Web filters threaten national security
- 04 May, 2009 15:51
Internet heavyweights have attacked the federal government's Internet content filtering plans and claimed it opens vulnerabilities that could threaten national security.
Renowned security experts reproached the Australian government for pushing ahead with the national clean-feed Internet scheme. They say nationwide Internet filtering is both technically infeasible and morally reprehensible, and have called on the public to disrupt the government's plans if they are actioned after the current trials.
National cyber-security received a significant boost under the government's $300 billion Defence White Paper. Security researcher Dan Kaminsky, famous for revealing the DNS cache-poisoning attack and the extent of infection from Sony's obfuscated rootkit, said the filters open a security hole which has been used to cripple entire ISP networks.
“The problem is [the government is] putting a really sensitive piece of code in a really dangerous place. The bottom line is that these active man-in-the-middle filters seem like a great idea at the time, until there is a security vulnerability,” Kaminsky said in a Web video from the recent RSA conference in the US.
“We've found major security vulnerabilities in filters put in front of ISPs and they basically corrupted the entire network for that ISP.
“I'd hate to see that affect an entire country,” he said.
Internode network engineer Mark Newton, a vocal critic of Web filtering, said the architecture of Web filters is vulnerable to hacking.
“If the network is configured to trust the censorware server, then a hacker can cause traffic flows from all over the network to divert to it,” Newton said. “The attack, which may normally take down a Web site, can create profound privacy risks to users.”
Blacklist arbitration, more than a moral issue, has the potential to destabilise the government's scheme because the effectiveness of the filters relies on clear definitions of illegal content.
Marcus Ranum, renowned security designer and chief of security at Tenable Network Security, says opponents should hammer the media regulator with ambiguous content, similar to the methods used to unveil information on the blacklist.
“The best forum of civil disobedience and social protest is to look for weird edge-cases and to challenge them and consume their time,” Ranum said. “Saturate [them] with legitimate well-thought out appeals in the grey area that will make the censor's brain melt.”
Edge-cases delivered “courteously, politely, ruthlessly and cleverly” will disrupt the clarity of content arbitration, he said, and call to question the government's ability to make moral decisions about online content.
Newton said the dissenting public will be inspired to break the system if it is enforced against popular opinion.
Experts said the technology is too rigid to work with ambiguous child exploitation laws, which made recent headlines when it was revealed teenagers 'sexting' or uploading sexually explicit images to social networking sites could be charged.
“Maturity is a trajectory. When are unilaterally treating [the public] like a child, they are raising themselves as being vastly more responsible.. I don't think government are more typically more moral than their constituents,” he said.
Spire Security research director Peter Lindstrom said the size and diversity of Australia's population is unsuited to an umbrella Web filter.
“I don't see a real reason to apply these controls across a population as diverse and disparate as Australia... there is so much ambiguity in deciding what is appropriate and legitimate that it's hard to see how an entire nation-state can make that decision for its population,” Lindstrom said.
Credit to Wade Millican and Donal O Duibhir for the RSA Web video (nodecity.com).
Comments
Anonymous
man in the middle??
Who is feeding Dan Kaminsky with his information?
I have seen no references to "man in the middle" scenarios for the URL blacklist filtering, other than on some blogs?
Anonymous
MITM Man in the Middle
No matter the technology used to policy-map or forward individual IP addresses to an application level content scrubber, or to actively scan for peer2peer (which is being tested in the trials), there exists a piece of code on an existing or new device that sits in the data path acting as a shunt and or scrubber. Essentially all filters become MITM "Man in the Middle" at differing levels on all flows.
This "piece of code" can be leveraged in many ways, especially when the management control plane becomes involved. Recent reports show more than 87 percent of domains share their IP addresses with one or more other domains and over two thirds share their IP with 50 or more domains. Citation: Cyber Law Harvard, Edelman, IP Sharing paper.
Potato pot-at-o
Anonymous
MITM Man in the Middle??
Not so with URL filters that only port replicate and/or parse the URLs.
You are referring to just one format of filtering, being IP based filters.
To my knowledge of all relevant releases and the current ACMA list format, these are all URL based? Has nothing to do with IP mapping, MITM, IP forwarding etc.
Anonymous
Feeding Kaminsky?
How do you come up with that? It's not new and has been covered before by ban (dot) this (dot) url in interview with Matthew Strahan.
S
Re: MITM
"Not so with URL filters that only port replicate and/or parse the URLs."
If this was the case then the filters would have to scan every single piece of data passed through the entire network on port 80, this is simply not feasible for a system that encompasses a large ISP.
Instead, the method being used by most of the trials is likely to involve routing the IPs of all blacklisted sites through a censorbox to filter only what is required.
Regardless of the method used the censorbox is acting as a "man in the middle" for at LEAST the servers hosting the blacklisted sites, and as Newton said if trusted, the censorbox could request the rest of the network to divert any traffic through it if it was compromised. If fully compromised this would make a perfect man in the middle attack providing the attacker the ability to scrutinise all web traffic to any location they desire, a significant security/privacy risk.
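A small model of the hybrid design the comment above describes (divert by destination IP, then match by URL), added here as an illustration and not taken from the commenter or from any filter used in the trials. The hostnames, addresses and blacklist entry are constructed; the point is to count how much non-blacklisted traffic still transits the filter box when sites share an IP.

```python
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample data (documentation IP ranges, .example domains).
DNS = {  # hostname -> hosting IP; three sites share one virtual-hosting IP
    "blocked.example": "192.0.2.10",
    "clinic.example": "192.0.2.10",
    "forum.example": "192.0.2.10",
    "news.example": "198.51.100.7",
}
BLACKLIST = {"http://blocked.example/bad/page.html"}


def diverted_ips(blacklist, dns):
    """Stage 1: host routes (/32s) the router shunts to the filter box."""
    return {dns[urlsplit(u).hostname] for u in blacklist}


def classify(url, blacklist, dns, shunt):
    """Return 'direct', 'inspected-pass' or 'blocked' for one request."""
    host = urlsplit(url).hostname
    if dns[host] not in shunt:
        return "direct"  # never touches the filter box
    # Stage 2: the box sees the full request and compares the URL.
    return "blocked" if url in blacklist else "inspected-pass"


def exposure(requests, blacklist, dns):
    """Count how each request is handled by the hybrid filter."""
    shunt = diverted_ips(blacklist, dns)
    return Counter(classify(u, blacklist, dns, shunt) for u in requests)


REQUESTS = [  # constructed requests
    "http://blocked.example/bad/page.html",
    "http://blocked.example/index.html",
    "http://clinic.example/appointments",
    "http://forum.example/thread/42",
    "http://news.example/today",
]

if __name__ == "__main__":
    shunt = diverted_ips(BLACKLIST, DNS)
    for url in REQUESTS:
        print(f"{classify(url, BLACKLIST, DNS, shunt):15} {url}")
    print(dict(exposure(REQUESTS, BLACKLIST, DNS)))
```

The "inspected-pass" count is the footprint an operator would want to measure and minimise: traffic the box can read even though nothing in it is blacklisted.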
Tim B
"I don't think government are
"I don't think government are more typically more moral than their constituents"
I would have to agree with that... Just look how many political figures turn out to be pedophiles, alcoholics, liars, general weirdos (like the chair sniffer), etc.
And yet here are the incompetent parents and technologically illiterate suggesting we should just sit and listen to what they tell us is wrong and right...
Also, as for the man in the middle thing... It doesn't matter what type of filter it is, it's got to get its rules from somewhere. If someone wants to deny access to a site, all they have to do is inject it into the list somehow. Easiest place would be in the line it gets updated from (ie, the middle).
Anonymous
'Man in the middle' refers to a type of security attack where the attacker inserts themselves between 2 points and relays messages between the points, appearing to each point as the other. E.g. The attacker looks like Point B from Point A's perspective.
Any data sent between the 2 points can be viewed by the attacker.
Any sort of filter is placed by definition at the position of a 'man in the middle' attacker, and if a filter is hacked all data travelling thru it is compromised.
A national filter would place all data at risk and present hackers with a single point to target to gain access to everything sent by Australians online.
Anonymous
MITM by URL parsing on a router? Document an example please.
Incorrect, large scale URL filtering is being used by various telcos and carriers internationally... Up to millions of users per site... Some earnest research will help you find some such examples.
You may want it to be IP filtering, as this is easier to attack, but that does not mean that it will be...
By this thinking every device on the internet is a MITM attack target? Including this website, your modem, your internet provider, his routers, the switches they use etc.
A little bit doomsday I would contend.
That would only make the case for internet and URL filtering stronger, as they deliver a layer of real protection that far outweighs any degree of URL filtering vulnerability that you could actually document here...
It would be interesting if you could actually document some cases of mainstream URL only filters being compromised by a MITM attack. Theories are easy to formulate and promulgate...
Remember, many URL filters only use an existing router or such device to parse out the URL. You would be suggesting that this device is vulnerable? That would need some documentation...
I have not seen a mainstream router URL parsing vulnerability in modern routers as yet, but you may have a case I have not seen. Please share this.
Anonymous
Who do you like...?
Ok, you do not like parents, politicians, technologically illiterate. Who's left? The technologically literate non-parents...
As for filters, not all filters are inline, and thus there are no devices to attack, no accessible lists to inject something into.
However, if you can compromise the router at an ISP, then you may be able to interrupt the access or deny process.
However I can assure you that if someone has compromised the routers at an ISP, EG at iiNet or Internode, then those ISPs have far greater problems than a disruption to the filtering...
Anonymous
Poor Dan Kaminsky
He hasn't been getting much media attention lately. Maybe this will boost his profile a bit.
Anonymous
Hijacks
So apart from wholesale BGP hijacks which our ISPs *should* not tolerate, the 'out of band' or *deity* help us 'in band' device will tell routers what prefixes to shunt either manually or automatically as per other DDOS solutions.
Here is an example of widescale hijacking of a different sort.
http://www.wired.com/threatlevel/2008/08/revealed-the-in/
Search around for Pakistan and Youtube etc. also. Point is; trusting devices and people? Automating and manual. Scalability? Slash 32 prefixes should then be updated by hand under change control and review process and how many thousands of sites will the public submit to ACMA, let alone get to the classification board?
This should not be just a technical debate though. Punish the remote ISPs, not the local ones?
Anonymous
ISP router vulnerabilities...?
Well it looks like our problems are not URL filters, it looks like the ISP routers are the massive security threat.
So easy to exploit BGP functionality, surely the ISP engineers have known about this?
Thanks for that data and that link, it is important that the market knows that their ISPs' routers are open, vulnerable and subject to hijacks and attacks so easily.
That would represent a major threat to national security.