
Entire internet suffers man-in-middle attack

Started by Cain, November 22, 2013, 10:36:48 AM


Cain

This is very worrying:

Quote: Imagine one day you're using the Internet the same way you do every day. Reading the news, shopping, sending email, checking your bank and credit card balances. Maybe even doing some work for your employer.

Typically, but not always, the bits being sent from your computer, tablet or phone will flow from where you are to where they need to be via the most direct route available.

But what if they didn't? What if someone slipped in between you and the various servers you're connecting with and diverted your traffic elsewhere, funneling it through a choke point of their choosing, so they could capture, copy and analyze it? Your data takes some extra — and imperceptible — milliseconds to get where it's going and ultimately everything you're doing online works just fine. But your traffic has been hijacked by parties unknown and you're none the wiser that it has happened.

In network security circles, this is what's known as a Man-In-The-Middle attack. And for years it has been understood to be possible in theory, but never seen in practice. That changed earlier this year when someone — it's unclear who — diverted Internet traffic from some 150 cities around the world through networks in Belarus and Iceland.

Now obviously, there are two important questions here.  How was this done?  The article goes into some detail about this and while I'm no expert on the technical side, it seems that small ISPs which were front companies for...whoever did this, were able to get away with it because the larger ISPs weren't monitoring traffic to keep an eye on where it was going.

But the other question is who was behind this?  Two ISPs are mentioned in regards to this, one in Belarus, and one in Iceland.

Belarus is not an easy country to operate in.  It's a one-party dictatorship, with strict media control.  In regards to the internet, the state telecom corporation, Beltelecom, "holds the exclusive interconnection with Internet providers outside of Belarus. Beltelecom owns all the backbone channels that linked to the Lattelecom, TEO LT, Tata Communications (former Teleglobe), Synterra, Rostelecom, Transtelekom and MTS ISP's. Beltelecom is the only operator licensed to provide commercial VoIP services in Belarus."

GlobalOneBel appears to be owned by a Mr Vladimir Koresko, who also registered a firm, GlobalOne Security, in the UK (which was dissolved in 2005).  According to the records from that registration, he is of Russian origin, and born in 1945.  His given address in Belarus is the same as that of GlobalOneBel's HQ.

Apart from that, it's pretty much impossible to get information on him.  I did find, however, that Research Programmes Ltd was registered as an officer with GlobalOne Security, and this company was associated with a number of Russian internet and software firms in the UK, including Power Engineering Universal, where they first served as a director.  Power Engineering Universal has dissolved, but at the same address there is now iTranstion Group Ltd, where they were listed as the Director between 2006 and 2007.  The current director is Iryna Hvardzeitsava, who is also of Belarusian origin.

This may be linked, it may not be.  Depends on what exactly Research Programmes Ltd is.

As for the Icelandic firm...Nyherji "is the Icelandic representative of a number of foreign technology firms, most of whom are at the forefront of their field, including IBM, Lenovo, Canon, Lexmark, Sony, Heidelberg, SAP, Avaya, Cisco Systems and APC" according to their corporate website.  From my limited look, it does seem to be fairly legit.  As does Opin Kerfi.

So...I don't know.  Attribution is a bitch on the internet.

Cain

And let's recall, not long after the above, this occurred.

East Coast Hustle

This century's warfare definitely has a tendency to take some interesting forms.

Thanks for posting this, dude. I had no idea.
Rabid Colostomy Hole Jammer of the Coming Apocalypse™

The Devil is in the details; God is in the nuance.


Some yahoo yelled at me, saying 'GIVE ME LIBERTY OR GIVE ME DEATH', and I thought, "I'm feeling generous today.  Why not BOTH?"

Cain

No problem.

And I agree, I think this is a state op, or at least with state sanction.  The article suggests a financial motive, but those who were mostly looking to benefit from insider trading, high frequency trading etc would not, in my opinion, be looking to get such vast quantities of government data as well.  Some would be useful, yes, contract bids etc but this seems on a far vaster scale than that.

We know Belarus and Russia have a fairly cozy relationship despite recent troubles, especially on security issues.  Russian-Icelandic relations are also warm, though probably not to the level of carrying out covert ops together.  American cities were the primary target.

But then, this is the 21st century, and all the lines are blurring.

Faust

Just another reason to encrypt fucking everything.
Sleepless nights at the chateau

Cain

The other possibility is that this is the NSA.  By routing internet traffic out of America, the information becomes international in nature, and so subject to the 215 dragnet.

There was a fairly credible suggestion that this occurred with Canada not too long ago.  Iceland and Belarus would be...unusual choices, to put it mildly, but it's not entirely impossible.

LMNO

What's the probability that if a couple of Russian-owned ISPs could do this, the US has been doing it for about a decade?

Pæs

You can also do this sort of thing by exploiting bit-squatting (http://media.blackhat.com/bh-us-11/Dinaburg/BH_US_11_Dinaburg_Bitsquatting_WP.pdf), where a single one or zero becomes corrupted somewhere in transit or on an overheating drive or in bad memory and changes the cached URL. So your computer forgets about microsoft.com and is suddenly asking DNS servers "HEY GUYS, WHERE IS MIC2OSOFT.com?" and the attacker has dodgy content hosted at that address.

Spoke with a guy a couple of weeks ago who had done this for the root name servers, which are basically the authoritative source of truth on which name corresponds to which actual server. He registered the bitflipped versions of the root servers themselves, so every time a piece of hardware failed to correctly remember the name of the root server, it would ask his server where the rest of the internet was.

Instead of compromising individuals whose computers had failed to ask for the right website, he was compromising entire ISPs and all of their millions of customers. People were asking him "HEY, WHERE IS UPDATE.MICROSOFT.COM? HEY, WHERE IS VERISIGN?" A failed piece of memory at your ISP would result in it asking HIM for every website you want, and he could direct you wherever he wanted. He wasn't redirecting people anywhere, just responding with failure until the ISP tried something else and when people investigated, his site was an explanation of the attack, but he could have just as easily acted invisibly, altered or simply read the traffic before sending it on to its real destination.

Telarus

Wow. Thanks for passing that along, Cain. (Also, very interesting Paes!)
Telarus, KSC,
.__.  Keeper of the Contradictory Cephalopod, Zenarchist Swordsman,
(0o)  Tender to the Edible Zen Garden, Ratcheting Metallic Sex Doll of The End Times,
/||\   Episkopos of the Amorphous Dreams Cabal

Join the Doll Underground! Experience the Phantasmagorical Safari!

Cain

Interesting, Paes.  I think it was Ars Technica who mentioned that, or something like that, being a possible vector for the attack.

Somehow, though, I don't think we're ever going to get to the bottom of this.