Default security functions on an IPv6 CPE

[Ted Mittelstaedt]

On 5/12/2011 2:33 AM, Mark Smith wrote:
> On Thu, 12 May 2011 00:49:49 -0700
> Ted Mittelstaedt<tedm at ipinc.net>  wrote:
>
>> On 5/11/2011 2:29 PM, Jon Bane wrote:
>>>> - Hosts that have IPv6 enabled having also their internal firewalls
>>>> enabled, the practical danger of CPE transparency to IPv6 is
>>>> inexistent in unmanaged residential sites.
>>>
>>> I really do not understand this conclusion.  Vista/Win7 do have
>>> firewalls enabled by default, but the first time the machine detects
>>> it is connected to a new network it asks what kind of network you
>>> are on.  The options being Public, Home or Work.  If the user choses
>>> "Home" the firewall is effectively disabled as all of the SMB/NBT
>>> ports are opened up, as well as several ports for media sharing.
>>
>> Man there's an amazing amount of theory and so little practical
>> experience here with attacks it makes me shake my head.
>>
>> Direct IP attacks on hosts have been replaced by phishing attacks for
>> the simple reason that for the last decade ever since Broadband has
>> come into play, NAT's have blocked e2e connectivity.  However it didn't
>> happen overnight.  For many years early in the 2000 decade we had
>> many customers on Windows still get broken into directly, even XP users,
>> because the XP operating system itself would be compromised.
>>
>> An unpatched XP system WITH IT'S FIREWALL ON can be direct attacked
>> and pwned in minutes.  None of the XP SP's forced
>> automatic updates, all allow the user to disable updates during
>> the conclusion of the application of the SP.  In many corporations
>> it was standard to do this because they had apps that would break
>> when newer SP's and patches were released.
>>
>> And we are seeing the exact same thing with Windows 7.  Just last week
>> Acros Security boasted they would be displaying multiple pwning
>> cracks at Hack in The Box in Amsterdam.  All of these were reported
>> a year ago and Microsoft has only got around to patching a handful
>> of them.  They all require phishing but that is only because the
>> phishing attacks are the only attacks the cracker community is
>> working on - because NAT killed e2e.  The cracker community is
>> like any other business, they invest time and money in developing
>> cracks, they need to get paid back, and the criminals that develop
>> the cracks work on vectors that are easiest to crack, and phishing
>> is easier than direct attacks because of lack of e2e.
>>
>> The issue here is can Windows 7 or other "modern" OS be pwned by a
>> direct attack with it's firewall on - the answer is, absolutely yes.
>> Any flaw discovered in the underlying OS that the firewall is running
>> on and your in.  Geeze people, the OS processes the packet before
>> handing it to the firewall running on the OS, so a flaw there and the
>> attacker is in before the firewall ever sees the packet.
>>
>> And once a flaw is discovered, only half of the Win hosts out there will
>> immediately update via automatic updates because the rest of them either
>> are set to download updates and store until user approval to apply, or
>> they are corporate, part of a directory, and updates have been
>> disabled because the corporation has a procedure for internally testing
>> ALL security patches before deployment for compatibility with existing
>> apps.
>>
>> And once malware gets into a corporate directory your through.  In an
>> AD all Windows hosts that are members are controlled by the root and
>> if you manage to root that server then you can instruct all of the
>> member hosts to shut off their firewalls, or you can replicate copies
>> of your virus to all of them.
>>
>> And why is all of this possible?
>>
>> It is possible because you must have critical mass of a homogeneous
>> group of hosts for any computer virus to work, or for a crack to
>> make economically worth developing, and Windows systems have that
>> critical mass.  No other system does.  MacOS certainly is
>> homogeneous but there's not enough out there.  And Linux is
>> heterogeneous because of all the different distros.  Even Android
>> is starting to bifurcate.
>>
>> And why is a $50 firewall more secure than a $500 Windows 7 system?
>> It is simple - because it's simpler!
>>
>
> You haven't really lifted the hood/bonnet on one by the looks of it.
> They're general purpose computers too, most commonly running general
> purpose OSes. They're exploitable too.
>
> http://en.wikipedia.org/wiki/Psyb0t
>

Uh, yeah.  The news articles loved this but after investigation it
was shown that Netcomm had shipped their devices with remote telnet
access turned on and the default password of "admin".  Yep, remote
access from the WAN side.  Netcomm hushed it up and rushed out
firmware updates.  You can read about it here:

http://users.adam.com.au/bogaurd/PSYB0T.pdf

This did not mean the OS was exploitable or exploited.  The 
configuration was exploitable.  And stupid.

> http://xforce.iss.net/xforce/xfdb/36044
>

This one is more your typical exploit.  Although the interface to
the OS rather than the OS, was what was exploited.  It isn't surprising
it's 2wire since for some reason that company does not ever release
firmware updates, at least not for their DSL modems.  At least, not for
any of the 5-6 models I've dealt with.

The one thing that is interesting on this one though is that
it isn't actually running code on the router.  The main fear
seems to be the ability to send a bogus DNS server IP to hosts
behind the router.  Probably a great example of why not to put
your DHCP server on the modem.

I said more secure, not completely secure. ;-)

> Less than three weeks ago I was making half serious jokes about building
> a Stone SouperComputer out of a bunch of ADSL modems with dead ADSL
> ports.
>

I have lifted the hood and in fact have flashed dozens of dd-wrt
versions on linksys/netgear/motorola/belkin/dlink devices.  The
Broadcom-based ones I prefer, crappier chip than the atheros but
seem to sync with many more other radios.

And yes I was duly impressed with Psyb0t when it came out, although
dd-wrt folks disassembled it hours after it was announced and found
most of it was news hype.

But the big problem from a virus POV with the things is you have a
lot of different router models but even the largest market share
doesn't hold a candle to the number of Windows systems out there.
You need critical mass for it to work.  You can exploit these just
like you can exploit a MacOS X box but it's more a laboratory
curiosity thing than really usable in the wild.

Ted

>> A simpler firewall has less code in it, and with less code there is
>> less chance of a mistake being overlooked.  That is Software Development
>> 101, folks.
>>
>> Good security today is layers.  You protect against direct attacks
>> by you harden the host with a host-based
>> firewall and you firewall the border router too.  If the cracker
>> can get past the border router then he still has to figure out how
>> to get the host broken, and sometimes what he did on the border to
>> get past it precludes getting past the host firewall.  Then you
>> protect against the phishing by a combination of user training,
>> and anti-malware software on the host that is customized for the
>> host, as well as modifying application programs like the web browser
>> and the e-mail client.  And for extreme cases like hosts that
>> are setup for use by the general public, you either use host OS that
>> don't meet critical mass (like Macs) or you use unprivileged
>> user accounts that are wiped out at the end of the day, every day.
>>
>> Ted