Tag Archive for Iran

| April 30, 2015
Comments Off on Romania Leads IPv4 Market

Romania Leads IPv4 Market

Romania Leads IPv4 MarketI first wrote about the grey market in IPv4 addresses when Microsoft (MSFT) bought Nortel‘s IPv4 IP block back in 2011. A  recent article from CircleID proves the market has caught up with Bach Seat. In the CircleID article, Doug Madory, Director of Internet Analysis at Dyn reports that the market for IPv4 addresses is heating up especially in Europe.

RIPE’s IPv4 transfers

According to Dyn, statistics from RIPE, the European registrar, show that the IPv4 market has heated up. RIPE’s table of transfers of provider aggregatable (PA) IPv4 address clearly shows a rapidly increasing rate of transfers of IPv4 address blocks and unique IPv4 addresses.  In fact:

  • increasing rate of transfers of IPv4 address blocksFebruary 2015 saw the most organizational transfers (373).
  • November 2014 saw the most unique address transfers (nearly 2 million).
  • The number of transfers in the RIPE region far outpaces any other region.

Romania is a key player in IPv4

An analysis of the RIPE data by the author finds that Romania is a key player in the IPv4 market.

  • Romania Leads IPv4 MarketDuring 2014/15 1,069 (58%) transfers came from Romanian organizations.
  • 947 (51%) of all the blocks transferred in the RIPE region were from a single Romanian organization, namely, Jump.ro.
  • Jump is willing to sell large blocks of IPv4 address space (around $10/address) or lease smaller blocks for $0.50/address/year.
  • Of the 4,656 routed prefixes that make up the Saudi Arabia part of the Internet, 1,498 or almost a third of them were Romanian just a few months ago.
  • The Syrian state telecom got 5.155.0.0/16 from Romania’s Nav Telecom last August and Iranian telecoms bought over 1 million unique IP addresses in 85 transfers over the past year (80% from Jump.ro).
  • Saudi Telecom received 17 IPv4 transfers since September last year representing over 1.5 million IP addresses: 14 were from Romanian sources and the other 3 were from
  • Ukraine.  At $10/address, those addresses would have cost Saudi Telecom $15 million.

A side-effect of the IPv4 gray market is abetting the growth of global routing tables to dangerous levels. The first effects of this were seen in August 2014 when BGP routing tables grew to over 512,000 routes when many older routers could no longer properly track the routes. ZDNet explains that routes are typically kept in a specialized kind of memory called Tertiary Content Addressable Memory (TCAM) which has a limited capacity which fails when it is full.

The author asks what are the implications of all this? Now that the Romanians have demonstrated that there is a lucrative business to be had in selling off IPv4 address space, will we see ISPs in developing countries rush to sell off their address space for some quick cash?  If such sales result in the IPv4 space getting sliced more and more thinly, we can surely expect the global routing table to increase in size, perhaps dramatically, as a result.

Will this cause more router meltdowns?

 

Related articles

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , , , , , , , , , , , ,
| August 28, 2014
Comments Off on Millions of PC’s Still Have Stuxnet Bug

Millions of PC’s Still Have Stuxnet Bug

Millions of PC's Still Have Stuxnet BugLately, I have covered a few pieces of old IT business here, here, and here. And here is another piece of old business from Infosecurity Magazine. Tara Seals at Infosecurity Magazine recently pointed out new research from Kaspersky. They are reporting that there are 10’s of millions of systems that are still vulnerable to the most infamous malware families that enabled Stuxnet.

Patched in late 2010

RadarResearch by Kaspersky has found the vulnerability that allowed Stuxnet, Flame, and Gauss malware campaigns (CVE-2010-2568) is still being exploited. They are still being exploited despite the flaw having been patched in late 2010 by Microsoft. Kaspersky Lab reported more than 50 million detections on more than 19 million computers worldwide in the past eight months.

The lack of patching by IT administrators is surprising given that the vulnerability has an infamous history. The author explains that the vulnerability is an error in processing tags in Microsoft (MSFT) Windows OS. The flaw enabled the download of the random dynamic library without the user’s awareness. The vulnerability affects Windows XP, Vista, and Windows 7, as well as Windows Server 2003 and 2008.

Sality worm

MalwareThe first malware exploiting this vulnerability appeared in July 2010: the worm Sality. Sality generated vulnerable tags and distributed them through the LAN. Ms. Seals writes that if a user opens a folder containing one of these vulnerable tags, a malicious program immediately begins to launch. The summer of 2010 then saw the appearance of Stuxnet. Stuxnet is a computer worm that was specifically designed (likely by the US and Israel) to sabotage the uranium enrichment process at several factories in Iran. Subsequently, the state-sponsored Flame and Gauss spyware made use of the security hole.

Windows XP vulnerable to Stuxnet

Infosecurity Magazine dug into the statistics and found that most of the unpatched systems were running Microsoft’s outdated Windows XP. Kaspersky said the report.

Knife in the toasterThe lion’s share of detection’s (64.19%) registered .. involved XP and only 27.99% were on Windows 7 … Kaspersky Lab products protecting Windows Server 2003 and 2008 also regularly report detection of these exploits (3.99% and 1.58% detection’s respectively)

Kaspersky data suggests that the problem is self-inflicted.

The large number of detection’s coming from XP users suggests that most of these computers either don’t have an installed security solution or use a vulnerable version of Windows – or both.

Kaspersky also analyzed the geographical distribution of CVE-2010-2568 detections. According to Infosecurity, the top nations with the vulnerability were:

  1. Vietnam (42.45%)
  2. India (11.7%) and
  3. Algeria (5.52%)

Kaspersky researchers told the author, “So many users of outdated versions of Windows mean these exploits are effective even though almost four years have passed since the disclosure and patching of the vulnerability.”

rb-

C’mon, if you are going to use an orphaned operating system, update it as far as you can and get off it as fast as possible.

As Kaspersky pointed out, using an outdated version of an operating system is fraught with the risk of cyber-attacks involving exploits, special programs that target vulnerabilities in legitimate software to infect a computer with other dangerous malware.

Related articles

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , , , , , , , , , , ,
| March 28, 2011
Comments Off on Cyber Attack on Google, Yahoo, Skype Certs

Cyber Attack on Google, Yahoo, Skype Certs

TechyEye says that the Iranian paramilitaryBasij” group appears to have its own cyber warfare division which is launching attacks on the websites of Iran’s “enemies.” TechEye says the paramilitary group is an arm of the Revolutionary Guard.

Iran flagThe Associated Press cites General Ali Fazli, acting commander of the Basij, in the state-owned IRAN paper as saying Iran’s cyber army consists of university teachers, students, and clerics. He said its attacks were a retaliation for similar attacks on Iran. The AP quotes Fazli, “As there are cyber attacks on us, so is our cyber army of the Basij, which includes university instructors and students, as well as clerics, attacking websites of the enemy … Without resorting to the power of the Basij, we would not have been able to monitor and confront our enemies.”

Iran has sought to master the digital world as a crucial step to prepare for what it calls “soft war”, which includes fighting against cyber attacks such as the Stuxnet computer worm that Iran said was aimed at sabotaging its uranium enrichment program.

Until now the secretive “Cyber Army” that emerged to fight opposition websites and blogs after President Mahmoud Ahmadinejad’s disputed re-election in 2009 was believed to be part of the Revolutionary Guard. However in February according to the AP, General Mohammad Ali Jafari, signaled that the Revolutionary Guard supports the cyber army, describing it as a “defensive, security, political and cultural need for all countries”. Jafari claimed at the time that the Guard has been successful in cyber warfare.

Comodo logoIn another article TechEye recounts a possible Iranian cyber-warfare success. The article identifies Iran as the “state player” which hacked important Certificate Authority (CA) certificate information at Comodo. Digital certificates are used to vouch for the authenticity of a site owner and secure encrypted communications between sites and their users. A government that controls Internet traffic inside its country would be able to use such a server to gain access to encrypted e-mail and chat conversations and collect user names and passwords for individuals’ accounts, Mikko H. Hypponen, chief research officer at F-Secure, said in a blog post.

Security researcher and Tor developer Jacob Appelbaum found the compromise and alerted  Google and Mozilla.  USERTRUST Network, a part of Comodo issued the compromised certificates. Writing from his blog Mr. Appelbaum initially suspected the hack “was taken by a state-level adversary.” Comodo confirmed the attack and issued a statement naming Iran as the country it suspects. According to the Comodo blog, the incident happened on March 15th, when unknown attackers managed to get access to one of the user accounts for the RA.

An attacker obtained the username and password of a Comodo Trusted Partner in Southern Europe.  We are not yet clear about the nature or the details of the breach suffered by that partner other than knowing that other online accounts (not with Comodo) held by that partner were also compromised at about the same time.

The attacker used the username and password to log in to the particular Comodo RA account and effect the fraudulent issue of the certificates.

F-Secure logoAccording to F-Secure, the targets included Google (GOOG), Microsoft (MSFT), and Yahoo (YHOO):

  • login.live.com,
  • mail.google.com,
  • www.google.com,
  • login.yahoo.com,
  • login.skype.com,
  • addons.mozilla.com, and
  • “Global Trustee.”

Google patched Chrome last week and Mozilla managed to include the blacklist in Firefox 4.

rb-

It appears that Comodo did the right thing and made a responsible disclosure. According to reports, immediately after the breach was identified, they contacted the browser publishers and domain owners and filled them in on the situation.

As for the why? There is speculation that the Iranians wanted to control their internal dissidents. If they compromise the certificates, they could set up man-in-the-middle attacks by faking some of the world’s leading sites.

Some are speculating that it was China and not Iran behind this attack. The logic being, if they are good enough to take out a security company’s certificates, they are smart enough to spoof a few IP addresses as a decoy for investigators.

What do you think?

Did Comodo act fast enough?

Are Certificate Authority structures to complex for their own good?

Related articles

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , , , ,