'Tis a Fragile Thing
The recent cutting of the peering point between the two US Tier 1 ISPs, Cogent and Level 3 (see columns from two and three weeks ago), started a lot of people thinking about the fragility of the Internet, and what could happen in the future if the gentlemen's agreements that keep the backbone operating cease. A little over a week ago, an unintentional outage affected a large number of American Internet users. Tier 1 ISPs Verio and Level 3 were affected this time, with routing services going awry, effectively making their complete networks vanish from the Internet.
The actual equipment that makes up the core of the Internet, the network routers, relies upon routing tables to direct the traffic that flows through it. These tables are like mini network maps, and allow the routers to pass the information to the appropriate system so that it can be passed to the destination as efficiently as possible. In the recent outage, Level 3 claimed that a software upgrade had damaged the routing tables, which effectively blocked the information that was passing through their network.
Technically, the routers started to 'flap' as they cycled between two invalid routing tables in a vain attempt to get the traffic they were holding to a valid destination. As routers went offline, it started a cascading failure, with more routers unable to pass traffic to a valid location, which then forced them to flap between their alternate routing tables, which also became invalid, taking them offline as well. The total outage was around 2-3 hours, as by that time other routers had updated their tables to route around the Level 3 and Verio networks, and the Level 3 systems were being brought back online. The remaining network segments would continue to carry increased load until the full systems could be re-established.
While this is the second time within a month that Level 3 have been involved in a blackout of a portion of the Internet, they are not struggling to keep up, just yet, but they are reported to be suffering financially even with a stable revenue and customer base. The bigger problem is for the lower-tier ISPs, who had to explain to irate customers that the Internet was down (as far as they could go), and that there was nothing that could be done about it. Unfortunately, their reputation and reliability would have taken a hit, and it is possible that these ISPs have lost customers as a result.
Some observers claim that these recent events are strong cases for ensuring that network access for large companies is 'multi-homed', which means that their network traffic can pass through a number of Tier 1 providers when it arrives on the Internet backbone. This allows for continued network access in the case that one of the Tier 1 providers suffers an outage. Selection of a multi-homed ISP as the network connection for end users will also help maintain network connectivity in the case of an outage.
When the Internet is up and running, one of its growing uses is online banking and financial transactions. The US Federal Financial Institutions Examination Council (FFIEC) has recently called for US banks to have implemented two-factor authentication for online banking by the end of 2006. It is expected that the most common implementations will probably be a variant of the key fob model, as applied by RSA Security's SecurID, or a one-time password model as applied by a number of European banks.
Concerns have been expressed about the cost and reliability of these added features, and whether the costs will be passed through to the consumers in the long run. The security of most methods has also been called into question, as both methods of authentication will travel over the same channel (i.e. the Internet). This single channel of use still allows for spoofing attacks (phishing), where the attacker needs to position themselves between the bank and the user, pretending to be the user to the bank, and the bank to the user. Until recently, it was considered impractical to perform this sort of attack against the newer two-factor authentication models; however, a successful phishing attack in Europe has shown this to be false.
Proper two-channel methods, such as using SMS or voice calls, introduce significant overhead to the transaction process, which ultimately is likely to be passed on to the client, and can still be bypassed through social engineering or the theft of the mobile (one of the most commonly lost / stolen personal items).
Making random capture of this information more difficult for attackers makes it more likely that, any time the security model is breached, the banks will blame the victims for failing to apply the security model correctly. While an increased level of personal responsibility will go a long way, it is still important to consider that attackers can still operate happily. Human nature being what it is, any time that access controls are tightened, more people will go out of their way to make their access a little easier. That might mean taping their password to their key fob or password sheet and carrying it with them everywhere (all they need to do is lose it / get mugged).
Cynical observers have pointed out that it may not be in the best interest of the consumers (that is only a happy coincidence), and that it is the insurance behind the banks (FDIC) that is pushing for the improved security models, ostensibly to protect the financial institutions against the losses. Unfortunately, the methods only improve the complexity of the required attacks by a minimal level.
It is also highly likely that this will see a new form of phishing attack introduced, the real time attack, where the attacker is actively manipulating the account while the user is trying to log in (a derived man-in-the-middle attack).
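The point made above about one-time codes travelling over the same channel as the password, as an added example that is not part of the original column: a server-side model in Python of a time-based one-time code check (RFC 6238). The BankVerifier class, the secret, the password and the timestamps are constructed for illustration. It shows that a code captured and tried later fails, while a code passed on within its validity window is accepted, because nothing in the code identifies who submitted it.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds a code stays valid (assumed; a common token setting)

def totp(secret: bytes, now: int, digits: int = 6) -> str:
    """RFC 6238 time-based one-time code (HMAC-SHA1, RFC 4226 truncation)."""
    counter = struct.pack(">Q", now // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

class BankVerifier:
    """Hypothetical server-side check: password plus token code, each code usable once."""
    def __init__(self, password: str, secret: bytes):
        self.password, self.secret = password, secret
        self.used_steps = set()

    def login(self, password: str, code: str, now: int, source: str) -> bool:
        # 'source' stands for what the bank can observe about the connection.
        # It cannot be checked against the code, because the code is derived
        # only from the shared secret and the clock, not from the session.
        step = now // STEP
        if step in self.used_steps:
            return False  # the code for this time step has already been spent
        ok = (hmac.compare_digest(password.encode(), self.password.encode())
              and hmac.compare_digest(code.encode(), totp(self.secret, now).encode()))
        if ok:
            self.used_steps.add(step)
        return ok

def demo() -> dict:
    secret, password = b"constructed-demo-secret", "constructed-password"
    t0 = 1_130_716_800  # constructed timestamp, aligned to a 30-second step
    code = totp(secret, t0)  # what the customer's token displays at t0
    bank = BankVerifier(password, secret)
    relayed = bank.login(password, code, t0 + 5, source="intermediary")
    replayed = bank.login(password, code, t0 + 6, source="customer")
    later = BankVerifier(password, secret).login(password, code, t0 + 45, source="unknown")
    return {"relayed_in_window": relayed, "replayed_same_step": replayed,
            "captured_used_later": later}

if __name__ == "__main__":
    print(demo())
```

The one-use rule and the short window are what make random capture harder; neither tells the bank which end of the connection the code came from.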
31 October 2005