Just recently on the NANOG mailing list a discussion popped up titled “SNMP DDoS: the vulnerability you might not know you have“.
There’s a couple of points here:
Continue reading “SNMP Reflected Amplification DDoS Attacks”
Continue readingAuthor: Enno Rey
Responsible Disclosure and Academic Freedom, Again
Reading this article from the Guardian, on this guy apparently being banned from fully discussing research results in his talk at upcoming USENIX Security, leaves me scratching my head once more. Things might (as so often) be more complex than they seem, but this looks like yet-another misconception as for the contribution of security research (and its public discussion) to the greater good of us all. Which is unfortunate for the speakers (I’ve been in a similar situation once, receiving a threatening legal letter from a very large organization one day before one of our Black Hat presentations and can tell you that stuff like that doesn’t add to one’s anticipation of the talk or the event…), for the audience (including some ERNW guys who will be a USENIX-SEC, so, btw, expect a summary post here) and for the whole community of security researchers.
Ross Anderson from the University of Cambridge (so just ~ 100 miles from Birmingham, where Flavio Garcia works) formerly gave a very nice response when one of his students was approached in a similar fashion. Based on the publicly available information, the judge in the above case did not follow this reasoning. Which I think, is not a good thing for all of us.
Still, have a great remainder of the weekend everybody,
Enno
Continue readingIPv6 Hackers Meeting @ IETF 87, Berlin
Next to IETF 87 going on in Berlin in a few days there will be an informal meeting of the “IPv6 Hackers” on Tuesday. We really look forward to personally meet a number of people who we (so far) only know from the associated mailing list or similar machine-enhanced exchange. We hope to contribute as well. Based on the stuff of this workshop from the IPv6 Security Summit at Troopers13 we might give a short project presentation along the lines of “Some Notes on Testing the Real-World IPv6 Capabilities of Commercial Security Products”, providing an overview of some testing done on commercial gear, together with a discussion of testing approaches, tools and key aspects.
I currently discuss this potential input with the guy who gratefully organized the meeting. In any case I encourage everybody interested in IPv6 security to show up there (you don’t have to be registered to IETF 87) as there’s not much that can substitute meeting in person to discuss how to make the IPv6 world a safer place.
best
Enno
Continue readingSome Notes on Types of Security Controls & the Way they’re Implemented in Enterprise Environments
Welcome back, Dear Reader,
in this post I’d like to share some reflections on the (potentially inefficient) way some security controls can be observed to be deployed in complex organisations and what this may mean for the future of those controls.
In general the space of security controls can be categorized according to different schemes, such as:
- By fundamental principle (preventive, detective, reactive, corrective, deterrent, compensating etc. security controls. see for example this overview or this one or some illustration here).
- By “state of matter” (e.g. components, implementation, operations. again, for some supplemental information look at this one).
- By type of admission: whitelisting vs. blacklisting (some general discussion here, the respective Schneier-Ranum Face-Off to be found here, and this is only Bruce’s half, but with a number of comments).
- Related to the overall architecture of implementation: centralized vs. distributed.
For today’s topic I’ll just focus on the latter two and will introduce those shortly.
Continue readingGanz Gallien?
“Nein! Ein von unbeugsamen Galliern bevölkertes Dorf hört nicht auf, dem Eindringling Widerstand zu leisten.”
This is a famous quote pretty much every German kid used to know. Not sure if this still applies though, my three haven’t touched Asterix comics so far. Anyhow, you might ask why I cite this.
Simple answer: see this recent article from the Guardian on a Utah-based ISP “resisting some pressure”. That’s the spirit…
Have a great Sunday everybody,
Enno
Continue readingSlides & Scripts from Antonios Atlasis’ “Advanced Attack Techniques against IPv6 Networks” Workshop
After his great presentations on IPv6 Extensions Headers and security problems related to fragmentation we had invited Antonios Atlasis to Heidelberg to give this workshop at ERNW. It was a great experience with many fruitful discussions between the participants (mostly security practitioners from very large organizations planning to have their Internet edge IPv6 enabled within the next 6-12 months) and him/us. Antonios thankfully decided to make his slides and scripts available for those interested in further research on the topics (it should be noted that the scripts have not been tested thoroughly and he’s happy to receive feedback of any kind at antoniosDOTatlasisDOTgmailDOTcom). Today Marc (Heuse) gives his workshop on pentesting in the IPv6 age. Hopefully such events help to move things into the right direction in the IPv6 security space…
Best
Enno
Continue readingMicrosoft Doc “Best Practices for Securing Active Directory”
Hi,
MS just released a new guide on securing Active Directory. At the first glance seems a fairly comprehensive document to me.
At this occasion I may furthermore draw your attention to our (German language) newsletter no. 40 covering hardening MS Windows Server 2008 + AD.
have a good one,
Enno
Continue readingTroopers13 Videos Online
Hi,
as we’ve received quite some requests re: the videos from Troopers 2013: the YouTube playlist can be found here.
Have fun (and learn something ;-)) watching, cu next year
Enno
Continue readingRA Guard (Evasion) – We Stand Corrected
Recently Jozef Pivarník and Matěj Grégr published an excellent write-up on RA Guard & evasion techniques. Amongst others they tested the “undetermined-transport” ACL we described here and here. As it turns out the “workaround” for implementing undetermined-transport on platforms seemingly not supporting it, causes some bad collateral damage: the respective port does not forward any IPv6 packets any more (this was brought to my attention by Roberto Taccon). We had done some tests after applying it (by means of the “workaround”) but we had just looked at fragmented RA packets (which did not get through => test succeeded). So, frankly: the undetermined-transport trick does not make sense at all on the “unsupported platforms”…
Jim Small didn’t notice this either, in his great presentation at the North American IPv6 Summit (which, btw, to the best of our knowledge is the best overview of ACL approaches to counter common IPv6 attacks on the local link).
Furthermore it should be noted that Jozef and Matej describe some really interesting ways to evade current implementations, incl. an evasion variant merely based on extension headers (without fragmentation) that we hadn’t been aware of before. These will be included in these workshops.
Obviously much more research (and vendor scrutiny) is needed as for RA Guard…
have a great week everybody
Enno
Continue readingIPv6 Attacks & Pentesting Workshops
Due to “popular demand” and given Marc couldn’t join us at the IPv6 Security Summit (as flights into FRA were canceled that day due to snow) we decided to invite him and Antonios Atlasis another time, to present their knowledge, skills & voodoo in two workshops held in Heidelberg, in late June. More details can be found here.
See you all potentially at the Heise IPv6 Kongress, take care
Enno
Continue reading