{"id":8528,"date":"2015-08-06T10:32:27","date_gmt":"2015-08-06T14:32:27","guid":{"rendered":"http:\/\/blog.nccomputertech.com\/?p=8528"},"modified":"2015-08-06T10:32:27","modified_gmt":"2015-08-06T14:32:27","slug":"attackers-could-use-internet-route-hijacking-to-get-fraudulent-https-certificates","status":"publish","type":"post","link":"https:\/\/nccomputertech.com\/techtalk\/2015\/08\/06\/attackers-could-use-internet-route-hijacking-to-get-fraudulent-https-certificates\/","title":{"rendered":"Attackers could use Internet route hijacking to get fraudulent HTTPS certificates"},"content":{"rendered":"<p>Inherent insecurity in the routing protocol that links networks on the Internet poses a direct threat to the infrastructure that secures communications between users and websites.<\/p>\n<p>The Border Gateway Protocol (BGP), which is used by computer network operators to exchange information about which Internet Protocol (IP) addresses they own and how they should be routed, was designed at a time when the Internet was small and operators trusted each other implicitly, without any form of validation.<\/p>\n<p>If one operator, or autonomous system (AS), advertises routes for a block of IP addresses that it doesn\u2019t own and its upstream provider passes on the information to others, the traffic intended for those addresses might get sent to the rogue operator.<\/p>\n<p>Such incidents are called BGP hijacking, when done intentionally by a malicious actor, or route leaking, when caused by human error or misconfiguration, and are increasingly common. Their impact can be local or global, depending on their particular circumstances.<\/p>\n<p>While there are best security practices that could prevent such incidents, they are not implemented by all network operators around the world. The networks where these security practices are not implemented are also the ones that are most likely to have vulnerable border gateway routers that hackers could attack.<\/p>\n<p>At the Black Hat security conference in Las Vegas Wednesday there were two talks dedicated to BGP hijacking, highlighting the importance of this topic to the security community. In one of them, a Russian security researcher, named Artyom Gavrichenkov, showed how attackers could perform a BGP hijacking attack that would affect only a small geographic region, but which could help them trick a certificate authority to issue a valid certificate for a domain name they don\u2019t own.<\/p>\n<p>In order for this to work, the attackers would need to pick a target website whose IP address is part of an AS located in a different region of the world. For example attackers in Asia could decide to target Facebook. They would then need to pick a local certificate authority (CA) that is very close to the rogue autonomous system from where the attack will originate.<\/p>\n<p>The goal of the attack would be to make the certificate authority\u2019s ISP believe that Facebook\u2019s IP address is owned by the rogue AS instead of Facebook\u2019s real AS. The goal of picking a far away target is to lower the chances that the real AS will notice the hijacking\u2014essentially that a small portion of the Internet believes Facebook is part of a different network.<\/p>\n<p>The process of obtaining a TLS certificate for a domain involves proving that the person who requested the certificate has control of the domain name. This check can be done in an automated manner in several ways: by uploading a special CA-provided page to the server where the domain name is hosted so that the CA can check if it exists, by sending an email to the email address listed in the domain\u2019s WHOIS record or by creating a Domain Name System TXT record for the domain. Only one of these methods is enough to confirm ownership.<\/p>\n<p>Creating a page on the server that hosts the domain is the easiest check to pass by using a BGP hijacking attack. The attacker would need to set up a Web server, create the page, then advertise rogue routes for Facebook\u2019s IP address. Those routes will propagate regionally affecting the certificate authority and tricking it into believing the page was actually hosted on Facebook\u2019s domain. The CA would then issue the SSL certificate.<\/p>\n<p>The fraudulent, but nevertheless valid digital certificate, could then be used to launch man-in-the-middle attacks against Facebook users anywhere in the world, not just the region where the BGP hijacking happened.<\/p>\n<p>The current digital certificate infrastructure that underpins secure communications on the Web doesn\u2019t take routing flaws into consideration, Gavrichenkov said. And because it is built into everything, from desktop computers to embedded devices and mobile phones, it can\u2019t be easily changed, he said.<\/p>\n<p>The underlying problem is with the Internet routing protocol and the lack of implementation of recommended security practices. However, the BGP hijacking issue has been known for a very long time and the researcher believes it\u2019s unlikely to be fixed anytime soon either.<\/p>\n<p>Efforts like the Certificate Transparency framework proposed by Google, or the certificate pinning mechanisms implemented in some browsers could help detect when rogue certificates are issued, but that\u2019s more of a workaround than a fix since they\u2019re not widely adopted yet.<\/p>\n<p>via <a href=\"http:\/\/www.pcworld.com\/article\/2960552\/security\/attackers-could-use-internet-route-hijacking-to-get-fraudulent-https-certificates.html\" target=\"_blank\">Attackers could use Internet route hijacking to get fraudulent HTTPS certificates | PCWorld<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Inherent insecurity in the routing protocol that links networks on the Internet poses a direct threat to the infrastructure that [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"default","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","ast-disable-related-posts":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_feature_clip_id":0,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2},"jetpack_post_was_ever_published":false},"categories":[7,10],"tags":[180,494,541],"class_list":["post-8528","post","type-post","status-publish","format-standard","hentry","category-security","category-technology","tag-certificates","tag-https","tag-internet-protocol"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/papNkV-2dy","jetpack-related-posts":[{"id":5710,"url":"https:\/\/nccomputertech.com\/techtalk\/2014\/06\/10\/microsoft-pushes-out-massive-security-update-for-internet-explorer\/","url_meta":{"origin":8528,"position":0},"title":"Microsoft pushes out massive security update for Internet Explorer","author":"NCCT","date":"June 10, 2014","format":false,"excerpt":"Microsoft pushes out massive security update for Internet Explorer Six down, six to go. Today is the Microsoft Patch Tuesday for June, and it comes with seven new security bulletins. The good news is that five of the seven are only rated as Important, but one of the two Critical\u2026","rel":"","context":"In &quot;Microsoft&quot;","block_context":{"text":"Microsoft","link":"https:\/\/nccomputertech.com\/techtalk\/category\/microsoft\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":5958,"url":"https:\/\/nccomputertech.com\/techtalk\/2014\/07\/10\/crypto-certificates-impersonating-google-and-yahoo-pose-threat-to-windows-users\/","url_meta":{"origin":8528,"position":1},"title":"Crypto certificates impersonating Google and Yahoo pose threat to Windows users","author":"NCCT","date":"July 10, 2014","format":false,"excerpt":"People using Internet Explorer and possibly other Windows applications could be at risk of attacks that abuse counterfeit encryption certificates recently discovered masquerading as legitimate credentials for Google, Yahoo, and possibly an unlimited number of other Internet properties. A blog post published Tuesday by Google security engineer Adam Langley said\u2026","rel":"","context":"In &quot;Microsoft&quot;","block_context":{"text":"Microsoft","link":"https:\/\/nccomputertech.com\/techtalk\/category\/microsoft\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/nccomputertech.com\/techtalk\/wp-content\/uploads\/2014\/07\/disguise-kit-640x728.jpg?resize=350%2C200","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/nccomputertech.com\/techtalk\/wp-content\/uploads\/2014\/07\/disguise-kit-640x728.jpg?resize=350%2C200 1x, https:\/\/i0.wp.com\/nccomputertech.com\/techtalk\/wp-content\/uploads\/2014\/07\/disguise-kit-640x728.jpg?resize=525%2C300 1.5x"},"classes":[]},{"id":3175,"url":"https:\/\/nccomputertech.com\/techtalk\/2013\/08\/13\/security-team-pries-open-secrets-of-chinese-hacker-gang\/","url_meta":{"origin":8528,"position":2},"title":"Security team pries open secrets of Chinese hacker gang","author":"NCCT","date":"August 13, 2013","format":false,"excerpt":"A Chinese hacker gang whose malware targeted RSA in 2011 infiltrated more than 100 companies and organizations, and was so eager to steal data that it probed a major teleconference developer to find new ways to spy on corporations, according to researchers. The remote-access Trojan, or RAT, tagged as \"Comfoo\"\u2026","rel":"","context":"In &quot;Networking&quot;","block_context":{"text":"Networking","link":"https:\/\/nccomputertech.com\/techtalk\/category\/networking\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/zapt5.staticworld.net\/images\/article\/2013\/04\/hacker_internet_web_attack-100033459-large.jpg?resize=350%2C200","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/zapt5.staticworld.net\/images\/article\/2013\/04\/hacker_internet_web_attack-100033459-large.jpg?resize=350%2C200 1x, https:\/\/i0.wp.com\/zapt5.staticworld.net\/images\/article\/2013\/04\/hacker_internet_web_attack-100033459-large.jpg?resize=525%2C300 1.5x"},"classes":[]},{"id":3067,"url":"https:\/\/nccomputertech.com\/techtalk\/2013\/07\/31\/some-home-automation-systems-are-rife-with-holes-security-experts-say\/","url_meta":{"origin":8528,"position":3},"title":"Some home automation systems are rife with holes, security experts say","author":"NCCT","date":"July 31, 2013","format":false,"excerpt":"A variety of network-controlled home automation devices lack basic security controls, making it possible for attackers to access their sensitive functions, often from the Internet, according to researchers from security firm Trustwave. Some of these devices are used to control door locks, surveillance cameras, alarm systems, lights, and other sensitive\u2026","rel":"","context":"In &quot;Security&quot;","block_context":{"text":"Security","link":"https:\/\/nccomputertech.com\/techtalk\/category\/security\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/images.techhive.com\/images\/article\/2013\/07\/veralite-copy-100048275-large.jpg?resize=350%2C200","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/images.techhive.com\/images\/article\/2013\/07\/veralite-copy-100048275-large.jpg?resize=350%2C200 1x, https:\/\/i0.wp.com\/images.techhive.com\/images\/article\/2013\/07\/veralite-copy-100048275-large.jpg?resize=525%2C300 1.5x"},"classes":[]},{"id":7586,"url":"https:\/\/nccomputertech.com\/techtalk\/2015\/02\/06\/sneaky-linux-malware-comes-with-sophisticated-custom-built-rootkit\/","url_meta":{"origin":8528,"position":4},"title":"Sneaky Linux malware comes with sophisticated custom-built rootkit","author":"NCCT","date":"February 6, 2015","format":false,"excerpt":"A malware program designed for Linux systems, including embedded devices with ARM architecture, uses a sophisticated kernel rootkit that\u2019s custom built for each infection. The malware, known as XOR.DDoS, was first spotted in September by security research outfit Malware Must Die. However, it has since evolved and new versions were\u2026","rel":"","context":"In &quot;Linux&quot;","block_context":{"text":"Linux","link":"https:\/\/nccomputertech.com\/techtalk\/category\/linux\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":9452,"url":"https:\/\/nccomputertech.com\/techtalk\/2018\/11\/19\/internal-bug-discovery-security-now-693\/","url_meta":{"origin":8528,"position":5},"title":"Internal Bug Discovery &#8211; Security Now 693","author":"NCCT","date":"November 19, 2018","format":false,"excerpt":"https:\/\/youtu.be\/ClVI9PMQGCY Australia vs Encryption, Google+ Bugs Hasten its Demise -- Australia's recently passed anti-encryption legislation -- Details of a couple more mega-breaches including a bit of Marriott follow-up -- A welcome call for legislation from Microsoft -- A new twist on online advertising click fraud -- The DHS is interested\u2026","rel":"","context":"In &quot;Microsoft&quot;","block_context":{"text":"Microsoft","link":"https:\/\/nccomputertech.com\/techtalk\/category\/microsoft\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/img.youtube.com\/vi\/ClVI9PMQGCY\/0.jpg?resize=350%2C200","width":350,"height":200},"classes":[]}],"_links":{"self":[{"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/posts\/8528","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/comments?post=8528"}],"version-history":[{"count":0,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/posts\/8528\/revisions"}],"wp:attachment":[{"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/media?parent=8528"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/categories?post=8528"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/tags?post=8528"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}