WTF?!? UK’s nuclear weapons data + other sensitive internet traffic rerouted thru Ukraine+Russia

Housecarl

On TB every waking moment
WTF?!?!?!?..........:shkr:

For links see article source.....
Posted for fair use.....
http://www.belfasttelegraph.co.uk/t...raffic-rerouted-through-ukraine-31066133.html

UK’s nuclear weapons data and other sensitive internet traffic rerouted through Ukraine

14 March 2015

Internet data from the UK’s Atomic Weapons Establishment and other sensitive information was being sent through Ukraine, by mistake, all last week.

As well as the nuclear weapons body, which is “responsible for the design, manufacture and support of warheads for the United Kingdom’s nuclear deterrent”, traffic from the Post Office and elsewhere was accidentally being sent through Ukrainian and Russian addresses.

The BT internet traffic was being rerouted through Ukrainian internet provider Vega, but security experts believe that the problem was a mistake.

Data would not normally be expected to flow that way, and the diversion through Ukraine is far from the most efficient route.

Fraudulent routing of this kind can allow criminals and other malicious agencies access to data but is relatively easy to do.

Dyn, which discovered the problem in Ukraine, says that since routing is based “entirely on trust, it’s relatively easy to commandeer IP address space that belongs to someone else”.

While most of the traffic that was flowing over the networks would have been encrypted and so wouldn't have been able to be read, users snooping on email traffic would have been able to see the IP addresses — and therefore the company and the potential location — of those involved. It’s impossible to tell whether any data was snooped on or lost as it was rerouted.

As well as endangering the security of internet users, such problems can also slow down or break internet connectivity. That could cause huge economic damage.

Some of the groups that had their internet rerouted included Virgin Money, Marks and Spencer and a range of UK government bodies, according to Dyn. Lockheed Martin, the US defense contractor, was also reportedly caught up in the rerouting with a VPN service they were running.

The full traceroute is below.

Trace from Houston, TX to Atomic Weapons Establishment at 03:22 Mar 12, 2015.

"1. *
2. 173.193.118.140 ae12.dar02.sr02.hou02.networklayer.com 2.948
3. 50.97.18.246 ae9.bbr02.sr02.hou02.networklayer.com 0.3
4. 173.192.18.220 ae3.bbr02.eq01.dal03.networklayer.com 8.133
5. 173.192.18.135 ae1.bbr01.tl01.atl01.networklayer.com 28.524
6. 173.192.18.152 ae0.bbr01.eq01.wdc02.networklayer.com 42.033
7. 173.192.18.195 ae7.bbr02.eq01.wdc02.networklayer.com 40.167
8. 50.97.18.215 ae0.bbr01.eq01.ams02.networklayer.com 118.838
9. 50.97.18.217 ae0.bbr02.xn01.fra01.networklayer.com 124.983
10. 50.97.18.218 ae7.bbr01.xn01.fra01.networklayer.com 124.133
11. 80.81.194.177 edge-3-2-5-231.kiev.ucomline.net 154.988
12. 87.245.247.157 ae2-241.RT.NTL.KIV.UA.retn.net 155.174
13. 87.245.233.238 ae2-10.RT.TC2.LON.UK.retn.net 158.221
14. 195.66.224.10 linx1.ukcore.bt.net 161.442
15. 194.72.31.130 (BTnet inter-pop routes, GB) 166.986
16. 62.172.103.89 core1-pos1-1.birmingham.ukcore.bt.net 163.205
17. 62.6.196.70 vhsaccess1-pos7-0.birmingham.fixed.bt.net 164.139
18. 132.153.3.254 (Atomic Weapons Establishment, GB) 177.4"
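The traceroute above is the kind of evidence a network team would want to spot automatically: a path from Houston to a UK destination that passes through Kiev before reaching London. The following is an added example, not code from the post or from Dyn or the Belfast Telegraph, that parses hops in the format shown, tags each hop with a country from its hostname or annotation, and flags hops outside the set of transit countries the path is expected to use. The hostname-to-country table (`COUNTRY_HINTS`) and the expected-country set are assumptions for this example; a production check would use a GeoIP or ASN feed instead.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Hops copied from the traceroute in the post above
# (Houston, TX -> Atomic Weapons Establishment, 12 Mar 2015).
TRACEROUTE = """\
1. *
2. 173.193.118.140 ae12.dar02.sr02.hou02.networklayer.com 2.948
3. 50.97.18.246 ae9.bbr02.sr02.hou02.networklayer.com 0.3
4. 173.192.18.220 ae3.bbr02.eq01.dal03.networklayer.com 8.133
5. 173.192.18.135 ae1.bbr01.tl01.atl01.networklayer.com 28.524
6. 173.192.18.152 ae0.bbr01.eq01.wdc02.networklayer.com 42.033
7. 173.192.18.195 ae7.bbr02.eq01.wdc02.networklayer.com 40.167
8. 50.97.18.215 ae0.bbr01.eq01.ams02.networklayer.com 118.838
9. 50.97.18.217 ae0.bbr02.xn01.fra01.networklayer.com 124.983
10. 50.97.18.218 ae7.bbr01.xn01.fra01.networklayer.com 124.133
11. 80.81.194.177 edge-3-2-5-231.kiev.ucomline.net 154.988
12. 87.245.247.157 ae2-241.RT.NTL.KIV.UA.retn.net 155.174
13. 87.245.233.238 ae2-10.RT.TC2.LON.UK.retn.net 158.221
14. 195.66.224.10 linx1.ukcore.bt.net 161.442
15. 194.72.31.130 (BTnet inter-pop routes, GB) 166.986
16. 62.172.103.89 core1-pos1-1.birmingham.ukcore.bt.net 163.205
17. 62.6.196.70 vhsaccess1-pos7-0.birmingham.fixed.bt.net 164.139
18. 132.153.3.254 (Atomic Weapons Establishment, GB) 177.4
"""

# Substrings of router hostnames that reveal the hop's country. Operators do
# not follow one naming convention, so this table is an assumption built from
# the hostnames in this trace only.
COUNTRY_HINTS = {
    "kiev": "UA", ".kiv.ua.": "UA",
    ".lon.uk.": "GB", "bt.net": "GB",
    "hou02": "US", "dal03": "US", "atl01": "US", "wdc02": "US",
    "ams02": "NL", "fra01": "DE",
}

# "<n>. *"  or  "<n>. <ip> <hostname or (annotation)> <rtt ms>"
HOP_RE = re.compile(r"^\s*(\d+)\.\s+(?:(\*)|(\S+)\s+(.+?)\s+([\d.]+))\s*$")
# Trailing ", GB)" style country annotation as used for unnamed hops.
ANNOTATED_CC_RE = re.compile(r",\s*([A-Z]{2})\)\s*$")


@dataclass
class Hop:
    index: int
    ip: Optional[str]
    label: str
    rtt_ms: Optional[float]
    country: Optional[str]


def guess_country(label: str) -> Optional[str]:
    """Country code from a '(..., GB)' annotation or a hostname hint, else None."""
    m = ANNOTATED_CC_RE.search(label)
    if m:
        return m.group(1)
    low = label.lower()
    for token, cc in COUNTRY_HINTS.items():
        if token in low:
            return cc
    return None


def parse_traceroute(text: str) -> List[Hop]:
    hops: List[Hop] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = HOP_RE.match(line)
        if not m:
            raise ValueError(f"unparseable hop line: {line!r}")
        idx, star, ip, label, rtt = m.groups()
        if star:
            hops.append(Hop(int(idx), None, "*", None, None))
        else:
            hops.append(Hop(int(idx), ip, label, float(rtt), guess_country(label)))
    return hops


def country_path(hops: List[Hop]) -> List[str]:
    """Countries traversed in order, with unknown hops and consecutive repeats collapsed."""
    path: List[str] = []
    for h in hops:
        if h.country and (not path or path[-1] != h.country):
            path.append(h.country)
    return path


def unexpected_hops(hops: List[Hop], allowed: Set[str]) -> List[Hop]:
    """Hops located in a country outside the transit set this path is expected to use."""
    return [h for h in hops if h.country and h.country not in allowed]


def detour_report(text: str, allowed: Set[str]) -> List[str]:
    hops = parse_traceroute(text)
    findings = [
        f"hop {h.index}: {h.ip} {h.label} is in {h.country}, not in expected {sorted(allowed)}"
        for h in unexpected_hops(hops, allowed)
    ]
    if findings:
        findings.insert(0, "country path: " + " -> ".join(country_path(hops)))
    return findings


if __name__ == "__main__":
    # Houston -> UK: only US, NL, DE and GB transit is expected on this path (assumption).
    for line in detour_report(TRACEROUTE, {"US", "NL", "DE", "GB"}):
        print(line)
```

Run on the trace above, the report lists the country path US -> NL -> DE -> UA -> GB and flags hops 11 and 12 as the unexpected Ukrainian segment. The same check, run periodically from a few vantage points against your own prefixes and compared with a stored baseline path, is a cheap way to notice this class of event without waiting for a third party to publish it.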
 

Possible Impact

TB Fanatic

Strange snafu hijacks UK nuke maker’s traffic, routes it through Ukraine

Lockheed, banks, and helicopter designer also affected by border gateway mishap.



by Dan Goodin - Mar 13, 2015 11:13am CDT
http://arstechnica.com/security/201...acks-uk-nukes-makers-traffic-through-ukraine/



[Image: map of the redirected Atomic Weapons Establishment traffic path]



Internet traffic for 167 important British Telecom customers—including a UK defense contractor that helps deliver the country's nuclear warhead program—was mysteriously diverted to servers in Ukraine before being passed along to their final destination.

The snafu may have allowed adversaries to eavesdrop on or tamper with communications sent and received by the UK's Atomic Weapons Establishment, one of the affected British Telecom customers. Other organizations with hijacked traffic include defense contractor Lockheed Martin, Toronto Dominion Bank, Anglo-Italian helicopter company AgustaWestland, and the UK Department for Environment, according to a blog post published Friday by researchers from Dyn, a firm that helps companies monitor and control their online infrastructure.

The diverted traffic appeared to be used to send e-mail and route virtual private networks, as well as for other purposes. As the picture above illustrates, the roundabout path caused the data to travel thousands of miles to the Ukrainian capital of Kiev before turning around, retracing that route, and being delivered to its normal hub in London. Unnecessarily sending the data to Kiev may have made it possible for employees with privileged network access to Ukrainian telecom provider Vega to monitor or tamper with data that wasn't encrypted end-to-end using strong cryptography. The hijacking of the Atomic Weapons Establishment, Lockheed, and the other 165 routes occurred over a 90-minute span on Thursday, while a handful of British Telecom customers experienced diverted traffic for five days beginning Saturday.

"The 167 hijacked prefixes (listed below) also included more innocuous networks like those of Pepsi Cola (165.197.56.0/22) and Wal-Mart UK (161.163.166.0/24 and 161.163.177.0/24)," Dyn Director of Internet analysis Doug Madory wrote. "However, these networks do host domains with 'VPN' and 'mail' in their names, implying they provide important services for these companies. Does this list represent some curious mistake or something more? Either way, it redirected a portion of Internet traffic bound for networks, at a minimum resulting in poor performance for some customers."


It's not the first time that significant chunks of Internet traffic have been diverted to distant locations for unexplained reasons. In late 2013, Dyn researchers reported that data belonging to financial institutions, government agencies, and network service providers were mysteriously redirected to routers at Belarusian or Icelandic service providers. The hijackings occurred during at least 38 distinct events over a nine-month span that began in February of that year. The diversions are the result of the implicit trust placed in the border gateway protocol used to exchange data between large service providers and their customers, which include financial institutions, governments, network service providers, pharmaceutical and aerospace companies, and other sensitive organizations. As Ars explained in November, 2013:

The ease of altering or deleting authorized BGP routes, or of creating new ones, has long been considered a potential Achilles Heel for the Internet. Indeed, in 2008, YouTube became unreachable for virtually all Internet users after a Pakistani ISP altered a route in a ham-fisted attempt to block the service in just that country. Later that year, researchers at the Defcon hacker conference showed how BGP routes could be manipulated to redirect huge swaths of Internet traffic. By diverting it to unauthorized routers under control of hackers, they were then free to monitor or tamper with any data that was unencrypted before sending it to its intended recipient with little sign of what had just taken place.

"This year, that potential has become reality," Renesys researcher Jim Cowie wrote. "We have actually observed live man-in-the-middle (MitM) hijacks on more than 60 days so far this year. About 1,500 individual IP blocks have been hijacked, in events lasting from minutes to days, by attackers working from various countries."

At least one unidentified voice-over-IP provider has also been targeted. In all, data destined for 150 cities have been intercepted. The attacks are serious because they affect the Internet equivalents of a US interstate that can carry data for hundreds of thousands or even millions of people. And unlike the typical BGP glitches that arise from time to time, the attacks observed by Renesys provide few outward signs to users that anything is amiss.

"The recipient, perhaps sitting at home in a pleasant Virginia suburb drinking his morning coffee, has no idea that someone in Minsk has the ability to watch him surf the Web," Cowie wrote. "Even if he ran his own traceroute to verify connectivity to the world, the paths he'd see would be the usual ones. The reverse path, carrying content back to him from all over the world, has been invisibly tampered with."
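Both articles come back to the same root cause: BGP accepts a route announcement on trust, so any network can announce address space that belongs to someone else. The standard defensive answer is Route Origin Validation against RPKI Route Origin Authorizations (ROAs), where the legitimate holder signs a statement of which AS may originate a prefix and up to what prefix length. The following is an added example, not code from the post, Ars Technica or Dyn, that implements the RFC 6811 validation states (Valid, Invalid, NotFound) over a small ROA table. The prefixes are the three Dyn quoted in the article; the AS numbers (`LEGIT_ASN`, `FOREIGN_ASN`) are placeholders from the documentation range and the announcements are constructed, so none of this reflects who actually originated those prefixes.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Roa:
    """Route Origin Authorization: asn may originate prefix at lengths up to max_length."""
    prefix: ipaddress.IPv4Network
    max_length: int
    asn: int


@dataclass(frozen=True)
class Announcement:
    """A BGP announcement reduced to what origin validation looks at."""
    prefix: ipaddress.IPv4Network
    origin_asn: int


def net(s: str) -> ipaddress.IPv4Network:
    return ipaddress.IPv4Network(s)


# Prefixes from Dyn's list as quoted in the article. The AS numbers are
# placeholders from the documentation range (AS64496-AS64511), not real origins.
LEGIT_ASN = 64500     # hypothetical rightful origin for the prefixes below
FOREIGN_ASN = 64510   # hypothetical AS announcing them without authority

ROAS = [
    Roa(net("165.197.56.0/22"), 22, LEGIT_ASN),
    Roa(net("161.163.166.0/24"), 24, LEGIT_ASN),
    Roa(net("161.163.177.0/24"), 24, LEGIT_ASN),
]


def covering_roas(ann: Announcement, roas: List[Roa]) -> List[Roa]:
    """ROAs whose prefix contains the announced prefix (equal or less specific)."""
    return [r for r in roas if ann.prefix.subnet_of(r.prefix)]


def validate(ann: Announcement, roas: List[Roa]) -> str:
    """RFC 6811 origin validation state for one announcement."""
    covering = covering_roas(ann, roas)
    if not covering:
        return "NotFound"          # no holder has said anything about this space
    for r in covering:
        if r.asn == ann.origin_asn and ann.prefix.prefixlen <= r.max_length:
            return "Valid"         # right origin AS and not more specific than allowed
    return "Invalid"               # covered, but wrong origin or too specific


def triage(announcements: List[Announcement], roas: List[Roa]) -> List[Tuple[str, int, str]]:
    return [(str(a.prefix), a.origin_asn, validate(a, roas)) for a in announcements]


# Constructed announcements: the legitimate route, the same prefix from a foreign
# AS, a more-specific /24 that forges the legitimate origin AS, and a prefix with
# no ROA at all (TEST-NET-2).
SAMPLE_ANNOUNCEMENTS = [
    Announcement(net("165.197.56.0/22"), LEGIT_ASN),
    Announcement(net("165.197.56.0/22"), FOREIGN_ASN),
    Announcement(net("165.197.56.0/24"), LEGIT_ASN),
    Announcement(net("198.51.100.0/24"), FOREIGN_ASN),
]

if __name__ == "__main__":
    for prefix, asn, state in triage(SAMPLE_ANNOUNCEMENTS, ROAS):
        print(f"{prefix:20} AS{asn}  {state}")
```

Two details matter for the scenario in the thread. First, the ROA's maxLength is what makes the third announcement Invalid: a more-specific /24 wins in BGP's longest-prefix-match even when the /22 is still being announced by its owner, so a ROA that permits only /22 lets a router drop that route. Second, origin validation checks only the origin AS, not the rest of the path, so it is a necessary but not sufficient control; a router policy that rejects Invalid routes and monitoring for NotFound announcements of your own space together cover most of the accidental leaks like the one Dyn reported.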





 