  • Supporting Member
  • Joined in 2006
  • **
  • Posts: 1,169
    • View Profile
    • Donate to Member
Re: The internet hijacked
« Reply #10 on: May 20, 2008, 11:29:05 AM »
--pedantic mode--
you can run multiple ssl servers on one IP, alhough you have to use non standard ports - thats the way it is often done especially if you have load balancers in front which can hide the non standard port
--shuts up--

Although the story of the root server is incredible - how could someone just snatch that IP like that...
Thankfully most of DNS never goes all the way up to the root server so the effect might not have been as bad.
« Last Edit: May 20, 2008, 11:30:59 AM by iphigenie »

Deozaan

  • Charter Member
  • Joined in 2006
  • ***
  • Points: 1
  • Posts: 7,714
    • View Profile
    • The Blog of Deozaan
    • Read more about this member.
    • Donate to Member
Re: The internet hijacked
« Reply #11 on: May 20, 2008, 01:21:49 PM »
Another WTF is that the IP address was changed in the first place. Now, the server might have needed to be moved to a different facility or what do I know, but when you're dealing with servers that have (and need) their IPs hardcoded in various places, you simply don't change that IP, period. And if it has to be done, for some extremely critical reason, you especially do not give up the old IP for grabs.

I'm not sure if it's the real Bill Manning, but a user in the comments named Bill Manning said this:

Quote
Why was ICANN using the EP.NET address space?

It was assigned to "L" when I created it in 1996. ICANN should have renumbered when they took over "L". They did -not- and have been squatters on the space. They now threaten legal action if I announce my own space. This is a sad state of affairs.

I admit my own ignorance on what all these things truly mean, but if I understand it correctly, this is the reason why the IP address changed.


Lashiec

  • Member
  • Joined in 2006
  • **
  • Posts: 2,374
    • View Profile
    • Donate to Member
Re: The internet hijacked
« Reply #12 on: May 20, 2008, 04:42:55 PM »
What we need is a tinfoil hat :D

In theory, the newer browsers have a better system to warn the user about invalid certificates (using color codes and less cryptic dialogs). Then again you know what they say about the universe producing better and bigger idiots, including quite some webmasters.

Anyway, what troubles me the most is they don't have a clue about who and why :S

Gothi[c]

  • DC Server Admin
  • Charter Honorary Member
  • Joined in 2006
  • ***
  • Posts: 858
    • View Profile
    • linkerror
    • Donate to Member
Re: The internet hijacked
« Reply #13 on: May 20, 2008, 05:58:31 PM »
https on alternate ports is a good solution but is not always an option, and it puts an ugly semicolon in the url  (believe it or not, many people find this enough reason to not use it.)

Renegade

  • Charter Member
  • Joined in 2005
  • ***
  • Posts: 13,220
  • Tell me something you don't know...
    • View Profile
    • Renegade Minds
    • Donate to Member
Re: The internet hijacked
« Reply #14 on: June 02, 2008, 10:31:46 AM »
I only want to comment on a couple things here that f0dder brought up. (Other comments have been done.)

There's a couple of WTFs here... one is that so many of the internet protocols we use have gaping security holes - something as critical for the whole internet infrastructure as the root DNS servers ought to have some form of cryptographic verification applied. I do realize it's basically impossible to change something as established as the DNS protocol, though, and that crypto verification would be very costly on something as high-volume as root DNS servers.

Correct in every way. The cost would be impossible to cover.


Another WTF is that the IP address was changed in the first place. Now, the server might have needed to be moved to a different facility or what do I know, but when you're dealing with servers that have (and need) their IPs hardcoded in various places, you simply don't change that IP, period. And if it has to be done, for some extremely critical reason, you especially do not give up the old IP for grabs.

This is what I don't get. How the Hell could that happen?

Changing like that is simply insane!

As for SSL, it protects you against casual snooping and tampering, but afaik as soon as there's a man-in-middle (exploited router, carnivore box at your ISP, ...) you're game over anyway.

There is no MITHM attack with SSL. That's what SSL stops. If it's a MITHM attack for DNS, you're screwed. But for regular HTTPS traffic to a web site, then you're safe. SSL is client to server security. Which doesn't cover DNS...

Are you talking about something else there? I'm curious. I don't know of any "real" SSL attacks. There are some that involve ISPs and trusted intermediaries but those are special cases and not for regular Internet connections.


Slow Down Music - Where I commit thought crimes...

Freedom is the right to be wrong, not the right to do wrong. - John Diefenbaker

Gothi[c]

  • DC Server Admin
  • Charter Honorary Member
  • Joined in 2006
  • ***
  • Posts: 858
    • View Profile
    • linkerror
    • Donate to Member
Re: The internet hijacked
« Reply #15 on: June 02, 2008, 07:10:19 PM »
Quote
There is no MITHM attack with SSL. That's what SSL stops.

Erm, yes there is :)
There are plenty of different SSL mitm attacks possible.
While it protects the casual kid from reading plaintext stuff, the attacker can inject false ssl certificates into the tcp stream, and most users will accept them without thinking twise.

No ISP needs to be compromised. It only takes one trojaned machine on your network, or a wireless router with a cracked WEP/WPA/WPA2/... key.
« Last Edit: June 02, 2008, 07:11:56 PM by Gothi[c] »

Renegade

  • Charter Member
  • Joined in 2005
  • ***
  • Posts: 13,220
  • Tell me something you don't know...
    • View Profile
    • Renegade Minds
    • Donate to Member
Re: The internet hijacked
« Reply #16 on: June 11, 2008, 09:25:12 AM »
Quote
There is no MITHM attack with SSL. That's what SSL stops.

Erm, yes there is :)
There are plenty of different SSL mitm attacks possible.
While it protects the casual kid from reading plaintext stuff, the attacker can inject false ssl certificates into the tcp stream, and most users will accept them without thinking twise.

No ISP needs to be compromised. It only takes one trojaned machine on your network, or a wireless router with a cracked WEP/WPA/WPA2/... key.

Ok. I know the attack that you're describing.

I was thinking of attacks on an SSL session, and not the proxied SSL cert vulnerability that you get with some corporate networks and ISPs.

Slow Down Music - Where I commit thought crimes...

Freedom is the right to be wrong, not the right to do wrong. - John Diefenbaker