Posts tagged ‘exploit’

Wired Claims Border Gateway Protocol Is “The Internet’s Biggest Security Hole”

Border Gateway Protocol (BGP) is not about showing your passport when you come from Mexico into the United States.  It’s about the internet.  It’s about the very core of the internet and how billions of randomly placed computers can somehow all communicate together.

When your typical everyday web surfer types in the name of the website they want to go to (like InsanIT.net), what happens is that a Domain Name System (DNS) server looks up the name of the website you want and returns the actual IP address for that website.  That’s because the internet doesn’t connect to other computers by names.  It connects to other computers by specific IP address numbers.  But people don’t want to type in 127.000.000.001 to go to a website.  They want to type in InsanIT.net.  So a DNS server is just a big lookup table that automatically tells your computer that InsanIT.net is actually address 127.0.0.1.  (For those who aren’t aware of this, 127.0.0.1 is not actually InsanIT.net’s IP address.)

How does that relate to BGP?  I’m getting there.

The shortest distance between two points is a straight line.  But the fastest route between two points takes a complicated look-up procedure.  Because you don’t want the loading of the webpage data to have to go from here to Shanghai and back just to get to you, you want the fastest possible route between your network and the computer that holds the web page you want.  So what happens is that when your request for the address 127.0.0.1 (to continue the above example) comes to your Internet Service Provider (ISP) to hit the great wide internet, the ISP typically has a router that consults a BGP table for the fastest route from you to the webpage that you want.

Now that BGP table is like any train station or bus route table in that it shows the best way for you to get from Point A to Point B.  But how is that table made?  It’s “easy”.  The table is made from “advertisements” of Autonomous Systems (AS).  Say I’m a big internet pipeline layer.  I have a BGP router.  I tell my BGP router to advertise to ISPs that my great wide internet pipe can deliver to Address A through Address C at a blazing speed.  ISPs pick up my announcements (in a completely automated way) and build their tables.

Now, here’s the kicker.  Here is where Wired has an interesting, if not scary, point.  Who says that I’m telling the truth?  Who says that my BGP router really can deliver the fastest route?  Well?  No one does.  It’s just assumed that all BGP routers are honest.  That’s how BGP is flawed.  By design it figures that every BGP router tells the truth.
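To make the "it just believes the advertisements" point concrete, here is a toy route table written for this post. It is an added example, not code from Wired, the DEFCON talk, or anyone named above. It makes two simplifying assumptions about real BGP: per prefix it keeps the announcement with the shortest AS path, and when forwarding it picks the most specific prefix that covers the destination (longest-prefix match). The second assumption is the one that matters here: a more specific announcement wins even when it comes from someone with no right to the address space. The "registry" of who is allowed to originate which prefix is also constructed for the example; it stands in for the general idea of route-origin checking, not for the particular fix the post mentions later. The addresses (203.0.113.0/24) and AS numbers (64496 to 64511) are documentation ranges, not real networks.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Advertisement:
    """One BGP-style announcement: 'the last AS on this path can reach this prefix'."""
    prefix: Net
    as_path: Tuple[int, ...]   # first entry is the neighbour we heard it from, last is the origin AS

    @property
    def origin_as(self) -> int:
        return self.as_path[-1]


class RouteTable:
    """A toy BGP table. Like the real thing, it believes whatever it is told."""

    def __init__(self) -> None:
        self.routes: Dict[Net, Advertisement] = {}

    def learn(self, adv: Advertisement) -> None:
        # Simplified best-path choice (assumption): per prefix, keep the shortest AS path.
        current = self.routes.get(adv.prefix)
        if current is None or len(adv.as_path) < len(current.as_path):
            self.routes[adv.prefix] = adv

    def lookup(self, ip: str) -> Optional[Advertisement]:
        # Longest-prefix match: the most specific covering prefix wins, no matter who announced it.
        addr = ipaddress.IPv4Address(ip)
        best: Optional[Advertisement] = None
        for prefix, adv in self.routes.items():
            if addr in prefix and (best is None or prefix.prefixlen > best.prefix.prefixlen):
                best = adv
        return best


# Constructed registry: which AS is allowed to originate which address space (an assumption
# for this example, in the spirit of route-origin checking; not the post's own proposal).
Registry = Dict[Net, int]


def origin_state(adv: Advertisement, registry: Registry) -> str:
    """'valid' if a registered holder covers the prefix and the origin matches, 'invalid' if a
    holder covers it but the origin differs, 'unknown' if nobody has registered that space."""
    holders: List[int] = [holder for reg_prefix, holder in registry.items()
                          if adv.prefix.subnet_of(reg_prefix)]
    if not holders:
        return "unknown"
    return "valid" if adv.origin_as in holders else "invalid"


def build_table(advs: Iterable[Advertisement], registry: Optional[Registry] = None) -> RouteTable:
    """Build a table from advertisements; with a registry, drop announcements marked invalid."""
    table = RouteTable()
    for adv in advs:
        if registry is not None and origin_state(adv, registry) == "invalid":
            continue   # a router with origin checking refuses to learn the bogus route
        table.learn(adv)
    return table


# Constructed scenario on documentation address space and documentation AS numbers.
LEGIT_OWNER = 64500
IMPOSTOR = 64511
ADVERTISEMENTS = [
    Advertisement(Net("203.0.113.0/24"), (64496, LEGIT_OWNER)),        # the real holder, 2 hops away
    Advertisement(Net("203.0.113.0/25"), (64497, 64498, IMPOSTOR)),    # more specific, 3 hops away
]
REGISTRY: Registry = {Net("203.0.113.0/24"): LEGIT_OWNER}


def chosen_origin(ip: str, use_registry: bool) -> Optional[int]:
    """Which AS a packet for `ip` ends up being handed to, with or without origin checking."""
    table = build_table(ADVERTISEMENTS, REGISTRY if use_registry else None)
    adv = table.lookup(ip)
    return None if adv is None else adv.origin_as


if __name__ == "__main__":
    for adv in ADVERTISEMENTS:
        print(f"{adv.prefix} via {adv.as_path}: {origin_state(adv, REGISTRY)}")
    print("trusting table hands 203.0.113.10 to AS", chosen_origin("203.0.113.10", False))
    print("checking table hands 203.0.113.10 to AS", chosen_origin("203.0.113.10", True))
```

Run it and the trusting table hands 203.0.113.10 to AS 64511, the impostor, even though its path is longer, because the /25 is more specific than the /24. Only addresses the /25 does not cover (203.0.113.200, say) still reach the real owner. With the registry check turned on the /25 is marked invalid, never enters the table, and every address in the block goes back to AS 64500. That gap between "what the table believes" and "who actually holds the space" is the whole story of the post.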

Why is this so important?  What is the worst that could happen then if my BGP router is intentionally lying?  So it just takes a little longer for my web page to load?

No.

What Pakistan semi-accidentally proved is that such a simple trick can be used not just to slow down the flow of information on the internet, but to completely block a website from being accessed by potentially anyone.

That’s bad enough.

But at the recent DEFCON 16, “Tony” Kapela (data center and network director at 5Nines Data) and Alex Pilosov (CEO of Pilosoft) showed us that it’s much, much worse than that.

It turns out that you don’t have to break the internet when you do something like this.  You can actually engineer it to make the web page request go through, to keep the data truckin’ on.  But you still get to read all of that data as it passes on by.  You can snoop to your little heart’s content, with no one the wiser.  This isn’t just web pages we’re talking about.  It’s “secure” internet shopping and all of your credit card data.  It’s every last email.  It’s corporate espionage.  For any unencrypted data, it’s a complete breakdown of all security.  The only potentially safe data is encrypted data.  And even that’s not 100% guaranteed, as encryption can be broken.

But, in fact, it can be even more malicious than that.  You can theoretically alter the data as it passes through.  You could, say, change what loads on a webpage.  Or what comes through in an email.  You could literally control what people see, and all without anyone’s knowing.

THAT is what has Wired (and so many security-conscious people) in an uproar.  The Border Gateway Protocol is inherently unsafe.  It takes a little more knowledge than usual to perform this kind of hack, and requires you to buy a BGP router and put yourself into the system, but it isn’t beyond the realm of possibility.  And once you’re in, you’re golden, because there are no errors.  Everything looks completely legit.  All because the BGP architecture is completely based on trust.

Stephen Kent (chief scientist for information security at BBN Technologies) has been working on solutions to fix this very issue for years.  He has even privately demonstrated a similar BGP interception for the Departments of Defense and Homeland Security.

So rest assured that this issue is not being ignored.  There are several possible solutions.  One day the BGP system will be based less on trust and more on security.

But until then, don’t ever assume that the internet is safe.  Your best approach is still the most simple approach: encrypt your important data.  Security doesn’t just happen.  You have to make it happen.

With Insecurity And Injustice For All

The world is a scary place. The internet is no different. Everyone is out to get you. Everyone wants to hurt you. And they’re always thinking up horrible new methods to do it.

Okay, so yeah, that’s just a tad over the top. No, life isn’t really that bad. But yes, there really are hackers out there in the world trying to be mean and nasty.

Just ask Adobe. What is more internet than Adobe’s Flash providing all sorts of goofy little Flash applets all over the intarweb? Well Symantec has found a weakness in it. An exploited weakness. With at least 20,000 web pages found to carry links to a site that hosts malicious Flash applets that exploit the weakness. Not good. Fortunately, it’s only Adobe’s own Flash Player stand-alone application that is vulnerable. Internet browsers like Internet Explorer, Firefox, et cetera that support Flash plug-ins aren’t vulnerable. They’re safe. Still, not such a great moment for Adobe.

Speaking of the internet, what about one of the biggest ISPs out there, Comcast? Well just a couple of days ago, for a mere few hours, Comcast.net was hacked by a couple of losers who redirected the webpage to one with text that read, “KRYOGENIKS Defiant and EBK RoXed COMCAST. sHouTz To VIRUS Warlock elul21 coll1er seven.” Wondrous stuff that. Just the hack of the ages there. Fortunately Comcast fixed everything by Thursday and is working with the police, even if they are stymied.

Still, a hack is a hack, and of all businesses out there to be well protected, you’d have thought one of the great cable ISPs like Comcast.net would have held up better than that. Oh well.

And speaking of ISPs and hacks, let’s jump across the pond to everyone’s favorite BT Home Hub wi-fi internet router, which has yet another security hole when left on the default settings. You see, to stop stupidity from being a factor in hacking the device, the default administrator password was recently changed from “admin” to the device’s serial number. Each being unique and relatively harder to guess than “admin”, it seemed a fairly intelligent way to go. And since it’s stamped on the device you never have to go far to find where you wrote it down. Except that, according to GNUCitizen, it’s not actually all that difficult to request the serial number from the device over a network connection. Hmm. Not so brilliant then. Just yet another reason to change from the default settings to actually secure ones. Good advice for everyone out there, not just for BT Home Hub owners.

In fact, when was the last time you Windows users patched your bugs and holes? You naughty naughty lot. Automatic Updating should be fixing it for you. If you haven’t turned it off that is. Why do I ask? Well, according to a new study by Akamai, China and the US lead the way for denial of service and exploit traffic in 2008. Yes, that’s right. Exploits. As in your computer has a security hole the size of Texas that was fixed years ago, but because you don’t think updating is worth it, you got hacked and now hackers are sending out traffic from your computer. Goodness knows that the past years have seen a great number of really effective worms, viruses, and Trojans for Windows PCs. All of them with fixes. Have you updated your computer with those fixes? Because in the world of always-on-line high-speed internet, if you’re not part of the solution, you really are part of the problem. Update your PC today. With Windows it’s just as simple as turning on your Automatic Updates. Or clicking on that little Windows Update button. It’s never been easier. Protect yourself. Protect us all. Update your PC. Please!

So yes, hubs, computers, even cell phones can be hacked.

Cell phones?

Yes, that’s right, cell phones.

Such as the bug found in Motorola’s RAZR firmware that allows intentionally malformed JPG images to execute whatever code a hacker’s little black heart desires. Fortunately, after a year of working on it, Motorola finally has a fix. Yippee! Way to keep on top of things, Motorola!

But all is not lost. It’s a scary scary world, but there are plenty of folks out there finding the security holes. And plenty of people fixing them. Or telling you how to protect yourself from them. It’s a scary place, but we’re here to help. If you let us. :)