Building

Things to Consider When Starting Your IPv6 Deployment

Hi,

today I’m going to suspend the “Developing an Enterprise IPv6 Security Strategy” series for a moment and discuss some other aspects of IPv6 deployment.
We’ve been involved in a number of IPv6 projects in large organizations in the past few years and in many of those there was a planning phase in which several documents were created (often these include a road map, an address concept/plan and a security concept).
Point is: at some point it’s getting real ;-), read: IPv6 is actually enabled on some systems. Pretty much all enterprise customers we know start(ed) their IPv6 deployment “at the perimeter”, enabling IPv6 (usually in dual-stack mode) on some systems/services facing the Internet and/or external parties.
Unfortunately there’s a number of (seemingly small) things that can go wrong in this phase and “little errors” made today are probably meant to stay for a long time (in German we have the nice phrase “Nichts ist so dauerhaft wie ein Provisorium”, and I’m sure people with an IT operations background will understand this even without a translator…).
In this post I will hence lay out some things to consider when you enable IPv6 on perimeter elements for the first time.

Misc

Another Perspective in Vulnerability Disclosure

As you know we (as in ERNW) are quite involved when it comes to vulnerability disclosure and we’ve tried to contribute to a discussion at several occasions, such as Reflections on Vulnerability Disclosure and ERNW Newsletter 50 Vulnerability Disclosure Reflections Case Study.

In this post I want to add (yet) another perspective, motivated by a disclosure procedure which just happened recently.

Breaking

Security Analysis of VoLTE, Part 1

Hello everybody,
this time I’d like to share some thoughts and results about our telco research last year. We gathered a lot of information out of some projects we’d like to share and discuss with you. The following sections also provide an idea of the upcoming Telecommunication Security Workshop I will give with Kevin Redon at Troopers. The workshop will be about Radio Network Security (covered by Kevin) and security aspects of the Core Network (covered by myself), mainly focusing on Voice over LTE (VoLTE). That’s also the topic of today’s post.

Building

Developing an Enterprise IPv6 Security Strategy / Part 5: First Hop Security Features

In the previous parts of this series (part 1, part 2, part 3, part 4) we covered several aspects of IPv6 security, mainly on the infrastructure level. In today’s post I will follow up by briefly discussing so-called First Hop Security features.

Events

DPRK’s RedStar OS on 32c3

Niklaus and I had the chance to talk about our research on RedStar OS at the 32nd Chaos Communication Congress in Hamburg this year. You can see the talk online at media.ccc.de or on Youtube.

We talked about the details of the watermarking mechanism that we found in July and additional features of RedStar OS like its “Virus Scanner” and the system architecture. During the days after our talk we were able to find watermarks applied by RedStar OS in the wild on some sites on the Internet. We can confirm at least 7 different instances of RedStar OS that have applied watermarks to JPGs. Cleaning up the data is work in progress and we will get back to you with the results! Niklaus has put our presentation and additional resources in the git. Feel free to join us in our research and make the world a safer place!

32c3 was amazing, as every time! Big thanks to all the volunteers who made this possible. Niklaus and I enjoyed every second! 🙂

Hope to see some of you at Troopers 16 in March 2016!

Cheers,

Florian

Building

Developing an Enterprise IPv6 Security Strategy / Part 4: Traffic Filtering in IPv6 Networks (II)

In this part of our little series (part 1, part 2, part 3) we continue discussing IPv6 specific filtering of network traffic, namely at intersection points.

As stated in the 1st part, a number of potential security problems in IPv6 networks are related to Extension Headers of IPv6, in particular when combined with fragmentation. At the same time, as of today (December 2015) there is no Internet service or application that actually needs those headers.
