Two security researchers have demonstrated a new technique to stealthily intercept internet traffic on a scale previously presumed to be unavailable to anyone outside of intelligence agencies like the National Security Agency.

The tactic exploits the internet routing protocol BGP (Border Gateway Protocol) to let an attacker surreptitiously monitor unencrypted internet traffic anywhere in the world, and even modify it before it reaches its destination.

The demonstration is only the latest attack to highlight fundamental security weaknesses in some of the internet’s core protocols. Those protocols were largely developed in the 1970s with the assumption that every node on the then-nascent network would be trustworthy.  The world was reminded of the quaintness of that assumption in July, when researcher Dan Kaminsky disclosed a serious vulnerability in the DNS system. Experts say the new demonstration targets a potentially larger weakness.

"It’s a huge issue. It’s at least as big an issue as the DNS issue, if not bigger," said Peiter "Mudge" Zatko, noted computer security expert and former member of the L0pht hacking group, who testified to Congress in 1998 that he could bring down the internet in 30 minutes using a similar BGP attack, and disclosed privately to government agents how BGP could also be exploited to eavesdrop. "I went around screaming my head about this about ten or twelve years ago…. We described this to intelligence agencies and to the National Security Council, in detail."

The man-in-the-middle attack exploits BGP to fool routers into re-directing data to an eavesdropper’s network.

Anyone with a BGP router (ISPs, large corporations or anyone with space at a carrier hotel ) could intercept data headed to a target IP address or group of addresses. The attack intercepts only traffic headed to target addresses, not from them, and it can’t always vacuum in traffic within a network — say, from one AT&T customer to another.

The method conceivably could be used for corporate espionage, nation-state spying or even by intelligence agencies looking to mine internet data without needing the cooperation of ISPs.

BGP eavesdropping has long been a theoretical weakness, but no one is known to have publicly demonstrated it until Anton "Tony" Kapela, data center and network director at 5Nines Data , and Alex Pilosov, CEO of Pilosoft , showed their technique at the recent DefCon hacker conference. The pair successfully intercepted traffic bound for the conference network and redirected it to a system they controlled in New York before routing it back to DefCon in Las Vegas.

The technique, devised by Pilosov, doesn’t exploit a bug or flaw in BGP. It simply exploits the natural way BGP works.

(Read More )

I finally got a hold of someone on the online chat at Voipgo after trying nearly nonstop for days. The first support agent was rude to me and then closed the session in mid conversation. Sat on Q for another 20min and got to talk to a second agent this one a lot more polite. But was told I have to send an email to a second email address to get refunded and services turned off and that it would take a few days to get response on that. I was heated at this point and requested to talk to someone in management which he was unable to connect me to and said that they wouldn’t call me after I requested it. So finely I sent an email to that second address and told them how unhappy I was with both service and support. Requested refund for last 2 months (in which time I made a total of 1 successful crappy quality call) And warned them that if they do not respond quickly I will be contacting both my Bank and the Better Business Bureau.

*Note: Something that Voipgo will continue to deny up and down is you will get charge a foreign transaction fee by most bank and credit companies. So my $17.95/month was actually $17.95 + 0.52 = $18.47

So back in May of this year I was shopping around for VoIP services, I didn’t really have the need for it but thought it would be nice to have a phone at home as all I had was a cell phone at the time. After shopping around and talking to the various company’s that offer VoIP services I picked Voipgo .

First Impression
At first the service was great, had a few minor issues but they were dealt with quickly.. Calls were clear and there was no delays in the calls. Support was a pleasure to talk to and easy to get a hold of. This lasted for about 2 weeks..

Headache
I got 2 calls one day on the 3rd week from my dad and my girlfriend saying that calls to my Voip phone was not connecting or the phone would just ring forever during which time my phone would never ring.. Contacted support about the issue and they said it was fixed… I played tag with Support on this issue on and off for about a month, having the issue at lest 2-3 times a week..

After the first month of service call quality started degrading to the point that you couldn’t understand what I was saying on the phone. During this time there would be high peaks in delay in the call (say something and the other end wouldn’t hear it for about 5-10seconds). Then during the call audio started to *disappear* would say a whole sentence "Hey its hot here, hows the weather where your at?" and they would hear "Hey its .. here, …… weather …. your.." c’mon how do you have a decent conversation with that kind of phone clarity..  I contacted support countless times on this issue..

Then in July I had them move my service to a new server they put up in hopes to have some what better services.. Well I was sorely mistaken on that, things went from bad to worse. Server was down all the time, reset several times, and none of my current issues were resolved to top it off. Support was suddenly nearly impossible to get a hold of.

Enough Is Enough
ok so after finally getting fed up with my services I sent in a very heated email with priority set to high to Voipgo support on July 17, 2008.. Yesterday July 31, 2008 I *still* had not a single response to that email. I called support after work only to sit on hold for 25min and hang-up, then sat on hold for online support for 80min only to get a message that operator closed my session and refresh the page and support has been closed (offline) since. Now it is Aug 1, 2008 and I have observed Online support to be offline all day. When I call in there’s a message about experiencing high call volume and get placed on hold indefinitely. I will be giving them until Monday afternoon to give response or I will be debating legal taking action against them as its impossible to even cancel service.

Will post update.