Internet Protocol version 6 (IPv6) and its Security

Internet Protocol version 6 (IPv6) is not new. Its history goes back to 1992 when several proposals for expanding the address scheme of the Internet were discussed (then know by the name of IP Next Generation or IPng). A lot has happened since RFC 1883 has been published in 1996. Due to the deployment of IPv6 we see now implications for information security. Several vulnerabilities in the protocol suite have already been discussed. DeepSec 2014 features a whole training session and three presentations about the future protocol of the Internet.

First Johanna Ullrich talked about a publication called IPv6 Security: Attacks and Countermeasures in a Nutshell. The paper gives you a very good view on the state of affairs regarding security and privacy weaknesses. It is strongly recommended for anyone dealing with the deployment of IPv6-enabled applications and systems.

When it comes to attacks, you probably want to do intrusion detection as well. Once you use new protocols in production environments, you have to make sure that your security infrastructure can cope with them. Martin Schütte introduced his IPv6 plugin for the Snort intrusion detection engine. The plugin contains a preprocessor for neighbour discovery messages and several rule options to evaluate IPv6 specific protocol fields. The code has its own project web site where you can find more information and links to the code itself.

Lastly a team from ERNW consisting of Enno Rey, Antonios Atlasis & Jayson Salazar presented weaknesses in the Multicast Listener Discovery (MLD) and its successor MLDv2. It is used to discover locally connected multicast listeners, similar to IGMP for IPv4. Their work features an overview of the subprotocol, OS fingerprinting on the local-link by sniffing the wire passively, amplification of DoS attacks, potential security issues related with the design of MLD and how they can be exploited by attackers. Since all operating system come with a variety of IPv6 components enabled, make sure what you already have to deal with.

We recommend these talks to anyone connected to the Internet.

Encrypted Messaging, Secure by Design – RedPhone and TextSecure for iOS

Encrypted communication is periodically in the news. A few weeks ago politicians asked companies and individuals all over the world to break the design of all secure communication. Demanding less security in an age where digital threats are increasing is a tremendously bad idea. Cryptographic algorithms are a basic component of information security. Encryption is used to protect data while being transported or stored on devices. Strong authentication is a part of this as well. If you don’t know who or what talks to you, then you are easy prey for frauds.

Should you be interested in ways to improve the security of your messaging and phone calls, we recommend watching the presentation of Dr. Christine Corbett Moran. She is the lead developer of the iOS team at Open WhisperSystems. She talks about bringing the TextSecure and RedPhone applications to the iOS platform. RedPhone can be used for encrypted voice calls. It uses ZRTP for the voice channel, and it displays a shared phrase to identify the integrity of the connection (communication partners can read the phrase to avoid falling victim to manipulation). Calls can be made between two RedPhone applications or to the Signal application on iOS. TextSecure can be used to send and receive SMS, MMS, and instant messages. It uses Curve25519, AES-256, and HMAC-SHA256 as primitives, and it has been audited by a researcher team from the Ruhr University Bochum.

The presentation held at DeepSec 2014 will tell you how these applications work, and what the current state of porting the code to iOS looks like (both apps are readily available for the Android platform for years now). In addition you get an inside view on the challenges and rewards of managing an active repository for open source iOS development. We strongly recommend watching the recording. You probably rely on secure communication more than you can imagine.

Encryption – A brand new „Feature“ for Cars

At DeepSec 2011 Constantinos Patsakis and Kleanthis Dellios held a presentation titled “Patching Vehicle Insecurities”. They pointed out that the car is starting to resemble more to a computer with mechanical peripherals (incase you haven’t seen their talk,  please do!). This is true for all types, not only the modern cars powered by electricity alone. But there is more. Modern cars are connected to networks (i.e. the Internet or the mobile phone network). This means that your method of transportation is part of the dreaded Internet of Things. Given the design flaws we have seen in talks given at DeepSec, there is no surprise that this is a  breeding ground for major trouble. The Allgemeiner Deutscher Automobil-Club (ADAC), a German motoring association, discovered a lapse in the communication between BMW cars and the servers being responsible for crucial commands such as unlocking the car.

The ADAC team was able to reverse engineer the protocol being used and to manipulate commands. Why? Because the communication did not feature any kind of encryption or authentication. This means that your Connected Car of the future uses the protocol standards of the 1990s Internet. Apparently BMW fixed the security issue by adding HTTPS. The implications are bigger than you might expect. In the case of stolen cars insurance companies might also be interested in what exactly happened to the car and which security vulnerabilities were involved.

Security should be part of the design right from the start. This is especially true for “simple” features like encryption and authentication. If the brakes, the passenger protection, and other aspects are taken seriously, then this must also be true for the communication protocols. There can be no exception.

Reminder for the DeepINTEL Call for Papers

At the opening of DeepSec 2014 we announced the next DeepINTEL to be in Spring 2015. We have now finalised the date. DeepINTEL 2015 will take place on 11 / 12 May 2015, and it will be held in Vienna. The call for papers, already announced at the opening of last year’s DeepSec, is still open. We are looking for your submissions.

Since we want to address security intelligence, we like to know everything about threats, risk assessment, metrics that give you an idea what you really see, forensics, and improvements on the way to detect and defend. We are definitely not interested in presentations about the cyber hype. We want to hear about real sabotage, real compromised systems; you know, reality and all that.

Please make sure to send your ideas to cfp at deepsec dot net, or you can use deepsec at deepsec dot net (encrypted emails preferred, please use our key 0xE1170EDE22860969).

DeepSec 2015 is coming – save the Date!

We are back from our break. We have been busy behind the scenes. The video recordings of DeepSec 2014 have been fully post-processed. The video files are currently on their way to our Vimeo account. The same goes for the many photographs that were taken by our photographer at the conference. We are preparing a selection to publish some impressions from the event.

The dates for DeepSec 2015 and DeepINTEL 2015 have been finalised. DeepSec will be on 17 to 20 November 2015. DeepINTEL will be on 11 and 12 May 2015. The Call for Papers for DeepSec will be open soon. You can send your submissions for DeepINTEL by email to us (use either cfp at deepsec dot net or deepsec at deepsec dot net, the latter has a public key for encrypted communication). There has been a lot broken since November 2014, we love to hear about it.

For everyone interested in attending DeepINTEL, please get in contact with us.

DeepSec 2014 Video – “The Measured CSO”

The first recording of DeepSec 2014 has finished post-processing. Just in time for the holidays we have the keynote presentation by Alex Hutton ready for you. Despite its title “The Measured CSO” the content is of interest for anyone dealing with information security. Alex raises questions and gives you lots of answers to think about. Don’t stay in the same place. Keep moving. Keep thinking.

Post-DeepSec 2014 – Slides, Pictures, and Videos

We would like to thank everyone who attended DeepSec 2014! Thanks go to all our trainers and speakers who contributed with their work to the conference!

We hope you enjoyed DeepSec 2014, and we certainly like to welcome you again for DeepSec 2015!

You will find the slides of the presentations on our web site. Some slides are being reviewed and corrected. We will update the collection as soon as we get new documents. The video recordings are in post-processing and will be available via our Vimeo channel. We will start publishing the content soon.

The pictures our photographer took during the conference are being post-processed too. We will publish a selection on our Flickr site.

Posted in Conference by . 6 Comments

DeepSec 2014 Opening – Would you like to know more?

DeepSec 2014 is open. Right now we start the two tracks with all the presentations found in our schedule. It was hard to find a selection, because we received a lot of submissions with top quality content. We hope that the talks you attend give you some new perspectives, fresh information, and new ideas how to protect your data better.

Every DeepSec has its own motto. For 2014 we settled for a quote from the science-fiction film Starship Troopers. The question Would you like to know more? is found in the news sections portrayed in the film. It captures the need to know about vulnerabilities and how to mitigate their impact on your data and infrastructure. Of course, we want to know more! This is why we gather at conferences and talk to each other. We are especially proud to welcome friends and projects that attended DeepSec in the past and return with the results of lively discussions.

Of course, we could also have selected the only good bug is a dead bug for this year’s conference, but we believe this motto should be every day’s motto.

Enjoy DeepSec 2014!

BIOS-based Hypervisor Threats

The DeepSec 2014 schedule features a presentation about (hidden) hypervisors in server BIOS environments. The research is based on a Russian analysis of a Malicious BIOS Loaded Hypervisor (conducted between 2007 and 2010) and studies published by the University of Michigan in 2005/2006 as well as 2012/2013. The latter publications discuss the capabilities of a Virtual-Machine Based Rootkits and Intelligent Platform Management Interface (IPMI) / Baseboard Management Controller (BMC) vulnerabilities. Out-of-band management is sensitive to attacks when not properly protected. In the case of IPMI and BMC the management components also play a role on the system itself since they can access the server hardware, being capable to control system resources.

Combining out-of-band components with a hypervisor offers ways to watch any operating system running on the server hardware. Or worse. It’s definitely something you can do without. The researcher investigated the published information and found indications of increased execution times of code running on different hardware. The talk will explain the set-up, the hardware being used, and will introduce a test framework enabling researcher to test (server) hardware for anomalies.

The complete research will be published after the talk in a comprehensive article describing the work. We highly recommend attending the presentation.

DeepSec 2014 Talk: Why IT Security Is ████ed Up And What We Can Do About It

Given the many colourful vulnerabilities published (with or without logo) and attacks seen in the past 12 months, one wonders if IT Security works at all. Of course, 100% of all statistics are fake, and only looking at the things that went wrong gives a biased impression. So what’s ████ed up with IT Security? Are we on course? Can we improve? Is it still possible to defend the IT infrastructure?

Stefan Schumacher, director of the Magdeburger Institut für Sicherheitsforschung (MIS), will tell you what is wrong with information security and what you (or we) can do about it. He writes about his presentation in his own words:

Science is awesome. You aren’t doing science in infosec. Why not? Seems to be the overriding message of @0xKaishakunin #AusCERT2014

This was one tweet about my talk of security in a post-NSA age at the AusCert conference in Australia this year. It pretty much sums up my opinion about what is currently going on in the IT Security circus.

Why IT security is ████ed up certainly is a strong stance against what is going on at IT security in general and conferences like DeepSec in particular. However, for the last three to four decades modern IT security exists, we have come a long way in securing our machines, processes and networks. However, certain fields of IT security are thoroughly ignored in research and practical application.

This has to do with computer science being the primary science behind IT security. Computer science is the child of mathematics as a formal science and engineering sciences. This limits the scientific methods to those used in that fields.

Unfortunately, IT security is more than just mathemathics and engineering. Neither social engineering nor human behaviour can be explained with CS methods. Nor can it be combated with it. The same goes for political/policy problems, like intelligence services attacking our human rights in the digital space of living. This is a political problem and we need a political solution for it. So political science also plays a role in IT Security.

When we keep this in mind, we see that current IT security lacks further development in certain fields. So I propose to emancipate IT security research from Computer Science and turn it into a new field of science. We can use the methods and tools of CS, Maths and engineering, but also need the methods, tools and philosophies (!) of humanities and social sciences like psychology and pedagogy.

So lets go and create a new Science. It will be fun and games until theories of science clash. 😉

New Article for the DeepSec Proceedings Publication

In cooperation with the Magdeburger Institut für Sicherheitsforschung (MIS) we publish selected articles covering topics of past DeepSec conferences. The publication offers an in-depth description which extend the conference presentation and includes a follow-up with updated information. Latest addition is Marco Lancini’s article titled Social Authentication: Vulnerabilities, Mitigations, and Redesign.

High-value services have introduced two-factor authentication to prevent adversaries from compromising accounts using stolen credentials. Facebook has recently released a two-factor authentication mechanism, referred to as Social Authentication (SA). We designed and implemented an automated system able to break the SA, to demonstrate the feasibility of carrying out large-scale attacks against social authentication with minimal effort on behalf of an attacker. We then revisited the SA concept and propose reSA, a two-factor authentication scheme that can be easily solved by humans but is robust against face-recognition software.

The MIS web site has a collection of all published articles. The full articles will be found in the special edition „In Depth Security – Proceedings of the DeepSec Conferences“.

DeepSec 2014 Talk: The IPv6 Snort Plugin

The deployment of the new Internet Protocol Version 6 (IPv6) is gathering momentum. A lot of applications now have IPv6 capabilities. This includes security software. Routers and firewall systems were first, now there are also plugins and filters available for intrusion detection software such as Snort. Martin Schütte will present the IPv6 Snort Plugin at DeepSec 2014. We have asked him to give us an overview of what to expect.

  • Please tell us the top 5 facts about your talk!
    • Main research for my talk was done in 2011. I am quite surprised (and a little bit frightened) by how little the field of IPv6 security has developed since then.
    • It is often easier to build attack tools than to defend against them. But to improve IPv6 network security we urgently need more detection and defence tools.
    • The Snort IPv6 plugin is my approach to strengthen network security. It uses just a few building blocks to add new detection techniques to an old and established framework.
    • The software project is a product of my diploma thesis, unfortunately I had to abandon it afterwards. So if anyone is interested in it and could help with further development they are more than welcome.
    • It used to be difficult to compile the software but now I took the time to build a Debian package. I will publish that at DeepSec.
  • How did you come up with it? Was there something like an initial spark that set your mind on it?
    We started with the question ‘Why is IPv6 adoption’ so slow?’ One hypothesis was that there was a lack of sufficiently advanced network and security monitoring tools. Nobody wants to operate a network without any estimation on its activity and security implications. So I selected an IDS as a good way to approach these security issues. An IDS cannot solve all problems, but in many cases just making the issues and activity visible is already a big step ahead.
  • Why do you think this is an important topic?
    IPv6 is inevitable and we have to deal with it. As a protocol stack it has lots of problems of its own, and the whole v4 to v6 transition adds a second layer of problems on top of that. – But in the medium-term (say for the next decade) it is the only viable solution to the current IP address shortage.
  • Is there something you want everybody to know – some good advice for our readers maybe? Except for “come to my talk” ?
    Advice to anyone in network security: Ask your vendors about IPv6 operations and security functions! Too many people (even equipment providers) still hope IPv6 will not affect them and they end up with dysfunctional and insecure products.
  • A prediction for the future – what’s next? What do you think will be the next innovations or future downfalls – for IT-Security in general and / or particularly in your field of expertise?
    For IPv6 security: there are some more protocol layers to analyze, especially multicast comes to mind. Another very interesting and highly relevant topic are security issues caused by IPv4/IPv6 interaction and routing. So far we know of routing loop attacks against ISATAP, 6to4, and Teredo (documented in RFC 6324); in the future I would expect more of these directed against common IPv6/IPv4 tunnelling and transition configurations.

Martin’s presentation is one of the IPv6 talks we offer at DeepSec 2014. We recommend all IPv6 talks and the IPv6 workshop for anyone dealing with networks, either passively or actively.

DeepSec 2014 Talk: Build Yourself a Risk Assessment Tool

„The only advice I might give to everyone who is responsible for information security is that it is never about a tool or a methodology“, says Vlado Luknar. The never-ending quest for the “best” tool or methodology is a futile exercise. In the end it is you, the security specialist, who adds the most value to a risk assessment (RA) / threat modelling process for your company, claims Vlado Luknar (Orange Slovensko a.s. / France Telecom Orange Group).  In his talk at DeepSec Mr. Luknar will demonstrate that it is quite easy to capture your overall security knowledge in a home-made, free-of-charge tool.  But first, let’s ask Mr. Luknar a couple of questions:

1) Mr. Luknar, please tell us the top 5 facts about your talk!

  1. There is no problem with understanding existing RA methodologies, yet it is really not that easy to start with any of them.
  2. There is no single best approach to RA for everyone.
  3. For a RA to be practical we need to simplify things as much as we can.
  4. The presentation is for those practitioners who are subject of hefty compliance requirements which all demand a formal risk assessment.
  5. Exaggerating a little we could say the best about RA is not the result but the journey itself.


2) How did you come up with it? Was there something like an initial spark that set your mind on the topic of your talk?

One of key disappointments for me, as a (naive) practitioner, was the fact that no methodology would discover for me something I didn’t have a chance to know about before we started the RA journey. And I don’t mean a forgotten piece of sensitive data, or a server which we discovered when trying to solve the R(asset) = T x V x I formula.

I mean, the real discovery: after you went through all the exercises, responded to all questions, calculated everything that could be calculated, and after you finally pushed that red button labelled START on your mysterious RA machine… The machine then makes few cranky sounds, coughs a couple of times and then finally spits out the ominous verdict:


This is it? Well, yes. Nothing more nothing less.

Then I realized that performing a risk assessment is about the best collective judgment you can make from facts you are able to collect. Only very later on I discovered a very similar statement in the NIST SP 800-39 Managing Information Security Risk.


3) Why do you think this is an important topic?

Despite all that scholars know about risk it remains a vague and somewhat confusing concept. Everybody talks about it, asks for it, but only few know how to go about it, in particular those who really depend on it every day. And then there are those who don’t know that they should depend on it and that it should be an organic part of any security management and not a lifeless requirement from a standard. Done properly it can save you a lot of trouble, done formally you just cheat on yourself.


4) Is there something you want everybody to know – some good advice for our readers maybe? Except for “come to my talk” 😉

The only advice I might give to everyone who is responsible for information security is that it is never about a tool or a methodology.

It is you, the well informed internal expert and the team around you, who add the real value to the process, method or the tool. The tool or the methodology is just a  facilitator, although an important one.


5) A prediction for the future – what’s next? What do you think will be the next innovations or future downfalls  – for IT-Security in general and / or particularly in your field of expertise?

Some industries have already experienced it, not always handling it properly – that is, the growing pressure of regulation, and the open, public comparison of products based on security. One of the major “conflicts of interests” is that of technological advances versus privacy issues. To me the security is only another attribute of quality (in cases where the product does not directly depend on it) and due to many, mostly economic reasons, it does not yet make it there. The conflict of privacy vs. technology should inevitably make security a native part of any functional and design specifications during standard SDLC. It is not happening yet, especially with traditional business moving to web: just look at companies who provide GPS monitoring or smart home management – how many of them use even SSL and something more than a password on a web page. But it will change very soon.


DeepSec 2014 Talk: Cloud-based Data Validation Patterns… We need a new Approach!

Data validation threats (e.g. sensitive data, injection attacks) account for the vast majority of security issues in any system, including cloud-based systems. Current methodology in nearly every organisation is to create data validation gates. But when an organisation implements a cloud-based strategy, these security-quality gates may inadvertently become bypassed or suppressed. Everyone relying on these filters should know how they can fail and what it means to your flow of data.

Geoffrey Hill has been in the IT industry since 1990, when he developed and sold a C++ application to measure risk in the commodities markets in New York City. He was recently employed by Cigital Inc., a company that specializes in incorporating secure engineering development frameworks into the software development life-cycles of client organizations.  He was leading the software security initiative at a major phone manufacturer and a major central European bank over the course of the last three years.

Currently Geoffrey’s starting up his own security consulting company called Artis-Secure. It is focused on making security development frameworks better integrated with business processes.
As for hobbies apart information security: he’s currently planning a massive fancy-dress gathering next year in an Irish castle. Social engineers, beware! And between all of this he was so kind to answer some questions about the talk his going to give at our upcoming conference…

1. Please tell us  the top 5 facts about your talk.

a.       The contents will be very useful for enterprise and cloud projects.

b.      I will show how the data validation problem is getting increasingly complex.

c.       My proposed design uses current technologies.

d.      I will describe a validation methodology that is language and process-agnostic.

e.      My talk outlines a lightweight and simple solution.


2. How did you come up with it? was there something like an initial spark that set your mind on it?
I have been frustrated by the lack of coherent and concrete validation patterns in my previous projects. I needed to think of a simple way to sanitize and constrain unknown inputs, given the complexities of multiple languages, exceptions and character sets.  My talk came out of this.


3. Why do you think this is an important topic?
Data validation threats (e.g. sensitive data, injection attacks) account for the vast majority of security issues in any system, including cloud-based systems. However, the current approach for validation patterns needs to be revisited and simplified or there will be no adoption in the developer community.


4. Is there something you want everybody to know – some good advice for our readers maybe? except for “come to my talk”. 😉
Good security patterns are very useful in a fast moving development environment because they can be easily deployed with minimal disruption. My talk is aimed at fellow security professionals who can use this information.


5. A prediction for the future –  what do you think will be the next innovations or future downfalls when it comes to cloud based strategies particularly your field of expertise. Is the cloud here to stay? what’s next?
“Each time history repeats itself, the price goes up”. The ‘Internet of Things’ (IoT) will be driven by new devices and cloud-based operations, making for incredibly complex meta-systems. This complexity will bring with it new security challenges. I believe that many costly mistakes could be made with this next advance in IT. The key to properly addressing these challenges with fewer mistakes is to implement simple models that are based on well-known security patterns. I see the next innovative wave of security as creating and providing standard libraries of these design patterns.



DeepSec 2014 Talk: Safer Six – IPv6 Security in a Nutshell

The Internet Protocol Version 6 (IPv6) is the successor to the currently main IP Version 4 (IPv4). IPv6 was designed to address the need for more addresses and for a better routing of packets in a world filled with billions of networks and addresses alike. Once you decide to develop a new protocol, you have the chance to avoid all the mistakes of the past. You can even design security features from the start. That’s the theory. In practice IPv6 has had its fair share of security problems. There has been a lot of research, several vulnerabilities have been discussed at various security conferences. DeepSec 2014 features a presentation called Safer Six – IPv6 Security in a Nutshell held by Johanna Ullrich of SBA Research, a research centre for information security based in Vienna. She answers questions about the content of the talk and the ongoing research in IPv6 security.

  • Please tell us the top 5 facts about your talk!
    IPv6 is the successor of nowadays IPv4 protocol and overcomes address depletion due to offering 2^128 distinct addresses. However, the protocol lacks security and privacy and vulnerabilities are found in the novel extension headers, neighbour and multicast listener discovery or tunnelling. Analysing them, I infer three major challenges with respect to IPv6: First, all of today’s address formats have at least one serious shortcoming and effort is required for the development of a secure while maintainable addressing system. Second, security on the local network practically does not go beyond IPv4’s although a number of approaches have been presented. Last but not least, reconnaissance is still an advantageous aspect in networking and appropriate techniques have to be developed.
  • How did you come up with it? Was there something like an initial spark that set your mind on IPv6?
    Writing my master thesis on the compression of secure communication in powerline systems, I encountered IPv6 for the first time. Starting at SBA Research afterwards, I was able to devote my first six months to intensive IPv6 studies including standards, scientific publications and community boards. I realized that an in-depth knowledge of the protocol requires a lot of time and people could benefit by providing this knowledge in a nutshell.
  • Why do you think this is an important topic?
    IP is THE Internet Protocol and the Internet a vital part of almost everybody’s life. So, I doubt that anybody will be able to go round IP’s new version 6. Is this single reason enough to convince you?
  • Is there something you want everybody to know – some good advice for our readers maybe? Except for “come to my talk”. :)
    Don’t condemn IPv6, but neither praise it to the skies. It is just another protocol having its advantages and disadvantages.
  • A prediction for the future – what’s next? What do you think will be the next innovations or future downfalls – for IT-Security in general and / or particularly in your field of expertise?
    I am worried of today’s “Yes-we-can”-mentality of bringing everything online — your coffee machine, your car or automation systems or the smart grid. These systems have been developed being stand-alone, connecting them to the Internet in some way does violate their primary specification and may induce serious security risks. Even worse, are the threats induced by a vulnerability: While in traditional IT this might result in non-availability and economic loss, this may expand to life-threatening situations, e.g., in an automation system or your car.

Despite the fact that most of the Internet still uses IPv4, don’t forget that IPv6 is widely available by packet tunnels. Modern operating systems have built-in IPv6 connectivity by these tunnels, so the problems discussed in this presentation are not something you have to deal with in the far away future. Therefore we recommend Johanna’s talk for everyone using the Internet.

In addition we wish to point out that DeepSec 2014 also features an in-depth IPv6 security workshop titled IPv6 Attacks and Defenses – A Hands-on Workshop held by Enno Rey of ERNW GmbH.