How a Nigerian ISP Accidentally Knocked Google Offline

Last Monday evening — 12 November 2018 — Google and a number of other services experienced a 74 minute outage. It’s not the first time this has happened; and while there might be a temptation to assume that bad actors are at work, incidents like this only serve to demonstrate just how much frailty is involved in how packets get from one point on the Internet to another.

Our logs show that at 21:12 UTC on Monday, a Nigerian ISP, MainOne, accidentally misconfigured part of their network causing a "route leak". This resulted in Google and a number of other networks being routed over unusual network paths. Incidents like this actually happen quite frequently, but in this case, the traffic flows generated by Google users were so great that they overwhelmed the intermediary networks — resulting in numerous services (but predominantly Google) unreachable.

You might be surprised to learn that an error by an ISP somewhere in the world could result in Google and other services going offline. This blog post explains how that can happen and what the Internet community is doing to try to fix this fragility.

What Is A Route Leak, And How Does One Happen?

When traffic is routed outside of regular and optimal routing paths, this is known as a “route leak”. An explanation of how they happen requires a little bit more context.

Every network and network provider on the Internet has their own Autonomous System (AS) number. This number is unique and indicates the part of the Internet that that organization controls. Of note for the following explanation Google’s primary AS Number is 15169. That's Google's corner of the Internet and where Google traffic should end up... by the fastest path.

A Typical view of how Google/AS15169’s routes are propagated to Tier-1 Networks.As seen above, Google is directly connected to most of the Tier-1 networks (the largest networks link large swathes of the Internet). When everything is working as it should be, Google’s AS Path, the route packets take from network to network to reach their destination, is actually very simple. For example, in the diagram above, if you were a customer of Cogent and you were trying to get to Google, the AS Path that you would see is “174 6453 15169”. That string of numbers is like a sequence of waypoints: start on AS 174 (Cogent), go to Tata (AS 6453), then go to Google (AS 15169). So, Cogent subscribers reach Google via Tata, a huge Tier-1 provider.

During the incident, MainOne misconfigured their routing as reflected in the AS Path : “20485 4809 37282 15169”. As a result of this misconfiguration, any networks that MainOne peered with (i.e. were directly connected to) potentially had their routes leaked through this erroneous path. For example, the Cogent customer in the paragraph above (AS 174) wouldn’t have gone via Tata (AS 6453) as they should have. Instead, they were routed first through TransTelecom (a Russian Carrier, AS 20485), then to China Telecom CN2 (a cross border Chinese carrier, AS 4809), then on to MainOne (the Nigerian ISP that misconfigured everything, AS 37282), and only then were they finally handed off to Google (AS 15169). In other words,  a user in London could have had their traffic go from Russia to China to Nigeria — and only then got to Google.

But… Why Did This Impact So Many People?

The root cause of this was MainOne misconfiguring their routing. As mentioned earlier, incidents like this actually happen quite frequently. The impact of this misconfiguration should have been limited to MainOne and its customers.

However, what took this from relatively isolated and turned it into a much broader one is because CN2 — China Telecom’s premium cross-border carrier — was not filtering the routing that MainOne provided to them. In other words, MainOne told CN2 that it had authority to route Google’s IP addresses. Most networks verify this, and if it is incorrect, filter it out. CN2 did not — it simply trusted MainOne. As a result of this, MainOne’s misconfiguration propagated to a substantially larger network. Compounding this, it is likely that the Russian network TransTelecom behaved similarly towards CN2 as CN2 had behaved towards MainOne — they trusted without any verification of the routing paths that CN2 gave to them. 

This demonstrates how much trust is involved in the underlying connections that make up the Internet. It's a network of networks (an internet!) that works by cooperation between different entities (countries and companies).

This is how a routing mistake made in Nigeria then propagated through China and then through Russia. Given the amount of traffic involved, the networks were overwhelmed and Google was unreachable.

It is worth explicitly stating: the fact that Google traffic was routed through Russia and China before going getting to Nigeria and only then hitting the correct destination made it appear to some people that the misconfiguration was nefarious. We do not believe this to be the case. Instead, this incident reflects a mistake that was not caught by appropriate network filtering. There was too much trust and not enough verification across a number of networks: this is a systemic problem that makes the Internet more vulnerable to mistakes than it should be.


The internet's screen door strikes again – so get patching

Adobe has emitted software updates to address a critical vulnerability in Flash Player for Windows, Mac, and Linux.

PC owners and admins will want to upgrade their copies of Flash to version or later in order to get the patch – or just dump the damn thing all together.

The November 20 security update addresses a single flaw, designated CVE-2018-15981. It is a type confusion bug that can be exploited to achieve remote code execution. Basically, an attacker could slip the exploit code into a Flash .swf file, put it on a web page, and covertly install malware on any vulnerable machine that visits the page.

Because Adobe does not maintain a fixed patching schedule for Flash Player, this isn't technically considered an out-of-band band-aid. However, the update does come just one week after Adobe pushed out a handful of fixes for Patch Tuesday, including one for an information disclosure vulnerability in Flash Player.

That Adobe would post another update just one week after their last patch should underscore that CVE-2018-15981 is a serious enough vulnerability to be a priority fix for users and admins.

After installing this latest fix, those who are tired of the constant security threats might also want to consider taking the advice of multiple security experts and developers and at least disable Flash by default if not permanently.

The notoriously vulnerable plugin has long since been surpassed by HTML5, and most major websites have already transitioned away from Flash, leaving it only really useful for specific sites and applications.

Even Adobe wants to kill off Flash. The Photoshop giant has said that by 2020 it plans to formally retire the plugin once and for all. 


Fake cryptocurrency wallets found on Play Store

Attackers are not only interested in mobile banking credentials and credit cards information to get access to victim’s funds, but also in cryptocurrency. Recently, I found four fake applications on Google Play Store that tried to trick users either in to luring their credentials or impersonating cryptocurrency wallets. These threats imitate legitimate services for NEO, Tether and MetaMask. I reported these apps to Google security team and they were promptly removed.


These four apps are divided in to two categories. The first one is phishing category where malicious app after launch requests from the user his private key and wallet password. That is the case for fake MetaMask app.
The second category are fake wallets. In this category I found three more apps created by the same attacker – NEO WalletTether Wallet.

Fake cryptocurrency wallets do not create new wallet by generating public address and private key. These malicious apps only display attacker’s public address without user’s access to private key. Private key is owned by the bad guy. Once the fake app is launched, user thinks that app already generated his public address where user can deposit his cryptocurrency. If user send his funds to this wallet, he is not able to withdraw them because, he doesn’t own private key. For this purpose, I created two different accounts, however in both of them app assign me the same public address, including the QR code.


Analysis of fake Cryptocurrency wallets discovered on Google Play Store.

  1. Disclose of two fake wallets on official App Store
  2. Demonstration of the apps functionality
  3. Legitimate VS fake wallets
  4. Code analysis
  5. How to stay safe

What concerns me the most is that these fake wallets were created using Drag-n-Drop app builder service without any coding knowledge required. That means that – once Bitcoin price rises and starts to make it into front pages – than literally anyone can “develop” simple but effective malicious app either to steal credentials or impersonate cryptocurrency wallet.

Read Original Article...

How data bundle prices changed over five years

Data bundle pricing has seen volatility over the past few years, with consumers increasingly calling for prices to come down.

A new report from the Independent  Authority of South Africa (ICASA) compares bundle price fluctuations from SA's four major operators over the past five years.
ICASA has published its latest "-annual Report on the Analysis of Tariff Notifications", with the latest  to 30 June 2018. The regulator provides analysis of the price trends between 2013 and 2018 for prepaid data bundles, valid for 30 days, for operators MTN, Vodacom, Cell C and Telkom Mobile.

When looking at a 100MB data bundle, the figures reveal pricing was volatile during the period of 2013 to 2017. Vodacom, MTN and Telkom Mobile charged relatively the same rate for 100MB in 2013. However, Cell C charged 50% less when compared to its competitors.

The graph below shows a major spike in 2014 by Vodacom, which increased its 100MB data bundle by 69% from R29 to R49, while its competitors' prices remained constant. Vodacom then dropped this rate back down to R29 in 2015.

MTN increased its 100MB bundle by 20.7%, from R29 to R35 in 2015, making it relatively expensive when compared to Cell C and Telkom Mobile. Now, in 2018, all four operators charge the same rate of R29.

In 2013, Cell C's 500MB data bundle, priced at R75, was the cheapest when compared to Vodacom, MTN and Telkom Mobile, which charged R99, R119 and R95, respectively. In 2014, MTN dropped its 500MB by 16.8% from R119 to R99, at the same time Vodacom raised the price of 500MB by 60.6% from R99 to R159. Cell C's prices remained the cheapest in 2014.

From 2015, Telkom Mobile reduced its price by 27.4% from R95 to R69 and has remained the cheapest in the market to date. Cell C increased its 500MB data bundle by 13.3% from R75 to R85 and Vodacom took its price back down to R99. However, MTN increased its 500MB data bundle by 6.1% from R99 to R105.

In 2018, MTN discontinued its 500MB data bundle in the market, as per the notification filed with ICASA on 11 April. The operator is now instead offering a 600MB bundle at R99, which is 6% lower than the rate of the 500MB data bundle which was priced at R105.

500MB data bundle price trends for 2013 to 2018

The popular 1GB bundle has also seen some major changes over the years. In 2013, Telkom Mobile charged the highest price for a 1GB data bundle, at R180 per 1GB. Vodacom and MTN charged R149 and Cell C's 1GB bundle cost R155.

As with the previous bundles, 2014 saw a price spike from Vodacom, which increased its price by 87.2% from R149 to R279. This price was then dropped by Vodacom in 2015 back to R149 and has remained unchanged since.

In 2015, Telkom dramatically reduced its price by 45%, from R180 to R99, and it remained unchanged until 2018, when the price increased by R1 to R100. Vodacom, MTN and Cell C all charge R149 for a 1GB data bundle in 2018.

1GB data bundle price trends for 2013 to 2018

When getting into the higher GB bundles, Telkom Mobile had by far the highest prices on specific bundles five years ago, whereas today it is considered the cheapest mobile operator by most.

MTN was the cheapest 2GB data bundle charging R245 in 2013, followed by Vodacom at R249. Cell C and Telkom Mobile had the most expensive 2GB data bundle price, charging R310 and R349, respectively.

In 2014, Telkom's price dropped radically and it has been charging the cheapest price for a 2GB data bundle since then. In 2014, Cell C also dropped its price to R249, where it has stayed since. Vodacom's price has remained constant over the five years at R249.

ICASA says from 2015 to 2018, 2GB data bundle prices remained relatively stable. In 2018, MTN revised its pricing strategy by discontinuing the 2GB bundle and replaced it with a 1.5GB bundle charged at R189. MTN stated the discontinuation of the 2GB data bundle "was due to commercial reasons".

2GB prepaid data bundle prices over five years

When it comes to 3GB data bundles, all four operators have kept their pricing the same over a period of five years.

The below graph shows the operators with the smaller market share were the cheapest when compared to the bigger operators.

For 3GB, MTN has been the most expensive over the five years, charging R330 for a bundle; Vodacom and Cell C have been charging R299 since 2013; and Telkom has been charging R199.

3GB data bundle prices 2014 vs 2018 period

The 5GB bundle prices show the most dramatic changes when it comes to Telkom Mobile's pricing. In 2013, Telkom charged a whopping R819 for 5GB of data. In 2015, Telkom decreased this drastically to R299.

ICASA says "the action was observed as Telkom Mobile's strategy to attract customers and increase its market share". The price for 5GB on Telkom's network has remained unchanged since.

MTN, Vodacom and Cell C's prices were stable over the period at R430, R399 and R399, respectively.

5GB data bundle prices trends 2013 to 2018

The price trend of Vodacom and Telkom Mobile's 10GB data bundles remained unchanged over a four-year period, at R599 and R499, respectively.

MTN's 10GB data bundle, however, has been declining since 2016 and is currently the lowest at R405. Cell C increased its 10GB data bundle prices by 9.1% from R549 to R599 between 2016 and 2018.

10GB data bundle over a period of four years

In 2015, MTN's 20GB data bundle was the most expensive at R1 250, followed by Cell C, which charged R1 099 and Vodacom at R999. Telkom Mobile had the cheapest bundle offering at R899.

However, MTN reduced its 20GB data bundle by 28.1% from R1 250 in 2017 to R899 in 2018. Cell C also revised its pricing strategy by reducing its 20GB data bundle from R1 099 to R799 in 2017. Telkom's price came down from R899 in 2017 to R599 in 2018. Vodacom's 20GB data bundle price has remained unchanged at R999 since 2015.

20GB data bundle price for the period 2015 to 2018



Somebody got a little trigger happy with the big red Windows Update button last week as a broken Intel audio driver was unleashed on users “by mistake”.

It has been a hellish couple of weeks for the Windows giant following the launch of the troubled October update for its flagship operating system. Not content with Display Audio issuesmysterious file deletions and borking HP computers thanks to a “known incompatibility” with drivers for an obscure bit of hardware (aka the “keyboard”), it seems audio is next in the firing line.

The issue was an updated driver, taking the Intel Audio Controller to version, which left some users shouting on social media while their PCs remained stubbornly silent.

As a sad-faced engineer in a high-visibility vest reset the “days without a Windows Update incident” clock back to zero, Microsoft rapidly pulled the update to work out what was happening.

According to the software giant, the Intel driver was “incorrectly pushed to devices via Windows Update” and advice was published on manually rolling back the borked update.

Microsoft pushed out an update to fix the broken update for version 1709, 1803 and 1809 of Windows 10 over the weekend in the form of KB4468550. Some users, however, may believe that letting the Windows Update bull loose in their OS china shop to glue back together what it broke last time may be a step too far.

Microsoft is to be commended for its swift action in identifying and dealing with the problem. This does not, however, excuse the pushing out of code via Windows Update that, once again, left a portion of users with broken computers. We’ve contacted Microsoft to find out how this driver found its way into the update package and will update when we get a response.

Apple Repairs and Service
Member of the Internet Defense League

BitcoinCash Accepted