Schneier on Security
A blog covering security and security technology.

November 20, 2008

Secret German IP Addresses Leaked

From Wikileaks:

The PDF document holds a single-page scan of an internally distributed mail from German telecommunications company T-Systems (Deutsche Telekom), revealing over two dozen secret IP address ranges in use by the German intelligence service Bundesnachrichtendienst (BND). Independent evidence shows that the claim is almost certainly true, and the document itself has been verified by a demand letter from T-Systems to Wikileaks.

Posted on November 20, 2008 at 7:26 AM • 25 Comments

Roll call: anyone spot those in their fail2ban logs?

Posted by: Mallard at November 20, 2008 7:55 AM

Update: http://wikileaks.org/wiki/... ("Emergency cleansing by BND after Wikileaks disclosure")

It seems that within three days after publication of the 13 Nov Wikileaks article, T-Systems had the allocations of these IP ranges deleted in the RIPE database, effectively moving them into larger, more anonymous pools.

Posted by: natenido at November 20, 2008 8:28 AM

Hardly earth-shattering intelligence -- I'd bet a substantial sum that all governments know each other's IP address ranges, broken out by department and agency. So keeping this sort of thing secret is weak protection, principally from amateurs and small-time criminals.

I do think the Wikipedia angle is fascinating, though. Knowing the ownership of an IP range allows anyone to mine the Wikipedia edits database for contributions from that source. This was known, but the potential for side-channel intelligence leakage is something I'd never heard of before. It would be fun to do this more systematically, to see how the intelligence establishments of the US, UK, France, Russia, China, etc. have cast their reflections in Wikipedia.
Posted by: Carlo Graziani at November 20, 2008 9:10 AM

Expecting any significant amount of security from keeping secret which IPs you use is pretty sad for the foreign intelligence agency of one of the richest countries in the world.

Posted by: Jeroen at November 20, 2008 9:11 AM

@jeroen: if it was only that.

.~.
(writing from 84.133.*.*)

Posted by: dot tilde dot at November 20, 2008 9:15 AM

@Carlo Graziani
Unless they use Tor or something similar to do this...

Posted by: Ten at November 20, 2008 9:25 AM

@jeroen: We know that the IP ranges include a BND web proxy or NAT box used for surfing by BND people. Now, THIS becomes a SERIOUS PROBLEM. What if some Google employee looks up searches done by BND in the last years? German law enforcement set up this trap for themselves: data retention (Vorratsdatenspeicherung) enforces long-term storage of web server logs.

Posted by: SR71 at November 20, 2008 9:54 AM

So even if it wasn't their secret IP range, they should also send demanding letters from T-Systems to Wikileaks and move these IP ranges. There's nothing like plausible misinformation....

Posted by: Markus at November 20, 2008 10:17 AM

@SR71: That was my first thought, too. It is not important that the IP-range has been moved now, because logs kept on forum-sites, npd, whatever will still be there and can be checked against those IPs, searches etc. - everything is traceable now with just one supporter having access to logs.

Posted by: Kaukomieli at November 20, 2008 10:21 AM

@ SR71, Kaukomieli,

"It is not important that the IP-range has been moved now, because logs kept on forum-sites"

You have missed two points which are even more important.

1, At some point the IP addresses would have been subject to a traceroute. Now even though the IP addresses have been changed, how much of the traceroute path is still valid? And can therefore be used to re-localise the physical interfaces...
2, Knowing the past searches etc. made from those IP addresses will, due to the difficulty of changing the behaviour, act as a significant indicator of future traffic from the new unknown IP addresses (ie logging into hotmail account xxxx from IP address X.Y.Z.0 not A.B.C.0).

Combine these two and the new IP address range could be unmasked in just a few days...

As has been noted in the past, security by obscurity is illusory at best...

Posted by: Clive Robinson at November 20, 2008 12:36 PM

@Kaukomieli: right, I can think of a zillion possibilities how people having access to certain web server logs could reveal sensitive information via simple datamining, knowing past BND IP ranges:

* Say, BND employees submitted some private orders from work computers, like ordering a book from amazon or renting a DVD. Looking for orders from the BND IP ranges could reveal home addresses and names of BND employees (bad);

What is really bad about it is that BND has no idea who will use this information, how the information will be used, and which of a zillion risks are real. On the other hand, wasn't it BND who built this brave new world for us? Welcome too, BND!

Posted by: SR71 at November 20, 2008 12:39 PM

Bummer. Maybe they can try to make "possession" of certain IPs without a license illegal. :)

Posted by: Davi Ottenheimer at November 20, 2008 12:39 PM

There are some interesting ideas being presented about how hostile parties could use the IP address information. I wonder how long it will take for corporate IT departments to realise that they face similar threats. Should personal webmail etc be banned from corporate IP addresses as a security measure?

Posted by: Russell Coker at November 20, 2008 1:54 PM

C'mon, guys, IP address ranges for government TLAs are easily discoverable, and are public information.
For example:

I, kazoo > host www.cia.gov

OrgName: Central Intelligence Agency
NetRange: 198.81.128.0 - 198.81.191.255
RTechHandle: ANM3-ORG-ARIN
OrgTechHandle: DW1276-ARIN

The "Sensitive Information About IP Blocks Leaked" story is a non-story. The "Weblogs May Be Datamined for Access by Spooks" story _may_ be a story. However, my guess is that those intelligence agencies with publicly-known IP address ranges have regulations about employee Internet usage and outbound-traffic-monitoring programs designed to prevent this sort of leakage, precisely because they are aware of the risk. It is agencies who think they are safe because their IP address range is secret that are exposed to this risk.

Posted by: Carlo Graziani at November 20, 2008 2:49 PM

Here are some Wikiscanner hits: http://wikiscanner.virgil.gr/f.php?... (I tried every range in the document and only found these)

Posted by: David W. at November 20, 2008 2:59 PM

@Russell Coker, They already are for some of us. Though I'm told it's for fear of viruses from attachments, not fear of associating the home and work addresses.

Posted by: L. Simpson - no, no, too obvious - Lisa S. at November 20, 2008 3:30 PM

@Carlo Graziani
> IP address ranges for government TLAs are easily discoverable, and are public information.

Not if these guys use a "cover company", as they did.

Posted by: Anonymous at November 20, 2008 4:07 PM

@Carlo, Wikileaks != Wikipedia. Same basic technology (MediaWiki), different data.

Posted by: WikiWonder at November 20, 2008 5:00 PM

Yeah all of us have those old huge iprange txts with fbi, nsa sipr, niprnet blocks which are still in use so what. You can't do too much against a complete blackhole network where there are no services, but ddos them or do datamining on google get the whois infos, send trojans to their mails what their mailgw pbly cut down. With a little more work figure out what pages do they watch usually and pwn one of those servers load it up with 0day mpack and hope for the best.
That's why threats come from the inside on those networks, because an outsider looking for a needle in the haystack, even if he puts a lot of time in it and finds it, probably can't use it.

Posted by: stayawayfromgovs at November 21, 2008 12:48 AM

The interesting part in knowing these IPs is not the possibility to "pwn" a host. As stated earlier in comments, the real threat is data mining and correlation of data.

Posted by: Phaedrus at November 21, 2008 2:05 AM

It seems the PDF format's poor design (in terms of security) is currently the second cause of data leakage... after, duh, dumb users... :)

Posted by: dog at November 21, 2008 2:40 AM

Web server logs are not enforced by data retention laws in Germany. On the contrary: storing IP addresses in Germany is forbidden by privacy law, although no-one seems to care, not even official federal sites, also because it's the default for most servers and no-one bothers to switch that.

Data retention is about something else: the storage of the IP address to person mapping, i.e., your Internet provider needs to store at what time which IP address was allocated to which account (=person). Further, all anonymizers must store the remapping of IP addresses (so that they are not anonymizing anymore).

To counter-act this, everyone (you might be 'asked' to hand over your logs) should either switch off their server logs, or at least remove the IP addresses. The Apache module mod_removeip does this. It's easy. Install it now, you do not need to spy on IPs!

Additionally, data retention forces large (>1000 clients IIRC) email providers to store who sent emails to who. If you run your own dedicated server, you do not need to do this.

Please don't mix this up, I know it's strange and confusing and even contradicting rules, but without a good distinction, arguments cannot succeed.

Posted by: Nitpicker at November 21, 2008 7:39 AM

@WikiWonder: You might want to read the actual article at WikiLeaks.
They describe fun that they had looking for Wikipedia edits from the BND IP range.

Posted by: Carlo Graziani at November 21, 2008 10:28 AM

@Carlo Graziani

"It is well-known underhand that many offshore branches of the Goethe-Institut serve as inofficial domiciles of the BND."

changed to

"Offshore branches of the Goethe-Institut do not serve as inofficial domiciles for the BND, though."

I am German but I still hope the translation is accurate.

Posted by: lb at November 21, 2008 3:17 PM

@Carlo Graziani: If you drill into the Wikipedia edits made from the BND IP ranges, they are certainly not intelligence operations. They are some bored office worker making comments about his favourite football (soccer) teams.

Posted by: Roger at November 21, 2008 9:50 PM
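Nitpicker's comment above recommends stripping IP addresses from web server logs with mod_removeip, so that retained logs cannot be mined against a known range the way SR71 and Kaukomieli describe. As an added example (not code from the post or from any commenter), here is the same step in Python for Apache/nginx combined-format lines, with a check that nothing attributable survives before the log is kept; the sample lines are constructed and the helper names are my own.

```python
import ipaddress
import re

# Constructed sample lines in Apache/nginx "combined" format (not real traffic).
SAMPLE_LOG = [
    '198.51.100.23 - - [20/Nov/2008:07:26:01 +0100] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '2001:db8:1234:5678::9 - - [20/Nov/2008:07:26:02 +0100] "POST /login HTTP/1.1" 302 0 "http://[2001:db8::1]/" "curl/7.19"',
    '203.0.113.7 - - [20/Nov/2008:07:26:03 +0100] "GET /r?u=http://198.51.100.9/x HTTP/1.1" 200 12 "-" "Bot/1.0"',
]

# Loose matcher for IPv4 and IPv6 literals; each hit is validated with
# ipaddress, so a timestamp fragment like "2008:07:26:01" is left alone.
IP_LITERAL = re.compile(r"[0-9]{1,3}(?:\.[0-9]{1,3}){3}|[0-9A-Fa-f:]*:[0-9A-Fa-f:]+")

# Unspecified addresses stand in for the removed ones (mod_removeip uses
# 127.0.0.1); being unspecified, they never count as a surviving IP below.
PLACEHOLDER = {4: "0.0.0.0", 6: "::"}

def _real_ip(token):
    """Parsed address if token is a genuine, non-placeholder IP, else None."""
    try:
        addr = ipaddress.ip_address(token)
    except ValueError:
        return None
    return None if addr.is_unspecified else addr

def scrub_line(line):
    """Replace every IP literal: the client field, plus any address hiding in
    the referer or query string, which a remote-address rewrite never sees."""
    def repl(match):
        addr = _real_ip(match.group(0))
        return match.group(0) if addr is None else PLACEHOLDER[addr.version]
    return IP_LITERAL.sub(repl, line)

def contains_ip(line):
    """Retention check: True if an attributable IP literal is still present."""
    return any(_real_ip(m.group(0)) is not None for m in IP_LITERAL.finditer(line))

def scrub_log(lines):
    """Scrub a batch and refuse to return anything that still carries an IP."""
    scrubbed = [scrub_line(line) for line in lines]
    leaked = [line for line in scrubbed if contains_ip(line)]
    if leaked:
        raise ValueError("IP literal survived scrubbing: %r" % leaked[0])
    return scrubbed

if __name__ == "__main__":
    for line in scrub_log(SAMPLE_LOG):
        print(line)
```

Note that truncating addresses (say, to a /24) is not enough against the threat discussed here, since the leaked ranges are themselves whole blocks; only full removal breaks the link to the organisation.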