
Your precious firewall can't save you now!

Weak or nonexistent IPv6 handling in computer security software can leave otherwise-secure computers wide open to attack – so open, in fact, that in some cases it’s as if there’s no firewall running at all.

Speaking at the annual HOPE (Hackers on Planet Earth) conference in New York, security researcher Joe Klein of Command Information said that the internet is full of computers surreptitiously running IPv6, unbeknownst to their owners. Compounding the problem is the number of operating systems shipped with IPv6 enabled by default, which includes Windows Vista, Linux’s 2.6 kernel, Sun’s Solaris, Mac OS X, and a variety of cell phone operating systems, including Windows Mobile 5 and 6.

Computers with a lackluster IPv6 setup – even if they have a strong IPv4 firewall or Intrusion Detection System (IDS) in place – are just as naked in IPv6 space as they would be in IPv4 space without a firewall: any program that listens for connections is allowed to accept them. Most operating systems, by default, run a handful of such “listeners” for networking and internal processes – and it is these listeners that are frequently the first to be targeted in an attack.

A number of computer worms, including Blaster and its follow-up Welchia, worked by exploiting a buffer overflow in Windows’ internal RPC infrastructure, which listens on port 135 and is ordinarily covered up by a firewall.

Network administrators who don’t keep tabs on their systems face a huge risk, said Klein. Operational dangers aside, administrators who work for organizations that have to comply with regulations like HIPAA or Sarbanes-Oxley risk non-compliance if they don’t secure their IPv6 implementations – whether they realize they have one or not.

“Essentially, we have systems that are wide open to a network,” said Klein. “It's like having wireless on your network without knowing it.”

Security researchers have for some time found hackers exploiting IPv6. A 2002 post from Lance Spitzner of the Honeynet Project observed a hacker who broke into a Solaris-based honeypot through normal means, enabled IPv6 connectivity in the OS, and then set up a tunnel out of the network that went into another country. The break-in was only discovered due to network packet-sniffing, and even then Spitzner says he was unable to decode the data being sent out.

One of the biggest threats is the variety of backwards-compatibility schemes designed to tunnel IPv6 traffic through an IPv4 system, like Teredo or the 6to4 system: the very act of tunneling often circumvents firewalls by nature.
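The two preceding points, unnoticed IPv6 listeners and tunnel addresses that ride inside IPv4, can be checked on a Linux host from the kernel's own socket table. The script below is an added example, not part of the article or Klein's talk: it parses the /proc/net/tcp6 format (the rows shown are constructed, not captured) and labels each LISTEN socket as loopback, wildcard, Teredo, 6to4, ISATAP or native, so an administrator can see what an IPv4-only firewall is not covering.

```python
"""Added example (not from the article): list IPv6 LISTEN sockets from Linux's
/proc/net/tcp6 and label each address by origin, so listeners an IPv4-only
firewall never inspects (wildcard, Teredo, 6to4, ISATAP) stand out."""
import ipaddress

TCP_LISTEN = "0A"  # socket-state code for LISTEN in /proc/net/tcp*
TUNNEL_PREFIXES = {"teredo": ipaddress.IPv6Network("2001::/32"),  # RFC 4380
                   "6to4": ipaddress.IPv6Network("2002::/16")}    # RFC 3056

# Constructed /proc/net/tcp6 sample. local_address is 32 hex digits (four 32-bit
# words, each in host little-endian byte order) then ':' and the port in hex.
SAMPLE_PROC_NET_TCP6 = """\
  sl  local_address                         remote_address                        st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000000000000000000000000000:0087 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11111 1 0000000000000000 100 0 0 10 0
   1: 00000000000000000000000001000000:0019 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 22222 1 0000000000000000 100 0 0 10 0
   2: 0000012078E33641BF630080D2FDFF3F:01BD 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 33333 1 0000000000000000 100 0 0 10 0
   3: 00C00220000004020000000001000000:0016 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 44444 1 0000000000000000 100 0 0 10 0
   4: 00000000000000000000000001000000:8000 00000000000000000000000001000000:0019 01 00000000:00000000 00:00000000 00000000     0        0 55555 1 0000000000000000 100 0 0 10 0
"""

def parse_proc_addr(field):
    """Decode 'HEX32:PORT' into (IPv6Address, port), restoring network byte order."""
    hexaddr, hexport = field.split(":")
    raw = bytes.fromhex(hexaddr)
    net_order = b"".join(raw[i:i + 4][::-1] for i in range(0, 16, 4))
    return ipaddress.IPv6Address(net_order), int(hexport, 16)

def classify(addr):
    """Label where an address comes from; the tunnel kinds are the ones the article warns about."""
    if addr.is_loopback:
        return "loopback"
    if addr.is_unspecified:
        return "any"      # [::] answers on every interface, tunnel interfaces included
    for name, net in TUNNEL_PREFIXES.items():
        if addr in net:
            return name
    if addr.packed[8:12] in (b"\x00\x00\x5e\xfe", b"\x02\x00\x5e\xfe"):
        return "isatap"   # RFC 5214 interface identifier ::[02]00:5efe:a.b.c.d
    return "native"

def ipv6_listeners(proc_lines):
    """Return (address, port, origin) for each LISTEN row; header and non-LISTEN rows are skipped."""
    found = []
    for line in proc_lines:
        fields = line.split()
        if len(fields) < 4 or fields[0] == "sl" or fields[3] != TCP_LISTEN:
            continue
        addr, port = parse_proc_addr(fields[1])
        found.append((str(addr), port, classify(addr)))
    return found
```

On a real host, pass `open("/proc/net/tcp6").read().splitlines()` instead of the sample; anything not labelled loopback is reachable from off-host over IPv6 and deserves a matching ip6tables rule.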

“Teredo/ISATAP is currently and will continue to be a major red flag for networks that have both IP versions enabled, because tunneling confuses the heck out of a lot of firewalls and IDS deployments,” said an unnamed DoD security specialist, in an interview with Wired’s Threat Level.

With internet progressives trying to switch the internet to IPv6 as fast as they can – a widget on Command Information’s web site estimates that the internet will run out of IPv4 addresses in about two and a half years – some fear that technological progress may be outpacing the security that keeps it safe.

Comments

Old news
By wvh on 7/22/2008 8:01:44 PM , Rating: 2
I remember reading a similar article around 2000, when I was experimenting with IPv6 (and it still isn't in "real" use!).

While I was anxiously waiting for system services to get IPv6 support back then, now I'm actually bothered that so many servers open IPv6 listeners without any notification or warning in the documentation.

The switch has been taking way too long – I wonder if it will ever happen – and maintaining double firewall rulesets and networking tool arguments isn't a sustainable option.

Someone should coordinate an IPv4 "pull the plug" scenario or cancel IPv6 altogether.

RE: Old news
By trejrco on 7/23/2008 12:20:50 PM , Rating: 2
Someone should coordinate an IPv4 "pull the plug" scenario or cancel IPv6 altogether.

Agreed; been taking way too long. To the point we will face severe IPv4 address shortages before IPv6 is widely deployed, leading to new implementations of NAT in IPv6 :(.
For all of its benefits, *this* is the downside with an open collective like the Internet - there is no central authority who could do/mandate such a thing.

It is up to all of the users, the content providers and the service providers to "collectively" make this happen.


RE: Old news
By Yawgm0th on 7/23/2008 1:48:00 PM , Rating: 2
Agreed; been taking way too long. To the point we will face severe IPv4 address shortages before IPv6 is widely deployed, leading to new implementations of NAT in IPv6 :(.

ICANN has the authority to do just that.

It will be a long time before we run out of IPv4 addresses. By the time it happens, the technology will be in place to make the switch quickly, and probably even easily.
