Every now and then, something seems so huge that you don't realize it for a long period of time. It's like waking up out of a cosy dream and recognizing that real life is something different. But in this case, there is a vast security vacuum in the World Wide Web. At least it seems like it. Then you suddenly realize you're in a massive hole. Or, in this case, a gaping security hole in the Internet, because someone seems to be sucking enormous amounts of input out of it.
Wired.com has been reporting that someone, something, somewhere has been using a big security loophole (one that was long feared to exist) to steal Internet traffic heading back to government agencies, multinational corporations and other important beneficiaries in the United States. That traffic was first redirected to Belarus and/or Iceland, then sent on to its intended recipients. It took several months until someone observed this changing pattern. And this may not have been the first time that this took place, simply the first time someone noticed.
Researchers at Renesys ("The Internet Intelligence Authority", as they call themselves), an Internet monitoring company, said that over several months earlier this year (2013) someone (extraterrestrials maybe?) diverted the traffic using the same vulnerability in the so-called Border Gateway Protocol (BGP for short, designed to exchange routing and reachability information between Autonomous Systems (AS)) that two security researchers demonstrated in 2008 (so you need to read this article, which gives you full insight into this developing story). This attack (comparable to the well-known man-in-the-middle attack) allows cybercriminals to fool other routers into redirecting their data to a system that the hijackers control themselves. When they then resend the data to the intended recipient, neither of the original communicating parties is aware that their information has been funneled through a third party.
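How a defender would notice such a diversion, as an added example that is not code from the Wired piece, from Renesys or from this post: a toy route monitor in Python. The prefix/ASN registry plays the role that RPKI route-origin records play in practice, the baseline is the set of announcements seen on ordinary days, and every prefix and AS number in it is made up (documentation address ranges, private ASNs). Because a hijacker of this kind forwards the traffic onward, the end-to-end connection looks healthy to everyone involved; the only signal is the change in what is being announced, so the monitor flags three things: a prefix announced by an AS that is not registered to originate it, a brand-new more-specific prefix (routers prefer the longest match, which is why the 2008 demonstration used one) even when the origin AS looks right, and address space it has no record of at all.

```python
"""Toy BGP route monitor (added example; all prefixes and ASNs are hypothetical)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple

Network = ipaddress.IPv4Network

# Which AS may originate which prefix. Stands in for RPKI route-origin
# records; constructed entries on documentation ranges, not from the article.
EXPECTED_ORIGINS: Dict[Network, Set[int]] = {
    ipaddress.ip_network("203.0.113.0/24"): {64500},
    ipaddress.ip_network("198.51.100.0/22"): {64501},
}

# (prefix, origin) pairs seen announced on ordinary days. A hijacker who
# forwards traffic onward breaks nothing visible to users, so the change in
# announcements is the only signal; hence a baseline to compare against.
BASELINE: Set[Tuple[str, int]] = {
    ("203.0.113.0/24", 64500),
    ("198.51.100.0/22", 64501),
}


@dataclass(frozen=True)
class Announcement:
    prefix: str
    as_path: Tuple[int, ...]   # neighbour first, originating AS last

    @property
    def origin(self) -> int:
        return self.as_path[-1]


def classify(ann: Announcement) -> str:
    """Verdict for one announcement: valid, invalid-origin,
    suspicious-new-more-specific, or unknown."""
    net = ipaddress.ip_network(ann.prefix)
    covering = [reg for reg in EXPECTED_ORIGINS if net.subnet_of(reg)]
    if not covering:
        return "unknown"                 # no registry entry: nothing to judge against
    allowed: Set[int] = set().union(*(EXPECTED_ORIGINS[r] for r in covering))
    if ann.origin not in allowed:
        return "invalid-origin"          # an AS not entitled to the space claims it
    if net in EXPECTED_ORIGINS:
        return "valid"                   # exact registered prefix, right origin
    # Right origin, but a more-specific prefix than is registered. Routers
    # prefer the longest match, so this is the shape a hijack takes; only a
    # sub-prefix nobody has announced before deserves an alert.
    if (ann.prefix, ann.origin) in BASELINE:
        return "valid"
    return "suspicious-new-more-specific"


def scan(feed: Iterable[Announcement]) -> List[Tuple[str, int, str]]:
    """Return (prefix, origin, verdict) for every announcement that is not valid."""
    alerts = []
    for ann in feed:
        verdict = classify(ann)
        if verdict != "valid":
            alerts.append((ann.prefix, ann.origin, verdict))
    return alerts


# Constructed feed, as a route collector might deliver it on one bad day.
SAMPLE_FEED = [
    Announcement("203.0.113.0/24", (64510, 64500)),          # business as usual
    Announcement("203.0.113.0/25", (64520, 64530, 64500)),   # new /25, origin looks right
    Announcement("198.51.100.0/22", (64510, 64599)),         # 64599 claims someone else's block
    Announcement("192.0.2.0/24", (64510, 64540)),            # space with no registry entry
]

if __name__ == "__main__":
    for prefix, origin, verdict in scan(SAMPLE_FEED):
        print(f"{verdict:30} {prefix:20} origin AS{origin}")
```

The second feed entry is the interesting one: its origin AS is the legitimate owner, so a pure origin check would wave it through, and only the comparison against the baseline exposes a /25 that nobody announced before. That is the sort of changing pattern the article says went unnoticed for months, and it is why route monitoring compares what is announced today against what was announced yesterday rather than only checking who claims to own the space.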
The danger of this scheme is potentially enormous. Once critical data is intercepted, copied and stored, the hijacker can burrow through the archives of any unencrypted information, spying through emails and spreadsheets, extracting credit card numbers, and seizing all manner of sensitive data.
In this case, the hijackers initiated the hijacks at least 38 times, grabbing traffic from about 1,500 individual IP blocks. Sometimes for minutes, sometimes for hours, sometimes for days. It is known that they did it in such a consistent way that the analysts' verdict is: make no mistake about it! This was no mistake, analysts say.
(I thought Renesys (an Internet monitoring firm) specialized in this matter. So, how can it be that this happened so often before someone noticed? But maybe it has nothing to do with the first phrase I wrote up in this post.)
[Photo: Doug Madory, Renesys Senior Analyst]
Doug Madory says that initially he thought the motive was financial, since traffic destined for a large banking company (...?) got sucked up in the deviation. But then the cybercriminals started diverting traffic that was intended for the foreign ministries of several countries (which Doug Madory declined to name...?) as well as for a large VoIP (Voice over IP) provider in the United States, and for Internet service providers that process the internet communications of thousands of customers.
Although the intercepts originated from a number of different systems in Belarus and Iceland, Renesys believes the attacks are all related and that the hijackers may have altered the locations to obfuscate their malicious activity.
“What makes a man-in-the-middle attack different from a simple routing hijack? Simply put, the traffic keeps flowing and everything looks fine to the recipient,…” Renesys wrote in a blog post about the hijacks. “It’s possible to drag specific internet traffic halfway around the world, inspect it, modify it if desired, and send it back on its way. Who needs fiberoptic taps?” (...?)
[Photo: Tony Kapela]
Tony Kapela, Vice President of data center and network technology at 5Nines in Wisconsin (and one of the researchers who exposed the BGP vulnerability in 2008), is shocked that no other signs of intentional hijacking have been seen since their talk five years ago, and questions whether this is really the first case or just the first one seen (without anyone being alerted?). He also thinks that what happened could actually be the work of a "newcomer" who simply seizes control of one of the systems and sends out the phony message without the knowledge of the system owner. He imagines a scenario:
"...where an attacker gains physical access to a router belonging to one of the companies and installs a monitoring device to record data, then gains control of the router console to send out a bogus BGP announcement to redirect traffic through the router. If anyone discovers the redirect, the "bad guy" would appear to be the company itself that owned the router...."
How long will it take to resolve this enigma, when you think about the fact that it took 38 blinks of an eye to realize that there is a mystery going on...?