If you're looking for something to fear in IT security, don't look at the NSA: Look at the Man in the Middle.
As a general rule, if you're using the Internet you're vulnerable to a man-in-the-middle attack. They're malicious, dangerous, hard to detect, and according to an article in Wired, it's entirely possible that you've already been a victim. Got your attention yet?
The reason these attacks are possible is a technology that makes the Internet perform as well as it does: BGP (Border Gateway Protocol). If you're not up on BGP, here's a short tutorial: When you send packets of data out into the Internet they could take a nearly limitless combination of hops between networks to reach their destination. Instead of a random series of steps, though, each network along the way hands them on toward what it considers the best path to the destination. How does it know what the best path looks like? It knows because the networks that make up the Internet (autonomous systems, each identified by an AS number) tell one another which addresses they can reach, and through which other networks, in the language of BGP. Note that "best" is not a measured quantity like latency: by default it means the shortest list of networks to cross, adjusted by whatever policies each operator has configured.
One of the first parts of that talking is an advertisement: A network announces the blocks of IP addresses (prefixes) it can deliver traffic to, together with the list of networks the announcement has already passed through (the AS path). This advertisement goes to its neighbors -- those networks a single hop away -- but each neighbor adds its own number to the path and passes it on, so under the right circumstances an advertisement travels much farther than that. These advertisements are what tie the Internet into a smoothly performing whole. They also provide the key to the sort of exploit that has caught a number of companies (and governments): nothing in plain BGP checks whether the network announcing a prefix actually owns it, or whether the path it claims is real.
Impersonating another network's routers is complicated and difficult. Advertising another network's addresses as your own is much easier. And by advertising just the right information (or misinformation) -- typically a piece of the victim's address block carved into smaller, more specific prefixes, which routers prefer over the victim's own broader announcement -- you can insert a new node into data routes, sniff all the traffic that passes, change or store some of it, and send everything on to its intended destination with no obvious indication of misdoing. What makes it a man-in-the-middle rather than a simple outage is that the attacker keeps a clean path back to the victim: the forged announcement carries the victim's own upstream in its AS path, so that upstream rejects the bogus route (BGP drops any route that already contains the receiving network's number) and goes on delivering the relayed traffic. The folks at Renesys discovered what was happening and wrote about it in great detail. It's fascinating reading and well worth discussing with your network team.
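To make the mechanics concrete, here is a small simulation added for this edit; it is not code from the column or from Renesys's write-up. Every ASN, prefix and peering link in it is constructed (documentation ASNs 64496-64500, private 10.x address space), and it reduces BGP to shortest AS path plus loop detection, which is enough to show both halves of the trick: a more-specific announcement that pulls traffic to the attacker, and the padded path that keeps the attacker's own route back to the victim clean.

```python
"""Tiny BGP hijack simulator (constructed example, not the column's code).

Five autonomous systems exchange BGP-style announcements with two
simplifications: the best route is the shortest AS path, and the only
policy is loop detection (an AS drops any path containing its own ASN).
The hijack scenario announces a more-specific prefix with the victim's
upstream written into the path, so that upstream rejects the bogus route
and still carries the attacker's relayed traffic to the real destination.
"""
import ipaddress

VICTIM, VICTIM_UP, TRANSIT, SOURCE, ATTACKER = 64496, 64497, 64498, 64499, 64500

# Constructed peering links (undirected).
LINKS = {(VICTIM, VICTIM_UP), (VICTIM_UP, TRANSIT), (TRANSIT, SOURCE),
         (TRANSIT, ATTACKER), (ATTACKER, VICTIM_UP)}


def neighbors(asn):
    return sorted(b if a == asn else a for a, b in LINKS if asn in (a, b))


class RIB:
    """One AS's routing table: prefix -> (AS path as received, next-hop ASN)."""

    def __init__(self, asn):
        self.asn = asn
        self.routes = {}
        self.forged = set()        # prefixes this AS announces but does not own

    def originate(self, prefix, as_path=(), forged=False):
        net = ipaddress.ip_network(prefix)
        self.routes[net] = (tuple(as_path), self.asn)
        if forged:
            self.forged.add(net)

    def learn(self, net, as_path, from_asn):
        """Import a route: loop detection first, then keep the shortest AS path."""
        if self.asn in as_path:
            return False
        current = self.routes.get(net)
        if current is None or (len(as_path), from_asn) < (len(current[0]), current[1]):
            self.routes[net] = (tuple(as_path), from_asn)
            return True
        return False

    def lookup(self, ip, ignore_forged=False):
        """Longest-prefix match, the rule that lets a /24 beat a /16."""
        best = None
        for net, (_, next_hop) in self.routes.items():
            if ignore_forged and net in self.forged:
                continue
            if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, next_hop)
        return best


def converge(ribs):
    """Re-advertise every AS's routes to its neighbours until nothing changes."""
    changed = True
    while changed:
        changed = False
        for rib in ribs.values():
            for net, (path, next_hop) in list(rib.routes.items()):
                for nbr in neighbors(rib.asn):
                    if nbr != next_hop:   # never send a route back where it came from
                        changed |= ribs[nbr].learn(net, (rib.asn,) + path, rib.asn)


def build(hijack):
    ribs = {asn: RIB(asn) for asn in (VICTIM, VICTIM_UP, TRANSIT, SOURCE, ATTACKER)}
    ribs[VICTIM].originate("10.50.0.0/16")
    if hijack:
        # The /24 wins longest-prefix match wherever it is accepted. VICTIM_UP is
        # written into the path so its loop detection rejects the route and it
        # keeps forwarding 10.50.7.0/24 traffic to the real owner.
        ribs[ATTACKER].originate("10.50.7.0/24", as_path=(VICTIM_UP,), forged=True)
    converge(ribs)
    return ribs


def has_route(ribs, asn, prefix):
    return ipaddress.ip_network(prefix) in ribs[asn].routes


def trace(ribs, src_asn, dst_ip, max_hops=10):
    """Follow a packet AS by AS. Returns (hops, interceptors, delivered)."""
    ip = ipaddress.ip_address(dst_ip)
    hops, interceptors, asn, ignore = [src_asn], [], src_asn, False
    for _ in range(max_hops):
        match = ribs[asn].lookup(ip, ignore_forged=ignore)
        if match is None:
            return hops, interceptors, False
        net, next_hop = match
        if next_hop != asn:
            asn, ignore = next_hop, False
            hops.append(asn)
        elif net in ribs[asn].forged:
            interceptors.append(asn)   # captured here; relay it onward using
            ignore = True              # only the genuine routes
        else:
            return hops, interceptors, True
    return hops, interceptors, False


if __name__ == "__main__":
    for hijack in (False, True):
        print("hijack" if hijack else "normal", trace(build(hijack), SOURCE, "10.50.7.10"))
```

Run it and the normal case delivers via 64499, 64498, 64497, 64496; the hijack case takes one extra hop through 64500 before the same upstream delivers it, while an address in the /16 outside the forged /24 is unaffected. That extra hop, invisible to the end systems, is the "unanticipated increase in hop count" the column tells you to watch for.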
Normally, this is the part of the article where I come in with the "and here's what you do to protect yourself" suggestions. Unfortunately, there's not a lot that you can do to fully protect yourself against a BGP-based man-in-the-middle attack. End-to-end encryption (TLS, VPNs) keeps the man in the middle from reading or quietly altering what he captures, but it does nothing to stop the capture. You can have your network team watch for unanticipated increases in latency or hop count on paths to your networks, or you could have your in-house BGP expert work with his or her peer networks to keep track of all the published routes to your address space: any announcement of your prefixes, or of a more specific piece of them, from an origin or through a neighbor you don't recognize is the signal to look for. Registering your prefixes in the RPKI so that providers doing origin validation drop announcements with the wrong origin closes one door, but not this one, since the attacker can forge a path that ends in your own network number.
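Here is the shape of the "keep track of the published routes" check, as an added example rather than anything from the column or from a route-monitoring vendor. It assumes an allow-list of your own ASN, prefixes and upstream providers plus a baseline of ASNs seen on previously verified paths, and runs a constructed route-collector feed through those checks; all ASNs (documentation range 64496-64511) and prefixes (private 10.x space) are stand-ins, and in practice the feed would come from public collectors such as RIPE RIS or RouteViews.

```python
"""Route-monitoring checks for your own prefixes (constructed example).

Each record imitates one observation from a route collector: the prefix
announced and the AS path as the collector saw it, origin AS last. The
ASNs, prefixes and baseline are constructed, and the checks are a
simplified version of what a monitoring service does, not any product's logic.
"""
import ipaddress

OUR_ASNS = {64496}                                   # the ASN we originate from
OUR_PREFIXES = [ipaddress.ip_network(p) for p in ("10.50.0.0/16", "10.60.0.0/19")]
OUR_UPSTREAMS = {64497, 64501}                       # providers we actually peer with
# ASNs seen on previously verified paths to our prefixes (the baseline).
BASELINE_ASNS = {64496, 64497, 64501, 64510}


def check_announcement(prefix, as_path):
    """Return alert strings for one observation; [] means it looks like ours."""
    net = ipaddress.ip_network(prefix)
    if not any(net.subnet_of(p) or p.subnet_of(net) for p in OUR_PREFIXES):
        return []                                    # not our address space
    origin, alerts = as_path[-1], []
    # 1. A more-specific slice of our block: longest-prefix match makes it win
    #    everywhere it is accepted, which is the classic hijack.
    if net not in OUR_PREFIXES and any(net.subnet_of(p) for p in OUR_PREFIXES):
        alerts.append(f"more-specific {net} of our block announced by AS{origin}")
    # 2. Our space originated by somebody else.
    if origin not in OUR_ASNS:
        alerts.append(f"{net} originated by AS{origin}, expected {sorted(OUR_ASNS)}")
    # 3. Right origin, but the AS in front of it is not a provider we peer with:
    #    a forged path that keeps our ASN at the end to look legitimate.
    elif len(as_path) >= 2 and as_path[-2] not in OUR_UPSTREAMS:
        alerts.append(f"{net} reaches AS{origin} via unexpected neighbour AS{as_path[-2]}")
    # 4. Our ASN in the middle of a path: someone is using it to trip loop
    #    detection or is claiming to transit us.
    if any(a in OUR_ASNS for a in as_path[:-1]):
        alerts.append(f"our ASN appears mid-path in {as_path}")
    # 5. Lower-confidence notice: ASNs never seen on a verified path to this
    #    space. It is the only check here that catches a forged path copying
    #    our genuine origin and upstream.
    new = sorted(set(as_path) - BASELINE_ASNS)
    if new:
        alerts.append(f"ASNs not on baseline paths for {net}: {new}")
    return alerts


# Constructed collector feed: (prefix, AS path as seen by the collector).
FEED = [
    ("10.50.0.0/16", [64510, 64497, 64496]),                # our normal announcement
    ("10.60.0.0/19", [64510, 64501, 64496]),                # normal, via the other upstream
    ("10.50.7.0/24", [64510, 64505, 64500]),                # more-specific, foreign origin
    ("10.50.0.0/16", [64510, 64505, 64500, 64497, 64496]),  # our block, genuine-looking tail
    ("10.60.0.0/19", [64510, 64511, 64496]),                # right origin, unknown upstream
    ("192.0.2.0/24", [64510, 64503, 64502]),                # someone else's space: ignored
]


def scan(feed):
    """Run every observation through the checks; return only the flagged ones."""
    flagged = []
    for prefix, path in feed:
        alerts = check_announcement(prefix, path)
        if alerts:
            flagged.append((prefix, path, alerts))
    return flagged


if __name__ == "__main__":
    for prefix, path, alerts in scan(FEED):
        print(prefix, path)
        for alert in alerts:
            print("   ", alert)
```

The fourth record is the uncomfortable one: the origin and the upstream are correct, so only the baseline notice fires, and a quiet attacker who waits for your baseline to age will slip past it. That is why the route check should sit beside the latency and hop-count watching the column recommends, ideally with traceroutes toward your prefixes from vantage points outside your own network.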
Of course, the problem is that you probably don't have a real in-house BGP expert on staff. High-level BGP is one of the most arcane of all the network disciplines because it involves not just technology expertise but human-to-human communications and trust. I know some world-class BGP experts, and they're network ninjas -- they move like the wind through enterprise networks, making things better and then leaving for the next assignment.
So learn all you can about BGP, encrypt all you can, watch your logs like a hawk, and hire a ninja. It's a short list that is, frankly, about all you can do about this major new threat. Now, have a nice weekend. You're welcome.
— Curtis Franklin Jr., Executive Editor, Enterprise Efficiency