February 2008
Underwater Fiber Cuts in the Middle East (4 February 2008)
Abandoned Ship Anchor Found Near Cable Cut (7 February 2008)
Teach a Man to Phish (13 February 2008)
A Technical Mistake (16 February 2008)
A Pakistani ISP "Hijacks" Youtube (24 February 2008)

Underwater Fiber Cuts in the Middle East

4 February 2008

Within the last week, there have been outages affecting four underwater cables. Millions of users are off the net in India, Pakistan, Egypt, Saudi Arabia, UAE, Kuwait, Qatar, and Bahrain.

It isn’t clear yet exactly what happened. Two cables in the Mediterranean, SEA-ME-WE 4 and Flag Telecom’s FLAG cable were cut. The latter cut was 8.3 km from Alexandria; the former was reported to be cut near Marseille, though other reports have that cut near Egypt, too. After that, there were problems with two cables in the Persian Gulf. Flag’s Falcon cable was cut; a cable between the UAE and Oman has suffered some sort of power failure.

Four failures in less than a week. Coincidence? Or enemy action? If so, who’s the enemy, and what are the enemy’s goals?

You can’t have that many failures in one place — especially such a politically sensitive place — without people getting suspicious. Naturally, most of the fingers have pointed at the US and Israel, with Iran seen as the likely target. There’s just one problem: Iran doesn’t seem to have been affected much. In fact, one study shows better throughput to Iran after the incident.

Now — the US certainly has the ability to tap undersea cables. After all, they did just that to the Soviets several decades ago. That said, I don’t think it’s an NSA or Mossad operation, as some have speculated, because I don’t think they’re that stupid. Four failures at once will raise suspicions, and that’s the last thing you want when you’re eavesdropping on people.

If if wasn’t a direct attempt at eavesdropping, perhaps it was indirect. Several years ago, a colleague and I wrote about link-cutting attacks. In these, you cut some cables, to force traffic past a link you’re monitoring. Link-cutting for such purposes isn’t new; at the start of World War I, the British cut Germany’s overseas telegraph cable to force them to use easily-monitored links. One of the messages they intercepted — and cryptanalyzed — was the Zimmerman telegram, which asked Mexico to join Germany in attacking the US, in exchange for financial support and recovery of Texas, New Mexico, and Arizona. Instead, public outrage in the US contributed to the decision to enter the war against Germany.

The problem with this scenario is that the benefit is short-lived: the cables will be repaired in a few weeks.

One can construct other scenarios. Some I’ve seen involve stock market manipulation, al Qaeda trying to block access to nasty Internet content, clueless terrorists launching a denial of service attack, etc. Any of these are possible, but are they plausible? Who gains, and by how much?

Cables do fail, for all sorts of reasons, including ship anchors, storms (and there was bad weather in the area), earthquakes, even sharks. To be sure, a common failure cause seems improbable, given the geographic and temporal extent of the failures. Besides, Egypt says there were no ships in the area. (Cables fail even more on land, as Neal Stephenson explained in a wonderful article some years ago.)

So — I don’t know what happened. As a security guy, I’m paranoid, but I don’t understand the threat model here. On the other hand, four accidental failures in a week is a bit hard to swallow, too. Let’s hope there will be close, open examination of the failed parts of the cables.


Update: there’s a good summary article here. It also states definitively that both cuts in the Mediterranean were near Alexandria, which increases the odds that there was a common cause for the failure. Presumably, the confusion about the location of the SEA-ME-WE 4 break arose because the other end of the cable is in Marseille.
Update: Contrary to some rumors and reports, Iran has not been knocked off the net. See the Renesys analysis for details.

Abandoned Ship Anchor Found Near Cable Cut

7 February 2008

Flag Telecom reports that an abandoned ship anchor was found near the cut in FALCON between Dubai, UAE, and Al Seeb, Oman. They state categorically that that was the cause of that failure.

They’re working on their failed cable near Alexandria; a remotely-operated submarine is being used to look for cuts along the cable.

Teach a Man to Phish

13 February 2008

Phishing — tricking people into entering their login and password on a fake site, in response to a forged email — is a problem. There are lots of reasons for this; one, though, is that people are trained to respond to phishing messages by legitimate companies that want to make life easy for their customers.

I received just such a message yesterday "from" Amtrak. It almost certainly was legitimate, because they’ve been engaging in this sort of dubious behavior for years. Let’s take a look at the message:


From: Amtrak
To: smb
Subject: Changes Coming to Your Amtrak.com Login
Date: Wed, 13 Feb 2008 17:46:31 EST
Reply-To: amtrak.W….@amtrak.bfi0.com

Steven,

CHANGES COMING TO YOUR AMTRAK.COM LOGIN

In an effort to streamline the login process and communicate more effectively with our customers, we will be changing the way you access your Amtrak.com account in a few weeks. Prior to this update, we ask that you log in to verify the accuracy of the information in your account.

The first problem is with the From: line. The human-readable name, which is all that some mailers display in the summary area, is "Amtrak". People are being told who the mesage is from — but the actual return address is at bfi0.com. Of course, that’s easy to fake. (In a sense, it’s good that the retun address isn’t something@amtrak.com, since it does show the actual origin of the message. I should add that all of the more subtle indicators in the message header were consistent with bfi0.com as the source of the message; it isn’t faked.)

The next problem, though, is that the message asks people to log in by clicking a link in the message:

Go to Amtrak.com now and update your profile
http://amtrak.bfi0.com/…..

So — we’re told that the login process will change (which is good cover for assorted mischief), but we should click on a link that doesn’t even claim to go to amtrak.com and log in with our Amtrak login and password.

I should note that I’m not in any way claiming that either Amtrak or Bigfoot Interactive (bfi0.com, bigfootinteractive.com, and epsilon.com all appear to be the same company) are in any way acting illegally or unethically. The message is almost certainly legitimate, and it doesn’t make any false claims about its origin. The problem is that the message is teaching bad habits. Neither Amtrak nor anyone else should ever send out messages asking people to click on some link and then log in.

They’re not the only ones, of course. I regularly receive very legitimate emails that ask me to click and then log in. (Shortly after I joined the faculty here, I amused myself teasing the dean about such a note sent under his login.) I wrote about a telephone analog a couple of months ago. But that doesn’t make it a good idea.

Phishing isn’t going to go away, and I don’t have much confidence that any of the much-touted authenticity markers will help, either. But legitimate companies don’t have to make it worse.

A Technical Mistake

16 February 2008

The Electronic Frontier Foundation has obtained an FBI document describing a mistake that was made in monitoring someone’s email: the ISP sent the FBI all of the email for the entire domain, rather than just the suspect’s email.

It isn’t surprising that something like this can happen. Matt Blaze and I warned about configuration problems in surveillance systems several years ago:

Needless to say, any wiretapping system (whether supplied by an ISP or the FBI) relied upon to extract legal evidence from a shared, public network link must be audited for correctness and must employ strong safeguards against failure and abuse. The stringent requirements for accuracy and operational robustness provide especially fertile ground for many familiar risks.

First, there is the problem of extracting exactly (no more and no less) the intended traffic.

The context then was Carnivore, but the problem is the same. On the same subject, Matt wrote
More seriously, I suspect that the meat (so to speak) of any meaningful analysis of Carnivore’s security and behavior lies not in its core source code but rather in the parameters used when it is actually configured and installed.

In fact, errors by third parties are not uncommon. The New York Times report on this incident makes it clear:

Past violations by the government have also included continuing a wiretap for days or weeks beyond what was authorized by a court, or seeking records beyond what were authorized. The 2006 case appears to be a particularly egregious example of what intelligence officials refer to as "overproduction" — in which a telecommunications provider gives the government more data than it was ordered to provide.

The problem of overproduction is particularly common, F.B.I. officials said. In testimony before Congress in March 2007 regarding abuses of national security letters, Valerie E. Caproni, the bureau’s general counsel, said that in one small sample, 10 out of 20 violations were a result of "third-party error," in which a private company "provided the F.B.I. information we did not seek."

From what has been released, the FBI did nothing wrong here. In fact, they say that they destroyed the unwanted (and unauthorized) emails when they noticed the problem. But mistakes will happen. This is why I and others have warned about the dangers of too-close linkage to the telecommunications system: other plausible configuration errors could give malicious parties access to the network.

Surveillance is difficult. Complexity and interconnections make it dangerous, too.

A Pakistani ISP "Hijacks" Youtube

24 February 2008

The government of Pakistan has ordered all ISPs in the country to block access to Youtube. By itself, it’s yet another sign of government censorship; that’s bad, but this example is hardly unique. As the article points out, a fair number of other countries have blocked Youtube in the past. However, the way it was done this time is worrisome.

The obvious way to keep users from reaching a destination is to install some sort of access control list blocking the IP address. Pakistan Telecom did it differently: they created their own machines with the appropriate IP addresses (208.65.153.238, 208.65.153.251, and 208.65.153.253), so that any of their users who tried to reach Youtube presumably received a notice about the new government rule. Unfortunately, they made a serious mistake: they "announced" the network to the entire Internet.

This blog is not the place for a full tutorial on Internet routing. For now, let it suffice to say that an organization or ISP that "owns" a particular IP address announces it to the rest of the Internet. Other ISPs believe the announcement and thus know how to reach that address. (Caution: this description is grossly oversimplified.) Crucially, an address announcement with a "longer prefix" — a more specific route; the analog of announcing a particular street within a city, rather than the city itself — will be used preferentially by parties who wish to reach that particular address.

That’s what happened here. Pakistan Telecom misconfigured a router so they announced a route to Youtube. Worse yet, they announced a very specific route (a "/24", in Internet parlance). The effect was to take Youtube off the air globally for about an hour.

This sort of hijacking isn’t new. Spammers have done it to hide their tracks. There was a famous instance in 1997 known as the AS 7007 incident. But this is a serious security issue. In 1999, the National Academies called routing problems one of the two most serious threats to the global Internet. In other words, professionals have long known this could happen.

The added risk now is that the whole world has been told how easy it is to take networks off the air. I’m not particularly concerned about a national government doing this deliberately, e.g., to prevent any "defamation" from being seen across the Internet. That sort of thing is noticed and dealt with fairly expeditiously. I am worried about freelance attacks by hacktivists or simple mischief makers who have compromised ISP routers.

I’ve been worrying about routing security for many years; in fact, it’s what got me interested in Internet security in the first place. We need to do something about the problem, such as deploying S-BGP. But deploying it will take years; we need to start soon, before sites more important than Youtube are hijacked.


Update: Here is an excellent timeline of the incident.
Tags: security