Forums | MacLife
#1 2008-07-21 11:28 am
- Bat
- Adult's Play
- Royal Wombat

- From: Björk, Björk
- Registered: 2001-05-14
- Posts: 24076
IPv6 insecurity a danger
INTERNET PROTOCOL version 6 (IPv6) is placing many systems at risk of attack because networking software has IPv6 enabled but users don't know it, warns a security researcher.
Organisations and individuals which aren't yet aware that their networks and computers have IPv6 traffic already enabled won't have configured network protection systems to monitor it, explained Joe Klein of IPv6 integration consultancy Command Information.
"Essentially, we have systems that are wide open to a network," said Klein last Friday evening at the Hackers on Planet Earth (HOPE) conference held in New York City. "It's like having wireless on your network without knowing it."
...
Networking hardware and software vendors have been preparing their products for the transition to IPv6 for years, and many systems are already shipped with IPv6 enabled by default, even though it's not being widely used yet. Therefore, many systems have IPv6 traffic enabled without network administrators and individual users being aware of that. Most network safeguards like firewalls and intrusion detection systems are not properly set up yet to handle IPv6 traffic.
For networks and systems where this is the case, it can present potential vulnerabilities to malicious Internet traffic that uses IPv6 instead of IPv4. Not only might a remote attacker punch inbound IPv6 packets through IPv4 firewalls and past intrusion detection systems undetected, but an attacker who manages to defeat IPv4 security measures, or an internal user already inside a protected network, might transmit outbound data through firewalls and monitoring systems undetected using IPv6.
...
Some mobile phones that have Internet access capabilities have also been discovered to be potentially vulnerable, said Klein. He mentioned that Windows Mobile 5 and 6 users might be especially vulnerable because the software doesn't include a firewall, but he declined to name others until they could be contacted. Klein did say that Blackberries and iPhones are not vulnerable. A Microsoft spokesvole claimed that its Windows Mobile phones are safe.
Command Information provides a list of operating systems and products that it has found to have IPv6 traffic enabled by default:
Apple Airport Extreme
Apple Macintosh OSX
BSD -- OpenBSD / NetBSD / FreeBSD
HP-UX 11v2
IBM AIX 6
IBM AS/400
IBM z/OS
Juniper 5.1
Linux 2.6 Kernel
Microsoft Vista
Microsoft Windows Mobile 5, 6
Open VMS
Various Cell Phones
Sun Solaris 2.8, 2.10
...
There's also a web page where users can test their systems to see whether IPv6 traffic is enabled.
Klein said that users should check with their firewall software vendors to find out whether they're protected from network attacks that employ IPv6. µ
If all economists were laid end to end, they would not reach a conclusion - George Bernard Shaw
"Fire up a colortini, sit back, relax, and watch the pictures, now, as they fly through the air."
Offline
#2 2008-07-22 9:19 am
- Bat
- Adult's Play
- Royal Wombat

- From: Björk, Björk
- Registered: 2001-05-14
- Posts: 24076
Re: IPv6 insecurity a danger
Also covered at DailyTech.
Weak or nonexistent implementations in computer security software can leave otherwise-secure computers wide open for attack – so open, in fact, that in some cases it’s as if there’s no firewall running at all.
Speaking at the annual HOPE (Hackers on Planet Earth) conference in New York, security researcher Joe Klein of Command Information said that the internet is full of computers surreptitiously running IPv6, unbeknownst to their owners. Compounding the problem is the number of operating systems shipped with IPv6 enabled by default, which includes Windows Vista, Linux’s 2.6 kernel, Sun’s Solaris, Mac OS X, and a variety of cell phone operating systems, including Windows Mobile 5 and 6.
Computers with a lackluster IPv6 setup – even if they have a strong IPv4 firewall or Intrusion Detection System (IDS) in place – are just as naked in IPv6 space as they would be in IPv4-space without a firewall, with any program that listens for connections allowed to accept them. Most operating systems, by default, use a handful of “listeners” used for networking and internal processes – and it is these listeners that are frequently the first to be targeted in an attack.
A number of computer worms, including Blaster and its follow-up Welchia, worked by exploiting a buffer overflow with Windows’ internal RPC infrastructure, which listens on port 135 and is ordinarily covered up by a firewall.
Network administrators who don’t keep tabs on their systems face a huge risk, said Klein. Operational dangers aside, administrators who work for organizations that have to comply with regulations like HIPAA or Sarbanes-Oxley risk non-compliance if they don’t secure their IPv6 implementations – whether they realize they have one or not.
If all economists were laid end to end, they would not reach a conclusion - George Bernard Shaw
"Fire up a colortini, sit back, relax, and watch the pictures, now, as they fly through the air."
Offline
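An added example, not part of either post or the quoted articles: one way for an administrator to audit the "listeners" described above on a Linux host is to read `/proc/net/tcp6` and list every TCP socket in LISTEN state that is not bound to loopback only. The sample rows are constructed, a little-endian host is assumed, and the function names are this example's own.

```python
import ipaddress
import os

LISTEN = "0A"  # state code for TCP_LISTEN in /proc/net/tcp6

# Constructed sample in the /proc/net/tcp6 layout (little-endian host assumed).
SAMPLE_TCP6 = """\
  sl  local_address                         remote_address                        st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000000000000000000000000000:0016 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11111
   1: 00000000000000000000000001000000:0277 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 22222
   2: 000080FE00000000FF005002563412FE:0087 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 33333
   3: B80D0120000000000000000001000000:01BB B80D0120000000000000000002000000:C350 01 00000000:00000000 00:00000000 00000000  1000        0 44444
"""

def decode_addr(hex_addr):
    """Turn the 32-hex-digit kernel form into an IPv6Address.

    The kernel prints the address as four 32-bit words in host byte order,
    so on a little-endian machine each 4-byte group must be reversed.
    """
    raw = b"".join(bytes.fromhex(hex_addr[i:i + 8])[::-1] for i in range(0, 32, 8))
    return ipaddress.IPv6Address(raw)

def ipv6_listeners(proc_text):
    """Return (address, port) for every row in LISTEN state."""
    found = []
    for line in proc_text.splitlines()[1:]:      # skip the header row
        fields = line.split()
        if len(fields) < 4 or fields[3] != LISTEN:
            continue                             # established, time-wait, etc.
        addr_hex, port_hex = fields[1].split(":")
        found.append((decode_addr(addr_hex), int(port_hex, 16)))
    return found

def reachable_over_ipv6(proc_text):
    """Listeners that accept IPv6 connections from outside the host itself."""
    return [(str(addr), port) for addr, port in ipv6_listeners(proc_text)
            if not addr.is_loopback]

if __name__ == "__main__":
    path = "/proc/net/tcp6"
    if os.path.exists(path):
        with open(path) as fh:
            text = fh.read()
    else:
        text = SAMPLE_TCP6                       # fall back to the constructed rows
    for addr, port in reachable_over_ipv6(text):
        print(f"IPv6 listener: [{addr}]:{port}")
```

Each port reported here needs a matching rule in the host's IPv6 packet filter; on Linux, `iptables` rules cover IPv4 only and IPv6 is filtered separately through `ip6tables`.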
#3 2008-07-22 9:22 am
- Ribtorus
- Member

- Registered: 2002-07-11
- Posts: 13263
Re: IPv6 insecurity a danger
Sounds like a job for Steve Gibson!
It's not a movie.
Offline
