The BIGGEST security flaw: Users.
Today, the 15th of May, many of the users with a blog hosted by the huge Norwegian blog-hosting provider blogg.no experienced being “hacked”.
For a while it seemed that blogg.no itself had been hacked due to poor security. But later they published a message and disabled login to the sites, explaining the issue:
Unfortunately we have had problems with hackers crackers today, and blogg.no has been taken down as a precaution until we have an overview of the problem.
Update:
Fake e-mails have been sent to our users urging them to install a “security module” for blogg.no. The e-mails linked to a page outside our control where users had to enter their blogg.no username and password. This page looked like our pages, and users entered their username and password in good faith, which thereby ended up in the wrong hands.
- The e-mail and the page it links to are fake and NOT from blogg.no. Blogg.no NEVER sends out an e-mail that results in you having to enter a username or password.
- EVERYONE who has visited the aforementioned page MUST contact us at info@blogg.no.
- Anyone who has any information about this is asked to contact us at info@blogg.no.
- We are keeping blogg.no down until further notice.
A short translation:
“We’ve had problems with hackers crackers today, and blogg.no has been taken down because of security concerns until we have control over the problem.
Update:
Fake e-mails have been sent out to our users encouraging them to install a “security module” for blogg.no.
The e-mails linked to a site outside our control where the users had to type in their username and password for
blogg.no. This page looked like our pages, and the users have in good faith typed in their username and password…”
As the title of this posting says: users are, and will always be, the biggest security flaw of the internet and technology.
One should follow certain rules on the net:
- Do NOT trust that the e-mails you receive really are from the sender you think, unless some kind of signing is used.
- Do NOT use the same password for every site and login you have. I plan on posting a note about this sometime in the future.
- Do NOT make use of the “Secret Question” and “Answer” solution most pages provide. It’s really a huge security flaw. I could explain this further, if anyone needs it…
- Do NOT give away your username and/or password to anyone.
- BE paranoid! Be very, very paranoid.
- DO use a secure password. A password should be at least 8 characters long, unique, not a name or a dictionary word, and should contain both lowercase and uppercase letters, in addition to numbers, and preferably special characters (!"#¤%&/=?-_<>|).
IPv6 – the forgotten protocol?
IPv6, the next generation IP protocol (as opposed to IP version 4), has been “just around the corner” for many years now. Every modern operating system includes support for IPv6, and network vendors have added it to their equipment. But not many ISPs have started providing IPv6 yet, and thus very few IT departments have taken IPv6 into account when setting up their networks and firewalls.
The problem is that IPv6 is enabled in the OS by default unless it is explicitly disabled. And there is seldom any firewall configured to block IPv6 access.
That leaves a HUGE security hole, WIDE OPEN!
Ok, I won’t exaggerate. Since ISPs do not route IPv6 yet, and hence do not offer any globally routable addresses, the problem is not *HUGE*. But it is a fact that by default, all IPv6 hosts on the same network can reach each other using the link-local addresses that the system configures automatically.
The link-local address is guaranteed to be unique by picking an address using the EUI-64 algorithm. This algorithm uses the network adapter’s MAC address, so the address will be unique. For example, a system with MAC 11:22:33:44:55:66 would get a link-local address of fe80:0000:0000:0000:1122:33FF:FE44:5566 (or fe80::1122:33FF:FE44:5566 for short).
Try performing a local IPv6 node discovery yourself, on a network with other hosts:
# ping6 -c 3 -I eth0 ff02::1 >/dev/null 2>&1
# ip neigh | grep ^fe80
I tried this on one of my servers, located at a hosting provider on a huge network, and found more than 700 hosts with IPv6 enabled! And by trying to connect to these using telnet on different ports, I managed to connect to everything from open telnet (tcp/23) and ssh (tcp/22) to web (tcp/80) and smtp (tcp/25). And while some of these may be intentional, I would bet many of the servers’ owners are unaware of this.
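To make the EUI-64 derivation above concrete, and to turn the neighbour listing from the two commands above into an inventory you can act on, here is an added Python example (my code, not from the original post). It implements the modified EUI-64 rule from RFC 4291, Appendix A: split the MAC in the middle, insert ff:fe, and invert the universal/local bit (0x02) of the first octet. Because of that bit inversion, MAC 11:22:33:44:55:66 yields fe80::1322:33ff:fe44:5566, which differs in the second hex digit from the address written above. The example also reverses the derivation and parses a constructed `ip -6 neigh` listing (sample lines I made up, not captured from any real network) into a list of neighbours with their MACs; the function names and the sample data are my own assumptions.

```python
import ipaddress
import re
from typing import List, Optional


def modified_eui64(mac: str) -> bytes:
    """Modified EUI-64 interface identifier (RFC 4291, Appendix A) for a 48-bit MAC."""
    octets = bytes.fromhex(re.sub(r"[:\-.]", "", mac))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    # Split the MAC in the middle and insert ff:fe ...
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    # ... then invert the universal/local bit (0x02) of the first octet.
    iid[0] ^= 0x02
    return bytes(iid)


def link_local_from_mac(mac: str) -> str:
    """Link-local address (fe80::/64) a host autoconfigures from its MAC."""
    packed = b"\xfe\x80" + b"\x00" * 6 + modified_eui64(mac)
    return ipaddress.IPv6Address(packed).compressed


def mac_from_link_local(addr: str) -> Optional[str]:
    """Reverse the derivation; None if the address carries no EUI-64 identifier."""
    a = ipaddress.IPv6Address(addr)
    iid = a.packed[8:]
    if not a.is_link_local or iid[3:5] != b"\xff\xfe":
        return None
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in octets)


# Constructed sample of `ip -6 neigh` output (assumption: not from a real network).
SAMPLE_NEIGH = """\
fe80::1322:33ff:fe44:5566 dev eth0 lladdr 11:22:33:44:55:66 REACHABLE
fe80::aabb:ccff:fedd:eeff dev eth0 lladdr a8:bb:cc:dd:ee:ff STALE
fe80::1 dev eth0 lladdr 00:00:5e:00:01:01 router REACHABLE
fe80::dead:beef:1:2 dev eth0 FAILED
"""


def parse_neighbours(text: str) -> List[dict]:
    """Parse `ip -6 neigh` lines; entries without a learned lladdr keep None."""
    entries = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 3 or tok[1] != "dev":
            continue  # not a neighbour line
        lladdr = tok[tok.index("lladdr") + 1] if "lladdr" in tok else None
        entries.append({
            "addr": tok[0],
            "dev": tok[2],
            "lladdr": lladdr,
            "state": tok[-1],          # REACHABLE, STALE, FAILED, ...
            "router": "router" in tok,  # the neighbour advertised itself as a router
        })
    return entries


def inventory(text: str) -> List[dict]:
    """For every neighbour with a known MAC, record whether its address embeds
    that MAC (EUI-64) or was chosen some other way (static, DHCPv6, privacy)."""
    out = []
    for e in parse_neighbours(text):
        if e["lladdr"] is None:
            continue  # nothing answered; no hardware to attribute
        out.append({
            "addr": e["addr"],
            "mac": e["lladdr"],
            "eui64": mac_from_link_local(e["addr"]) == e["lladdr"],
            "router": e["router"],
        })
    return out


if __name__ == "__main__":
    print(link_local_from_mac("11:22:33:44:55:66"))
    for entry in inventory(SAMPLE_NEIGH):
        print(entry)
```

Feeding the real output of `ip -6 neigh` into `inventory()` gives you the list of hosts that answered the all-nodes ping together with their MAC addresses, which is the list to walk through when deciding which of them actually need IPv6 and which should get the firewall policy described below. The `eui64` flag tells you whether the address was autoconfigured from the MAC (and so reveals the adapter vendor and stays the same on any network) or assigned some other way.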
Actually, until you and/or your firm are ready to enable IPv6 intentionally, I would at least recommend these few lines in a startup script, e.g. /etc/rc.local:
# /sbin/ip6tables -P INPUT DROP
# /sbin/ip6tables -P OUTPUT DROP
# /sbin/ip6tables -P FORWARD DROP
And/or you could disable loading of the IPv6 module, or compile your own kernel without IPv6 support. And be sure to disable the use of IPv6 in your services where possible. (Not every service supports IPv6 yet – but most of them do.)
I would recommend reading the articles linked at the bottom of this post, for further information. They are the source of my post.
Sources:
Uninformed – vol 10 article 3 : Exploiting Tomorrow’s Internet Today (Penetration Testing with IPv6)
The Hackers Choice presents (PDF): Attacking the IPv6 Protocol Suite
Maybe my security-related blog?
Posted by jorno in Uncategorized on May 11th, 2009
Hello world.
This may, or may not, be my future blog about security, Linux, technology and other things I find interesting.
Right now I don’t know what my second post will be yet. Instead I recommend checking out some of my links.
In particular www.gamelinux.org. It’s a good blog about security-related stuff, from Edward, who was my teacher in a recent course on Linux Security at Redpill Linpro, which I found very interesting, and who inspired me both to focus more on security and to create this blog to write about some of my findings.
And since my GF doesn’t want me to write anything technology-related (can’t blame her!) on our common blog, which really is about our personal life, I decided I would try this blog for things only I find interesting.
Please be patient – I don’t expect to be the most active blogger.
But hopefully I will have some interesting stuff to write about when I do post here.