This week the US Senate was presented with a security report describing a BGP hijacking event that occurred in April 2010. The wires are full of claims that China “stole 15% of the Internet” for 18 minutes, with China, unsurprisingly, denying the allegations.
While the politicians prattle on about whether China is stealing Internet traffic or whether this was a genuinely innocent error, I am more interested in the scaremongering line that “Experts fear sensitive data, such as the contents of email messages, could have been seen and viruses implanted”.
BGP hijacking is an old problem (the earliest incident referenced on Wikipedia dates from 1997) and has long been used, albeit on a smaller scale, by spammers and malware authors. A 2006 paper by Anirudh Ramachandran and Nick Feamster discusses in detail how spammers use BGP hijacking to announce short-lived prefixes whose IP addresses have not yet been seen by any of the RBL (real-time blackhole list) services, sending spam from them and withdrawing the route before the lists catch up.
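The short-lived announcements described above are exactly what origin validation is meant to catch. As an added example (not code from the original post), the following Python implements the route origin validation procedure from RFC 6811 against a constructed table of ROAs (route origin authorizations) and runs it over a handful of constructed BGP UPDATE log lines. The log line format ("timestamp prefix AS_PATH") and the prefixes and AS numbers are hypothetical; the classification rules (valid, invalid, notfound, including the maxLength check that flags sub-prefix hijacks) follow the RFC.

```python
import ipaddress
from typing import List, Tuple

# Constructed ROA table standing in for an RPKI cache: (prefix, maxLength, origin AS).
# The owner of 198.51.100.0/24 is allowed to announce /25s as well; the others are
# authorized for exactly the listed prefix length.
ROAS: List[Tuple[str, int, int]] = [
    ("192.0.2.0/24", 24, 64500),
    ("198.51.100.0/24", 25, 64501),
    ("203.0.113.0/24", 24, 64502),
    ("2001:db8::/32", 48, 64500),
]

# Constructed BGP UPDATE log, one announcement per line: "<timestamp> <prefix> <AS_PATH>".
# The rightmost AS in the path is the origin. Lines 4-6 model the spammer/hijacker
# behaviour: a prefix announced by the wrong AS, a more-specific carved out of
# someone else's block, and a prefix nobody has registered at all.
SAMPLE_UPDATES = """\
2010-04-08T15:50:00Z 192.0.2.0/24 64510 64500
2010-04-08T15:50:03Z 198.51.100.0/25 64510 64501
2010-04-08T15:52:00Z 2001:db8:1::/48 64510 64500
2010-04-08T15:54:10Z 203.0.113.0/24 64510 65000
2010-04-08T15:54:12Z 192.0.2.128/25 64510 65000
2010-04-08T15:55:00Z 10.0.0.0/8 64510 64500
"""


def validate_route(prefix: str, origin_as: int) -> str:
    """RFC 6811 origin validation.

    valid    - some covering ROA matches both the origin AS and the maxLength
    invalid  - covering ROAs exist but none matches (wrong origin or too-long prefix)
    notfound - no ROA covers the prefix at all
    """
    net = ipaddress.ip_network(prefix, strict=True)
    covered = False
    for roa_prefix, max_len, roa_as in ROAS:
        roa_net = ipaddress.ip_network(roa_prefix, strict=True)
        # subnet_of() raises on mixed address families, so compare versions first.
        if net.version != roa_net.version or not net.subnet_of(roa_net):
            continue
        covered = True
        if origin_as == roa_as and net.prefixlen <= max_len:
            return "valid"
    return "invalid" if covered else "notfound"


def parse_update(line: str) -> Tuple[str, str, int]:
    """Split a constructed log line into (timestamp, prefix, origin AS).

    The origin is the rightmost AS in AS_PATH; AS_SETs are not handled here.
    """
    timestamp, prefix, *as_path = line.split()
    return timestamp, prefix, int(as_path[-1])


def find_hijacks(log: str) -> List[Tuple[str, str, int, str]]:
    """Return (timestamp, prefix, origin AS, status) for every announcement that is not valid."""
    findings = []
    for line in log.splitlines():
        if not line.strip():
            continue
        timestamp, prefix, origin_as = parse_update(line)
        status = validate_route(prefix, origin_as)
        if status != "valid":
            findings.append((timestamp, prefix, origin_as, status))
    return findings


if __name__ == "__main__":
    for timestamp, prefix, origin_as, status in find_hijacks(SAMPLE_UPDATES):
        print(f"{timestamp} {prefix:<18} origin AS{origin_as:<6} {status}")
```

Note that the more-specific 192.0.2.128/25 is flagged even though a /24 ROA covers it: a more-specific route wins longest-match in every router on the Internet regardless of who originates it, which is why maxLength is part of the check rather than just the origin AS. A prefix with no ROA at all comes back as notfound, which is where the spammers' never-before-seen address space would land; whether a network drops or merely deprioritises notfound routes is a policy decision.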
So why is such an old and well known problem still causing so much consternation?
I believe it is because this is the first time most companies have really understood the ramifications of not securing their traffic in transit. Everybody knows that sending data across public infrastructure is dangerous, and what we are seeing here is one huge, indiscriminate risk that could expose your organization's intellectual property purely by chance. It highlights that you do not need to be the target of such an event in order to expose sensitive information; you only need to be in the wrong place at the wrong time.
Because of risks like this, TLS (Transport Layer Security) has become much more widely adopted over the past few years, and various institutions have imposed encryption requirements on parties with whom they share sensitive information. Traffic captured during a BGP hijack is useless to the hijacker if it was protected by TLS, unless they can break the cipher or present a certificate the client will accept. That second caveat matters: an attacker who can redirect your traffic is on-path and can attempt an active man-in-the-middle, so encryption only protects you if the client actually validates the server's certificate and hostname rather than clicking through warnings or disabling verification to make an error go away.
All of which makes it doubly important that we use the technologies available to us. Use your DLP (Data Leak Prevention) system to ensure that nothing leaves your control that shouldn't, and use TLS to cover any data that does have to traverse the public Internet. And NEVER submit private information to an unsecured website.