Berkeley CSUA MOTD:Entry 54396
Berkeley CSUA MOTD
2018/10/15 [General] UID:1000 Activity:popular

2012/5/21-7/20 [Computer/Networking] UID:54396 Activity:nil
5/21    New attack based on TCP sequence number interference: [ars technica]

[Image caption: Cisco Systems' ASA 5500 series is one of many firewalls that drops data packets containing invalid TCP sequence numbers. The feature can leak data that can be used to hijack connections. Credit: Cisco Systems]

Computer scientists have identified a vulnerability in the network of AT&T and at least 47 other cellular carriers that allows attackers to surreptitiously hijack the Internet connections of smartphone users and inject malicious content into the traffic passing between them and trusted websites.

The attack, which doesn't require an adversary to have any man-in-the-middle capability over the network, can be used to lace unencrypted Facebook and Twitter pages with code that causes victims to take unintended actions, such as post messages or follow new users. It can also be used to direct people to fraudulent banking websites and to inject fraudulent messages into chat sessions in some Windows Live Messenger apps.

Ironically, the vulnerability is introduced by a class of firewalls cellular carriers use. While intended to make the networks safer, these firewall middleboxes allow hackers to infer the TCP sequence numbers carried in each data packet, a disclosure that can be used to tamper with Internet connections.

"It breaks the common assumption that communication is relatively safe on encrypted/protected WiFi or cellular networks that encrypt the wireless traffic. In fact, since our attack does not rely on sniffing traffic, it works regardless of the access technology as long as no application-layer protection is enabled."

The researchers tested their attack on Android-powered smartphones manufactured by HTC, Samsung, and Motorola. When the devices were connected to a "nation-wide carrier" that used sequence number-checking, the researchers were able to hijack connections to online services including Facebook, Twitter, Windows Live Messenger, and the AdMob advertising network.
They could also spoof traffic from four unidentified banks and an unnamed Android app that gives real-time stock quotes. Zhiyun Qian, a recent PhD recipient and one of the coauthors of the paper, told Ars the attack will also work against computers connected to networks using cellular cards or smartphone tethers. He said there's no reason to believe iOS devices from Apple can't be hijacked as well.

This week's paper reports that of 150 worldwide carriers tested, 48 were found to use firewalls that allowed the researchers to deduce the TCP sequence numbers needed to hijack end-user connections. Using an Android app the researchers released, Ars was able to identify AT&T as the US carrier referred to in the paper. Company representatives issued a statement that read, "The report does not provide enough detail for us to confirm a conclusion but we plan to take a look at the issues it raises."

Playing outside of the sandbox

Qian and fellow co-author Professor Z. Morley Mao have devised a buffet of possible attacks depending on which required elements are satisfied in a given exploit scenario. They labeled the most potent of the attacks on-site TCP hijacking. It relies on a lightweight piece of malware that must first be installed on a victim's phone and that has Internet access as its sole privilege. With help from the malicious app, the attacker queries the firewalls AT&T and other carriers use to drop all data packets that contain sequence numbers outside a range considered valid for a current connection. By testing which packets are permitted to go through and which ones are blocked, attackers can quickly deduce an acceptable number and append it to the malicious data to camouflage its fraudulent source.

"What that means is that we're able to completely hijack the connection, so that the original server, say the Facebook server, will be completely cut off from the communication, and we can inject whatever malicious content we want," Qian told Ars.
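The drop-or-pass decision described above is only usable as an oracle if the middlebox answers many out-of-window probes for the same connection in quick succession, which is also what makes it visible to whoever operates the firewall. The following detection sketch is an added example, not code from the article or from Qian and Mao's paper; it assumes a hypothetical log line format for out-of-window drops (constructed here, not any vendor's real syslog format) and the threshold and window values are assumptions to be tuned per deployment.

```python
import re
from collections import defaultdict, deque

# Constructed sample log lines in a hypothetical format (not a real vendor's):
# "<epoch_seconds> DROP out-of-window src=<ip>:<port> dst=<ip>:<port> seq=<n>"
# One flow receives six widely spaced out-of-window segments within three
# seconds (the probing pattern); another flow has a single stray drop.
SAMPLE_LOG = """\
1337600000 DROP out-of-window src=10.0.0.5:44123 dst=203.0.113.10:80 seq=1000000
1337600000 DROP out-of-window src=10.0.0.5:44123 dst=203.0.113.10:80 seq=2000000
1337600001 DROP out-of-window src=10.0.0.5:44123 dst=203.0.113.10:80 seq=3000000
1337600001 DROP out-of-window src=10.0.0.5:44123 dst=203.0.113.10:80 seq=4000000
1337600002 DROP out-of-window src=10.0.0.5:44123 dst=203.0.113.10:80 seq=5000000
1337600002 DROP out-of-window src=10.0.0.5:44123 dst=203.0.113.10:80 seq=6000000
1337600003 DROP out-of-window src=10.0.0.7:51000 dst=198.51.100.20:443 seq=77777
1337600900 DROP out-of-window src=10.0.0.5:44123 dst=203.0.113.10:80 seq=7000000
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+) DROP out-of-window src=(?P<src>[\d.]+):(?P<sport>\d+) "
    r"dst=(?P<dst>[\d.]+):(?P<dport>\d+) seq=(?P<seq>\d+)$"
)


def parse_line(line):
    """Parse one hypothetical drop record; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": int(m["ts"]),
        "flow": (m["src"], int(m["sport"]), m["dst"], int(m["dport"])),
        "seq": int(m["seq"]),
    }


def find_probing_flows(log_text, threshold=5, window_seconds=10):
    """Return the set of 4-tuples that accumulated at least `threshold`
    out-of-window drops inside any `window_seconds` span.

    A healthy connection almost never produces a burst of out-of-window
    segments; a burst with widely spaced sequence numbers on one 4-tuple is
    the signature of someone using the firewall's verdict as an oracle."""
    recent = defaultdict(deque)  # flow -> timestamps still inside the window
    flagged = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        q = recent[rec["flow"]]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window_seconds:
            q.popleft()  # expire drops older than the sliding window
        if len(q) >= threshold:
            flagged.add(rec["flow"])
    return flagged


if __name__ == "__main__":
    for flow in sorted(find_probing_flows(SAMPLE_LOG)):
        print("possible sequence-number probing on flow", flow)
```

The sliding window is keyed on the full 4-tuple rather than the source address alone, because the oracle only exists per connection: a host with many short-lived connections and an occasional late segment should not trip the rule, while one connection collecting dozens of rejected segments should.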
While Android apps are contained in a security sandbox that prevents them from accessing code and data used by other apps, he said the circuitous route taken by the lightweight malware effectively breaks out of this barrier, allowing the attackers to tamper with the phone's Web browser and other protected apps.

[Image caption: Zhiyun Qian and Z. Morley Mao]

Another variant of the attack relies on intermediate routers that help funnel data through a carrier network. The monotonically incrementing 16-bit IP header fields known as IPIDs act as side channels for inferring how many packets a target system has sent. By examining the values in the headers before and after sending spoofed probing packets, attackers can deduce sequence numbers by inferring whether the probes successfully passed through the firewall.

Still another variation of the attack doesn't rely on any malware at all. An off-site TCP injection/hijacking exploit, for instance, relies on a technique known as URL phishing, which lures a user to a malicious intermediate webpage before sending him to what appears to be a legitimate target website. When certain conditions are met, the attack can replace the content of the site with arbitrary traffic, or, if the user is logged in to the targeted site, can inject JavaScript into the pages that steals authentication cookies or performs actions on behalf of the victim.

The required ingredient

The required ingredient in all the attacks is a firewall on the carrier network that keeps track of sequence numbers for connections the end user has made with other addresses on the Internet. Firewalls that drop packets with out-of-window sequence numbers are manufactured by a variety of companies, including Cisco Systems, Juniper, and Check Point.

"They all build on top of the sequence number inference," Qian said of the attacks. "Without the sequence number, all of these attacks would not be possible, so you can think of sequence number inference as a building block for all of these attacks."
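The IPID side channel mentioned above is worth seeing in miniature, because the fix sits entirely on the host or router that allocates the field. The simulation below is an added example, not code from the article or the paper: it models two constructed IPID allocation policies, a single global counter (the behaviour the article describes) and per-packet randomization (one of the mitigations that removes the side channel), and measures how often an observer holding two IPID samples can recover the number of packets the host sent to third parties in between.

```python
import random


class Host:
    """Constructed model of a host's IPID allocation policy.

    'global' : one monotonically incrementing 16-bit counter shared by all
               destinations, so any observer can count the host's packets.
    'random' : a fresh random 16-bit value per packet, which carries no
               information about how many packets were sent in between."""

    def __init__(self, policy, seed=0):
        self.policy = policy
        self.counter = random.Random(seed).randrange(1 << 16)
        self.rng = random.Random(seed + 1)

    def send(self, n=1):
        """Send n packets; return the IPID carried by the last one."""
        ipid = None
        for _ in range(n):
            if self.policy == "global":
                self.counter = (self.counter + 1) & 0xFFFF
                ipid = self.counter
            else:
                ipid = self.rng.randrange(1 << 16)
        return ipid


def packets_between(ipid_before, ipid_after):
    """What two IPID samples reveal under a global counter: the number of
    packets the host emitted between them, modulo 2^16 (wrap-around safe)."""
    return (ipid_after - ipid_before) & 0xFFFF


def measure_leak(policy, hidden_sends, seed=0, trials=200):
    """Observer receives one packet (sample 1), the host then sends
    `hidden_sends` packets to parties the observer cannot see, observer
    receives one more packet (sample 2). Returns the fraction of trials in
    which the observer's estimate equals hidden_sends exactly."""
    correct = 0
    for t in range(trials):
        host = Host(policy, seed=seed + t)
        before = host.send()        # sample 1: the observer's own packet
        host.send(hidden_sends)     # traffic the observer never sees
        after = host.send()         # sample 2: the observer's own packet
        # the two samples themselves account for one increment, hence -1
        if packets_between(before, after) - 1 == hidden_sends:
            correct += 1
    return correct / trials


if __name__ == "__main__":
    for policy in ("global", "random"):
        print(f"{policy:6s}: observer counts hidden traffic correctly "
              f"in {measure_leak(policy, hidden_sends=37):.0%} of trials")
```

With the global counter the estimate is exact every time, including across the 16-bit wrap; with per-packet randomization a correct guess is a 1-in-65536 coincidence. Real stacks also use intermediate schemes such as per-destination counters with random offsets; those close the channel for an off-path observer as long as the observer's own flow does not share a counter with the flow it is trying to measure.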
TCP sequence numbers were designed to help computers reassemble packets that arrive out of sequence into their proper order. After researchers devised attacks in the late 1990s that used sequence numbers to hijack connections, the scheme was revised to give the numbers pseudo-random characteristics so they'd be hard for attackers to predict. Qian and Mao said they are the first known researchers to devise a TCP sequence number inference attack using the state kept on middleboxes.

Qian said online services can go a long way towards repelling the attacks by encrypting sessions using the secure sockets layer (SSL) or transport layer security (TLS) protocols, since almost all of the exploits he and Mao devised work against pages and apps that transmit content in plaintext. But even when Web traffic is encrypted, sequence number inference can be used to mount denial-of-service attacks.

Of course, the attacks could be more effectively prevented if carriers removed sequence number-checking functions from the firewalls they use. Qian said he's not sure that move is feasible because the carriers rely on the features to conserve resources by summarily dropping arbitrary packets that enter their networks. "However, the carriers may have their own reasons not to."

Dan Goodin is the IT Security Editor at Ars Technica, which he joined in 2012 after working for The Register, the Associated Press, Bloomberg News, and other publications.
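The two sentences about TLS carry the practical lesson: once the application layer authenticates its records, knowing the TCP sequence number lets an attacker place bytes in the stream but not make the receiver accept them, and the only remaining effect is a torn-down connection. The following toy record layer is an added example and is not TLS, nor code from the article or the paper; it binds each record to a per-session key and a record counter with HMAC-SHA256 (a constructed scheme that models integrity and ordering only, not encryption) and contrasts what a plaintext receiver and an authenticated receiver do with the same injected segment.

```python
import hashlib
import hmac
import struct

TAG_LEN = 32  # SHA-256 digest length


def protect(key, record_seq, payload):
    """Sender side of the constructed record layer:
    record = seq(8 bytes) || HMAC-SHA256(key, seq || payload) || payload."""
    header = struct.pack(">Q", record_seq)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + tag + payload


def deliver(key, expected_seq, record):
    """Receiver side. Returns ('ok', payload) when the record carries the
    expected counter and a valid tag, otherwise ('fatal', b''): as in TLS, a
    bad record ends the session instead of being skipped, which is why
    sequence-number inference degrades to a denial of service here."""
    header, tag, payload = record[:8], record[8:8 + TAG_LEN], record[8 + TAG_LEN:]
    (seq,) = struct.unpack(">Q", header)
    expected_tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    if seq != expected_seq or not hmac.compare_digest(tag, expected_tag):
        return "fatal", b""
    return "ok", payload


def simulate(protected):
    """Replay a two-record exchange with one injected segment placed at the
    position an inferred TCP sequence number would put it (index 1).
    Returns the payloads the receiver actually accepted, in order."""
    key = b"constructed-session-key"        # known to the two endpoints only
    genuine = [b"GET /feed", b"HTTP/1.1 200 OK"]
    injected = b"INJECTED"
    if protected:
        stream = [protect(key, i, p) for i, p in enumerate(genuine)]
        # The injector can forge the counter but not the tag without the key.
        forged = struct.pack(">Q", 1) + b"\x00" * TAG_LEN + injected
    else:
        stream = list(genuine)
        forged = injected
    stream.insert(1, forged)
    accepted = []
    for i, rec in enumerate(stream):
        if not protected:
            accepted.append(rec)            # plaintext: anything in-window is data
            continue
        status, payload = deliver(key, i, rec)
        if status == "fatal":
            accepted.append(b"<connection closed>")
            break
        accepted.append(payload)
    return accepted


if __name__ == "__main__":
    print("plaintext    :", simulate(protected=False))
    print("authenticated:", simulate(protected=True))
```

The unprotected receiver hands the injected bytes to the application in the middle of the exchange; the authenticated receiver rejects the forged record and closes, so the genuine second record is never consumed either, which is exactly the residual denial-of-service the article notes survives encryption. Real TLS additionally encrypts the payload and uses AEAD rather than a bare HMAC, but the property that matters against this attack is the same: record acceptance depends on a key the off-path injector does not have.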