Events

TROOPERS14 Registration Open + TROOPERS13 Photos Online

Dear blog followers, TROOPERS speakers & attendees,
we hope you’re doing fine! Today we have a couple of great things to share with you:

TROOPERS14
Let’s start with a date. Get your calendar and mark March 17th – 21st 2014. It’s your TROOPERS14 holidays. One week full of high-end education, workshops, talks, reconnecting with friends, action, delicious food and one or the other party. You know the drill – more details further down.

Breaking

Slides & Scripts from Antonios Atlasis’ “Advanced Attack Techniques against IPv6 Networks” Workshop

After his great presentations on IPv6 Extension Headers and security problems related to fragmentation we had invited Antonios Atlasis to Heidelberg to give this workshop at ERNW. It was a great experience with many fruitful discussions between the participants (mostly security practitioners from very large organizations planning to have their Internet edge IPv6 enabled within the next 6-12 months) and him/us. Antonios thankfully decided to make his slides and scripts available for those interested in further research on the topics (it should be noted that the scripts have not been tested thoroughly and he’s happy to receive feedback of any kind at antoniosDOTatlasisDOTgmailDOTcom). Today Marc (Heuse) gives his workshop on pentesting in the IPv6 age. Hopefully such events help to move things in the right direction in the IPv6 security space…

Best

Enno

Events

Impressions from the Google I/O Con

From 15th – 17th of May, the sixth Google I/O conference took place in San Francisco, California and I was one of the lucky guys attending. More than 5500 people, primarily web, mobile, and enterprise developers, attended this annual event. A lot of presentations included announcements of new and exciting technologies, APIs as well as of two new devices.

During the first minutes of the keynote some of Google’s managers announced that by now over 900 million Android devices are activated and that 48 billion apps are installed, which demonstrates that this market is still heavily growing. As the major part of the audience were (app-) developers, these numbers were received quite gratefully and euphorically.


Some of the presentations announced new services as well as new features and designs for existing services like:

  • Google Play Music All Access, which makes it possible to stream music legally for a monthly fee (comparable to Spotify).
  • Underwater Streetview, where Google tries to capture all coral reefs worldwide in order to enable virtual diving.
  • The new user interface and features of Google+, which make it easier to use the social network while providing more functionalities (e.g. automated sorting and quality assurance of uploaded holiday pictures).
  • Google Maps, which now provides more intelligent localization features for target locations of users as well as clouds hovering over the world in realtime.
  • “Sign in with G+” which is an OAuth2-based Single Sign-On that can be used to replace all kinds of web authentication mechanisms.

Of course, quite some talks dealt with the privacy-critical project Google Glass, which had been introduced at last year’s I/O. From a technical point of view Google Glass is an interesting project not only due to its new “in-eye-projection” technology. Also the voice interface allows the user to easily control the device. By saying “OK Glass, take a picture” the user’s actual view is captured and directly uploaded – of course to Google servers. In addition, the integrated navigation system is an interesting feature which enables augmented navigation by means of semitransparent arrows being displayed directly in the users’ field of view. However, there is the other side of the coin: privacy. All data that is captured by the device is processed by Google’s servers. The fact that one of the responsible Google managers answered the question, in which way Google handles the captured and GPS data, with “in the same way as Google handles all the other data that is collected by our other services”, does not calm at that point. It rather states that when considering Lawful Interception as it exists in almost all countries (and in particular in the USA), Google Glass can turn into a surveillance instrument par excellence. Of course this does not only imply an impact for owners of Google Glass but also for all other people being faced by people wearing Google’s new toy. In fact, there is a tiny LED shining while the device is taking a video. However, this can easily be manipulated (e.g. with a sticker) and it is questionable if visibility of this LED is in appropriate proportion to the resolution of the integrated camera. In other words, it is possible to be filmed and photographed while walking in the streets without even being able to notice it. Since Glass is not publicly available so far we have some time left to think about how to deal with this…

All in all Google I/O was a very impressive and informative event. In a way I felt amazed like a child when I saw all these crazy Android figures hanging around and being surrounded by remotely controlled zeppelins flying through the building.

Have a good weekend
Kevin

P.S.: All talks can be reviewed here.

Breaking

Analysis of Hypervisor Breakouts

In the course of a current virtualization research project, I was reviewing a lot of documentation on hypervisor security. While “hypervisor security” is a very wide field, hypervisor breakouts are usually one of the most (intensely) discussed topics. I don’t want to go down the road of rating the risk of hypervisor breakouts and giving appropriate recommendations (even though we do this on a regular basis which, surprisingly often, leads to almost religious debates. I know I say this way too often: I’ll cover this topic in a future post ;)), but share a few observations of analyzing well-known examples of vulnerabilities that led to guest-to-host-escape scenarios. The following table provides an overview of the vulnerabilities in question:

Building

RA Guard (Evasion) – We Stand Corrected

Recently Jozef Pivarník and Matěj Grégr published an excellent write-up on RA Guard & evasion techniques. Amongst others they tested the “undetermined-transport” ACL we described here and here. As it turns out the “workaround” for implementing undetermined-transport on platforms seemingly not supporting it causes some bad collateral damage: the respective port does not forward any IPv6 packets any more (this was brought to my attention by Roberto Taccon). We had done some tests after applying it (by means of the “workaround”) but we had just looked at fragmented RA packets (which did not get through => test succeeded). So, frankly: the undetermined-transport trick does not make sense at all on the “unsupported platforms”…

Jim Small didn’t notice this either, in his great presentation at the North American IPv6 Summit (which, btw, to the best of our knowledge is the best overview of ACL approaches to counter common IPv6 attacks on the local link).

Furthermore it should be noted that Jozef and Matěj describe some really interesting ways to evade current implementations, incl. an evasion variant merely based on extension headers (without fragmentation) that we hadn’t been aware of before. These will be included in these workshops.

Obviously much more research (and vendor scrutiny) is needed as for RA Guard…

have a great week everybody

Enno

Building

IPv6 Attacks & Pentesting Workshops

Due to “popular demand” and given Marc couldn’t join us at the IPv6 Security Summit (as flights into FRA were canceled that day due to snow) we decided to invite him and Antonios Atlasis another time, to present their knowledge, skills & voodoo in two workshops held in Heidelberg, in late June. More details can be found here.

See you all potentially at the Heise IPv6 Kongress, take care

Enno

 

Building

RA Guard Support

Hi,

on the [ipv6-ops] mailing list currently there’s some discussion about RA guard support on switches from different vendors.

Stefan, one of our students (btw: working on a topic similar to this session), quickly put together a preliminary list, based on publicly available information (read: the WWW ;-)). Some of you may find this useful; it can be found here. Furthermore on the list this link was mentioned which seems to provide some info as well (albeit potentially not very up-to-date).

If any of you has better/more information pls feel free to share by leaving a comment. The IPv6 security community will thank you for that 😉

Best

Enno
