Why?

• Because I use the Internet
• Because I'm a target
• Because most people don't know
• Because it's a fun conversation to have over drinks with security guys
• Maybe/hopefully you'll continue this conversation instead of just arguing!

Ground Rules

• Must be non-obvious and must be directly related to the Internet.  Not:
  • ...the President or any other gov'ernment official
  • ...or someone involved with SCADA Systems/Brick and mortar
• Must be in control of some infrastructure or software, etc
• Must have the largest or widest negative impact possible for the least amount of work and least likelihood of being stopped
• No magic - must be real and dangerous
• They can't be "bad" people
• You can't take this list too seriously

How I Got Started

• Started thinking about core technologies that everything relies on
• Made a big list
• Shopped it around to dozens of security experts
• Assigned an arbitrary, unscientific, hand-wavy, risk-rating system of my own design
• Ranked them in order of how scared I am of them personally

#10

• John Doe at C|Net
• Job: Network Engineer
• Why: Controls com.com
• Impact: Largest collection point of typo traffic both for web adn email.
  • Doesn't require anything overt or even indefensible

#9

• Giorgio Maone of NoScript
• Job: Consultant
• Why: Controls NoScript
• Impact: Nearly every security researcher on the planet - complete compromise.  In general the most paranoid people on earth would be compromised.
  • Builds arbitrary whitelists (ebay.com)
  • Has changed functionality to subvert Adblock Plus

#8

• Eddy Nigg at StartCom Ltd...
  • or John Doe at SSL Cert Reseller
• Job: Developer/QA
• Why: Has access to create wildcard SSL certs for any domain
• Impact: Would allow an attacker to steal any information they were able to man in the middle.
  • Previously demonstrated bad security
  • Much smaller and therefore less controlled than Verisign or Thawt

#7

• John Doe at Authorize.net
• Job: Network admin/Server admin
• Why: Has the ability to see the vast majority of online transactions.
• Impact: Would allow an attacker to get PII and credit card information for the bulk of the US online shopping population and many international shoppers as well

#6 (RSnake recants this one after dinner last night)

• John Doe at Mozilla
• Job: Has check-in access
• Why: Has the ability to change functionality within the browser, including installing new SSL certs.
• Impact: Would allow the attacker to man in the middle and read all SSL traffic.
  • Almost no documentation
  • The verification process is very open and subject to tampering - meaning the update mechanism isn't probably much better

#5

• Chirag and Floyd at Adwords
• Job: Whomever checks in code
• Why: Has access to millions of websites because it is XSS
• Impact: Can be leveraged for stealing cookies and hijacking web functionality
  • Is embedded in millions of web pages
  • Is already obfuscated heavily
  • Is seen daily by the bulk of the Internet population
  • Begs the question about CDNs in particular

#4

• John Doe at Google's Postini
• Job: Programmer/Server admin
• Why: Controls and can view the bulk of the world's email - including Gmail
• Impact: Would enable attacker to steal credentials, spoof conversations, tamper with data, introduce malware, etc
  • More dangerous than Adwords because it's passive

#3

• John Doe at 1 Wilshire
• Job: NOC Monkey
• Why: One of the largest peering centers on the west coast
• Impact: Can tamper with machines, install malware, inject malicious traffic, intercept communications, etc...
  • Most amount of data links in one physical location
  • CIA has already demonstrated interest in choke points in San Francisco as outed by Mark Klein

#2

• John Doe at gtei.net
• Job: Network Admin/Server Admin
• Why: Controls 4.2.2.2 and 4.2.2.3
• Impact: Can be used to subvert a huge chunk of Internet traffic by giving erroneous DNS answers
  • Used by default in many devices
  • Used by tons of individuals and companies who are lazy
  • Can be used in very targeted attacks for a very short period of time

#1

• John Doe at iDefense
• Job: Security Engineer/Consultant
• Why: Consults for and is owned by Verisign, who owns Network Solutions, who controls authoritative DNS for ".com"
• Impact: Would allow the bulk of the Internet traffic to be modified
  • Heavily monitored and protected but still could lead to temporary and targeted compromise
  • More dangerous than 4.2.2.2 because it controls all of .com and not just a subset of users

Disappointed?  Upset?

The room is full of people who care that your feelings are hurt.

The List

1. John Doe at iDefense
2. John Doe at gtei.net
3. John Doe at 1 Wilshire
4. John Doe at Google's Postini
5. Chirag and Floyd at Adwords
6. John Doe at Mozilla
7. John Doe at Authorize.net
8. Eddy Nigg at StartCom Ltd.
9. Giorgio Maone of NoScript
10. John Doe at C|Net

Questions/Comments?

• Robert Hansen
  • Robert_at_sectheory d0t c0m
  • http://www.sectheory.com
  • http://ha.ckers.org/
  • Detecting Malice
    • http://www.detectmalice.com/
  • XSS Book: XSS Exploits and Defense
    • ISBN: 1597491543

• ISPs’ “advanced network management” practices are changing the way that bits are transmitted across the internet
• Content of online communications is now inspected as it travels between endpoints
• ISP customer contracts require users to consent to the monitoring of their online activities
• ISPs claim increasing Internet traffic is leading to network congestion that requires new non-standard network mgmt practices
• Many ISPs are introducing network systems that identify traffic by type or application to delay “low-priority” bits
• One HD video download is roughly equivalent to visiting 35,000 web pages
• A few users account for most of the downstream traffic.  Upstream disparity is even greater.
• Mandatory and non-negotiable ISP customer contracts authorize the wholesale inspection of user communications.
• As a condition of service, customers (individuals and businesses) must consent to this inspection

Deep Packet Inspection

• Network-level appliance that captures Internet traffic on ingress and egress.
• Examination of the packet’s header information and payload (content).
• Analysis of (up to) all 7 layers of the OSI model
• Network-based parental controls, spam filtering, detection and protection against adware, spyware, malware, or viruses
• Network-based bandwidth prioritization
• Filtering of IP, child porn, and provider or government-determined “unacceptable” or “illegal” speech
• Targeted advertising through monitoring and data-mining
• Enforcement of “Net Neutrality” based “nondiscrimination” imperative

Network-Level Targeted Advertising

• In 2006 and 2007 Phorm and British Telecom began secretly monitoring 54,000 Internet users and testing DPI-facilitated targeted advertising
• By the end of 2009, all British Telecom Internet users will be monitored and presented with targeted ads
• In 2008, NebuAd partnered with 30 American ISPs to track users on the Internet and perform targeted advertising
• Network-level targeted advertising uses DPI to monitor everything that users transmit or receive over their Internet access connections
  • Web browsing
  • E-mail
  • IM
  • Downloads
  • Applications and Devices
• Advertising systems generate a profile which is then sold

No Way to Opt-Out of DPI

• ISPs claim that users can opt-out of targeted advertising by installing a cookie that will turn off the ads, but not the tracking
  • Purging cookies will re-opt-in users
  • Disabling cookies will default to opt-in
• ISPs provide now way for users to opt-out of the underlying DPI
• New DPI systems can block, segregate, or defeat user encryption

DPI: Privacy Implications

• Consent to monitoring is a waiver of privacy rights
  • Including automated, non-human inspection
• All privileges are waived on an inspection network
• Private communications will be available to others through a 3rd party subpoena to the ISP with a showing of mere relevance, and without user notice
• ISP TOS require businesses to consent to the monitoring of their online communications
• Information gleaned from inspection can be used for any and all purposes by the ISP
• Trade secrets, proprietary information, confidential communications, transaction records, customer lists, etc are all exposed
• Businesses risk violating customer privacy laws
  • Allowing third party access to medical, tax, financial, and credit records is often prohibited

Solutions to Protect Privacy on the Internet

• DPI has legitimate uses and need not be banned
• However, wiretapping without a warrant should require express, voluntary (opt-in) and informed user consent
• Full and complete disclosure of inspection practices and legal consequences to users
• Educated and voluntary consent is OK
• Requiring consent as a condition of receiving service is not voluntary
• Intrusive regulation by industry-captured regulators is the wrong way
• Need an administrative or legislative declaration of a public policy against internet access contracts that fail to disclose practices and privacy implications and/or require waiver of privacy rights as a condition of service
• Privacy is preserved without regulation

Our max inbound Internet throughput was 285 Mbps, about double our usual peak.  We saw a ni.com Web site performance degradation of about 25% for less than two hours according to our Keynote stats.  ni.com ASPs were affected proportionately which indicates the slowdown was Internet-wide and not unique to our specific Internet connection here in Austin.  The slowdown was less pronounced internationally, but still visible.  So in summary - not a global holocaust, but a noticeable bump.

Cacti graphs showing our Internet connection traffic:

Keynote graph of several of our Web assets, showing global response time in seconds:Looking at the traffic specifically, there were two main standouts.  We had TCP 1935, which is Flash RTMP, peaking around 85 Mbps, and UDP 8247, which is a special CNN port (they use a plugin called "Octoshape" with their Flash streaming), peaking at 50 Mbps.   We have an overall presence of about 2500 people here at our Austin HQ on an average day, but we can't tell exactly how many were streaming.  (Our NetQoS setup shows us there were 13,600 'flows,' but every time a stream stops and starts that creates a new one - and the streams were hiccupping like crazy.  We'd have to do a bunch of Excel work to figure out max concurrent, and have better things to do.)

In terms of the streaming provider breakdown - since everyone uses Akamai now, the vast majority showed as "Akamai".  We could probably dig more to find out, but we don't really care all that much.  And, many of the sources were overwhelmed, which helped some.

We just wanted to share the data, in case anyone finds it helpful or interesting.

For those of you just catching up, WEP is an almost 10 year old wireless protocol whose intent was to encrypt your wireless transmissions.  The problem is that WEP uses a user-defined key along with an "initialization vector" (IV) to generate the RC4 traffic key used to encrypt your data.  If I can gather enough of these IV's, then I can figure out what the key is and your network is now pwned.  I can speed up this process by injecting my own packets and I can get your key in under 3 minutes.  How's that for security? 

So, why is anyone still using WEP?  It was deprecated as a wireless privacy mechanism back in 2004.  It is easily cracked and provides slightly more security than running an open wireless network.  All that and when you buy a new wireless router it's most likely still pre-configured with WEP enabled.  On some of these older models better encryption standards such as WPA or WPA2 aren't even options.  With much of the wireless network setup falling into the hands of novice users, some of the responsibility lies with the router manufacturers for even allowing them to use WEP.  The rest, in my opinion, is on the users themselves, who put up these networks without being educated enough to do so.  You wouldn't put a door on your home without making sure the locks worked, would you?  How about buying a car where everyone with that model vehicle had your same key?  I think you get the picture.