Building – Page 10 – Insinuator.net

January 4, 2015 by Matthias Luft

Some Design Aspects of Hacking Challenges

We’re currently starting the preparation for the Troopers15 PacketWars Challenge, and since I’ve participated in quite some CTF games and have been involved in the preparation of a number of PacketWars Battles, I thought I’d write down some thoughts on the design of hacking challenges.

First of all, my experience is limited almost exclusively to attack-defend-CTFs or interactive war games (such as PacketWars or CCDC). While thinking about this blogpost, I also came across several terms which are used, so I decided to give a short summary:

Continue reading “Some Design Aspects of Hacking Challenges”

Building

December 30, 2014 by Matthias Luft

Hardening Against Local PrivEsc: Protecting Your Links

Following up on this post, we want to provide some details on two rather new (well, compared to its lifespan) Linux kernel parameters — and emphasize the need to enable those:

fs.protected_hardlinks
fs.protected_symlinks

Continue reading “Hardening Against Local PrivEsc: Protecting Your Links”

Building

December 22, 2014 by Enno Rey

IPv6 Hardening Guide for Windows Servers

After we recently released the “Linux IPv6 Hardening Guide” we got a number of suggestions “could you pls provide a similar document for $OS?” (btw: thanks to you all for the overwhelming interest in the Linux document and the active discussion of ip6tables rule approaches on the ipv6hackers mailing list).

Continue reading “IPv6 Hardening Guide for Windows Servers”

Building

December 17, 2014 by Enno Rey

IPv6 Hardening Guide for Linux Servers

We were recently approached by a customer asking us for support along the lines of “do you have any recommendations as for strict hardening of IPv6 parameters on Linux systems?”. It turned out that the systems in question process quite sensitive data and are located in certain, not too big network segments with very high security requirements.

Continue reading “IPv6 Hardening Guide for Linux Servers”

Building

December 1, 2014 by Enno Rey

Security Implications of Using IPv6 GUAs Only

When planning for IPv6 addressing, many organizations – rightfully & wisely – decide to go with global unicast addresses (GUAs) only (hence not to use unique local addresses/ULAs as of RFC 4193 at all), in order to avoid address selection hell or just for simplicity & consistency reasons. This post discusses security implications and complementary security controls of such an approach.

Continue reading “Security Implications of Using IPv6 GUAs Only”

Building

November 28, 2014 by Enno Rey

IPv6 in RFIs/Tendering Processes

In one of our customer environments each vendor offering an IT product/solution is asked to fill out a questionnaire collecting information on a number of technical parameters with regard to their product[s]. We were recently asked to come up with a proposal of 8 to 10 IPv6-related questions to be added to the questionnaire/process. Here’s what we suggested:

Continue reading “IPv6 in RFIs/Tendering Processes”

Building

November 27, 2014 by Enno Rey

MLD Considered Harmful?

This is a guest post from Antonios Atlasis.

On Thursday the 20^th Enno, Jayson and I had the pleasure to present our latest research results regarding MLD at Deepsec 2014, both from vendors’ implementation perspective as well as regarding protocol design flaws (some preliminary results as well as our testing methodology were discussed here and here).

For refreshing out memory, in a nutshell, the purpose of MLD, a subprotocol of IPv6, is to inform routers about the presence of nodes which are interested in receiving specific multicast traffic (RFC 2710). The newer version of MLD, MLDv2 adds the ability for source address selection (RFC 3810).

Continue reading “MLD Considered Harmful?”

Building

November 14, 2014 by Enno Rey

MLD to Be Reconsidered?

This is guest post from Antonios Atlasis.

Following my September post about the connection between MLD and Neighbor Discovery, as well as Enno’s introduction about our upcoming talk at DeepSec, I would like to try to enlighten you about this with some technical details. First, we have some facts:

MLD is pre-enabled in most modern Operating Systems.
MLD traffic is sent out-of the-box during the stack initialization, as well as periodically.
They also interact with/respond to MLD Queries without any further configuration.

Continue reading “MLD to Be Reconsidered?”

Building

November 13, 2014 by Enno Rey

Protocol Properties & Attack Vectors

Next week, at DeepSec, we’re going to give a talk about Multicast Listener Discovery (MLD), a component of IPv6 which is realized by means of ICMPv6 messages. There are two versions of MLD (mainly specified in RFC 2710 and RFC 3810 respectively) and while MLD is technically implemented by ICMPv6 exchanges, these specifications describe a whole set of rules and communication formats, hence we can safely talk about “the MLD protocol”.

Now, you might ask: how does one tackle the task of examining the security “of a protocol”?

Continue reading “Protocol Properties & Attack Vectors”

Building

November 6, 2014 by Enno Rey

Dynamics of IPv6 Prefixes within the LIR Scope in the RIPE NCC Region

To contribute to the current debate on IPv6 route deaggregation & “strict-filtering” performed by certain ISPs we just released a white paper on “Dynamics of IPv6 Prefixes within the LIR Scope in the RIPE NCC Region“. I will give a talk on the overall topic later today at the Routing Working Group. We sincerely hope that the IPv6 community becomes aware of the inherent issues, and that practical solutions can be found which consider & meet the needs of the different parties involved.

Best

Enno