Archive for the ‘General’ Category

YBGIBG Security

August 23, 2012

For the last year, I have been reading many books about start-ups. Currently I am reading a book called “The Lean Startup: How Today’s Entrepreneurs Use Continuous Innovation to Create Radically Successful Businesses”; a book which in October 2011, debuted at #2 on the New York Times Best Seller list, with CNBC stating that it had “already [become] a must-read for any entrepreneur”.

Throughout this and other books, I see the topic of security risks and protecting customer information ignored and dismissed.

I guess the meme IBGYBG (I’ll be gone, you’ll be gone) discussed in Thomas L. Friedman’s “Why How Matters”, The New York Times, October 14 2008, applies to the security of business systems and networks.

To paraphrase Mr. Friedman with a security spin, “We got away from the basics — from the fundamentals of prudent security, where the company or organization maintains some kind of personal responsibility for, and personal interest in, whether the person receiving the private data can actually protect it. Instead, we fell into what some people call YBG IBG security: ‘you’ll be gone and I’ll be gone’ before the compromises happen.”

What do you think, B-School graduates, the ‘C-Suite’ set and the entrepreneur community? Am I being too hard?

“I’m an IPv6 PC”

June 2, 2012

Just this week, I ran into an old friend and IPv6 colleague, Sean Siler, the IPv6 lead for Microsoft. You may have seen Sean play “PC” on the Microsoft parody (1) of the Apple advertisement “I’m a Mac” and “I’m a PC” (2).

During our discussion, we covered which products Microsoft considers as supporting IPv6 and which ones just don’t meet minimal requirements.  Here is the list of Microsoft products he provided me as supporting IPv6:

And if your favorite product or operating system is on the following list, it is time to upgrade before you start supporting IPv6. To repeat, these products WILL NOT support IPv6:

  • Windows 1.x to 3.x
  • Windows NT 3.1 to 4.0
  • Windows 2000, Professional, Server, Advanced Server and Data Server
  • Windows XP, all products
  • Windows Server 2003 products
  • Windows Vista, all
  • Windows CE, Mobile, Windows Mobile all
  • MS OS/2
  • Internet Information Services (IIS)
    • Windows Server 2003 or earlier
  • Exchange
    • Microsoft Exchange 2007 SP0 (or earlier) AND
    • Windows Server 2003 and earlier
  • Domain Name Servers
    • Windows Server 2003 and earlier

Products not listed have a good probability of not working, so I would strongly suggest contacting Microsoft for the current status.

Microsoft has done much work to bring IPv6 into parity with their core products, but not for every product. As Sean put it to me, if a customer requests help, Microsoft will prioritize product capability, features and upgraded schedules.  In short, contact Microsoft today to ensure the product you depend on supports IPv6.

Sadly we did not have more time to talk, as Sean had a meeting with a customer on the topic of IPv6 implementation.  In my eyes, Sean is  “IPv6 PC”.  This blog post is complete… now where is my copy of the South Park Mac vs. PC vs. Linux parody (4)?

 ——————————————

(1) I’M A PC [I am a PC]: Full Ad, http://www.youtube.com/watch?v=9V7NoRjI0H0

(2) All Apple “I’m a Mac I’m a PC” Ads,  http://www.youtube.com/watch?NR=1&feature=endscreen&v=BwzLrqehjKs

(3) Microsoft Common Engineering Criteria, http://www.microsoft.com/cec/en/us/cec-overview.aspx#data-ipv6

(4) South Park Mac vs. PC vs. Linux, http://www.youtube.com/watch?v=0-22EpQOm8c&feature=related

——————————————

Microsoft IPv6 Resources:

Apple ignores IPv6 Security in recent guide?

June 1, 2012

I was perusing the news today, and discovered that Apple produced a security guide for iOS (1).  Excited by the idea that Apple would disclose technical details on the security and features for their products, I grabbed a copy of the document and read it.  I was hoping Apple would discuss how IPv6 was implemented and which security controls could be applied to create a more secure system. I was wrong.

Then I typed ‘Apple security guide’ and reviewed a group of links sorted by versions of Apple firewalls, thinking they would have security features for IPv6. Reviewing the guide for Snow Leopard I discovered the best IPv6 on Apple products is a disabled IPv6.

Lastly, I reviewed the IPv6 Ready Logo Program – a list of products which have been tested for their compliance and interoperability with IPv6 – and discovered that it recommends disabling IPv6 on the Apple operating system and iOS.

I wonder if Apple customers joining the IPv6 World Launch Day on June 6th will understand that a secure Mac is one on which IPv6 should be disabled.

——————-

(1) iOS Security Guide, https://threatpost.com/en_us/blogs/apple-details-ios-security-features-new-guide-053112

(2) Mac OS X Security Guide, http://www.apple.com/support/security/guides/

(3) IPv6 World Launch Day, http://www.worldipv6launch.org/

(4) IPv6 Ready guides, https://www.ipv6ready.org/db/index.php/public/?o=6

Wireless Telegraph Vulnerability

June 1, 2012

I am constantly amazed at the things I find on the Internet. One example of this is the two vulnerabilities in the Marconi Wireless Telegraph that were posted to the Open Source Vulnerability Database (OSVDB), which is a place to find security vulnerabilities in vendors’ products.

The first was OSVDB ID: 79399, Marconi Wireless Telegraph, “Transmitted Message Remote Disclosure”, published 06/01/1903 and acknowledged by the vendor a day later, but not posted on the OSVDB until 12/27/2011. The other was the OSVDB ID: 79400 Marconi Wireless Telegraph, “Crafted Transmission Message Spoofing” with the same publication date as the one prior.

If you have read my blog posts in the past, these vulnerabilities are the reason I call myself and this blog Scientific Hooliganism. Thanks to whoever posted these, it made my day!

No IPv6 on WordPress, but there are options…

May 30, 2012

Today I reviewed my blog entries, hosting services, domain names, videos and slides I have created for over 8 years. Once I was done, only one thing still needed to be tested – the ability for WordPress to support IPv6. Well, they failed, and I needed a method to ‘proxy’ my site through an IPv6 to IPv4 infrastructure. The solution was CloudFlare, a provider that frontends IPv4-only websites, allowing them to be accessible via IPv6.

The process was quick and easy; it took a short time to set up, including making CloudFlare the hosting service for my domain DNS.

Upside: quick and easy

Downside:

  • Turning the hosting of my domain names over to another vendor
  • IPv4-only code running under IPv6 is now vulnerable
  • CloudFlare’s inability to support DNSSEC

Anyway, for the short term this seems the only solution.

Categories: General, IPv6, Security

I want IPv6, but…

May 29, 2012

Ok, I am not a big fan of Teredo, a tunneling technique that rides IPv6 inside UDP packets over IPv4, but there are times when it is required.  Let’s first start with a time when it should not be used and that is when you are an authorized user on an enterprise and need IPv6. In this case call your IT department.

When should it be used? Anytime that you need to connect to IPv6, but the local switch, upstream router, network firewall or ISP does not support IPv6.  Here are methods to enable IPv6:

  • Windows XP – enable IPv6
  • Vista, Windows 7 and Windows 8 – IPv6 is enabled by default; your IT department might have disabled it by default in all cases. Call your IT department.
  • Linux Ubuntu/Debian – “sudo apt-get install miredo” is enough to have IPv6 connectivity. There is no configuration needed.

Is my connection end-to-end, ready for IPv6?

May 29, 2012

When speaking and consulting around North America, I am often asked the question, how do I know whether I am running IPv6?

This is actually a complex question, and the test you need will depend on your purpose. The simplest test will try the routability of your packet to a test website with the result of providing your current unicast IPv6 address. Websites that fit this model include:

Note: If you are unable to obtain a simple IPv6 address, ensure the following:

  1. Does your operating system support IPv6?
  2. Is IPv6 enabled on your system?
  3. Does the host have a firewall which is blocking IPv6?
  4. Does your switch support IPv6?
  5. Is your router capable of supporting IPv6? Is it configured for IPv6?
  6. Is your firewall capable of supporting IPv6? Is it configured for IPv6?
  7. Is your ISP capable of supporting IPv6? Have they configured your network connection?

* details on how to do the above steps will be explored in a future posting
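A local check for the first two items on the list, which also covers the Teredo case from the earlier post: it classifies each address a host holds, so a Teredo (2001::/32) or 6to4 (2002::/16) tunnel address is not mistaken for native IPv6. This is an added example, not part of the original post; the sample `ip -6 addr` output, its interface names and addresses are constructed, and the verdict labels are this example's own.

```python
import ipaddress
import re

ULA = ipaddress.ip_network("fc00::/7")
GLOBAL_UNICAST = ipaddress.ip_network("2000::/3")

# Constructed `ip -6 addr` output; all addresses use documentation ranges.
SAMPLE_TUNNEL = """\
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500
    inet6 fe80::a00:27ff:fe4e:66a1/64 scope link
5: teredo: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1280
    inet6 2001:0:cb00:7101:8000:f227:3fff:fdd2/32 scope global
"""
SAMPLE_NATIVE = """\
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500
    inet6 2001:db8:10:20::15/64 scope global
    inet6 fe80::a00:27ff:fe4e:66a1/64 scope link
"""

def classify(addr):
    """Return (kind, detail) for one IPv6 address string."""
    ip = ipaddress.IPv6Address(addr)
    if ip.is_loopback:
        return "loopback", None
    if ip.is_link_local:
        return "link-local", None
    if ip in ULA:
        return "unique-local", None
    if ip.teredo:  # 2001::/32 (RFC 4380): server and inverted client IPv4
        server, client = ip.teredo
        return "teredo", {"server": str(server), "client_ipv4": str(client)}
    if ip.sixtofour:  # 2002::/16: embeds the site's IPv4 address
        return "6to4", {"client_ipv4": str(ip.sixtofour)}
    if ip in GLOBAL_UNICAST:  # 2001:db8::/32 stands in for a real prefix here
        return "global", None
    return "other", None

def assess(ip_addr_output):
    """Return (verdict, [(kind, detail), ...]) for `ip -6 addr` style text."""
    found = [classify(a) for a in re.findall(r"inet6\s+([0-9a-fA-F:]+)", ip_addr_output)]
    kinds = {kind for kind, _ in found}
    if "global" in kinds:
        return "native", found
    if kinds & {"teredo", "6to4"}:
        return "tunnel-only", found
    return "no-routable-ipv6", found

if __name__ == "__main__":
    for name, text in (("tunnel", SAMPLE_TUNNEL), ("native", SAMPLE_NATIVE)):
        print(name, assess(text))
```

A "tunnel-only" verdict on a managed host means its IPv6 traffic is riding inside IPv4 past whatever IPv6 policy the network applies, which is the case the Teredo post says to take to the IT department.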

The second level not only validates the routability, but also validates the DNS, traceroute, and a few other features. These include:

The last and most complete tests are found on sites I use to troubleshoot and tune customers’ networks and include the following:

If you find others, please post them under comments.

Categories: General, IPv6