Remember how, a decade ago, we told you that the Internet was running out of IPv4 addresses? Well, it took a while, but that day is here now: Asia, Europe, and Latin America have been parceling out scraps for a year or more, and now the ARIN wait list is here for the US, Canada, and numerous North Atlantic and Caribbean islands. Only organizations in Africa can still get IPv4 addresses as needed. The good news is that IPv6 seems to be picking up the slack.
ARIN, the American Registry for Internet Numbers, has now activated its “IPv4 Unmet Requests Policy.” Until now, organizations in the ARIN region were able to get IPv4 addresses as needed, but yesterday, ARIN was no longer in the position to fulfill qualifying requests. As a result, ISPs that come to ARIN for IPv4 address space have three choices: they can take a smaller block (ARIN currently still has a limited supply of blocks of 512 and 256 addresses), they can go on the wait list in the hopes that a block of the desired size will become available at some point in the future, or they can buy addresses from an organization that has more than it needs.
“If you take a smaller block, you can’t come back for more address space for 90 days,” John Curran, CEO of ARIN, told Ars. “We currently have nearly 500 small blocks remaining, but we handle 300 to 400 requests per month, [so] those remaining small blocks are going to last between two and four weeks.”
Doesn’t this allow for strategic behavior, where each ISP tries to request a block slightly smaller than the requests already on the wait list? “The wait list is a last resort as very little address space is returned to ARIN,” Curran said. “Trying to figure out how to game the wait list is not strategic. Trying to figure out how to use IPv6 for new customers is strategic.”
“ISPs will have to get used to the transfer market. If you need IPv4 addresses, go there,” Curran continued. “But I’m not sure how long a market is going to be around. Seven billion people with smartphones and home connections, a connection at work, then add Google, YouTube, Facebook, Bing… Four billion addresses, even with a perfectly working market, isn’t going to work in the future.”
IPv4 address markets
We spoke to Janine Goodman, vice president of Avenue4, a broker of IPv4 addresses, about what to expect in the short term.
“IPv6 is going to happen, that’s the direction it’s going,” she said. “But it’s going to take a while. Organizations are not ready to turn to IPv6 tomorrow; this will take a few years. A transfer market allows for the transition from IPv4 to IPv6 in a responsible way, not a panicked way.”
“The price for blocks of IPv4 addresses of 65,536 addresses (a /16) or smaller is about $7 to $8 per address in the ARIN region. In other regions, which have fewer addresses out there, the price tends to be a little higher,” Goodman said. “We expect the IPv4 market to be around for at least three to five years. During that time, the price per address will likely go up and then finally come back down as IPv6 is being widely deployed.”
Goodman stressed that buyers of addresses should make sure they are “clean” and have a known history. There have been reports of address sales where the addresses turned out to be in ongoing use after completion of the transaction.
ARIN CEO Curran also suggested that buyers do their due diligence. “With a car, the car and the registration are two different things. Not so with IP addresses: the registration in the whois database is the only thing,” he said. However, ARIN will only modify its whois records if the buyer of the addresses has a documented need for the amount of address space in question. As such, prospective buyers can pre-qualify with ARIN and then go out and buy the address space that covers their documented needs for the next two years, or they can find a seller of address space first and then come to ARIN to make sure they qualify.
Bring on the IPv6!
The Internet Engineering Task Force (IETF) saw the eventual depletion of IP addresses looming in the early 1990s, so they set out to solve the problem and came up with a new version of the Internet Protocol. The old IP has version number 4; the new version is 6. IPv6 increases the length of IP addresses to no fewer than 128 bits—sort of like increasing phone numbers from 10 to 40 digits. As a result, the number of available IPv6 addresses is, for all practical purposes, unlimited.
The trouble is that, of course, old systems can only handle IPv4 with its 32-bit addresses. That problem has pretty much been solved in the intervening decade, and today virtually all operating systems can handle 128-bit IPv6 addresses—although some applications can’t or don’t handle them properly.
The main issue remaining is that most networks simply haven’t enabled IPv6 yet. Although turning on IPv6 is not as hard as some people think, it’s not entirely trivial either in larger networks. Internet Service Providers, routers, firewalls, load balancers, and DNS servers must all be IPv6-ready and be reconfigured. And then there are all those little (and not so little) homegrown applications that keep businesses running. In almost all cases, a new IPv6 numbering plan is required, and DHCP works differently with IPv6 than with IPv4.
So for a long time, the number of Internet users who had IPv6 connectivity in addition to IPv4 connectivity, as well as the fraction of total Internet traffic that is IPv6, were rounding errors. Google’s statistics showed that only a few tenths of a percent of its users from 2009 to 2011 had IPv6 connectivity; that number reached one percent only at the end of 2012. A year ago, it hit 3.5 percent. Today, it stands between 6.5 (weekdays) and 7.5 percent (weekends).
Things get more interesting as we look at Google’s stats for individual countries. In early 2013, the US and Belgium weren’t notable players in the IPv6 adoption game, at 2.17 and 0.04 percent, respectively. Today, Belgium is the world leader at nearly 35 percent, and the US is third just behind Switzerland (both have about 21 percent adoption). According to Akamai’s numbers, seven countries now have IPv6 adoption rates above ten percent: Belgium, Switzerland, the US, Peru, Germany, Luxembourg, and Portugal—Greece will be the eighth very soon. Sixteen countries have more than five percent IPv6 deployment, and 32 countries have at least one percent.
Remarkably, neighboring countries may differ by an order of magnitude. The US is at nearly 21 percent, but Canada has only 0.5 percent IPv6 users. Belgium has nearly 35 percent, but the Netherlands has just three percent. Ireland is at 2.4 percent; the UK is at 0.2 percent.
Don’t be too alarmed by the colors of Google’s IPv6 deployment map. White means no IPv6, while darker shades of green mean more IPv6. Red is bad, as it not only indicates very little IPv6 but also that IPv6 is slower than IPv4. Orange means that there is significant IPv6 deployment, but IPv6 connectivity is slower than IPv4 connectivity. However, IPv6 packets often take just two hundredths of a second longer than IPv4 packets, which isn’t ideal but not as alarming as the orange coloring suggests.
However, there are also places, such as Belgium or Russia, where on average IPv6 is actually faster than IPv4. One explanation for this could be that “good” ISPs also tend to be the ones that have IPv6 deployed. Routing paths over worse-performing ISPs that are available to IPv4 packets aren’t available to IPv6 packets, so those have no other choice than to flow through better performing ISPs. But in places where IPv6 deployment is lacking, there’s always the risk that the ISP providing the shortest path doesn’t run IPv6, so IPv6 packets need to follow a longer path, slowing down communication.
So it looks like a future where the Internet remains largely IPv4-only, with more and more invasive translation devices that let more and more users share a single IPv4 address, is not the most likely outcome. We now know that getting a tenth of a country’s Internet users on IPv6 within a year is doable. And as someone smart recently said about ISPs adopting IPv6, referring to Metcalfe’s Law, “If everyone is doing it, you have to do it, too.”
Credit: Iljitsch van Beijnum
National Security Agency (NSA) actually has a real program named Skynet
Skynet was the evil military computer system that launches war on the human race in the Terminator movie franchise. It has now emerged that the NSA has a program with the same name.
According to reports by The Intercept, the NSA does have a program called Skynet. However, it has less lethal but legally dubious aims. This one is a surveillance program that makes use of phone metadata to record the call activities and location of suspected terrorists. An Al Jazeera journalist reportedly became one of its victims after he was placed on a terrorist watch list.
The bureau chief of Al Jazeera’s Islamabad office, Ahmad Muaffaq Zaidan, was tracked by Skynet after he was identified by US intelligence as a possible Al Qaeda member and given a watch list number. Zaidan, a Syrian national, has conducted a number of exclusive interviews with senior Al Qaeda leaders, including Osama bin Laden himself.
A 2012 government presentation that The Intercept obtained from Edward Snowden says that Skynet makes use of phone location and call metadata from bulk phone call records to identify suspicious patterns in the communication habits and physical movements of suspects.
The presentation indicates that SKYNET looks for terrorist connections based on questions such as “who has traveled from Peshawar to Faisalabad or Lahore (and back) in the past month? Who does the traveler call when he arrives?” It also looks for suspicious behaviors such as someone who engages in “excessive SIM or handset swapping” or receives “incoming calls only.” The goal is to identify people who move around in a pattern similar to Al Qaeda couriers who are used to pass communication and intelligence between the group’s senior leaders.
In addition to its misleading name, SKYNET has a few problems. It misidentified an Al Jazeera reporter as a member of Al Qaeda based on the criteria mentioned above. (It seems that journalists meeting with sources and terrorists meeting with terrorist group leaders move in patterns that look the same to the computer.) This misidentification would be disturbing even if the government did not make use of such metadata to make life-and-death decisions about who to kill with drone strikes. However, it does.
It should be noted that the NSA also has a second program that is very similar to the Terminator’s Skynet. As revealed by Edward Snowden in an interview with WIRED and James Bamford last year, this one is called MonsterMind. Like the film version of Skynet, MonsterMind is a defense surveillance system that would immediately and independently disarm foreign cyberattacks against the US, and could be used to launch retaliatory strikes as well. Algorithms under this program would comb through massive repositories of metadata and examine it to distinguish normal network traffic from anomalous or malicious traffic. Equipped with this knowledge, the NSA could immediately and autonomously find, and block, a foreign threat.
Snowden also stated that MonsterMind could one day be designed to automatically return fire against an attacker without human intervention. Because an attacker could tweak malicious code to avoid detection, a counterstrike would be more successful in neutralizing future attacks. Sounds a lot like Skynet. However, there is no word from the NSA on why the iconic film name was not used for its real-world Skynet.
Credit: Kavita Iyer
AppUse Virtual Machine, developed by AppSec Labs, is a unique (and free) platform for mobile application security testing in the Android environment, and it includes unique custom-made tools.
- New Application Data Section
  - Tree-view of the application’s folder/file structure
  - Ability to pull files
  - Ability to view files
  - Ability to edit files
  - Ability to extract databases
- Dynamic proxy managed via the Dashboard
- New application-reversing features
- Updated ReFrameworker tool
- Dynamic indicator for Android device status
- Bugs and functionality fixes
BlueMaho is a GUI shell (interface) for a suite of tools best used for Bluetooth security testing. It is freeware and open source, written in Python, and uses wxPython. It can be used for testing BT devices for known vulnerabilities and, its major purpose, testing to find unknown vulnerabilities. It can also produce nice statistics.
I did get interested in Bluetooth for a while and the security implications of a personal area network protocol which includes discovery/broadcast etc. I ended up only posting one article at the time though which was about Haraldscan – BlueTooth Discovery Scanner.
I have a bunch more Bluetooth related resources to share though, so I’ll be putting them out from time to time. Some (like this) aren’t particularly up to date, but give you a great base to start with and play around.
- Scan for devices, show advanced info, SDP records, vendor etc
- Track devices – show where and how many times a device was seen, and its name changes
- Loop scan – it can scan continuously, showing you online devices
- Alerts with sound if a new device is found
- on_new_device – you can specify what command it should run when it finds a new device
- It can use separate dongles – one for scanning (loop scan) and one for running tools or exploits
- Send files
- Change name, class, mode, BD_ADDR of local HCI devices
- Save results in database
- Form nice statistics (unique devices by day/hour, vendors, services etc)
- Test remote device for known vulnerabilities (see exploits for more details)
- Test remote device for unknown vulnerabilities (see tools for more details)
- Themes! You can customize it
The main requirements are:
- OS (tested with Debian 4.0 Etch / 2.6.18)
- Python 2.4
Companies should check whether their CheckPoint systems have the widespread vulnerability
The Shellshock Bash bug was found in a typical CheckPoint system’s Admin panel (WebUI), opening up the possibility that many more of the business information security systems could be vulnerable if attacked.
The vulnerability exists in the CheckPoint firewall system’s administrative WebUI, DHCP component and other firewall system modules, and affects all CheckPoint Firewall versions of the Gaia, SecurePlatform, SecurePlatform 2.6, IPSO 6.2 and Gaia Embedded platforms and all appliance lines: 2012 models, Smart-1, Threat Emulation, UTM-1, Power-1.
The bug, uncovered this week in a widely used component of Linux, Unix and Mac OS X, was found in the Admin panel of the largest firewall vendor, CheckPoint. Alexey Baltacov, Network Security Architect at Frogteam|Security, said Sunday, “Because many vendors use similar servers, the vulnerability is likely widespread.”
Baltacov declined to expose the vulnerable path in the system but also said:
“I’m pretty sure that there are a bunch of them (vendors), if not a lot of them, that can also be exploitable.”
A CheckPoint OS platform and the Admin panel, which often runs on Unix or Linux, is the main component of a CheckPoint Firewall system for managing and configuring the firewall hardware in the organization.
Many CheckPoint firewall hardware units and servers run GNU Bash, which is the component with the critical flaw.
Bash, which stands for Bourne Again Shell, is the default command shell for the operating system.
The bug lets an attacker trick Bash into executing malicious command code by sending it via the Common Gateway Interface, an underlying component of the CheckPoint firewall’s administrative interface.
Eran Goldstein, Senior Cyber security and malware researcher at ZIMPERIUM said:
“Depending on the architecture of the firewall system, an attacker could manage and reconfigure all firewall hardware and servers and gain access to a company’s internal network. Even if he doesn’t have the username and password (for the Firewall server’s admin panel), he can still exploit the vulnerability. Also, once inside the firewall system’s admin panel, a hacker could infect components inside the organization network and IT environment.”
Security researchers reported Thursday that hackers were trying to exploit Shellshock in Web servers. On Friday, firewall vendor Incapsula reported that in a 12-hour period, it recorded 725 attacks per hour against a total of 1,800 domains.
“This is pretty high for a single vulnerability,” Tim Matthews, vice president of marketing at Incapsula, said.
The attacks originated from 400 unique IP addresses. More than half of the attacks started from China and the U.S.
In general, the attackers were running automated scripts from compromised servers in existing botnets in an attempt to add more systems to the network. Several botnet operators were using re-purposed distributed denial of service (DDoS) bots in an attempt to exploit Shellshock.
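An added example (not from the original article, Incapsula or CheckPoint) of how a defender can count this kind of activity in web server logs: CGI copies request headers into environment variables, and Bash treats a value beginning with "() {" as a function definition, so that prefix in any logged request field marks a Shellshock attempt. The log lines, addresses and PLACEHOLDER_COMMAND are constructed for illustration, and the combined log format is an assumption.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Bash treats an environment value beginning "() {" as a function definition;
# CGI copies request headers into the environment, so that prefix in a
# logged request field is the signature of a Shellshock attempt.
MARKER = re.compile(r"\(\)\s*\{")

# Assumed combined log format: ip - - [time] "request" status size "referer" "agent"
LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample lines (documentation address ranges, payload elided).
SAMPLE_LOG = '''\
198.51.100.7 - - [26/Sep/2014:10:02:11 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; PLACEHOLDER_COMMAND"
198.51.100.7 - - [26/Sep/2014:10:02:15 +0000] "GET /cgi-bin/login HTTP/1.1" 404 210 "() { :; }; PLACEHOLDER_COMMAND" "curl/7.30"
203.0.113.9 - - [26/Sep/2014:10:40:03 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
203.0.113.50 - - [26/Sep/2014:11:05:44 +0000] "GET /cgi-bin/test?x=%28%29%20%7B%20%3A%3B%7D%3B HTTP/1.1" 500 0 "-" "-"
not a log line
'''


def find_attempts(log_text):
    """Return (ip, hour, field) for every logged field carrying the marker."""
    hits = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        hour = m.group("ts")[:14]  # e.g. "26/Sep/2014:10"
        for field in ("req", "ref", "ua"):
            # Decode percent-encoding so an encoded query string still matches.
            if MARKER.search(unquote(m.group(field))):
                hits.append((m.group("ip"), hour, field))
    return hits


def summarize(hits):
    """Count attempts per hour and per source address."""
    return {
        "per_hour": dict(Counter(h for _, h, _ in hits)),
        "per_source": dict(Counter(ip for ip, _, _ in hits)),
    }


if __name__ == "__main__":
    print(summarize(find_attempts(SAMPLE_LOG)))
```

The per-hour and per-source counts correspond to the figures quoted above (attacks per hour, unique source addresses); a hit in the log shows an attempt was made, not that the server was vulnerable.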
CheckPoint responded on the company’s official website:
The OS WebUI may be susceptible to environment changes caused by the Shellshock exploit. At the time of Sep 2014, Check Point is not aware of any exploit on its solutions.
From CheckPoint website:
A Hotfix package is currently available for R75.40, R75.40VS, R75.45, R75.46, R75.47, R76, R77, R77.10, and R77.20.
This Hotfix package is relevant to the main appliances lines: 2012 models, Smart-1, Threat Emulation, UTM-1, Power-1. For other appliances, see the relevant section below.
For other versions – R65, R70.20, R71.20, R75.10, R75.20 and R75.30, use the Early Availability (EA) solution below. A General Availability (GA) solution will be published within the week of September 29th.