
A BGP hijack reroutes the traffic of banks, Amazon and many others. We’ll explain how this can happen, and why we don’t see it more often.
Plus an interview with Brendan Gregg, author of a new book that focuses on systems performance in the enterprise and the cloud, plus a big batch of your questions, our answers, and much, much more!
Thanks to:
Use our code tech249 to score .COM for $2.49!
Visit dirwiz.com/unitysync and use code tech for an extended trial and a year of maintenance.
BGP hijack used to redirect traffic destined for online banking
- On 24 July 2013 a number of specific IP addresses were maliciously mis-routed to an ISP in the Netherlands
- This is especially unusual because almost all BGP routes are /24 or larger (routers only have so much RAM in which to hold the routing table for the entire Internet), and most of these were specific /32s (a single IP address).
- This might be considered a mistake, but the owners of the specific IP addresses suggest otherwise:
- AMAZON-AES – Amazon.com, Inc.
- AS-7743 – JPMorgan Chase & Co.
- ASN-BBT-ASN – Branch Banking and Trust Company
- BANK-OF-AMERICA – Bank of America
- CEGETEL-AS – Societe Francaise du Radiotelephone S.A.
- FIRSTBANK – FIRSTBANK
- HSBC-HK-AS – HSBC Hong Kong
- PFG-ASN-1 – The Principal Financial Group
- PNCBANK – PNC Bank
- REGIONS-ASN-1 – REGIONS FINANCIAL CORPORATION
- The ISP, NedZone.nl, normally announced about 30 prefixes of various sizes between /18 and /24, but on the date in question it was announcing 369, almost all of them smaller than /24 (usually the smallest prefix that would be announced)
- It is most likely this was caused by a malicious customer, rather than NedZone or one of its employees
- The attack appears to have been an attempt to run a MITM attack against online banking
- RIPE AS Dashboard for AS25459, showing the list of prefixes announced in the last 30 days
- HE BGP Looking Glass AS25459 Prefixes
Digital Ocean Cloud ‘Droplets’ found to be reusing same SSH private keys
- While using Digital Ocean’s cloud servers to write a comparison of Ansible and Salt, two different administration/orchestration tools, Joshua Lund discovered that many of his ‘Droplets’ had the same SSH fingerprint
- While rapidly creating and destroying Droplets, he ended up with the same IP address, and noticed that he did not receive an SSH fingerprint mismatch warning him that this server was not the same as the one that previously resided at this IP address
- Upon further investigation he found that the SSH host keys appeared to be part of the base image, rather than being generated on first boot
- While this was likely a simple oversight while creating the images, or an attempt to make the droplets boot faster by forgoing SSH key generation, it is a significant security issue
- This means someone could replace your droplet with their own and have the same SSH private key (and therefore fingerprint); if you or one of your old users connected to your old IP, which now belonged to someone else, they could capture your password or otherwise perform a MITM attack
- The issue was reported to Digital Ocean and they responded the same day
- The immediate fix did not resolve all instances of the issue, but within 7 days the issue had been resolved
- Digital Ocean then started working with their customers to have them replace their SSH host keys with unique ones
- 6 weeks later a public security advisory was issued
- If you do not install the OS yourself, it may be a good idea to regenerate the SSH host keys as part of the initial setup process
- Official Advisory
- On a future episode of TechSNAP we’ll talk about SSHFP DNS records and maintaining a system-wide ssh_known_hosts file
Interview with Brendan Gregg
Feedback:
Directory Dive:
Round Up:
- XKeyscore – NSA program allows analysts to search vast databases of emails, online chats and the browsing histories
- Feds tell Web firms to turn over user account passwords | Politics and Law – CNET News
- Canada’s hangup with foreign owned telcos
- Google gives AT&T the boot, will supply 7000 US Starbucks locations with WiFi starting next month
- College students misdirect an $80 million Yacht with GPS spoofing
- Russia proposes ban on foul language on the internet with a law named “On the protection of children from information harmful to their health and development”
- A look at LZ4 in ZFS