InternetWeek
Latest Hacker Target: Routers

By Rutrell Yasin


Bored with initiating traffic-flooding attacks that take down Web servers, hackers are focusing on router vulnerabilities that could let them divert large amounts of traffic to Internet wastelands, security experts warn.

Just when you believed your Gmail was safe, hackers have discovered a way to hijack your e-mail accounts. This was exposed some months back when Gmail client support started getting anxious letters about the quantity of spam received in Gmail accounts. The cause is hackers hijacking your Gmail account with a technique called Cross-Site Request Forgery (CSRF). The method requires that you click a link on a dummy hacker site, in a spam mail or in a pop-up ad while logged into your Gmail account. This action can plant a digital spy, in the guise of a cookie or JavaScript code, on your PC.

When your Gmail account is open, this digital spy tricks your browser into sending an invisible request to Gmail servers.

This request might be to download your account info, your contact list, or your e-mails. So long as you kept your Gmail account open, the digital spy could download information uninterrupted until you signed out of your account. This technique could also load spam and other hacker scripts into your Gmail account. The stolen info could be used to steal other account info, or hackers can profit by selling the Gmail account data to spammers for the best price. Google was able to respond to the Gmail issue quickly by tightening up its security. However, the CSRF attack can also work with your Google Toolbar and other Internet sites, not only Gmail. If hackers are able to hijack your Gmail accounts, this technique might be used to request financial info while you are doing online transactions.

There were reports that CSRF attacks managed to initiate cash transfers by embedding JavaScript code in Internet browsers during Web banking activity.

The vulnerability lies in the Border Gateway Protocol, which translates routing tables from different vendors' equipment. BGP has been used in commercial routers since 1994, and the security problems have been known for at least two years, but experts say they're seeing more router break-in kits being shared on Internet Relay Chat networks frequented by hackers.

Similar kits have helped hackers temporarily take down several ISPs and prominent Web sites in recent years using packet-flooding attacks. Router attacks aimed at ISPs are even more attractive to hackers, because routers control not merely Web site traffic, but all Internet traffic managed by an ISP--even pass-along traffic originating from other ISPs.

Enterprises and carriers alike are ill-prepared to address the threat, said Carlos Recalde, a director of telecommunications at KPMG.

"I'm concerned with attackers launching something specifically on my Cisco routers," Recalde said.

The KPMG IT staff is resorting to internally developed scripts that map out router images periodically to track changes in configurations. Although the use of such scripts can help reveal the path of destruction, it can't prevent the intrusion itself, Recalde said.

"It doesn't protect against an outright attack, which would happen so fast that no one knows what happened," he said.

Experts caution IT shops not to use default passwords to administer their routers, a practice that's far too common, said a spokesman for the CERT Coordination Center, a security watchdog. CERT advocates an added layer of authentication using public key infrastructure (PKI) technology, which requires not only a password, but also a unique identifier like a smart card to access network administration tools. This way, a hacker armed with only a password sniffer can't access routing tables.
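A sketch of the kind of periodic configuration comparison described above, added here as an illustration and not KPMG's own scripts. The two snapshots are constructed, and the lists of volatile and security-relevant statements are assumptions to be tuned per network.

```python
import difflib
import re
# Lines rewritten on every save; they carry no security meaning (assumed list).
VOLATILE = re.compile(r"^(! Last configuration change|! NVRAM config last updated|ntp clock-period)")
# Statements whose change deserves review (assumed watch list, extend as needed).
SENSITIVE = re.compile(r"^\s*(enable (secret|password)|username |snmp-server community|"
                       r"neighbor \S+ (remote-as|password|route-map|prefix-list)|"
                       r"access-list |ip prefix-list |transport input)")

def normalize(config):
    """Drop blank and volatile lines so only real edits remain."""
    return [ln.rstrip() for ln in config.splitlines()
            if ln.strip() and not VOLATILE.match(ln)]

def drift(baseline, current):
    """Return (op, line, sensitive) for each added ('+') or removed ('-') line."""
    changes = []
    for ln in difflib.ndiff(normalize(baseline), normalize(current)):
        op, text = ln[:1], ln[2:]
        if op in ("+", "-"):
            changes.append((op, text, bool(SENSITIVE.match(text))))
    return changes

# Constructed snapshots of one router, taken a day apart (not real device output).
BASELINE = """\
! Last configuration change at 02:11:09 UTC Mon Mar 4 2002
interface Serial0/0
 description uplink to carrier A
router bgp 64500
 neighbor 192.0.2.1 remote-as 64501
 neighbor 192.0.2.1 prefix-list CUST-IN in
line vty 0 4
 transport input ssh
"""
CURRENT = """\
! Last configuration change at 03:40:52 UTC Tue Mar 5 2002
interface Serial0/0
 description uplink to carrier A (primary)
snmp-server community public RO
router bgp 64500
 neighbor 192.0.2.1 remote-as 64501
line vty 0 4
 transport input telnet ssh
"""
if __name__ == "__main__":
    for op, text, sensitive in drift(BASELINE, CURRENT):
        print(f"{'ALERT' if sensitive else 'info '} {op} {text.strip()}")
```

As Recalde notes, this reveals a change after the fact; it does not block it.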

Cisco, the dominant vendor of Internet routers, didn't respond to inquiries about its plans to secure its routers.

Everybody's Job
Securing the routing infrastructure isn't only a job for router vendors and their customers, Recalde said. Carriers such as AT&T and WorldCom also must make sure their network traffic isn't hijacked, he said.

Carriers and ISPs can implement stronger authentication, filters to direct traffic and tools to detect and trace attacks, but the bottom line is that protocols such as BGP need enhanced security, said Jim Lippard, director of computer network security at carrier Global Crossing.

To add some protection to routers, carriers and enterprises should make special peering arrangements with other ISPs and lock out traffic from all other networks, Lippard said. This way, messages can't be spoofed from just any carrier.

To ensure that reliable routing information is sent to other carriers' routers, Global Crossing is using an authentication method called Message Digest (MD5), which supports BGP. When a router sends updates to another router, MD5 compresses a public key while it's being transmitted, preventing the key from being read until it reaches the neighboring router.
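An added example, not taken from the article or from Global Crossing, assuming the method meant is the TCP MD5 Signature Option of RFC 2385: both routers are configured with the same secret, and every TCP segment of the BGP session carries an MD5 digest computed over the segment and that secret. The addresses, ports, key and KEEPALIVE message are constructed.

```python
import hashlib
import hmac
import socket
import struct

def tcp_md5_digest(src_ip, dst_ip, tcp_header, payload, key):
    """RFC 2385 digest: MD5(pseudo-header + fixed TCP header + data + key)."""
    header_len = (tcp_header[12] >> 4) * 4            # data offset, options included
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, socket.IPPROTO_TCP, header_len + len(payload)))
    # Options are excluded and the checksum field is treated as zero.
    fixed = tcp_header[:16] + b"\x00\x00" + tcp_header[18:20]
    return hashlib.md5(pseudo + fixed + payload + key).digest()

def verify_segment(src_ip, dst_ip, tcp_header, payload, key, received_digest):
    """Receiver side: recompute with the local key and compare in constant time."""
    expected = tcp_md5_digest(src_ip, dst_ip, tcp_header, payload, key)
    return hmac.compare_digest(expected, received_digest)

def sample_segment():
    """Constructed segment: a BGP KEEPALIVE sent to port 179 (not captured traffic)."""
    header = struct.pack("!HHIIBBHHH", 49152, 179, 1000, 2000,
                         10 << 4,      # data offset 10 words = 20 + 18 (option) + 2 pad
                         0x18,         # PSH|ACK
                         16384, 0xBEEF, 0)
    keepalive = b"\xff" * 16 + struct.pack("!HB", 19, 4)
    return "192.0.2.1", "192.0.2.2", header, keepalive

if __name__ == "__main__":
    src, dst, hdr, data = sample_segment()
    key = b"constructed-shared-secret"
    digest = tcp_md5_digest(src, dst, hdr, data, key)
    print("option 19 digest:", digest.hex())
    print("peer with same key accepts:", verify_segment(src, dst, hdr, data, key, digest))
    print("segment signed with other key:", verify_segment(src, dst, hdr, data, b"guess", digest))
```

A segment whose digest does not verify is dropped by the receiving router, so an update injected without the shared secret never reaches the BGP process.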

Router vendors also have built-in filters that let carriers control the routes a customer's traffic can take. The filters help carriers set limits on which IP addresses can be used on other ISP networks.
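The route filtering described above, written out as an added example rather than any vendor's filter syntax. The policy table, AS numbers and prefixes are constructed, and the customer is assumed to be a stub network that originates every route it announces.

```python
import ipaddress

# Constructed policy table: for each customer AS, the address blocks it is
# registered to originate and the longest mask accepted inside each block.
POLICY = {
    64501: [("198.51.100.0/24", 24), ("203.0.113.0/24", 25)],
}

def check_announcement(peer_as, prefix, as_path, policy=POLICY):
    """Return (accepted, reason) for one route received from a customer peer."""
    allowed = policy.get(peer_as)
    if allowed is None:
        return False, "no peering arrangement with this AS"
    try:
        net = ipaddress.ip_network(prefix, strict=True)
    except ValueError:
        return False, "malformed prefix"
    if net.prefixlen == 0:
        return False, "default route not accepted from customers"
    # Assumption: a stub customer, so it must be both first hop and origin.
    if not as_path or as_path[0] != peer_as or as_path[-1] != peer_as:
        return False, "AS path does not start and end at the customer"
    for block, max_len in allowed:
        block_net = ipaddress.ip_network(block)
        if net.version == block_net.version and net.subnet_of(block_net):
            if net.prefixlen > max_len:
                return False, f"more specific than /{max_len}"
            return True, f"within {block}"
    return False, "prefix not registered to this customer"

# Constructed announcements (documentation address space, reserved ASNs).
SAMPLES = [
    (64501, "198.51.100.0/24", [64501]),
    (64501, "203.0.113.128/26", [64501]),
    (64501, "192.0.2.0/24", [64501]),
    (64501, "0.0.0.0/0", [64501]),
    (64999, "198.51.100.0/24", [64999]),
]

if __name__ == "__main__":
    for peer, prefix, path in SAMPLES:
        ok, why = check_announcement(peer, prefix, path)
        print(f"AS{peer} {prefix:<18} {'ACCEPT' if ok else 'REJECT'}  {why}")
```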

Tougher Measures
But while these measures can prevent someone from impersonating a customer to view that individual's personal data, they won't protect against someone sending spoofed traffic claiming to be another customer and overwhelming the router with data, Lippard said.

Within the past year, Arbor Networks, Asta Networks and Mazu Networks have developed technology that can warn of imminent router attacks through the use of agents that sit on the network and look for traffic anomalies. But there's nothing available to prevent these attacks from happening in the first place, Lippard said.

Efforts are under way to incorporate digital certificates and other PKI technology to strengthen BGP security.

The Secure BGP Project, led by BBN Technologies, a Verizon company, has developed with the Defense Department a test version of a protocol called S-BGP.

S-BGP uses PKI to authenticate the ownership of an IP address block, Autonomous System numbers and the BGP router's identity. IPSec is also used to encrypt data and let BGP routers authenticate one another for traffic exchange.

Whereas MD5 is a simple authentication method, S-BGP provides multilayer security, enabling ISPs to digitally sign and encrypt all kinds of configuration data, Lippard said.

But a big stumbling block for S-BGP is that Internet registries, router vendors and ISPs all have to agree to implement the protocol for it to be effective.

"For S-BGP to fly, you have to go through the IETF standards process, and then the vendors have to implement it," Lippard said.

Meantime, IT shops should perform "periodic vulnerability assessment checks against their routers," said Todd Hudspeth, principal security architect at Espiria, a consultancy. Network administrators often make inadvertent changes to router parameters during maintenance, which could leave them exposed.

In addition, companies should deploy technology that lets them at least detect abnormal traffic patterns and adjust to spikes in bandwidth use. Weather.com recently deployed Lancope Inc.'s StealthWatch security appliance, which analyzes data patterns in high-speed networks to determine whether traffic is legitimate, said Don Agronow, vice president of quality control and site operations.

Earlier this year, the company was hit by a denial-of-service attack that shut down operations for several hours when the routers of its hosting facility, operated by Exodus, were clogged with bogus traffic. Recently, Weather.com switched to WorldCom. "It's important to have an ISP as a partner," Agronow said, noting that WorldCom appears to be experienced in handling such attacks.

Still, Agronow worries that a skilled malicious hacker could wreak havoc on any Web site by attacking the routing infrastructure.



Copyright © 2010 CMP Media LLC


