Attacks against smartphones such as BlackBerrys, iPhones and Android phones have become quite prevalent in recent years and many of them have focused on getting malicious apps on users phones. Thats a quick and easy way to get access to user data and sensitive information. But there are a slew of other real and potential vectors that attackers have at their disposal no, as well. Going after the device firmware is one potential method, as is attacking the mobile infrastructure itself.”

If I can update your phone remotely, I own the phone at every level and I own you. Its game over,” said Don Bailey, a senior security consultant at iSEC Partners, said during the panel discussion.

While I myself have been thinking about mobile security, this is an angle I didn’t even consider. If hackers can pwn the mobile phone network itself, well, everyone’s mobile device is in danger. There’s not much you can do about it, either.

Comments

• 6 August 2011, Robmitch writes: How is this any different to the current paradigm with PC's and the Internet? I don't see that the issues are much different, just that the form factors and the areas of attack change slightly. There's an interesting commentary at http://www.theregister.co.uk/2011/08/04/secret_iphone_hacking_tool/ on iphone hacking vectors, if you combine firmware update capabilities and this then there's some very evil stuff going on. But it's no different to the sort of MITM or Phishing-style attacks that we've seen on the Internet for years. Surely the same defence model can/should be used?
• 6 August 2011, PhoneBoy writes: Surely it can, but the mobile operating systems are so locked down third parties can't provide security services like they can on a PC. You also can't easily "firewall" your mobile phone with a hardware device like you can with your PCs at home. :)
• 7 August 2011, Robmitch writes: Fair point - that just means that the Mobile OS providers either have the obligation to secure their OS (Guess Apple kinda missed the boat on that one!) and the mobile network providers need to start incorporating that external "firewall" capability into their mobile networks. I think that corrupting endpoint devices is a relatively minor concern if the whole network is up for grabs - I guess the telcos have relied upon the technology to hijack or emulate a base station to be too expnsive and/or obscure up until now. Again, these are lessons that have been well learnt in the PC/Internet world, and another point where IP convergence into telephony/SCADA/infrastructure catches out historically poor security practice.
• 29 August 2011, Tomas writes: I bought my first Smartphone some weeks ago and I was thinking about security issues, too. I was looking for some good methods to secure my phone, but my search wasn´t as successfull as I was hoping. So it is and will be hard to really securing your phone.

Related Posts

• Thinking About Mobile Security
• End Users Aren’t The Customers
• Mobile Phones, Applications, and Subsidies
• Why We Need To Go To IPv6. Now.
• Who Controls The Branding?

This work originally came from The PhoneBoy Blog and is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 3.0 United States License.
Fingerprint: e37ac627f3d973694c212ff9430d215a

(Just to be clear, I work for Check Point and these are my own thoughts.)

Check Point R75.20

This release (press release, download) brings a number of new features. One of the most anticipated ones is the ability to inspect outgoing SSL traffic. Not just for Application Control, where it is most needed given the proliferation of sites requiring SSL, but in all the various software blades we support. And its included as part of the relevant software blades license (i.e. it’s not a separate charge).

SSL inspection is done by essentially doing a “man in the middle” on the traffic. The gateway dynamically generates a certificate for the destination website, which is presented to the client when they connect. This allows the Security Gateway to see the traffic “in the clear” and make the relevant security decisions. The connection is encrypted as it leaves the gateway with SSL. Since SSL inspection is more intensive than inspecting HTTP traffic, and potentially creates potential regulatory issues by its use, you will have granular controls as to when this feature is invoked.

Another new feature in R75.20 is a completely revamped URL Filtering blade. While Check Point is still selling this as a separate product, it is actually integrated with Application Control. Applications and URL Filtering categories are given equal billing in the now combined Application Control and URL Filtering rulebase. You can do user-level URL filtering (with Identity Awareness) and can take advantage of our UserCheck technology to inform users of the policies. We can also handle HTTPS websites and custom categories. The categories themselves have also been substantially updated.

Unlike with previous versions of URL Filtering, where the entire URL filtering database was stored locally on the Security Gateway, the new engine makes use of the cloud. Commonly accessed URLs and their categories are stored in a local cache on the gateway. Over 99% of your web traffic should be met by the local cache on your gateway. When someone accesses a URL not in the local cache, the URL Filtering database in the cloud is consulted, with the result being stored in the local cache for future use.

The Data Loss Prevention (DLP) blade also gets a substantial update in R75.20. HTTP performance is substantially improved in this release and you also gain the ability to examine HTTPS traffic as well. A large number of additional “out of the box” datatypes are now included. We also integrate with an internal Microsoft Exchange server so DLP can be performed on internal email as well as email leaving the organization.

SecurityPower

A common complaint I’ve heard from Check Point customers over the years is that the performance numbers we quote for our appliances don’t reflect what performance you’ll get in the real world with real world traffic patterns. This is because performance numbers have been historically quoted for a single firewall rule (any any any accept) with the most optimal traffic pattern (1500 byte UDP packets). To be fair, this has been the standard industry practice for some time now. Every vendor of network equipment performs tests like this.

Unfortunately, this isn’t a good indicator of how an appliance will perform under real world conditions. With that in mind, Check Point has developed a new testing methodology for its appliances using a real rulebase (100 rules) with real-world traffic patterns (both based on industry standards and actual patterns seen at Check Point customer installations). This rulebase and traffic pattern exercises all of the various features and functionalities available in our Security Gateway. Based on those tests, Check Point has rated each appliance with a SecurityPower Unit rating (SPU).

One could call the SPU an arbitrary metric. What it gives you is a relatively simple way to compare appliances and the relative security load they can handle. More importantly, an SPU can be generated for a given set of requirements (required blades, throughput, number of connections, and so on). You can then compare that against the available appliances to ensure you choose the right security appliance for the right security task.

Check Point has developed a tool that does exactly this. It will be available shortly. Personally, I think this is a big deal.

New Appliances

Two new appliances are being launched today for the data center: the 21400 (press release, product page) and the 61000 (press release, product page). These appliances are aimed squarely at the data center, where tens or even hundreds of megabits gigabits per second of throughput are needed!

The 21400 is a powerful 2U platform that features massive port density (up to 37 1000-base-T ports, 36 1000-base-F SFP ports, or 12 10GBase-F SFP+ ports), 50 GB of firewall throughput, 21GB of IPS throughput, hot-swappable redundant power supplies and disk drives, and an optional Lights-out Management card. Everything you’d expect from a carrier-grade chassis. The appliance runs both R71 and R75 with SecurePlatform.

The 61000 series, on the other hand, is a monster appliance! It’s a 14U (DC) or 15U (AC) bladed chassis that, when fully loaded, will support 200GB of firewall throughput today and, with future hardware and software enhancements, will support over 1TB of throughput in the future! Aside from all of the various connectivity and redundancy options, the appliance acts as a single platform that, when new hardware blades are added, automatically configures itself to distribute the load between the blades! The platform currently runs a 64bit version of SecurePlatform based on R75.

Both appliances, which are referred to as Data Center Appliances, are available now on the Check Point pricelist.

Comments

• 2 August 2011, Most Important Announcement of the Year [2011] - Page 6 - CPShared Forums writes: [...] y'all are interested in my personal take on our announcement: http://phoneboy.com/4175/check-point...new-appliances __________________ http://phoneboy.com Email: my CPShared username @ gmail.com Unless otherwise [...]
• 2 August 2011, RStewart writes: Towards the end, I think you mean tens to hundreds of *gigabits*. Hundreds of megabits of throughput is easy. ;-)
• 2 August 2011, EF writes: Did you notice that they changed --AGAIN-- the price for software blades? The URL Filtering blade is now $1,500/$3,000/$4,500 depending on the appliance or container size, instead of a plain $1,500 per gateway.

Related Posts

• Check Point R75 Now Available
• Job Change Dead Ahead
• Gil Shwed says Check Point isn’t for sale
• Announcing CPshared: The Open Technical Forum for all things Check Point
• The long-term plan for phoneboy.com

This work originally came from The PhoneBoy Blog and is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 3.0 United States License.
Fingerprint: e37ac627f3d973694c212ff9430d215a

Unlike a traditional PC, where there are a number of solutions to address various information security needs, mobile devices (those running iOS, Android, Symbian, Blackberry and others) provide little if any mechanisms for third parties to provide security solutions. Beyond ActiveSync integration, which itself is potentially untrustworthy (remember how iOS used to lie to Exchange servers that their mail store was encrypted?), other options for securing the device or data on the device are limited.

That said, mobile operating systems have had the benefit of experience of other operating systems. They are designed to be more resistant to intrusion by requiring signed code, employing sandboxing, limiting the available APIs, and more. It doesn’t eliminate the risk of security vulnerabilities, but it does minimize the risk known ones will occur.

Unfortunately, the “baked in” security only addresses a small segment of potential security issues. It does nothing to address future security issues that might crop up. Due to the limited APIs, it is not possible for third parties to address these issues without cooperation from the OS vendor (e.g. Apple, Google, Nokia). Unfortunately, security threats evolve far faster than an OS vendor’s ability to mitigate these threats on their own. Just look at how long it took Microsoft to enable the firewall in Microsoft Windows by default, implement driver signing, or any number of other security mechanisms that are just the default on mobile operating systems.

Even so, the most important feature of a mobile device–the ability to access and share information from anywhere–is also a threat to an enterprise. The potential for data leakage is substantial! All I have to do is take a picture of a whiteboard in an office with confidential data on it using an Android phone with Google+ automatically uploading my photos “in the cloud” to have a potential data leak! Not to mention using your personal device to access mobile email and working with attachments.

Even if adequate tools existed to address all the issues on mobile devices, one should not blindly rely on these tools. It comes down to people understanding the security implications of their actions and adjusting their actions accordingly.

Comments

• 3 August 2011, jason @ Voip writes: It took years to get users to even consider security on their PCs. How long do you think it'll take them to consider it on their mobile phones? Till they are hacked? Oops! They have been and they've still not learned!
• 6 August 2011, Securing Mobile Devices May Be Impossible « The PhoneBoy Blog writes: [...] While I myself have been thinking about mobile security, this is an angle I didn’t even consider. If hackers can pwn the mobile phone network itself, well, everyone’s mobile device is in danger. There’s not much you can do about it, either. [...]
• 19 August 2011, Peter writes: Thanks a lot for this nice article. I think there are too many security breaches in mobile devices to use it with peace of consience. Just for example the untrostworthyness like you told the fact that iOS used to lie to exchange servers that their mail store was encrypted. I don´t know if i want to use a smartphone as long as i can´t get a clear overview over the security possibilities that are trustworthy.

Related Posts

• Securing Mobile Devices May Be Impossible
• Mobile Security Isn’t The Same on All Platforms
• Why Purple? And Why Minutes?
• PhoneBoy’s Week That Was 3 February 2008
• Job Change Dead Ahead

This work originally came from The PhoneBoy Blog and is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 3.0 United States License.
Fingerprint: e37ac627f3d973694c212ff9430d215a

SocialGuard, ZoneAlarm’s newest security solution, promises a groundbreaking new method of monitoring and preventing safety breaches on Facebook the most popular social networking site by a mile, with over 500 million users without “friending” your child and intruding on his/her social space. SocialGuard sends real-time alerts to parents via email–or the SocialGuard interface–whenever suspicious activity is detected on your child’s profile; parents can customize security settings and keywords to trigger such messages if the child is exposed to illicit or inappropriate content. SocialGuard monitors children’s Facebook accounts for threats including cyberbullying, age fraud ensures children are not befriended by adults outside of their network; friend requests, hacked accounts, and link safety flags dangerous/offensive links contained in messages.

The product, available now, can be purchased here.

Check Point, my employer, is behind this. I’ve used the betas of this product and they do precisely what they say without being a huge burden on you or your computer. The price: $1.99 a month or $19.99 a year, makes this a no-brainer if you have kids using Facebook!

See what Check Point’s Head of Consumer Business has to say about SocialGuard.

Related Posts

• SightSpeed 6.0 Coming in Early February
• PhoneBoy Goes Corporate, Twitter Style
• A New Hope
• Security Folks: Let’s Not Forget The Dialup Users
• GizmoCall? Can’t Penetrate Firewalls.

This work originally came from The PhoneBoy Blog and is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 3.0 United States License.
Fingerprint: e37ac627f3d973694c212ff9430d215a

“The industry needs to change a little bit,” [Check Point Software Technologies CEO Gil Shwed] says. “Our software blade architecture is the right direction but it’s not enough. I think the real change is actually understanding that security is not a bunch of technologies that people need to deploy but understanding that it needs to be treated like a business process. It starts with the well-defined policy of what a company wants to achieve and what is allowed or not allowed, continues with educating – or not educating but involving the users – and the enforcement side is only the last part of it.

“Most of our customers have a lot of check lists but not one clear policy. Everybody is trying to keep the users aside from that, but if users are not aware of their expected behaviour they become the weakest link in security. Then it goes to enforcement, which needs to apply these principles. We’ve just launched 3D Security that has three elements – policy, people and enforcement – and I think that would be a major change in people’s mindset when they think about security.

While Check Point certainly has some great security technology–I should know, I work there–if it’s not applied according to a process and policy with defined business goals, the result will be less than satisfying. I’ve seen it again and again in my work over the years.

Related Posts

• Gil Shwed says Check Point isn’t for sale
• Check Point Software’s Earnings Call and Nokia’s Security Appliance Business
• Gil Shwed Opens NASDAQ
• Check Point Software Posting Record Financial Results For Q1 2009
• The Academy: Video How-Tos On Network Security Products

This work originally came from The PhoneBoy Blog and is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 3.0 United States License.
Fingerprint: e37ac627f3d973694c212ff9430d215a

• CPshared already had more active threads today than CPUG. This includes all the public boards, which I verified by loading up both sites in Google Chrome’s “Incognito Mode” to ensure I wasn’t logged in.
• The number of Check Point employees already participating on CPshared is far more than I’ve ever noticed on CPUG in the past two years.

Keep in mind that the CPUG forums have been around since August 2005. CPshared was only “officially” announced last week–it had been privately tested for about 4 weeks before that.

Again, these are just observations. They may be completely meaningless. You can come to your own conclusions here.

Related Posts

• Announcing CPshared: The Open Technical Forum for all things Check Point
• Where Did the FireWall-1 FAQ Go?
• Reconnecting with PhoneBoy of old
• Pictures from my Check Point User Group apperance
• USB Powered Fish Tank

This work originally came from The PhoneBoy Blog and is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 3.0 United States License.
Fingerprint: e37ac627f3d973694c212ff9430d215a

Presenting CPshared:  The Open Technical Forum for All Things Check Point. In the NG days, this was a base “package” in the Check Point suite that handled communication between management and modules. It was also called the SVN Foundation. This is where the name comes from, and I think it’s an appropriate name.

CPshared was started by an ex-Check Point employee and a long-time member of the Check Point community. It is designed to be an alternate approach to information dissemination to more established forums like CPUG–a forum I kickstarted by donating my own content to in 2005. CPshared includes a blog (with contributions by others), a web-based forum, a Twitter account @cpshared, and a web-based chat system.

CPshared has been under private beta for the last few weeks with a number of other long-time members of the Check Point community, including a few Check Point employees. It was formally announced today. If you use Check Point products, give it a look and join the small, but growing community!

Related Posts

• CPshared and CPUG: A Couple of Observations
• Where Did the FireWall-1 FAQ Go?
• Check Point is watching me
• Am I doing a book on NGX?
• Skype is NOT like Open Source

This work originally came from The PhoneBoy Blog and is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 3.0 United States License.
Fingerprint: e37ac627f3d973694c212ff9430d215a

The first thing I noticed was the packaging. A complete lack of technical jargon or marketing about how this router compares to the others they sell. There most technical things on the box are in small print and are just basically a list of system requirements and a warning that, due to a number of factors, your wireless speeds and range may vary.

When I did the initial setup, I used my Mac–usually a stumbling block for these so-called “easy setup” programs. The Easy Set Up key is little more than a Flash drive that contains some documentation and the Cisco Connect application. Launching the Cisco Connect gives you a screen that tells you to do do three things:

• Plug the router into your Internet connection
• Plug the router into your power
• Click next

In less than the five minutes it tells you it could take, I had a screen that told me my router was set up and I was connected to it. Sweet! You could, of course, do some additional configuration of the router. A very simple interface is presented for doing this (click image for larger view):

The add device option gives you the settings you need to configure a device. Obviously, it’s going to vary by device manufacturer. Once it has detected the device has connected, you can then “name” the device for later. Handy!

I didn’t mess with the parental controls–I almost never find them granular enough for my tastes. However, it appears they do some category-based URL filtering and allow you to blacklist sites. The problem is the restrictions are per-host, meaning you have to select the individual hosts that you wish to restrict. You also can’t whitelist sites or create a default URL filtering policy that applies to all connected hosts. That said, it’s more functionality than I’ve seen in a typical consumer router.

The guest access feature is quite handy as well. Cisco Valet creates a second (open) SSID that your guests can use to access the Internet. It is segmented off from your regular wireless network and presents a captive portal to your guests, whom must enter a password before they are allowed access to the Internet:

Of course, you can disable this feature as well.

When the router is first configured, the SSID is set to a random adjective-noun word combination and the password is set to a 10 character random string. In the Valet Settings, you can change these things to something. You can also save this to the Easy Setup Key (or create a new one using any standard USB thumb drive) that will allow you easily configure other Mac or Windows computers in your house with the correct wireless settings.

And, of course, there’s the Advanced Settings, which fires up a web browser with a typical Linksys-style web interface for configuring the router (though it is entirely Cisco-branded now). This is where the geek settings are, of course, and are, “advanced.” I’m sure given the relatively ease through which computers can be added and the basic settings can be configured, there will rarely be a reason for most people to ever visit the advanced settings.

But Is It Secure?

Most reviews stop here. They are quite happy that someone has finally come up with a wireless router that almost anyone with even rudimentary computer knowledge could configure and use. That is a feat worthy of praise, no doubt.

I am not most people. I wonder, in the back of my mind, does Cisco make this device easy to use, yet actually make it secure? The answer is not surprising–to me at least.

First, it’s probably worth pointing out that I work for a competitor to Cisco: Check Point Software Technologies. We don’t compete in the consumer market, really, but we certainly in the enterprise network security market. That doesn’t affect my opinions here, but I figure I should disclose that since some might consider it a conflict of interest.

Prior to proceeding with the setup wizard, I saw what the router was broadcasting by default–a WPA-protected access point named CiscoXXXXX (where XXXXX corresponded to the last 5 digits of the device serial number). My guess is the router is preconfigured with some default WPA password that the Cisco Connect software then changes to something else, which it then tells you after the setup is complete.

Cisco gets props on a number of things security related:

• Choosing a random network name (SSID)–most manufacturers use a known default
• Configuring WPA as a default
• Choosing a random password that contains numbers, upper and lower case letters, and special symbols

All three of these things are good. By choosing a random SSID and a random password, it makes it harder for someone to brute-force (i.e. guess every possible password) access to the wireless access point.

While these are far better than what I’ve seen from others, it’s, unfortunately, not enough. To be relatively safe from a brute-force attempt, the passphrase needs to be at least 20 characters–random ones at that. Also, it defaults to WPA/WPA2 mixed mode, which allows you to use the TKIP, which may be needed for some legacy hardware, is not the most secure. You can change to WPA2, which only supports AES. It would be nice if you could change the rekey interval, but I don’t see a way to do that from the advanced settings.

There are a couple of other dangerous settings enabled by default:

• Universal Plug and Play is enabled by default (which, when paired with malware, could easily make your computers more vulnerable to attacks)
• WMM Support (in the QoS section) which, when enabled, makes your network a little more susceptible to hacking when WPA (not WPA2) is enabled.

The Nintendo DS Factor

One rather common WiFi-enabled device in any household with children is the Nintendo DS. This device does not support WPA at all. Even the newer DSi, which does support WPA, doesn’t support it for DS games. This means, if you want your kids to be able to use the WiFi features of their DS games, they won’t be able to use them unless you use WEP for your wireless security, which is not recommended.

This is, in my opinion, one big disappointment with the Cisco Valet. There is no way to allow a Nintendo DS to use the Guest wireless without using WEP. They could very easily allow the whitelisting of certain MAC addresses to be allowed to access the Guest wireless (which is open, unencrypted, and will work with the DS) without requiring web-based captive portal authentication.

Other Minor Gripes

The Cisco Connect software allows you to configure items that cannot be configured with the Advanced Settings interface, namely the Guest wireless access. I would like to be able to change the default IP range used for the Guest wireless and, possibly, whitelist certain machines as I described above.

By default, the router administration password the same as the WPA password. This does make it easier for end users, but I think you should be able to set them independently in the Cisco Connect software.

I also do not see a way through the Cisco Connect software to upgrade the firmware for my router. This is a necessary, sometimes daunting task, especially given the number of hardware variations that can exist even with the same model. There’s no reason Cisco couldn’t have made this process as simple as they’ve made everything else–push a button and it takes care of the rest.

And, of, course, my security gripes above. While they went a lot farther than I’ve seen other manufacturers go, they could have gone just a little farther in choosing more secure defaults, possibly with an optional “security settings” page so you don’t have to hunt in the Advanced Settings interface to make the wireless connectivity more secure.

All in all, though, I am very impressed with the product. I could easily see myself recommending this product to my non-technical friends and family as a dirt simple way to share their Internet connection and create their own personal wireless hotspot.

The only people I cannot recommend this product to are Linux users who lack a Windows or Mac machine on which to run the Cisco Connect software. Since the initial setup of this router cannot happen without the Cisco Connect software, which does not run on Linux, your “out of the box” experience will be less than fulfilling. You only need the software the first time, of course, but you might be better off with a Linksys-branded router.

So yes, Cisco did it. They made WiFi easy for normal people to set up. Using the Easy Setup Key, I set up four different Windows computers with my Cisco Valet settings in a matter of minutes. It was drop-dead simple. I wish they spent a little more time on the security side of things, but this is a tough one to do without making things more inconvenient for users. Given what Cisco was aiming for here, I think they nailed it.

Comments

• 13 February 2011, The Cisco Valet: Easy Setup, but is it Secure? - Wireless Network News writes: [...] Cisco Valet: Easy Setup, but is it Secure? The PhoneBoy Blog / 29th Jan 2011 Nintendo [...]

Related Posts

• Wait, Doesn’t Cisco Have the iPhone Trademark?
• Cisco’s Trademark Case Against Apple “Silly”
• Sipura gets acquired by Linksys, er Cisco
• Cisco Sues Apple over iPhone Trademark!
• Is Security Holding VoIP Back?

This work originally came from The PhoneBoy Blog and is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 3.0 United States License.
Fingerprint: e37ac627f3d973694c212ff9430d215a

To put it in perspective, as I write this, there is still a few /8 addresses unallocated by the IANA, which are distributed to regional registries, which are then responsible for distributing the IPs to ISPs, whom in turn distribute them to you. A /8, in IPv4, is 16,777,216 IP addresses. That seems like a lot of addresses, until you realize that, depending on how those IPs are allocated, the number of usable IPs ends up being a bit less.

Even so, once IANA runs out of /8s, the individual registries and ISPs still likely have caches of IPv4 addresses. The problem of address space exhaustion probably won’t show any acute symptoms immediately, but the lack of IPv4 addresses (and the lack of wide deployment of IPv6) will start causing problems soon, creating pockets of servers that can only be accessed by one protocol or another.

We’ve actually been working around the problem of address exhaustion in the IPv4 space for some time now using network address translation. That router you get from your local consumer electronics store has been masquerading all of your computers behind a single, public IP address, providing you both a level of protection and connectivity.

Enterprises do much the same thing, except their boxes are significantly larger and they also might provide services accessible on the Internet, which means: they need more than one public IP. Also, some enterprises have so many connected systems that they have, quite literally, run out of available private IP addresses (some IPs in the IPv4 space are set aside explicitly for private, non-Internet connected use).

In any case, the pressure is mounting to switch to IPv6. Given that some of my customers are asking about IPv6, I figured I’d get myself educated. I happen to have access to one of the people who helped define the IPv6 standards in the IETF (he works at Check Point), but there’s really no better way to learn about it than to just get it set up.

Of course, part of the problem right now is that my ISPs at home (Comcast, CenturyLink) are still serving me IPv4 addresses. Fortunately, there are ways of tunneling over IPv4 to the IPv6 networks. One such service is TunnelBroker, run by the folks at Hurricane Electric. They tunnel IPv6 packets inside of IPv4 packets (more specifically using IP Protocol 41, designed for this purpose).

I had it working on an old Linksys router I had flashed with TomatoUSB and hacked a bit. I had IPv6 flowing through my network and was able to reach a few sites over IPv6. Then I had the realization that I was no longer protected by my router. I was now directly reachable–without a firewall! While I could fix that, I think that’s enough experimentation for now.

I guess the point is: I can make it work today. However, few people are going to want to do what I had to go through to make it work. Every hop in the network has to be IPv6 friendly and IPv6 enabled. For the home user, it’s going to have to be as simple as plugging in a router. We’ll get there, but it’s going to be a bumpy ride for the next few years.

Comments

• 20 February 2011, A. T. writes: when I noticed Hurricane Electric mentioned, immediately I recalled "Running IPv6 in practice" http://www.debian-administration.org/article/Running_IPv6_in_practice ... could be great if you tag all your IPv6 posts with particular tag ;)
• 20 February 2011, PhoneBoy writes: I was thinking about doing that anyway, thanks for reminding me!

Related Posts

• Getting Closer To IPv6?
• Speaking IPv6–Privately
• Why We Need To Go To IPv6. Now.
• Your ISP May be Trialing IPv6 Already!
• Innovate Or Get Out Of The Way

This work originally came from The PhoneBoy Blog and is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 3.0 United States License.
Fingerprint: e37ac627f3d973694c212ff9430d215a

Over the past several months, as part of my normal duties at Check Point, I have talked with a number of the people involved in this release. I’ve learned about some of the technologies that went into this release, and I have to say, it’s quite amazing how it all comes together!

Take R75 out for a test drive. Even if you don’t immediately use the new features, there are some usability enhancements in the SmartConsole applications, an improved IPS engine, and, of course, AppWiki, which is a great resource to find out about applications–even if you’re not using our Application Control Software Blade!

Related Posts

• Gil Shwed says Check Point isn’t for sale
• Announcing CPshared: The Open Technical Forum for all things Check Point
• The long-term plan for phoneboy.com
• Check Point: R75.20, SecurityPower, and New Appliances
• Where Did the FireWall-1 FAQ Go?

This work originally came from The PhoneBoy Blog and is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 3.0 United States License.
Fingerprint: e37ac627f3d973694c212ff9430d215a

Related Posts

• My wife’s parents are now Broadband-enabled
• Blogging Anywhere
• My Dad’s Internet Safety Tips
• Internet Channel on Wii
• Reorganizing my office

This work originally came from The PhoneBoy Blog and is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 3.0 United States License.
Fingerprint: e37ac627f3d973694c212ff9430d215a

One thing that many sites have glossed over is the inherent illegality of using Firesheep. “Go on! Try it! It’s cool!” — yes, it is shockingly cool, but if you use it on a public network you are breaking the law.

In general, the interception of any communication — digital or otherwise — is prohibited by law. Government agencies are the only exception and even then a warrant is usually required. Firesheep, by intercepting digital communication and re-routing it to your Web browser is a wiretap. Unless you’re trying to crack the local organized crime racket and you have a warrant in your pocket, you are breaking the law.

Making something illegal doesn’t mean people–especially criminals–won’t do it. Besides, one could argue that this communication is being broadcast unencrypted and can easily be sniffed passively, thus one should not have had a reasonable expectation of privacy.

The goal of this program isn’t to let people hijack each other’s web sessions anyway, it’s to clearly demonstrate the threat of using unencrypted WiFi using unencrypted protocols, which has existed since WiFi was first conceived. Unfortunately, easy-to-use programs like this are what’s needed to apply the appropriate pressure to change our protocols and practices.

Comments

• 8 November 2010, No Script Kiddie Left Behind – Firesheep Makes Stealing Logins Over WiFi Easy | Sword & Shield Enterprise Security, Inc. writes: [...] you’re interested in experimenting with Firesheep, Phoneboy cautions that using it may be illegal, so the  usual legal precautions [...]
• 14 November 2010, Myka writes: Blah blah blah tell it the crows, if you leave your car wide open with the keys in the ignition dont complain that it was stolen

Related Posts

• Unencrypted Access Needs To Die
• Verizon Following AT&T Yet Again, This Time on “Illegal” Tethering
• Why The U.S. Has More Minutes Of Use Than Others
• There Oughta Be A Law Against This
• Does a Mobile Phone to VoIP bridge break any laws?

This work originally came from The PhoneBoy Blog and is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 3.0 United States License.
Fingerprint: e37ac627f3d973694c212ff9430d215a

In case you’ve been somewhere off the grid, and have somehow missed the news, Firesheep is an incredibly easy to use add-on for the Firefox web browser that, when invoked while connected to any open and unencrypted WiFi hotspot, lists every active web session being conducted by anyone sharing the hotspot, and allows a snooping user to hijack any other user’s online web session logon with a simple double-click of the mouse. The snooper, then logged on and impersonating the victim, can do anything the original logged on user/victim might do.

I’ve experimented with Firesheep on my own system. Normally, I use Google Chrome, but I installed a fresh copy of Firefox just for the occasion to try Firesheep.

Within a few moments, I was able to pick up web sessions happening from my Google Chrome browser. I was able to use both my Facebook and Twitter from Firefox without having to log into them! It did pick up my Google login, but before I hit Gmail, I had to provide authentication. Remember, this was a fresh installation of Firefox on a machine that did not previously have Firefox installed at all!

This is scary stuff. As Steve Gibson says, though, this has always been possible with unencrypted WiFi by anyone with enough 1337 5killz to pull it off. Now, it’s as simple as installing a web browser plugin.

Related Posts

• Using Firesheep is Illegal. So What?
• MCI, Qwest, and Verizon
• Nokia N93 and Access Points on Odd Channels
• MacBook Didn’t Make It
• Crack WEP With a Single Packet

This work originally came from The PhoneBoy Blog and is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 3.0 United States License.
Fingerprint: e37ac627f3d973694c212ff9430d215a

The [product] runs on all mobile operating systems and devices. It includes antivirus, personal firewall, antispam, and remote monitoring and control services. It remotely backs up and restores data and can locate devices that are lost and stolen, as well as wipe data from stolen devices. It also can send an alert when a SIM card has been removed or replaced. For enterprise users, it protects devices accessing networks with SSL-based virtual private network.

And it makes great toast, too!

Reality check. The functionality of the above mentioned product is highly dependent on the mobile platform we’re talking about. A quick trip to the vendor’s website shows you what options are available on which platform, and it’s clearly not the same.

Mobile operating systems are designed more secure from the get-go. That doesn’t completely reduce the need for security, but it does reduce or eliminate certain classes of threats. Also, each mobile OS has their own unique restrictions on the kinds of apps that can be written. Each mobile OS has different security services that can be utilized in different ways.

In short, what you can do on iPhone and what you can do on Android are very different. Even if a vendor provides the same application on multiple platforms, it is not going to provide the same level of functionality. It simply cannot.

The author of the above-linked piece did not even attempt to articulate this critical point. If you’re looking at a mobile security solution for your enterprise, you simply have to be aware of this reality so as you don’t expect something that cannot be delivered.

Disclaimer: My employer offers a competing product: Mobile Access Software Blade. However, the above thoughts are my own.

Related Posts

• Why is Skype So Popular?
• FCC’s MCDowell Has Cohones
• Securing Mobile Devices May Be Impossible
• Thinking About Mobile Security
• Re-Blogging Ain’t So Great

This work originally came from The PhoneBoy Blog and is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 3.0 United States License.
Fingerprint: e37ac627f3d973694c212ff9430d215a

Two months ago, antivirus systems giant McAfee was sold to Intel for $7.7 billion. At the time, a number of analysts suggested that Check Point Software Technologies would also be an attractive target for takeover. Gil Shwed, the company’s founder and leader, yesterday shrugged at the idea in conversation with reporters, after the company filed its third-quarter financials.

Anything’s possible, Shwed said: but he’s been very consistent in his position for the last 17 years, which is that Check Point isn’t for sale. “We are very proud of the fact that we are an Israeli company, an independent one,” he said.

Why would Check Point put themselves up for sale when the financials continue to be strong and only getting better? I think it’s just “wishful thinking” by the analysis.

Disclaimer: I work for Check Point.

Related Posts

• Gil Shwed: “The [security] industry needs to change a little bit”
• Gil Shwed Opens NASDAQ
• Check Point Software’s Earnings Call and Nokia’s Security Appliance Business
• Check Point Software Posting Record Financial Results For Q1 2009
• More Obsolete VoIP Gear for Sale

This work originally came from The PhoneBoy Blog and is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 3.0 United States License.
Fingerprint: e37ac627f3d973694c212ff9430d215a