

34 comment(s) - last by Bytre on Jul 24 at 12:27 AM

Your precious firewall can't save you now!

Weak or nonexistent IPv6 support in computer security software can leave otherwise-secure computers wide open to attack: so open, in fact, that in some cases it is as if no firewall were running at all.

Speaking at the annual HOPE (Hackers on Planet Earth) conference in New York, security researcher Joe Klein of Command Information said that the internet is full of computers quietly running IPv6, unbeknownst to their owners. Compounding the problem is the number of operating systems shipped with IPv6 enabled by default, which includes Windows Vista, Linux's 2.6 kernel, Sun's Solaris, Mac OS X, and a variety of cell phone operating systems, including Windows Mobile 5 and 6.

Computers with a lackluster IPv6 setup, even if they have a strong IPv4 firewall or Intrusion Detection System (IDS) in place, are just as naked in IPv6 space as they would be in IPv4 space without a firewall: any program that listens for connections is free to accept them over IPv6, because the IPv4-only firewall never sees that traffic. Most operating systems, by default, run a handful of such "listeners" for networking and internal processes, and it is these listeners that are frequently the first to be targeted in an attack.

A number of computer worms, including Blaster and its follow-up Welchia, spread by exploiting a buffer overflow in Windows' RPC (DCOM) service, which listens on TCP port 135 and is ordinarily covered up by a firewall.

Network administrators who don't keep tabs on their systems face a huge risk, said Klein. Operational dangers aside, administrators who work for organizations that have to comply with regulations like HIPAA or Sarbanes-Oxley risk non-compliance if they don't secure their IPv6 implementations, whether they realize they have one or not.

“Essentially, we have systems that are wide open to a network,” said Klein. “It's like having wireless on your network without knowing it.”

Security researchers have for some time found hackers exploiting IPv6. A 2002 post from Lance Spitzner of the Honeynet Project described an attacker who broke into a Solaris-based honeypot through ordinary means, enabled IPv6 connectivity in the OS, and then set up an IPv6 tunnel out of the network to a host in another country. The break-in was only discovered through network packet sniffing, and even then Spitzner says he was unable to decode the data being sent out.

One of the biggest threats is the variety of backward-compatibility schemes designed to tunnel IPv6 traffic across an IPv4 network, like Teredo or 6to4: the very act of tunneling often circumvents firewalls by nature. The IPv6 packet is wrapped inside an IPv4 packet (IP protocol 41 for 6to4, a UDP datagram for Teredo), so a firewall that filters only on the outer IPv4 header and TCP/UDP ports passes the encapsulated IPv6 traffic through untouched.

“Teredo/ISATAP is currently and will continue to be a major red flag for networks that have both IP versions enabled, because tunneling confuses the heck out of a lot of firewalls and IDS deployments,” said an unnamed DoD security specialist, in an interview with Wired’s Threat Level.
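The point made above, that an IPv4-only filter never sees what rides inside a 6to4 or Teredo tunnel, is easy to demonstrate at the packet level. The following is an added example, not code from the article or from Command Information: it builds a few packets by hand (documentation addresses, constructed inline, no network access), applies a toy "drop inbound TCP/135" policy first to the outer IPv4 header only, then again after decapsulating protocol 41 and UDP/3544. The policy, the packet builders and the RFC 3964-style check that a 2002::/16 source must embed the outer IPv4 source are all my assumptions; the Teredo branch assumes the UDP payload starts directly with the IPv6 header, i.e. no origin or authentication indication in front of it.

```python
import socket
import struct

# Example policy (assumed): drop inbound TCP to the RPC endpoint mapper, the
# port Blaster hit. Everything else is accepted.
BLOCKED_TCP_PORTS = {135}
TEREDO_UDP_PORT = 3544
IPPROTO_IPV6_IN_IPV4 = 41   # 6to4, ISATAP and manual 6in4 all use protocol 41


def build_ipv4(proto, src, dst, payload):
    """Minimal 20-byte IPv4 header (checksum left zero; not needed here)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


def build_ipv6(next_header, src, dst, payload):
    """Minimal 40-byte IPv6 header."""
    return struct.pack("!IHBB16s16s", 0x60000000, len(payload), next_header, 64,
                       socket.inet_pton(socket.AF_INET6, src),
                       socket.inet_pton(socket.AF_INET6, dst)) + payload


def build_udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def build_tcp_syn(sport, dport):
    """20-byte TCP header with only SYN set."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)


def tcp_dport(segment):
    return struct.unpack("!H", segment[2:4])[0]


def udp_ports(datagram):
    return struct.unpack("!HH", datagram[0:4])


def ipv4_only_verdict(pkt):
    """A host firewall that understands IPv4 only and filters on TCP ports."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    if proto == 6 and tcp_dport(pkt[ihl:]) in BLOCKED_TCP_PORTS:
        return "DROP"
    return "ACCEPT"


def tunnel_aware_verdict(pkt):
    """Same policy, applied after decapsulating 6to4/6in4 and Teredo."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    l4 = pkt[ihl:]
    inner = None
    if proto == IPPROTO_IPV6_IN_IPV4:
        inner = l4
    elif proto == 17 and TEREDO_UDP_PORT in udp_ports(l4):
        inner = l4[8:]            # assumes no Teredo origin/auth indication
    elif proto == 6 and tcp_dport(l4) in BLOCKED_TCP_PORTS:
        return "DROP"
    if inner is None:
        return "ACCEPT"
    if len(inner) < 40 or inner[0] >> 4 != 6:
        return "DROP"             # claims to carry IPv6 but does not
    inner_src = inner[8:24]
    # RFC 3964-style check: a 2002::/16 source must embed the outer IPv4 source
    if (proto == IPPROTO_IPV6_IN_IPV4 and inner_src[:2] == b"\x20\x02"
            and inner_src[2:6] != pkt[12:16]):
        return "DROP"
    if inner[6] == 6 and tcp_dport(inner[40:]) in BLOCKED_TCP_PORTS:
        return "DROP"
    return "ACCEPT"


# Constructed sample traffic (documentation addresses, not real hosts).
OUTER_SRC, OUTER_DST = "203.0.113.7", "198.51.100.10"
INNER_SRC, INNER_DST = "2002:cb00:7107::1", "2002:c633:640a::1"   # 6to4 forms of the above
TEREDO_SRC = "2001:0:c633:6401:8000:63bf:3fff:fdd2"              # a Teredo client address

SAMPLES = {
    "direct_v4": build_ipv4(6, OUTER_SRC, OUTER_DST, build_tcp_syn(40000, 135)),
    "6to4": build_ipv4(41, OUTER_SRC, OUTER_DST,
                       build_ipv6(6, INNER_SRC, INNER_DST, build_tcp_syn(40000, 135))),
    "teredo": build_ipv4(17, OUTER_SRC, OUTER_DST,
                         build_udp(3544, 50000,
                                   build_ipv6(6, TEREDO_SRC, INNER_DST, build_tcp_syn(40000, 135)))),
    # 2002:a00:1::1 embeds 10.0.0.1, which is not the outer source: spoofed
    "6to4_spoofed": build_ipv4(41, OUTER_SRC, OUTER_DST,
                               build_ipv6(6, "2002:a00:1::1", INNER_DST, build_tcp_syn(40000, 80))),
}


def verdicts():
    """Returns {sample: (ipv4_only, tunnel_aware)} for every constructed packet."""
    return {name: (ipv4_only_verdict(p), tunnel_aware_verdict(p))
            for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, (naive, aware) in verdicts().items():
        print(f"{name:13s} ipv4-only={naive:7s} tunnel-aware={aware}")
```

Only the plain IPv4 SYN is dropped by the naive filter; the same SYN to port 135 inside a 6to4 or Teredo wrapper sails through it and is only caught once the filter decapsulates. On a real host the equivalent is either blocking IP protocol 41 and UDP/3544 outright where tunnelling is not wanted, or running a firewall that applies the same port policy to the IPv6 stack.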

With internet progressives trying to switch the internet to IPv6 as fast as they can (a widget on Command Information's web site estimates that the internet will run out of IPv4 addresses in about two and a half years), some fear that technological progress may be outpacing the security that keeps it safe.






RE: If ya dont need it...
By spuddyt on 7/22/2008 9:17:04 AM , Rating: 2
question from an ignorant person:
being an end user who plays games online and watches stuff on youtube and generally surfs the net, would turning it off affect me? (i'm pretty sure I know how to turn it off, I just don't know what it does, and I'm quite happy to disable useless crap)


RE: If ya dont need it...
By drebo on 7/22/2008 9:43:20 AM , Rating: 5
Probably not. As stated in the article, the only way someone can make use of the IPv6 link local address you get for turning IPv6 on would be to compromise your system the regular way and then set up a tunnel out into the IPv6 world.

If you're behind a NAT firewall, this is a very unlikely occurrence.

This article is FUD of the highest degree.


RE: If ya dont need it...
By omnicronx on 7/22/2008 10:38:05 AM , Rating: 2
quote:
If you're behind a NAT firewall, this is a very unlikely occurrance.
My guess is that this article is not talking about casual users just behind a firewall, but for, say, a server running Linux or Windows 2008 with IPv6 enabled, in which it is on the DMZ. As far as the network admin would know, their IPv4 security scheme of which ports to allow would be set up perfectly fine, but leaving IPv6 access open to everyone.


RE: If ya dont need it...
By drebo on 7/22/2008 11:37:44 AM , Rating: 3
Except that if the network is not configured to automatically provision IPv6 (think DHCP), the only IPv6 address that the system is going to have is its link local address, which is not usable by anything not on the same wire (comparable to the 169.254.0.0/16 IPv4 addresses). An intruder STILL must compromise the system via IPv4 in order to make use of the IPv6 stack to open a back door into the system.


RE: If ya dont need it...
By trejrco on 7/22/2008 12:51:45 PM , Rating: 2
Not always correct; any Win* OS includes several IPv6-in-IPv4 tunneling mechanisms that provide global IPv6 connectivity (bi-directional, that is)

/TJ


RE: If ya dont need it...
By drebo on 7/22/2008 12:59:18 PM , Rating: 5
That's my point, though. If those tunneling protocols are not set up (and they are not set up by default), then there is no way to gain access to the IPv6 stack of a computer without having already compromised the computer.

The only IPv6 addressing set up by default on a computer is the link local address, which is not accessible except by other devices on the same wire. And by the same wire, I mean the same physical wire, not the same subnet.


RE: If ya dont need it...
By trejrco on 7/23/2008 12:05:01 PM , Rating: 2
BUT THEY ARE SETUP AND ENABLED BY DEFAULT.
(Note - In WinXP, you must enable IPv6 first, in Vista it is already done)

If you get a public (non-NATed) IPv4 address, your machine is running 6to4 ... bidirectional IPv6 access, no user intervention required.

ISATAP is also lit-up by default, looking for an ISATAP router and (if found, or if on public IPv4 address) ... bidirectional IPv6 access, no user intervention required.

And, finally, Teredo. It is lit-up and running by default, possibly needing a manually configured Teredo Server (platform specific) and yielding bidirectional IPv6 access that is able to traverse IPv4 NAT / Stateful Firewalls, (sometimes) no user intervention required.

/TJ


RE: If ya dont need it...
By trejrco on 7/22/2008 12:50:15 PM , Rating: 3
I disagree on several points. IMHO, the article is not FUD - it is attempting to raise awareness of a real concern.

In short - various IPv6-in-IPv4 tunneling mechanisms exist, some light-up automatically and some even work through NATs/PATs/StatefulFWs. Additionally, most installed IPv4 host-based FW products do not filter Protocol 41 nor UDP/3544 and this needs to change ... this is just starting to change (finally).

Some wise person once said something to the effect of - "Just because you don't understand the threat doesn't mean it isn't there" ... good words for those of us in Information Security to keep close to heart.
/TJ


RE: If ya dont need it...
By drebo on 7/22/2008 6:30:18 PM , Rating: 3
quote:
"Just because you don't understand the threat doesn't mean it isn't there"


By that same token, just because you don't understand the technology does not mean it is a threat.

IPv6 to IPv4 tunneling protocols are NOT enabled by default on any system which supports IPv6. Not Windows XP, not Windows Vista, not Linux, not MacOS X. Which brings us back to the same point: the system must have already been compromised in order to exploit its IPv6 stack as a back door. There is no other way about it.

IPv6 is no more or less vulnerable under any circumstance than IPv4, even when the two are coexisting or when one of the two is not being used.


RE: If ya dont need it...
By trejrco on 7/23/2008 12:09:50 PM , Rating: 2
quote:
By that same token, just because you don't understand the technology does not mean it is a threat.

Indeed, but I do understand the technology.
quote:

IPv6 to IPv4 tunneling protocols are NOT enabled by default on any system which supports IPv6. Not Windows XP, not Windows Vista, not Linux, not MacOS X. Which brings us back to the same point: the system must have already been compromised in order to exploit its IPv6 stack as a back door. There is no other way about it.

Yes, they are. Sorry, but you are 100% wrong.
See my previous comments.

Or, see for yourself - in WinXP, enable IPv6 and look at the tunnel interfaces that light up, ready to work.
One will start with 2002::/16 if you have a public IPv4 address; that is 6to4.
Another one will include "5efe" in the Interface ID portion of the address, that is ISATAP.
Take a peek for Teredo also, it is there (with some potential qualifiers / caveats).

/TJ
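The "see for yourself" test above (a 2002::/16 address means 6to4, "5efe" in the interface ID means ISATAP, and Teredo has its own layout) can be turned into a small decoder, which is handy when one of these addresses shows up in a log and you want to know which IPv4 host and tunnel mechanism produced it. This is an added example and was not posted by anyone in the thread. It follows the address formats in RFC 3056 (6to4), RFC 5214 (ISATAP) and RFC 4380 (Teredo); the sample addresses are constructed from documentation IPv4 ranges and the function names are mine.

```python
import ipaddress

TEREDO_PREFIX = ipaddress.IPv6Network("2001::/32")       # RFC 4380
SIX_TO_FOUR_PREFIX = ipaddress.IPv6Network("2002::/16")  # RFC 3056
ISATAP_IID_MARKER = b"\x5e\xfe"                           # RFC 5214: ::0:5efe:w.x.y.z


def six_to_four_prefix(ipv4_text):
    """The /48 a host with this public IPv4 address gets from 6to4, without any setup."""
    v4 = ipaddress.IPv4Address(ipv4_text).packed
    return str(ipaddress.IPv6Network((b"\x20\x02" + v4 + bytes(10), 48)))


def classify_tunnel_address(text):
    """Identify the transition mechanism and the IPv4 endpoint embedded in an IPv6 address."""
    addr = ipaddress.IPv6Address(text)
    b = addr.packed
    if addr in SIX_TO_FOUR_PREFIX:
        # 2002:WWXX:YYZZ::/48 -> W.X.Y.Z is the public IPv4 address of the 6to4 host
        return {"mechanism": "6to4", "ipv4": str(ipaddress.IPv4Address(b[2:6]))}
    if addr in TEREDO_PREFIX:
        # 2001:0:<server>:<flags>:<~port>:<~client>; port and client are XORed with all ones
        flags = int.from_bytes(b[8:10], "big")
        return {
            "mechanism": "teredo",
            "server": str(ipaddress.IPv4Address(b[4:8])),
            "cone_nat": bool(flags & 0x8000),
            "port": int.from_bytes(b[10:12], "big") ^ 0xFFFF,
            "ipv4": str(ipaddress.IPv4Address(int.from_bytes(b[12:16], "big") ^ 0xFFFFFFFF)),
        }
    # ISATAP: interface ID is 0000:5efe:W.X.Y.Z (0200:5efe when the IPv4 address is global)
    if b[8:10] in (b"\x00\x00", b"\x02\x00") and b[10:12] == ISATAP_IID_MARKER:
        return {"mechanism": "isatap", "ipv4": str(ipaddress.IPv4Address(b[12:16]))}
    return {"mechanism": "none"}


# Constructed samples: 203.0.113.7 as a 6to4 host, 192.0.2.45 as an ISATAP host and
# as a Teredo client behind a cone NAT (mapped port 40000, server 198.51.100.1).
SAMPLES = [
    "2002:cb00:7107::1",
    "2001:0:c633:6401:8000:63bf:3fff:fdd2",
    "fe80::5efe:c000:22d",
    "2001:db8::200:5efe:c000:22d",
    "2001:db8::1",                           # native address, no tunnel
]


def decode_samples():
    return {s: classify_tunnel_address(s) for s in SAMPLES}


if __name__ == "__main__":
    print("6to4 prefix for 203.0.113.7:", six_to_four_prefix("203.0.113.7"))
    for addr, info in decode_samples().items():
        print(f"{addr:40s} {info}")
```

A caveat when using this for detection: the embedded IPv4 address is whatever the sender put in the IPv6 header, so for 6to4 it should be compared against the outer IPv4 source of the encapsulating packet before being trusted, and a Teredo client address only tells you the NAT's public mapping, not the host behind it.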


RE: If ya dont need it...
By mindless1 on 7/23/2008 2:26:50 PM , Rating: 2
You seem to be overlooking something, that we're talking about compromised systems. The hacker being mindful of this will plan out the attack, it's not just a vulnerability based on some random chance events. What is enabled by default or built into the OS is not necessarily important.


RE: If ya dont need it...
By wvh on 7/22/2008 8:11:05 PM , Rating: 2
Many NAT firewalls happily take IPv6 addresses, and start forwarding/generating router advertisements. I've had systems pick up IPv6 addresses unknown to me after upstream started propagating them, and it's my job. I wouldn't be surprised if there were loads of people left vulnerable after their ISP started pushing IPv6 addresses to customers' systems.

The problem is that many options in home NATs often default to "on" in an attempt to be easy to configure by unsuspecting users, not to mention servers in open networks (in relation to each other, like in shared hosting locations for instance).


RE: If ya dont need it...
By darkpaw on 7/22/2008 10:04:01 AM , Rating: 2
Disabling it wouldn't affect you one bit. IPv6 isn't used by any ISPs afaik, it's mostly used on a trial basis by large companies, universities, etc. As mentioned by the other poster, if you are behind a NAT firewall, most definitely you're not using IPv6 so might as well kill it.

It's usually one of the first things I turn off on a Vista install on my home systems, followed by useless crap like tablet services (well useless on a desktop at least).


RE: If ya dont need it...
By elFarto on 7/22/2008 11:15:55 AM , Rating: 2
I have an IPv6 address via 6to4. That gives each IPv4 address 2^80 addresses. Good luck finding the 2 addresses that are actually in use within that.

Unfortunately, thanks to Windows XP x64, I don't get to use it that much due to its preference of A records over AAAA records when it's using a 6to4 address.

Regards
elFarto


RE: If ya dont need it...
By trejrco on 7/22/2008 12:53:02 PM , Rating: 2
That is actually a good thing - it is almost always better to use *native* IPv4 vs. *tunneled* IPv6. Having it there for IPv6-only services is what is critical ... and you can modify that behavior, if you want IPv6 to always be preferred to IPv4 ...

/TJ


RE: If ya dont need it...
By Bytre on 7/24/2008 12:27:36 AM , Rating: 2
IPv6 is used broadly by ISPs in Japan.

Norton's windows firewall and IPS has supported IPv6 for a couple years, I'm sure some of the other IPv4 firewalls do as well.


Copyright 2014 DailyTech LLC. - RSS Feed | Advertise | About Us | Ethics | FAQ | Terms, Conditions & Privacy Information | Kristopher Kubicki