The Krypt

Tag Archives: comms

New VPN Blocking Technology in China?

15 Saturday Dec 2012

Posted by Michael in Uncategorized

≈ 1 Comment

Tags

astrill, china, comms, communication, network, prc, private, provider, secure, telecom, virtual, vpn

Yesterday’s Guardian Technology reported that the PRC has deployed VPN-blocking technology as part of its Great Firewall. Apart from an alleged email from the VPN firm Astrill, there’s no evidence of this, but something is happening. Back in May 2011 it was initially those using corporate networks who reported the problem, while home users were largely unaffected. This could well have been a strategy to compile a list of non-corporate VPN users.

I believe the PRC has merely applied its existing IP address blacklist to known VPN providers, rather than using a protocol-based filter, so a given VPN service will remain reachable until it’s discovered. In other words, someone at the border gateway is searching for VPN providers and manually blocking them. The real test of this is whether VPN gateways within China, where TCP scanning is distributed across regional data centres, are reachable.

IPv6 Secure Project – Development Stage

08 Saturday Dec 2012

Posted by Michael in IPv6

≈ Leave a comment

Tags

comms, comsec, development, ipv6, p2p, project, routing, secure

Cross-posted from the IPv6 Secure blog.

It’s been a while since I last posted an update, largely because the project’s been on hold for the last six weeks. Basically, the second year of the course was mainly theoretical stuff (policies, compliance, management, legislation, etc.), and the third year got very technical and practical from day one. That’s not a bad thing either, as I’d expect any infosec professional to have at least some experience of, and a decent understanding of, enterprise network and server configuration. So, that’s my excuse.

Roughly a month ago I had the basic secure messaging client application working, and hopefully I can soon get it communicating over the network. Later it can be extended to audio and video comms, and perhaps even a social network could be built around it someday.

Getting hold of the equipment for the development stage won’t be the problem I initially expected. I now have a carrier-grade routing system at my disposal, which means the countermeasures can be tested against a collection of Cisco 2800 routers, an Adtran Atlas 550 Integrated Access Device (IAD), and TCP and IP filtering layers. The Adtran is what’s going to simulate the ISP and the Internet.

Routing system, minus the cabling

By the end of January 2013, the whole thing should simulate multiple clients communicating between networks, tunneling their comms through whatever interception and filtering exists between them. It’ll be a form of P2P communication, but there’ll be nothing to mark it out to ISPs as such.

Before that happens, I’ll need to configure the routing system, which has to be done over serial ports and Telnet sessions; apparently that’s quite easy.

Opera Unite and its Relevance to Secure Comms

29 Thursday Mar 2012

Posted by Michael in Communications

≈ Leave a comment

Tags

browser, censorship, comms, communications, distributed, extension, free, ipv6, opera, server, unite

Back in 2009, Opera announced an innovative service called Unite, which lets anyone host content from their own computer using a browser extension that exposes parts of the local file system over links. I played around with it, and at the time thought it was a pretty cool feature. Looking at my old blog entries three years later, I’ve just realised the concept is loosely related to something I’ve been working on for several months, and it’s also a taste of how social networks might look once IPv6 becomes the Internet’s default addressing system (IPv6 multicasting and all that).

Opera claims that Unite turns devices into servers, but strictly speaking it doesn’t; Unite is actually a little more innovative than that. It uses the command-and-control server model I recently posted about, in which two clients communicate across the Internet by each connecting to something with a fixed address, much as a proxy relays traffic between remote-access malware and its operator. In the case of Opera Unite, users technically have full control over what they share, subject to a shitload of Terms and Conditions relating to content.

The way it works (I think) is like this:
1. The user starts the Opera browser and activates the Unite extension.
2. The extension checks which services and local file system paths the user has defined.
3. The Unite extension establishes a connection with Opera’s server in Norway and tells it which services it’s running.
4. Links to the extension and its running services are listed on the user’s MyOpera page. The address http://<device name>.<user name>.operaunite.com is mapped to the relevant IP address and port on the local machine.
5. Others click on whatever links they like, and Opera relays traffic between them and the local services provided by the extension.

Why is all this important for secure comms? The Internet should enable anyone to communicate and share files freely, but we’re in danger of losing that through a torrent of ‘intellectual property’ legislation, censorship and surveillance, and the trend over the past year has been worrying. Part of the problem is that the Internet’s too centralised: we rely heavily on servers even for basic communications, and their IP addresses are easily blocked. One solution would involve discarding static IP addressing in favour of distributed gateways updated by servers that regularly change their own addresses. Unite has demonstrated that it could be done with a simple browser extension that is accessible and transparent to the average person.

IPv6 and Secure Comms

27 Friday Jan 2012

Posted by Michael in Communications, IPv6

≈ Leave a comment

Tags

address, blocking, censorship, comms, communications, countermeasure, filtering, interception, ip, ipv6, multicast, proxy, security, server, tcp, tor

It’s only recently I’ve given IPv6 any serious thought, and I’m still going through a mass of literature on the subject and related technologies. As I’ve already pointed out, it’s still TCP/IP, which encapsulates data and routes it exactly as with IPv4, but the colossal address range makes numerous other things possible. Without giving too much away, this is one component of a system I believe will defeat traffic filtering and interception, hence my interest.

Multicast Groups
Without Network Address Translation, hosts located anywhere can form a group sharing a multicast address: one host sends data to that address, and it is delivered to the entire group.

IPv6 multicast addresses begin with ff, so there are 2^112 possible addresses a group can use, disregarding a handful of reserved ones. The other bits in the first segment determine the type of multicasting.
A third party trying to intercept the broadcasts for a given group must therefore potentially scan through 2^112 addresses to find the correct one, which we could say is comparable to brute-forcing a 112-bit key. There are a couple of problems, however: the group must be able to select a random multicast address, and that address must somehow be communicated securely. That leaves us with the old key distribution problem, though it might be solvable with some implementation of RSA.
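As an added illustration (not code from the original post), the following Python builds and parses IPv6 multicast addresses according to the RFC 4291 layout (ff, a 4-bit flags field, a 4-bit scope field, then a 112-bit group ID), and picks the random group address the post says the group needs from the full 112-bit space using a CSPRNG. The field names and the helper functions are my own; only the 112-bit figure comes from the post.

```python
"""IPv6 multicast address layout (RFC 4291): ff | flags (4 bits) | scope (4 bits) | group ID (112 bits)."""
import ipaddress
import secrets

GROUP_ID_BITS = 112          # the 2^112 group addresses the post refers to
FLAG_T = 0x1                 # T flag: 1 = transient (dynamically assigned) group
SCOPE_NAMES = {0x1: "interface-local", 0x2: "link-local", 0x4: "admin-local",
               0x5: "site-local", 0x8: "organization-local", 0xE: "global"}


def build_multicast(flags: int, scope: int, group_id: int) -> ipaddress.IPv6Address:
    """Assemble ff<flags><scope>::<group_id> into an IPv6Address, rejecting out-of-range fields."""
    if not 0 <= flags <= 0xF or not 0 <= scope <= 0xF:
        raise ValueError("flags and scope are 4-bit fields")
    if not 0 <= group_id < (1 << GROUP_ID_BITS):
        raise ValueError("group ID must fit in 112 bits")
    value = (0xFF << 120) | (flags << 116) | (scope << 112) | group_id
    return ipaddress.IPv6Address(value)


def parse_multicast(addr: str) -> dict:
    """Split a multicast address into its fields; non-multicast input (outside ff00::/8) is an error."""
    ip = ipaddress.IPv6Address(addr)
    if not ip.is_multicast:
        raise ValueError(f"{addr} is not in ff00::/8")
    v = int(ip)
    flags, scope = (v >> 116) & 0xF, (v >> 112) & 0xF
    return {
        "flags": flags,
        "transient": bool(flags & FLAG_T),
        "scope": SCOPE_NAMES.get(scope, f"unassigned({scope:#x})"),
        "group_id": v & ((1 << GROUP_ID_BITS) - 1),
    }


def random_transient_group(scope: int = 0xE) -> ipaddress.IPv6Address:
    """Choose a group ID uniformly from the 112-bit space with a CSPRNG (transient flag set)."""
    return build_multicast(FLAG_T, scope, secrets.randbits(GROUP_ID_BITS))


if __name__ == "__main__":
    chosen = random_transient_group()
    print(chosen, parse_multicast(str(chosen)))
```

Only the 112-bit group ID is actually unknown to an observer, since the flags and scope nibbles are dictated by how the group is used; that is the search space the post estimates.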

Proxy Servers
Also in my previous post, I pointed out that it’s possible to allocate roughly 6.67e+25 addresses to each square centimetre of the Earth’s surface, assuming my maths is correct. The point here is there’s no practical limit to the number of addresses a proxy server could use and discard, which makes the task of blacklisting them extremely difficult. This could even negate the current need to use proxies to defeat IP-based filtering systems.

IPsec
A few readers might wonder why I haven’t mentioned IPsec yet. IPsec is natively supported by IPv6 and operates at the IP layer rather than the application layer. This allows secure tunnels to be established between two points and, unlike SSL, protects both the routing information and the payload. It’s not commonly used at the moment because Network Address Translation re-encapsulates data, making it difficult to preserve the integrity of TCP/IP packets.

Where I’m Going with All This
Recent events have shown that the concepts of copyright and ‘intellectual property’ have been taken way out of proportion. Increasingly, web sites are being arbitrarily blocked and removed without due process, ‘checks and balances’ provide no real protection, and we came dangerously close to allowing the US government to degrade the DNS in the name of copyright. As some of us feared, the United States is following China’s lead in blocking traffic exchanged between the US and other countries.
All this directly contradicts what ‘Cyber Security Strategies’ are supposed to achieve, and in the long run it will degrade the security of the Internet while aiding criminals. In my view, this is an engineering problem in need of a solution.

Looking at this objectively, the IPv6 Internet should route traffic without interference and regardless of content, especially as it develops into an ‘Internet of things’ connecting all manner of electrical and electronic devices. To preserve the reliability and security of the Internet, a new system is needed, perhaps a successor to the Tor network that takes advantage of IPv6, to render useless whatever methods are used for blocking traffic.

Profile

Michael

My name is Michael, and I’m a software developer specialising in clinical systems integration and messaging (API creation, SQL Server, Windows Server, secure comms, HL7/DICOM messaging, Service Broker, etc.), using a toolkit based primarily around .NET and SQL Server, though my natural habitat is the Linux/UNIX command line interface. Before that, I studied computer security (a lot of networking, operating system internals and reverse engineering) at the University of South Wales, and somehow managed to earn a Masters’ degree. My rackmount kit includes an old Dell Proliant, an HP ProCurve Layer 3 switch, two Cisco 2600s and a couple of UNIX systems. Apart from all that, I’m a martial artist (Aikido and Aiki-jutsu), a practising Catholic, a prolific author of half-completed software, and a volunteer social worker.
