Friday, December 20, 2013
Open Source Project Tackles Secure Password Storage
A newly launched open source project aims to help users safely store their online security credentials, particularly long, complex passwords. The project aims to combine hardware and software to solve the problems caused by users selecting insecure passwords, according to Mathieu Stephan, an electronics engineer at encryption vendor ID Quantique who will head the as-yet-unnamed project. The goal is to help users generate long, complex random passwords for the different websites they regularly access, which helps protect the user’s information from being compromised. Recent analysis of stolen passwords shows people are not good at selecting their own passwords, which makes them vulnerable to data or identity theft. The project seeks community input throughout the development of the device. As planned, the new technology will include a smart card and a device—able to store Advanced Encryption Standard (AES)-256-encrypted passwords and keys to help users secure their online credentials—that users can connect to a computer via USB. (SlashDot) (Hackaday) (IEEE Computer News Feed – December 2, 2013)
Monday, May 6, 2013
Is IPv6 Secure Enough?
by George Lawton
Proponents are pushing network operators and equipment makers to adopt IPv6.
Supporters say increased utilization will result in a better protocol that provides many more IP addresses for the huge number of Internet-connected devices than its predecessor, IPv4. The Internet Assigned Numbers Authority gave the last IPv4 addresses to regional Internet registries in 2011.
On 6 June this year, backers sponsored World IPv6 Launch day, during which participating websites enabled the protocol permanently. In addition, ISPs offered IPv6 connectivity and router manufacturers provided devices enabled for the technology by default.
Despite the ongoing campaign, numerous experts contend that IPv6 raises significant security concerns that adopters must address.
For example, they say, best security practices for IPv6 routers, firewalls, and spam filters have not been well developed and implemented.
There are also concerns that Windows machines now turn on IPv6 tunneling by default. With this approach, legacy IPv4 networks can carry IPv6 traffic by encapsulating and tunneling IPv6 packets across IPv4 networks.
However, this could create security problems for organizations that have such IPv4 networks but haven't deployed security measures to deal with malicious IPv6 packets.
Jeremy Duncan, senior director at security vendor Salient Federal Solutions, said there have already been several IPv6 denial-of-service (DoS) and spam attacks because many existing routers, firewalls, and other gateway devices can't protect against them yet.
"There is a small percentage of the attacker community that is knowledgeable about IPv6," said IPv6 security expert Scott Hogg, director of technology solutions at consultancy GTRI and chair of the Rocky Mountain IPv6 Task Force.
Some hackers, he added, don't even know about IPv6 vulnerabilities but launch general attacks that happen to exploit IPv6 networks' weaknesses.
The Internet Engineering Task Force began developing IPv6 in 1992 when the IETF saw that the increase in Internet activity would use up the limited number of IPv4 addresses. The group released IPv6 in 1996.
IPv4 uses a 32-bit address space, allowing for 2^32 — or about 4.3 billion — unique addresses.
IPv6 uses a 128-bit address space, allowing for 2^128 — or about 3.4×10^38 — addresses.
Google has collected statistics that indicate that IPv6 global aggregate usage has grown from 0.2 percent of all Internet traffic in early 2010 to 0.75 percent in mid-2012.
Newer operating systems and networking equipment support IPv6. However, many older IPv4 devices are still in use.
According to GTRI's Hogg, a key issue is the lack of time IT workers have spent learning about IPv6, even though their networks use the technology.
IPv6 has different security challenges than IPv4, he explained. "Most security practitioners have not invested the time to learn about these differences and formulate plans on how to secure IPv6," he said.
IPv6 code development for security is immature, according to Jeff Doyle, president of IP-network consultancy Jeff Doyle and Associates.
Vendors have just begun implementing and testing useful IPv6 security approaches, which are too new to have been proven safe, he explained.
One problem occurs because IPv6 networks create tunnels for sending traffic across IPv4 networks by encapsulating IPv6 data into IPv4 packets.
IPv4 equipment, including firewalls, cannot easily decode the traffic based on the newer protocol for security inspection.
Thus, hackers could send malware and spam that IPv4 security equipment couldn't detect.
Some older IPv6 implementations don't support newer security technologies, including those that provide built-in authentication and encryption.
Another problem is the IPv6-attack tools that people have created and posted online for use by unskilled hackers.
For example, said Salient Federal's Duncan, one prominent group — the Hackers Choice (THC) — has updated one of its tools to include exploits for LAN-based IPv6 equipment.
THC says it has done this to make public the vulnerabilities it finds so that people will fix them.
However, the toolkit also lets hackers fake router advertisements, which routers use to announce themselves on a link. Hackers could use fake RAs to overwhelm a router and thereby stall traffic.
IPv6 offers rich extension headers that carry information that promises more granular networking control in areas such as routing, data encryption, and authentication.
However, vendors are just learning how to securely support these extensions.
In one case, a researcher used an extra-long extension header to overwhelm a router, allowing potentially malicious packets through without authentication.
Older IPv6 equipment supported by default the protocol's Type 0 routing headers, designed to list the intermediate nodes at which packets will stop on the way to their destination. This is designed to improve network performance.
However, hackers could construct packets that use the Type 0 headers to travel between two routers multiple times, resulting in a DoS attack.
Newer IPv6 equipment has support for Type 0 routing headers turned off by default.
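As an added illustration (not part of the original article), the sketch below shows the inspection step that the tunneling and Type 0 routing header passages say older gateways lack: it recognizes IPv6 carried inside IPv4 (protocol 41), walks the inner extension-header chain, and flags a Type 0 routing header. The function names and the sample packet are constructed for this example, and only protocol-41 encapsulation is handled, not UDP-based tunnels.

```python
import struct

PROTO_6IN4 = 41  # IPv4 protocol number for encapsulated IPv6
EXT = {0: "hop-by-hop", 43: "routing", 44: "fragment", 60: "dest-opts"}

def inspect_ipv4_packet(pkt: bytes) -> dict:
    """Decapsulate 6in4 and walk the inner IPv6 extension-header chain."""
    r = {"tunneled_ipv6": False, "ext_headers": [], "ext_bytes": 0,
         "rh0": False, "upper_proto": None, "error": None}
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        r["error"] = "not IPv4"
        return r
    if pkt[9] != PROTO_6IN4:
        return r                      # ordinary IPv4, nothing tunneled
    ihl = (pkt[0] & 0x0F) * 4         # IPv4 header length in bytes
    inner = pkt[ihl:]
    if ihl < 20 or len(inner) < 40 or inner[0] >> 4 != 6:
        r["error"] = "malformed inner IPv6 header"
        return r
    r["tunneled_ipv6"] = True
    nxt, off = inner[6], 40           # Next Header field, end of fixed header
    while nxt in EXT:
        # Fragment header is always 8 bytes; the others use Hdr Ext Len
        # (8-byte units). If fewer than 8 bytes remain, assume 8 so the
        # bounds check below reports the truncation.
        short = off + 8 > len(inner)
        size = 8 if nxt == 44 or short else (inner[off + 1] + 1) * 8
        if off + size > len(inner):
            r["error"] = "truncated extension header"
            return r
        if nxt == 43 and inner[off + 2] == 0:
            r["rh0"] = True           # Routing Type 0, deprecated by RFC 5095
        r["ext_headers"].append(EXT[nxt])
        r["ext_bytes"] += size        # long chains are worth alerting on
        nxt, off = inner[off], off + size
    r["upper_proto"] = nxt
    return r

def build_sample(routing_type: int) -> bytes:
    """Constructed sample: IPv4 (proto 41) / IPv6 / Routing header / 8-byte stub."""
    rh = bytes([58, 2, routing_type, 1]) + bytes(4) + bytes(16)
    payload = rh + bytes(8)
    addr6 = bytes.fromhex("20010db8") + bytes(12)   # 2001:db8:: (documentation)
    ipv6 = struct.pack("!IHBB", 0x60000000, len(payload), 43, 64) + addr6 + addr6
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(ipv6) + len(payload),
                       0, 0, 64, PROTO_6IN4, 0,
                       bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return ipv4 + ipv6 + payload

if __name__ == "__main__":
    print(inspect_ipv4_packet(build_sample(0)))
```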
IPv6 has several security features such as IPsec, which authenticates and encrypts each IP packet used during communications.
However, Salient Federal's Duncan noted, older equipment doesn't always have IPsec turned on by default.
IEEE 802.1X provides access control via the authentication of routers trying to communicate with the network.
The IETF's IPv6 Router Advertisement Guard (RA-Guard) analyzes RAs and filters out bogus ones sent from unauthorized routers. This helps counter router spoofing.
However, Windows doesn't natively support these capabilities, so organizations must deploy RA-Guard drivers on each of their computers to protect them.
The best practices for addressing IPv6 security issues are generally the same as those used with IPv4, said GTRI's Hogg.
However, in many cases, organizations must update their networking equipment to support the latest IPv6 capabilities, said consultant Doyle.
This will entail a simple software upgrade in some cases or, for equipment using dedicated-purpose chips that can't be upgraded, a full platform change.
Moreover, Doyle said, companies must make sure their IT personnel are fully trained in IPv6 security.
Businesses could also use deep-packet inspection tools to analyze IPv6 traffic more carefully.
Some organizations are offering security bounties to help find vulnerabilities. Will Brown, associate vice president of product development for network-equipment vendor D-Link, said, "We are working directly with the security community … and have created a reward program for disclosing any issues that can be verified."
Hogg stated, "We need security vendors to address IPv6 in all aspects of their security products to provide defenders [with] protection before they deploy IPv6."
Doyle predicted IPv6 will be a major concern to IT organizations and vendors for the next couple of years, as new vulnerabilities are discovered and addressed.
But in the long run, he said, as firewalls, spam filters, and packet-inspection tools improve, securing IPv6 will become routine.
Sunday, October 14, 2012
Android-based network built to study cyber disruptions and help secure hand-held devices
Sandia cyber researchers linked together 300,000 virtual hand-held computing devices running the Android operating system so they can study large networks of smartphones and find ways to make them more reliable and secure. Android dominates the smartphone industry and runs on a range of computing gadgets.
The work is expected to result in a software tool that will allow others in the cyber research community to model similar environments and study the behaviors of smartphone networks. Ultimately, the tool will enable the computing industry to better protect hand-held devices from malicious intent.
The project builds on the success of earlier work in which Sandia focused on virtual Linux and Windows desktop systems.
"Smartphones are now ubiquitous and used as general-purpose computing devices as much as desktop or laptop computers," said Sandia's David Fritz. "But even though they are easy targets, no one appears to be studying them at the scale we're attempting."
The Android project, dubbed MegaDroid, is expected to help researchers at Sandia and elsewhere who struggle to understand large scale networks. Soon, Sandia expects to complete a sophisticated demonstration of the MegaDroid project that could be presented to potential industry or government collaborators.
The virtual Android network at Sandia, said computer scientist John Floren, is carefully insulated from other networks at the Labs and the outside world, but can be built up into a realistic computing environment. That environment might include a full domain name service (DNS), an Internet relay chat (IRC) server, a web server and multiple subnets.
A key element of the Android project, Floren said, is a "spoof" Global Positioning System (GPS). He and his colleagues created simulated GPS data of a smartphone user in an urban environment, an important experiment since smartphones and such key features as Bluetooth and Wi-Fi capabilities are highly location-dependent and thus could easily be controlled and manipulated by rogue actors.
The researchers then fed that data into the GPS input of an Android virtual machine. Software on the virtual machine treats the location data as indistinguishable from real GPS data, which offers researchers a much richer and more accurate emulation environment from which to analyze and study what hackers can do to smartphone networks, Floren said.
This latest development by Sandia cyber researchers represents a significant steppingstone for those hoping to understand and limit the damage from network disruptions due to glitches in software or protocols, natural disasters, acts of terrorism, or other causes. These disruptions can cause significant economic and other losses for individual consumers, companies and governments.
"You can't defend against something you don't understand," Floren said. The larger the scale the better, he said, since more computer nodes offer more data for researchers to observe and study.
The research builds upon the Megatux project that started in 2009, in which Sandia scientists ran a million virtual Linux machines, and on a later project that focused on the Windows operating system, called MegaWin. Sandia researchers created those virtual networks at large scale using real Linux and Windows instances in virtual machines.
The main challenge in studying Android-based machines, the researchers say, is the sheer complexity of the software. Google, which developed the Android operating system, wrote some 14 million lines of code into the software, and the system runs on top of a Linux kernel, which more than doubles the amount of code.
"It's possible for something to go wrong on the scale of a big wireless network because of a coding mistake in an operating system or an application, and it's very hard to diagnose and fix," said Fritz. "You can't possibly read through 15 million lines of code and understand every possible interaction between all these devices and the network."
Much of Sandia's work on virtual computing environments will soon be available for other cyber researchers via open source. Floren and Fritz believe Sandia should continue to work on tools that industry leaders and developers can use to better diagnose and fix problems in computer networks.
"Tools are only useful if they're used," said Fritz.
MegaDroid primarily will be useful as a tool to ferret out problems that would manifest themselves when large numbers of smartphones interact, said Keith Vanderveen, manager of Sandia's Scalable and Secure Systems Research department.
"You could also extend the technology to other platforms besides Android," said Vanderveen. "Apple's iOS, for instance, could take advantage of our body of knowledge and the toolkit we're developing." He said Sandia also plans to use MegaDroid to explore issues of data protection and data leakage, which he said concern government agencies such as the departments of Defense and Homeland Security.
Story Source:
The above story is reprinted from materials provided by Sandia National Laboratories.