IPv6: Not a Security Panacea

With only 10% of reserved IPv4 blocks remaining, the time to migrate to IPv6 will soon be upon us, yet the majority of stakeholders have yet to grasp the true security implications of this next-generation protocol. While IPv6 provides enhancements like encryption, it was never designed to natively replace security at the IP layer. Many have simply deemed it an IP security savior without due consideration for its shortcomings.

The old notion that anything encrypted is secure doesn't stand much ground in today's Internet, considering the pace and sophistication with which encryption is cracked. For example, at the last Black Hat conference hacker Moxie Marlinspike revealed vulnerabilities that break SSL encryption and allow one to intercept traffic with a null-termination certificate. Unfortunately, IPsec, the IPv6 encryption standard, is viewed as the answer for all things encryption. But it should be noted that IPsec "support" is mandatory in IPv6; usage is optional (reference RFC 4301). There is a tremendous lack of IPsec traffic in the current IPv4 space due to scalability, interoperability, and transport issues. This will carry into the IPv6 space, and the adoption of IPsec will be minimal. IPsec's ability to support multiple encryption algorithms greatly increases the complexity of deploying it, a fact that is often overlooked.

Many organizations believe that not deploying IPv6 shields them from IPv6 security vulnerabilities. This is far from the truth and a major misconception. For starters, most new operating systems are being shipped with IPv6 enabled by default (a simple TCP/IP configuration check should reveal this). IPv4-based security appliances and network monitoring tools are not able to inspect or block IPv6-based traffic. The likelihood that rogue IPv6 traffic is running on your network (from the desktop to the core) is increasingly high. The ability to tunnel IPv6 traffic over an IPv4 network using brokers without natively migrating to IPv6 is a great feature. However, this same feature allows hackers to set up rogue IPv6 tunnels on non-IPv6-aware networks and carry out malicious attacks at will. Which begs the question: why are so many users routing data across unknown and non-trusted IPv6 tunnel brokers?
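As an added example (not from the article or its author), here is a small Python script that performs the check the rogue-tunnel discussion calls for: it flags IPv4 flow records that carry IPv6 inside IPv4 (IP protocol 41, used by 6to4 and tunnel brokers) or Teredo (UDP/3544), and it decodes 6to4 and Teredo IPv6 addresses back to the IPv4 endpoints they embed. The flow records are constructed; the 6to4 anycast relay address and the Teredo port are the RFC-assigned values, not anything the article gives, and only the Python standard library is used.

```python
import ipaddress
from collections import namedtuple

# Constructed IPv4 flow records, not real capture data: IP protocol number, source,
# destination and destination port. Addresses come from RFC 5737 documentation ranges.
Flow = namedtuple("Flow", "proto src dst dport")
SAMPLE_FLOWS = [
    Flow(6, "10.1.2.3", "192.0.2.10", 443),      # ordinary TCP to an IPv4 host: nothing to flag
    Flow(41, "10.1.2.3", "192.88.99.1", 0),      # IPv6-in-IPv4 toward the 6to4 anycast relay (RFC 3068)
    Flow(41, "10.1.2.5", "198.51.100.7", 0),     # IPv6-in-IPv4 toward a tunnel broker endpoint
    Flow(17, "10.1.2.4", "198.51.100.1", 3544),  # UDP to a Teredo server's well-known port (RFC 4380)
]

def classify_ipv4_flow(flow):
    """Label an IPv4 flow that carries encapsulated IPv6; return None for ordinary traffic."""
    if flow.proto == 41:  # protocol 41 = IPv6 carried directly inside IPv4 (6to4 and 6in4 brokers)
        if flow.dst == "192.88.99.1":
            return "6to4 via public anycast relay"
        return "6in4/6to4 tunnel"
    if flow.proto == 17 and flow.dport == 3544:  # Teredo wraps IPv6 in UDP so it passes through NAT
        return "teredo"
    return None

def find_tunnel_flows(flows):
    """Return (flow, label) pairs for every flow that hides IPv6 inside IPv4."""
    hits = []
    for flow in flows:
        label = classify_ipv4_flow(flow)
        if label is not None:
            hits.append((flow, label))
    return hits

def classify_ipv6_address(addr):
    """Tell native from tunnel-derived IPv6 addresses and recover the IPv4 details they embed."""
    a = ipaddress.IPv6Address(addr)
    if a.sixtofour is not None:  # 2002::/16: the host's public IPv4 address is the 32 bits after the prefix
        return {"kind": "6to4", "ipv4_endpoint": str(a.sixtofour)}
    if a.teredo is not None:  # 2001:0::/32: server IPv4, flags, then client port and IPv4 stored XOR 0xFFFF
        server, client = a.teredo  # the stdlib property already un-inverts the client IPv4
        client_port = (~int(a) >> 32) & 0xFFFF  # the 16 bits just above the client IPv4, un-inverted
        return {"kind": "teredo", "server": str(server), "client": str(client), "client_port": client_port}
    return {"kind": "native"}

if __name__ == "__main__":
    for flow, label in find_tunnel_flows(SAMPLE_FLOWS):
        print(f"{flow.src} -> {flow.dst} proto={flow.proto}: {label}")
    for addr in ("2002:c000:201::1", "2001:0:c633:6401:8000:63bf:34ff:8efa", "2001:db8::1"):
        print(addr, classify_ipv6_address(addr))
```

Protocol-41 and UDP/3544 matches are visible to any IPv4-only filter or NetFlow collector, so the same rules can be used to block or alert on tunnel traffic before an IPv6-aware inspection path exists.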

IPv6 tunneling should never be used for any sensitive traffic. By enabling the tunneling feature on the client (e.g. 6to4 on the Mac, Teredo on Windows), you are exposing your network to open, non-authenticated, unencrypted, non-registered and remote worldwide IPv6 gateways. Whether it's patient data that traverses a healthcare WAN or government connectivity to an IPv6 Internet, tunneling should be avoided at all costs. The rate at which users are experimenting with this feature and consequently exposing their networks to malicious gateways is alarming.

The advanced network discovery feature of IPv6 allows network administrators to select the paths they can use to route packets. In theory, this is a great enhancement; however, from a security perspective it becomes a problem. In the event that a local IPv6 network is compromised, this feature will allow the attacker to trace and reach remote networks with little to no effort. Is your security-conscious head spinning yet?

So where are the vendors that are supposed to protect us against these types of security flaws? The answer is: not very far along. Since there are no urgent mandates to migrate to IPv6, most are developing interoperability and compliance at the industry's pace. Like most of the industry, the vendors are still playing catch-up.

So the question becomes: will the delay in IPv6 adoption give the hacker community a major advantage over industry? Absolutely! As we gradually migrate to IPv6, the lack of interoperability and support at the application and appliance levels will expose loopholes. This will create a chaotic and reactive cycle of patching, on-the-go updates and application revamps to combat attacks. There is more to IPv6 than just larger IP blocks. Regardless of your expertise in IPv4, treat your migration to IPv6 with the utmost sensitivity.

The learning curve for IPv6 is extensive. Many of the fundamental network principles like routing, DNS, QoS, multicast and IP addressing will have to be revisited. People can't be patched as easily as Windows applications, thus staff training should start very early. Reliance on familiar IPv4 security features like spam control and DoS (denial of service) protection will be minimal in the IPv6 space as the Internet 'learns' and 'adjusts' to the newly allocated IP structure. It's essential that your network security posture is of the utmost priority in the migration to IPv6. Stakeholders should take into account the many security challenges associated with IPv6 before deeming it a cure-all security solution.

Jaghori is the Chief Network & Security Architect at L-3 Communications EITS. He is a Cisco Internetwork Expert, adjunct professor and industry SME in IPv6, ethical hacking, cloud security and Linux. He is presently authoring an IPv6 textbook and is actively involved with next-generation initiatives at the IEEE, IETF, and NIST. Contact him at ciscoworkz@gmail.com.

Analyst: AT&T likely to keep iPhone exclusive deal

Despite widespread speculation that Apple Inc. will open the iPhone exclusive arrangement with AT&T Inc. to include Verizon Wireless after 2010, one analyst firm is predicting AT&T's exclusive deal as the wireless carrier will be extended beyond then. In a report, iSuppli Corp. said that its main reason for expecting an exclusive extension is based on its analysis of a growth in usage of a faster wireless standard at AT&T known as High Speed Packet Access (HSPA). The global growth in HSPA usage will far outstrip growth in usage of EVDO (Evolution Data Optimized), a different standard used by Verizon, iSuppli said. "Speculation is rife that Apple will end its exclusive U.S. iPhone service deal with AT&T when the current contract expires in June 2010, and begin to offer phones that work with the Verizon network," said Francis Dieco, an iSuppli analyst, in a statement. "However, iSuppli doesn't believe this will be the case. The main reason Apple is likely to stick with AT&T beyond 2010 is the relatively wide usage and growth expected for the HSPA air standard used by the carrier for 3G data." It appears iSuppli reached its conclusions without any direct knowledge of what Apple will do regarding the exclusive deal. AT&T and Apple have been mum on the issue for months, and were again today.

Many analysts have speculated that Apple would want to work with more than a single carrier in the U.S. just to expand the opportunities to sell the iPhone. Gartner Inc. analyst Ken Dulaney agreed that AT&T will "definitely extend their deal" for exclusive sales of the iPhone. "AT&T would be crazy not to sell iPhone," he said in an e-mail, but added that Apple will also support Verizon, possibly with a different type of unit. "If you are beholden to stockholders to make money, there is no easier money than in your home turf through a carrier desperate for this type of device," Dulaney added.

Today, Jack Gold, an analyst at J. Gold Associates, said that Apple would more likely want to open the exclusive deal for both AT&T and Verizon, the two largest carriers in the U.S. Gold said he didn't agree with iSuppli's conclusions, primarily because there isn't that much incentive for Apple to stay with AT&T "unless AT&T throws a lot of money at Apple." Gold rejected the analysis of growth in HSPA as a sufficient rationale to stay with AT&T, partly because adherence to a wireless standard doesn't fully determine how data throughput occurs. Many AT&T customers using the iPhone have been outraged about service interruptions and slow downloads, which may occur because a tower might not be nearby due to buildings or terrain, Gold and others have noted. A major factor in what a user experiences is determined by the number of users on a single cell tower, and how many towers are located in dense areas, he noted. "Raw speed with a wireless standard doesn't mean anything," Gold added. "It's important to realize, when three people are on a tower, that's no big deal, but when you have 300 people on a tower in downtown Boston or downtown L.A., that's huge."

The analysis from iSuppli predicts that Verizon might get Apple products to sell other than the iPhone. Dieco based that prediction on his finding that there's no information indicating that Apple is prohibited from pursuing a relationship with Verizon for non-iPhone products, such as another phone model, tablet computer, netbook or an enhanced iTouch.

Part of the reason iSuppli relied on the growth projections for HSPA versus EVDO to make its prediction is that HSPA growth globally will be so much bigger. In 2009, there were 269 million HSPA subscribers globally, a number expected to soar to 1.4 billion in 2012. For EVDO, there were 145 million subscribers globally in 2009, a number expected to reach 304 million in 2013. Verizon has undertaken a program to move to faster LTE wireless in the 2011 to 2013 timeframe, and some analysts have assumed future iPhones could work over LTE, assuming Apple strikes an agreement with Verizon.

India schedules 3G license auction for December

India's auction of 3G and WiMax licenses is now scheduled to be held in December, according to a notice on the Web site of the country's Department of Telecommunications. Bidding for 3G licenses will start Dec. 7, with the WiMax auction scheduled to start two days after the 3G auction is complete, according to the notice. The auction was originally scheduled for January of this year, but was postponed after disagreement within the government on the minimum cost of the licenses.

Both Indian and foreign companies are allowed to bid for the licenses, but foreign companies will have to set up joint ventures with Indian investors to run services in the country. The Ministry of Communications will license four slots for 3G in each of India's 22 service areas, with a fifth slot reserved for two government-run telecommunications companies. A group of ministers, set up to resolve the dispute over pricing the licenses, has named Indian rupees 250 billion (US$5 billion) as the minimum revenue from the auction of the 3G and WiMax licenses in the country, India's Minister of Communications, A. Raja, said last month. A telecommunications company bidding for 3G licenses in all 22 circles will have to pay at least Indian rupees 35 billion, according to the new minimum pricing proposed by the Indian government. Two companies, Bharat Sanchar Nigam Ltd. and Mahanagar Telephone Nigam Ltd., were allotted 3G spectrum ahead of the auction, and have started offering services.

By the pricing announced last year, they would have had to pay about rupees 20 billion. The government said last year that these companies would have to pay license fees equal to the highest bid in each service area. The final date for applications from bidders is Nov. 13.

Gonzalez pleads guilty to TJX, other data heists

The man described by federal authorities as the mastermind of the massive data thefts at TJX Companies Inc., Heartland Payment Systems and other retailers today pleaded guilty to charges in a 19-count indictment that include conspiracy, wire fraud and aggravated identity theft. Albert Gonzalez, 28, of Miami, also pleaded guilty to one count of conspiracy to commit wire fraud related to a data theft at the Dave & Buster's restaurant chain. That case was being prosecuted separately in New York but was merged with the case in Boston under a plea agreement negotiated with prosecutors a few days ago. Gonzalez is scheduled to be sentenced Dec. 8 by U.S. District Court Judge Patti Saris in Boston.

Under the plea agreement, Gonzalez will serve between 15 and 25 years for both cases and will be fined as much as $250,000 for each of the charges. He faces a maximum of 25 years in prison for the charges in Boston and 20 years for the case in New York. Gonzalez will also forfeit more than $2.7 million in cash as well as multiple pieces of real estate and personal property, including a condominium in Miami, a BMW and several Rolex watches that he is alleged to have acquired through his ill-gotten gains. Gonzalez was arrested in Miami in 2008 along with 10 other individuals on charges relating to the thefts at TJX, Dave & Buster's, BJ's Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, Sports Authority, Forever 21 and DSW. In August, federal authorities in New Jersey indicted Gonzalez on charges involving breaches at Heartland Payment Systems, Hannaford, 7-Eleven Inc. and two other unnamed retailers. About $1 million of the money being forfeited was recovered from a container buried in Gonzalez's backyard, according to a statement released today by the U.S. Department of Justice.

Prosecutors alleged that Gonzalez, along with two unnamed Russian conspirators, stole more than 130 million credit and debit cards from the five retailers. It is not clear if Gonzalez was the leader of a worldwide criminal gang or merely acting at the behest of powerful crime gangs based in Russia and Eastern Europe. Today's plea brings to an end, for the moment, the career of a hacker who federal authorities say has been the mastermind of the biggest data thefts in U.S. history. But his actions, which his lawyer has claimed stemmed from a computer addiction, have caused millions of dollars in losses to his victims. In addition, some of the companies that were Gonzalez's victims have had to pay fines to Visa and the other card brands for being noncompliant with the credit card industry's Payment Card Industry Data Security Standard, and to spend more money to revamp their security controls.

TJX has publicly estimated that costs to the company from the data breach will touch $200 million. Heartland has already spent or set aside more than $12 million and is facing numerous lawsuits from affected institutions.