Comments on news posted 2011-08-05 12:23:25: Earlier this year, ICSI researcher Nicholas Weaver told me he and other Berkeley researchers had discovered some strange ISP shenanigans related to search traffic hijacking that went well beyond the traditional DNS Redirection ad services we've talke.. ..


DataRiker
Premium Member
join:2002-05-19
00000

1 recommendation

DataRiker

Premium Member

Simple solution

»encrypted.google.com/

I also recommend Firefox users try HTTPS-Everywhere

hayabusa3303
Over 200 mph
Premium Member
join:2005-06-29
Florence, SC

1 recommendation

hayabusa3303

Premium Member

humm

They want to track us, make a buck and cap us to death and charge us up the ass if we go over? Keep up the good work ISPs. Your business model is slowly going to crap.
mleland
Premium Member
join:2002-12-17
Westwood, CA

mleland

Premium Member

Wire tap laws?

Just imagine if the old phone company didn't have to follow wire tapping laws. It is clearly WAY past time for a MAJOR update to the wire tapping (privacy) laws.

Yes I know all about warrant-less wire tapping.... We are talking about a private company here using that data for profit without any notification or consent... not the gov't for criminal activity.

firephoto
Truth and reality matters
Premium Member
join:2003-03-18
Brewster, WA

1 recommendation

firephoto

Premium Member

Don't use ISP DNS

Use a public DNS server and don't fall for the tricks from the ISP that make you think you need to use their DNS.
nweaver
join:2010-01-13
Napa, CA

nweaver

Member

Questions answered in this thread...

I'm one of the Netalyzr developers, and will attempt to answer questions in this thread. I may have intermittent connectivity, so please be patient.

SkellBasher
Yes Sorto, I'll take my Prozac
join:2000-10-22
Niagara Falls, NY

1 edit

SkellBasher

Member

Paxfire is shady

Although I'm not at one of the ISPs listed, we use Paxfire appliances for DNS redirection for our customers. (I hate it, but my objections were overruled by our owner.)

Even though we ONLY use them for NXDOMAIN redirection, we've caught them performing this search hijacking in the past. The first time, they told me that they were requested to make the change by an individual that hadn't worked for us in 3 years. I raised hell about it, and they reverted it. Since then, I've been watching for it, and they've made 'configuration mistakes' to turn this back on more than a few times.

I very much suspect that they're intentionally turning this on without ISP knowledge to increase revenues, reverting it when they get caught.

EDIT: I wasn't running a check for Bing, since it's almost never used. I decided to look, and sure enough, they were proxying Bing without our consent.

Shady shady... can't wait to get rid of them.
nweaver
join:2010-01-13
Napa, CA

nweaver to mleland

Member

to mleland

Re: Wire tap laws?

The legal complaint specifically concerns the wiretap act amongst other complaints.

birdfeedr
MVM
join:2001-08-11
Warwick, RI

birdfeedr to nweaver

MVM

to nweaver

Re: Questions answered in this thread...

Will changing DNS servers fix this problem?

Verizon is not on the current list of ISPs, but there's no assurance they won't try to tap that revenue stream in the future.
kaila
join:2000-10-11
Lincolnshire, IL

kaila to DataRiker

Member

to DataRiker

Re: Simple solution

Not sure about this, but couldn't SSL still be vulnerable to man-in-the-middle type attacks if ISPs are proxying the traffic?

DataRiker
Premium Member
join:2002-05-19
00000

DataRiker

Premium Member

No.

SSL uses endpoint mutual authentication.

gettagrip
@141.191.20.x

gettagrip to hayabusa3303

Anon

to hayabusa3303

Re: humm

Keep up the good work ISPs. Your business model is quickly going to crap.

FTFY
firedrakes
join:2009-01-29
Arcadia, FL

firedrakes to SkellBasher

Member

to SkellBasher

Re: Paxfire is shady

Seen it happen more than once with this company.

toby
Troy Mcclure
join:2001-11-13
Seattle, WA

toby to DataRiker

Member

to DataRiker

Re: Simple solution

Thanks, great software to use, just installed it. Coming back to this site redirected it to secure.dslreports.com

byteme
@141.191.20.x

byteme to firephoto

Anon

to firephoto

Re: Don't use ISP DNS

My TWC provided router seems to be missing (by design) the option to choose my own DNS server. Any suggestions as to how I can get around this?

NetFixer
From My Cold Dead Hands
Premium Member
join:2004-06-24
The Boro
Netgear CM500
Pace 5268AC
TRENDnet TEW-829DRU

NetFixer to birdfeedr

Premium Member

to birdfeedr

Re: Questions answered in this thread...

said by birdfeedr:

Will changing DNS servers fix this problem?...

Not using your ISP's DNS servers will only help with NXDOMAIN redirection. It will not stop packet inspection that redirects traffic based on the search engine (that you think you are using) and/or the search terms being used.
openbox9
Premium Member
join:2004-01-26
71144

openbox9 to hayabusa3303

Premium Member

to hayabusa3303

Re: humm

Actually, the business model is improving. It's the consumers' approval of the business model that is deteriorating.
openbox9

openbox9 to byteme

Premium Member

to byteme

Re: Don't use ISP DNS

Identify the DNS server addresses on your local computer(s)...or use a different router
nweaver
join:2010-01-13
Napa, CA

nweaver to birdfeedr

Member

to birdfeedr

Re: Questions answered in this thread...

YES, changing DNS fixes this problem.

THIS particular tampering was based on changing DNS results from the recursive resolver, so using a third-party DNS (eg, Google Public DNS) fixes the problem.
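
A way to check for the resolver-level tampering described in the post above, as an added example that is not part of the original thread and is not Netalyzr's code: parse the A records from the ISP resolver's reply and from a third-party resolver's reply, then flag hosts where the ISP answer disagrees and reuses one address for unrelated sites. The hostnames, addresses, helper names and the flagging heuristic are assumptions of this example, and the replies are constructed sample data.

```python
import socket
import struct

def build_response(name, addrs):
    """Constructed sample data: a DNS response with one question and A records."""
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    msg = struct.pack("!6H", 0x1234, 0x8180, 1, len(addrs), 0, 0)
    msg += qname + struct.pack("!2H", 1, 1)
    for a in addrs:  # 0xC00C is a compression pointer back to the question name
        msg += struct.pack("!3HIH", 0xC00C, 1, 1, 300, 4) + socket.inet_aton(a)
    return msg

def skip_name(msg, off):
    """Advance past a (possibly compressed) name and return the new offset."""
    while msg[off] != 0:
        if (msg[off] & 0xC0) == 0xC0:
            return off + 2
        off += msg[off] + 1
    return off + 1

def a_records(msg):
    """Return the set of IPv4 addresses in the answer section of a response."""
    qd, an = struct.unpack("!2H", msg[4:8])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    found = set()
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!2HIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            found.add(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return found

def suspicious_hosts(isp, ref):
    """Heuristic (assumption): flag a host when the ISP answer shares no address
    with the reference answer and reuses an address given for another host."""
    flagged = []
    for host, msg in isp.items():
        mine = a_records(msg)
        others = set().union(*(a_records(m) for h, m in isp.items() if h != host))
        if mine and not (mine & a_records(ref[host])) and (mine & others):
            flagged.append(host)
    return sorted(flagged)

# Constructed replies; names and addresses are documentation placeholders.
ISP = {h: build_response(h, ["192.0.2.7"] if h == "other.example" else ["203.0.113.10"])
       for h in ("search-a.example", "search-b.example", "other.example")}
REF = {"search-a.example": build_response("search-a.example", ["198.51.100.1"]),
       "search-b.example": build_response("search-b.example", ["198.51.100.50"]),
       "other.example": build_response("other.example", ["192.0.2.7"])}
```

Answers can differ between resolvers for ordinary reasons such as CDN or geographic load balancing, which is why disagreement alone is not flagged here.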

dcurrey
Premium Member
join:2004-06-29
Mason, OH

dcurrey to byteme

Premium Member

to byteme

Re: Don't use ISP DNS

Change DNS in your computers.

See »store.opendns.com/setup/ ··· omputer/ to set up with OpenDNS

You could just change servers to 4.2.2.1 and 4.2.2.2 for Level 3. 8.8.8.8 and 8.8.4.4 for Google. Think I have them right.
openbox9
Premium Member
join:2004-01-26
71144

openbox9 to SkellBasher

Premium Member

to SkellBasher

Re: Paxfire is shady

So external companies have access to devices on your network to make configuration changes? Wow.

SkellBasher
Yes Sorto, I'll take my Prozac
join:2000-10-22
Niagara Falls, NY

SkellBasher

Member

That's how they're set up, yes, inline with the DNS servers.

It's a terrible solution, and one that I objected to mightily. However, I was overruled by people who sign my checks.
openbox9
Premium Member
join:2004-01-26
71144

openbox9

Premium Member

I can't believe any knowledgeable network security officer would go for something like that.
InfinityDev
join:2005-06-30
USA

InfinityDev to firephoto

Member

to firephoto

side note: Profile your DNS servers

On a side note: profile your DNS servers you plan to use. I use OpenDNS for the extra features like anti-phishing help, but choosing ones that perform better than your ISP's will help.

This utility from SecurityNow podcaster Steve Gibson can help:
»www.grc.com/dns/benchmark.htm
InfinityDev

InfinityDev to kaila

Member

to kaila

Re: Simple solution

Yes, if ISPs are inserted into the SSL certificate chain. Most ISPs don't do this but censored countries and many corporate networks, for example, do this. When in the certificate chain they can proxy SSL traffic silently and eavesdrop on the traffic going through the connection.

"Steve explains why and how world governments are able to legally compel their national SSL Certificate Authorities to issue Intermediate CA certificates which allow agencies of those governments to surreptitiously intercept, decrypt, and monitor secured SSL connections of any and all kinds."

»www.grc.com/sn/sn-243.htm

SkellBasher
Yes Sorto, I'll take my Prozac
join:2000-10-22
Niagara Falls, NY

SkellBasher to openbox9

Member

to openbox9

Re: Paxfire is shady

I laid out the (significant) risks. The owner overruled me, and said to do it anyways. My only option to not put this in place was to quit, and that wasn't an option.

I made significant network changes because of this to ensure that the remainder of the network was protected, and the only things they could reach were walled off from everything else. I also have things set up in such a way that if they do anything I don't like, I can disconnect their equipment within seconds, and move us back to 'clean' DNS infrastructure. I've done this a few times, and Paxfire starts screaming instantly because revenues stop.

It sucks, but unless the bank lets me skip a few mortgage payments, it's what I have to do.

Matt3
All noise, no signal.
Premium Member
join:2003-07-20
Jamestown, NC

Matt3 to DataRiker

Premium Member

to DataRiker

Re: Simple solution

said by DataRiker:

»encrypted.google.com/

I also recommend Firefox users try HTTPS-Everywhere

This is done at the DNS layer, SSL doesn't matter.
Matt3

Matt3 to firephoto

Premium Member

to firephoto

Re: Don't use ISP DNS

said by firephoto:

Use a public DNS server and don't fall for the tricks from the ISP that make you think you need to use their DNS.

Excellent suggestion for stopping this type of hijacking.
zefie
join:2007-07-18
Hudson, NY

1 edit

zefie to DataRiker

Member

to DataRiker

Re: Simple solution

Just installed it. Irony is this site fails it. At least for me.

secure.dslreports.com uses an invalid security certificate.

The certificate is not trusted because no issuer chain was provided.

(Error code: sec_error_unknown_issuer)

Edit: Oddly only Firefox (v5.0.1, fresh install) is doing it.

thedragonmas
Premium Member
join:2007-12-28
Albany, GA

thedragonmas to birdfeedr

Premium Member

to birdfeedr

Re: Questions answered in this thread...

Is this what Mediacom has been doing?
»Mediacom redirect service-opted out, still hijacks searches..
rahvin112
join:2002-05-24
Sandy, UT

rahvin112 to InfinityDev

Member

to InfinityDev

Re: Simple solution

There is a solution though. It's called TOR and it allows encrypted traffic to proxy servers through which you can browse the regular internet. I'm not aware of any exploit against TOR at this time that would allow man-in-the-middle as it doesn't use the SSL chain of trust. Though there is speculation that if a government provided a proxy node they could potentially identify some users. The probability is extremely low that this would succeed due to the onion routing, though it is technically possible. The only issue to deal with is that TOR is slow (because of the onion routing). TOR has been a documented resource in allowing people in oppressive totalitarian regimes to bypass the censorship regimes and provide real information flow.

The beauty of TOR over generalized proxies is that the traffic is routed through multiple proxies before source and destination, thus shielding both sides from oppressive government (or ISP in this case) action.