Due to “popular demand” and given Marc couldn’t join us at the IPv6 Security Summit (as flights into FRA were canceled that day due to snow) we decided to invite him and Antonios Atlasis another time, to present their knowledge, skills & voodoo in two workshops held in Heidelberg, in late June. More details can be found here.
See you all potentially at the Heise IPv6 Kongress, take care
on the [ipv6-ops] mailing list currently there’s some discussion about RA guard support on switches from different vendors.
Stefan, one of our students (btw: working on a topic similar to this session), quickly put together a preliminary list, based on publicly available information (read: the WWW ). Some of you may find this useful; it can be found here. Furthermore on the list this link was mentioned which seems to provide some info as well (albeit potentially not very up-to-date).
If anyone of you has better/more information pls feel free to share by leaving a comment. The IPv6 security comment will thank you for that
just to let you know that all presentations from this year’s TelcoSecDay are published in the interim. (Harald [Welte] couldn’t participate as in the morning of that day FRA airport was closed on short notice).
Next year’s TSD will happen on 03/18/2014.
After being on the market for a few months now, Microsoft started quite a large advertising campaign in Germany for its new Surface RT . We had a comprehensive look at the new tablet PC and here are a few thoughts and impressions:
Running a slightly reduced ARM version of Windows 8, I heard somebody calling it “Windows 8 Home”, which in comparison to older versions hits the spot, Microsoft offers an easily usable interface. Software is reduced to market apps (the minimal run level on a plain Windows is 0, any, and 8, Microsoft, on Windows RT), so you can’t just install your favourite app, or can you?
Just a quick update here: Ivan (who gave the magnificent Virtual Firewalls talk at Troopers recently) blogged about this and some guy added some feedback from an environment with Cisco FEX and “one of the server guys start[ing] a Citrix Netscaler” . See the second comment to his post.
This shows, once more, that the dependencies of various technologies (and what they are used for) must be well understood in cloud/virtualized environments. Complexity … but who do we tell. Y’ all know that, right?
This is a short summary of some selected talks from the second day of this year’s Hack in the Box conference in Amsterdam.
Rethinking the Front Lines by Bob Lord
Bob Lord is currently the Director of Information Security at Twitter. He has worked at numerous companies in the area of security and software engineering.
In his keynote for the second day of HITB13AMS he tackled a topic that has raised a lot of discussions in the past months. His talk was a summary of what twitter does internally to ensure the security of the company and a plea to implement so called security awareness trainings for employees in a sustainable way. (more…)
This is a short summary of some selected talks from the first day of this year’s Hack in the Box conference in Amsterdam.
Abusing Twitter’s API and OAuth Implementation by Nicolas Seriot
Nicolas Seriot (https://twitter.com/nst021) is an iOS Cocoa developer with an interest in privacy and security. He is currently a mobile applications developer and project manager in Switzerland. Nicolas focused his talk on the extraction of consumer tokens that are needed for OAuth to authenticate a consumer to a service provider. These tokens can then be used by rogue applications to gain access to a victims twitter account. (more…)
2 Comments | Posted by Enno Rey
I just had an interesting discussion with Jim Small (who gives the “IPv6 Attacks and Countermeasures” talk at the North American IPv6 Summit next week) about the feasibility of the “undetermined-transport” keyword in PACLs on Cisco 3560 switches (here running IOS 15.0(2)SE). Actually there’s some kind-of funny behavior as for it on that platform (and there’s even some Cisco documentation stating it’s not supported). Let’s have a look, and start with a quick refresher.
Rogue router advertisements pose a significant security and network stability risk in IPv6 networks. That’s why there’s a security feature implemented on certain switches which is called “RA Guard” (see also here). Unfortunately (at least Cisco’s current implementation of) RA Guard can easily be circumvented, e.g. by using the following command from the THC IPV6 attack toolkit:
fake_router26 -E D eth0
0 Comments | Posted by Sergej Schmidt
The gritsforbreakfast blog post making the rounds on the Liberation Tech mailing list about security of Apple’s iMessaging service is gaining quite some attention. The post refers to a CNET article on how the iMessage service “stymied attempts by federal drug enforcement agents to eavesdrop” conversations due its end-to-end encryption and commends Apple for protecting the user’s privacy while pointing out that Gmail and Facebook Messaging don’t. However, I disagree on some points of the blog post and therefore want to discuss them here.
Last week Rapid7 posted an interesting analysis of the Amazon S3 storage system: Apparently roughly one out of six S3 buckets (a bucket is, simply said, a kind of folder) is accessible without any authentication mechanism. Accessing those files, the Rapid7 guys were able to download a wide range of data, also comprising confidential information such as source code or employee information, comparable to past research for other platforms (see also this presentation I gave on some of the biggest Cloud #Fails)