Another day, another hacking exploit makes headlines.
This time it’s a “self-taught, lone hacker”, David Cecil, apparently known online as “Evil”, who allegedly broke into Platform Networks' site, one of 13 service providers for the National Broadband Network (NBN).
Cecil, from Cowra in New South Wales, has been charged with 48 counts of unauthorised access to, or modification of, restricted data.
He has also been charged with one count of unauthorised modification of data to cause impairment.
He is currently being held in custody and will appear in court again this Friday.
It’s still a little early to understand what exactly “Evil” is accused of doing to Platform Networks’ site but the strategy from the mainstream media has been to equate Platform Networks directly with the NBN.
“Self-taught hacker charged over NBN attack” reports the ABC. “NBN System Compromised” reports the Sydney Morning Herald.
And yet, in a statement this morning, the Australian Federal Police’s (AFP) Cyber Crime Coordinator, Brad Marden, said:
“[These attacks] wouldn’t have had a direct impact on the NBN itself. [Platform Networks] is actually a company that is contracted to the NBN to produce services for them.”
So what’s going on?
Parts of Platform Networks’ operations may have been compromised, although Platform Networks spokespeople say they notified the AFP as soon as they became aware of the attacks, in December 2010.
The important point, though, is that attacking Platform Networks is not the same as attacking the NBN.
Platform Networks is a Virtual Service Provider: it purchases services from other companies and resells them, adding services of its own such as domain name resolution, web hosting and email.
Among the services the company resells are different forms of network access, including ADSL, 3G wireless and, from October this year, access to the NBN.
Evil, an unemployed truck driver who told online friends he had no computer skills, is suspected of mapping Platform Networks’ internal network and may have compromised a domain name server – the device that maps a domain name such as www.theconversation.edu.au to an IP address such as 122.100.15.243.
Loss of domain name services would certainly have inconvenienced Platform Networks’ customers, but it is very unlikely the NBN services were ever under threat.
The NBN provides quite low-level services. The company responsible for building the NBN – NBN Co – doesn’t care whether its infrastructure is carrying internet traffic or something else.
All the internet services are provided by companies such as Platform Networks.
The interesting thing about this story is not that the NBN may have been under threat or even that someone managed to break into Platform Networks.
Hacking is not that difficult to do. It is much easier to carry out an attack than to defend against one.
What’s interesting is that Platform Networks picked up the hack very early on, had procedures in place to track it, and worked closely with the AFP to gather evidence to bring it to court.
Perhaps the real story will come when details emerge as to how Platform Networks dealt with the hack when it was detected.
Comments (7)
Craig S Wright
(PhD; Adjunct Lecturer in Computer Science at Charles Sturt University)
“Loss of domain name services would certainly have inconvenienced Platform Network’s customers, but it is very unlikely the NBN services were ever under threat.”
This is an incredibly ignorant statement.
DNS is the foundation of the internet in many ways. Users do not remember host IP addresses, they remember names. An attacker who can compromise a DNS server OWNS the network.
For instance, if an attacker changed www.westpac.com.au from its real IP address to one pointed to a rogue system proxy that captured user logins, even SSL and encryption would not help. After all, the user is being redirected to the correct domain name and SSL ONLY validates a domain name.
So, what could somebody do when they have compromised a DNS server on a network?
1 Capture and redirect traffic, usernames and passwords
2 Change data on the fly and subvert information
3 Engage in MiTM (man in the middle) attacks against systems
Basically, when DNS falls, EVERYTHING on the internet fails.
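The thread above argues over what a compromised resolver can do; from the defender’s side, the first question is whether you would notice. The following is an added example, not code from the article or from anyone in this thread: it pins the addresses that critical names should resolve to and flags resolver answers that point elsewhere, which is the symptom a tampered DNS server produces. The names, addresses and log format are constructed for illustration.

```python
"""Flag DNS answers for pinned names that point somewhere unexpected.
Added example, not from the article or the thread: names, addresses and
the resolver log format are constructed for illustration."""
import ipaddress
import re

# Addresses each critical name should resolve to (constructed; in practice
# taken from the authoritative zone or a change-controlled inventory).
PINNED = {
    "www.example-bank.test": {"203.0.113.10", "203.0.113.11"},
    "mail.example-isp.test": {"198.51.100.25"},
}

# Constructed resolver log: "<timestamp> <client> <qname> A <answer>"
SAMPLE_LOG = """\
2010-12-01T10:00:01 10.0.0.5 www.example-bank.test A 203.0.113.10
2010-12-01T10:00:07 10.0.0.9 mail.example-isp.test A 198.51.100.25
2010-12-01T10:01:12 10.0.0.5 www.example-bank.test A 192.0.2.66
2010-12-01T10:01:15 10.0.0.7 www.other.test A 192.0.2.1
2010-12-01T10:02:00 10.0.0.9 mail.example-isp.test A 198.51.100.250
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) A (\S+)$")

def parse_line(line):
    """Return (timestamp, client, qname, answer) or None if unparseable."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, qname, answer = m.groups()
    try:
        ipaddress.ip_address(answer)  # reject junk in the answer field
    except ValueError:
        return None
    return ts, client, qname.lower().rstrip("."), answer

def find_unexpected_answers(log_text, pinned=PINNED):
    """Return (ts, client, qname, answer) records for pinned names whose
    answer is outside the expected set; unpinned names are ignored."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        qname, answer = rec[2], rec[3]
        expected = pinned.get(qname)
        if expected is not None and answer not in expected:
            alerts.append(rec)
    return alerts
```

Run against the sample log it reports the two answers that drift from the pinned sets; in practice the log would come from the resolver or from passive DNS capture on the network edge.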
Philip Branch
(Senior Lecturer in Telecommunications at Swinburne University of Technology)
That's a fairly harsh comment Craig. As someone who used to work for a Domain Name registrar I think I have a reasonably good grasp of the importance of domain names.
I don't accept that my comment was in the least bit ignorant. From what I can see, Platform Networks handled this well. They seem to be an organisation that has systems in place to manage hacks like this. If someone did briefly gain control of their DNS system then, given how they handled everything else, I would expect them to be in a position to restore their DNS system as soon as the first complaining phone calls came in. So "inconvenienced" is, I think, an appropriate description.
Craig S Wright
(PhD; Adjunct Lecturer in Computer Science at Charles Sturt University)
I admit, I was a little grumpier than I should have been that night.
From what I see, the only reason this was "handled well" was that the person attacking them had no idea really. He was not particularly skilled and the DNS servers were not secured well.
The comment made by Platform Networks' managing director David Hooton, "Privacy-wise there's certainly not been any issues at all. This has been basically DNS servers and items which have been not containing customer data at all," was totally ridiculous.
Basically, give me DNS and I own your systems. I can do this in a manner that you and the clients of a system have no idea of (even with SSL, other than when a client cert is implemented, and that is rare as).
You may think their security is OK, but I think it was terrible. Too many holes from the analysis I saw.
If a decent attacker had found that system, they would have basically owned it for a long time without detection based on the systems deployed.
Craig S Wright
(PhD; Adjunct Lecturer in Computer Science at Charles Sturt University)
Better... One report.
"Mr Hooton declined to discuss how the company planned to defend itself against future hacking.
"That's something which is an operational security item that we can't really discuss. Privacy-wise there's certainly not been any issues at all. This has been basically DNS servers and items which have been not containing customer data at all."
Basically translated, "I have no idea so I will fail back to security by obscurity"
Maybe a visit to CIS (http://www.cisecurity.org/) would help them; they could learn the basics of locking down a server. Nothing difficult. They failed the first time.
Matthew Phipps
(logged in via Twitter)
I'm afraid that is an "incredibly ignorant statement" itself. Despite your credentials, I don't think you understand how SSL/TLS works. Let me break it down:
When you access Foobar Bank at "https://foobar.com", you receive a TLS certificate. This certificate contains a public key and some metadata. This metadata could contain a full-fledged EV certificate with a real name, address and phone number plus the assurance that the site is owned by a real-world, traceable legal entity. Or it could contain…
Craig S Wright
(PhD; Adjunct Lecturer in Computer Science at Charles Sturt University)
Hi Matthew,
“Despite your credentials, I don't think you understand how SSL/TLS works” Actually I know how it works extremely well.
“could contain a full-fledged EV certificate”
Yes, it “could”, but most users do not actually know the difference in the first place. What you will find is that it is rare for a user to check the certificate and the signing chain. Even if they do, there have been social engineering attacks that have resulted in fake Microsoft CA certs and more. Most sites do not use EV…
Craig S Wright
(PhD; Adjunct Lecturer in Computer Science at Charles Sturt University)
On another note, I have a class scheduled for SEC 660 where we will be demonstrating attacks against DNS and SSL/TLS based web servers and other systems.
We will take the students through attacking DNS and using this to create a transparent SSL-MitM proxy (that is, man-in-the-middle) and actually teach them how to do this. If you do not believe this is possible, come along and learn just how easy it really is.
This is why DNSSEC is so critical.
See the link for details.
http://www.sans.org/mentor/details.php?nid=25839