President Trump Must Ask Congress to Draft Articles of Cyberwar Against Russia - or Else
On April 27th, 2017, Ars Technica published an in-depth post on how a Russian government-controlled telecom hijacked financial services’ Internet traffic:
On Wednesday, large chunks of network traffic belonging to MasterCard, Visa, and more than two dozen other financial services companies were briefly routed through a Russian government-controlled telecom under unexplained circumstances that renew lingering questions about the trust and reliability of some of the most sensitive Internet communications.
Anomalies in the border gateway protocol—which routes large-scale amounts of traffic among Internet backbones, ISPs, and other large networks—are common and usually the result of human error. While it’s possible Wednesday’s five- to seven-minute hijack of 36 large network blocks may also have been inadvertent, the high concentration of technology and financial services companies affected made the incident “curious” to engineers at network monitoring service BGPmon. What’s more, the way some of the affected networks were redirected indicated their underlying prefixes had been manually inserted into BGP tables, most likely by someone at Rostelecom, the Russian government-controlled telecom that improperly announced ownership of the blocks.
“I would classify this as quite suspicious,” Doug Madory, director of Internet analysis at network management firm Dyn, told Ars. “Typically accidental leaks appear more voluminous and indiscriminate. This would appear to be targeted to financial institutions. A typical cause of these errors [is] in some sort of internal traffic engineering, but it would seem strange that someone would limit their traffic engineering to mostly financial networks.”
Normally, the network traffic bound for MasterCard, Visa, and the other affected companies passes through service providers that the companies hire and authorize. Using BGP routing tables, the authorized providers “announce” their ownership of the large blocks of IP addresses belonging to the client companies. On Wednesday afternoon at around 3:36pm Pacific time, however, Rostelecom suddenly announced its control of the blocks. As a result, traffic flowing into the affected networks started passing through Rostelecom’s routers. The hijacking lasted five to seven minutes. When it was over, normal routing was restored. The event is nicely captured in a graphic here, which uses BGPlay.
Right here is enough information to set off alarm bells for everybody who uses Visa and MasterCard: the financial institutions that issue the cards, the corporations and merchants that accept them, and the governments that use these cards in day-to-day business transactions. This hijacking allowed Rostelecom to capture each and every packet of those transactions as it flowed across the Internet between its source and its destination. If you were up in arms about the NSA spying on you, for a short period of time you had the Russians doing it. Lovely.
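The excerpt above describes the mechanism that makes this possible: whichever network announces a block of addresses in BGP draws the traffic for it, and nothing in the protocol itself checks that the announcer is entitled to do so. The following is an added example (not code from Ars Technica, BGPmon or Dyn) of the defensive check a network operator or monitoring service runs to catch such an event: it compares each announcement against a table of the origin AS that is expected to announce each prefix (the role RPKI route origin authorizations play in practice), flags wrong-origin and more-specific announcements, and then measures whether the anomalies from one origin cluster in a single sector, which is exactly the "mostly financial networks" signal that made this incident look targeted rather than accidental. All prefixes (documentation ranges), AS numbers (private-use range) and sector labels below are constructed for illustration and are not the real networks involved.

```python
import ipaddress
from collections import Counter
from dataclasses import dataclass

# Constructed "expected origin" table, playing the role an RPKI ROA set or an
# operator's own prefix inventory would play. Addresses are RFC 5737/6598
# documentation ranges and AS numbers are from the private-use range; none of
# these are the networks from the Ars Technica story.
EXPECTED = {
    "203.0.113.0/24":  {"origin": 64500, "sector": "finance"},
    "198.51.100.0/24": {"origin": 64501, "sector": "finance"},
    "192.0.2.0/24":    {"origin": 64502, "sector": "finance"},
    "198.18.0.0/15":   {"origin": 64503, "sector": "tech"},
    "100.64.0.0/10":   {"origin": 64504, "sector": "isp"},
}


@dataclass(frozen=True)
class Announcement:
    """One BGP UPDATE as a monitor would see it: prefix plus the AS_PATH."""
    prefix: str
    as_path: tuple  # leftmost = neighbour that sent it, rightmost = origin AS

    @property
    def origin_as(self) -> int:
        return self.as_path[-1]


def find_covering(prefix: str, table=EXPECTED):
    """Longest-prefix match of `prefix` against the expected table, or None."""
    net = ipaddress.ip_network(prefix)
    best = None
    for exp_prefix, rec in table.items():
        cand = ipaddress.ip_network(exp_prefix)
        if cand.version != net.version or not net.subnet_of(cand):
            continue
        if best is None or cand.prefixlen > ipaddress.ip_network(best[0]).prefixlen:
            best = (exp_prefix, rec)
    return best


def classify(ann: Announcement, table=EXPECTED) -> str:
    """'valid', 'origin-mismatch', 'more-specific-hijack' or 'unknown'."""
    match = find_covering(ann.prefix, table)
    if match is None:
        return "unknown"          # not a prefix we are responsible for
    exp_prefix, rec = match
    if ann.origin_as == rec["origin"]:
        return "valid"
    # A longer prefix than the legitimate one wins in the routing table even
    # when the real announcement is still present, so call it out separately.
    if ipaddress.ip_network(ann.prefix).prefixlen > ipaddress.ip_network(exp_prefix).prefixlen:
        return "more-specific-hijack"
    return "origin-mismatch"


def analyse(announcements, table=EXPECTED):
    """Return the flagged announcements and, per offending origin AS,
    a Counter of which sectors its anomalies touched."""
    flagged = []
    by_origin = {}
    for ann in announcements:
        verdict = classify(ann, table)
        if verdict in ("valid", "unknown"):
            continue
        sector = find_covering(ann.prefix, table)[1]["sector"]
        flagged.append((ann, verdict, sector))
        by_origin.setdefault(ann.origin_as, Counter())[sector] += 1
    return flagged, by_origin


def targeted_sectors(by_origin, threshold: float = 0.8):
    """Origins whose anomalies concentrate (>= threshold share) in one sector.
    Accidental leaks tend to be broad; a tight cluster is the suspicious case."""
    out = {}
    for asn, counts in by_origin.items():
        total = sum(counts.values())
        sector, n = counts.most_common(1)[0]
        if total >= 2 and n / total >= threshold:
            out[asn] = sector
    return out


# Constructed sample feed: two legitimate announcements, three anomalies all
# from the same unexpected origin AS 64999, and one prefix we do not track.
SAMPLE_FEED = [
    Announcement("203.0.113.0/24", (64510, 64500)),   # legitimate origin
    Announcement("203.0.113.0/24", (64520, 64999)),   # same prefix, wrong origin
    Announcement("198.51.100.0/25", (64520, 64999)),  # more-specific, wrong origin
    Announcement("192.0.2.0/24", (64520, 64999)),     # wrong origin
    Announcement("100.64.0.0/10", (64530, 64504)),    # legitimate origin
    Announcement("10.10.10.0/24", (64999,)),          # not in our table
]

if __name__ == "__main__":
    flagged, by_origin = analyse(SAMPLE_FEED)
    for ann, verdict, sector in flagged:
        print(f"{verdict:22} {ann.prefix:18} origin AS{ann.origin_as} ({sector})")
    print("targeted:", targeted_sectors(by_origin))
```

Run as a script it prints the three anomalies and reports AS64999 as concentrating on the finance sector. A real deployment would feed this from a route collector or a service like BGPmon, use signed ROAs rather than a hand-maintained dictionary, and alert on the "more-specific" verdict first, since that announcement displaces the legitimate route everywhere it propagates.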
Now comes the question: why go through the trouble of capturing the packets in the first place? That is where things start to get frightening very quickly. As you would expect with data as critical as credit and debit card transactions, these packets are normally encrypted to the teeth, but as the Ars Technica article goes on to point out, that may not necessarily be the case:
The hijacking could have allowed individuals in Russia to intercept or manipulate traffic flowing into the affected address space. Such interception or manipulation would be most easily done to data that wasn’t encrypted, but even in cases when it was encrypted, traffic might still be decrypted using attacks with names such as Logjam and DROWN, which work against outdated transport layer security implementations that some organizations still use.
Madory said that even if data couldn’t be decrypted, attackers could potentially use the diverted traffic to enumerate what parties were initiating connections to MasterCard and the other affected companies. The attacker could then target those parties, which may have weaker defenses.
Pretty scary stuff right there on its own. But remembering the words of former Intel chairman Andy Grove (“Only the paranoid survive”), let me paint a much darker picture: what if there were moles in both Visa’s and MasterCard’s key management groups who had somehow been compromised, managed to get access to the entire key management database, and provided it to Rostelecom?
Game, set, match.
(OK, the likelihood of being able to dump the entire key management databases of Visa and MasterCard is probably pretty remote, but as we have seen with the NSA screw-ups, it’s possible. Private industry tends to be hyper-vigilant on data security and locks data down extremely tight, though, so let’s put this on the shelf for now.)
Bottom line: the apparent deliberate re-routing of our commercial payment system traffic, sending thousands (if not millions) of transactions across US borders into a foreign system run by a state-controlled telecom and violating the privacy of millions of individuals, corporations and many governments (including the US Government), cannot be ignored. It must be answered by the National Security Council, the National Security Agency, the Secretary of Commerce, the Office of the Comptroller of the Currency, the State Department, and lastly by President Trump himself.
As far as I’m concerned, this was an act of war, and it must be treated as such. Contact your Congressman and Senators about this. This is not a partisan issue; it is a national security issue that we have ignored for far too long, and we must take action now, before it’s too late.