Adventures in IPv6

18 February 2017

Because I use a home ISP that supports IPv6, and has done for quite a few years, I have been using IPv6 for some time. But recently a problem meant that I was losing IPv6 connectivity. IPv4 was working fine, so it was only a minor hiccup. But in the process of investigating this I learnt quite a bit about IPv6 and I thought I would document it here. It might help someone else.

Addresses

IPv6 addresses are 128 bits long and are written in a standard notation that looks like this:
fe80::224:d7ff:feec:e7ec
::1
2a00:1450:4009:80f::200e

It is rare to have a completely populated address, so the notation allows a run of zero bits to be shortened to ::. So the address ::1 is all zero except for the last bit. The CIDR format of showing the number of significant bits is also often used. In some commands the interface to send on is specified with a %eth0 suffix.

There are several types of IP address, and they can be recognised by the most significant part of the address. These are the ones I came across.

::1/128 this is the loopback address, the same as 127.0.0.1
fe80::/64 anything starting with fe80 is a link-local address. A bit like 10.x.x.x or 192.168.x.x, it can only be used on a single link
ff0X:: these are multicast addresses. The most useful ones are:
ff02::1 all nodes on the local link
ff02::2 all routers on the local link

Configuration

IPv6 has been designed for auto-configuration, so an endpoint should not need anything configured in order to use a network. Everything is automatic.

The link-local address is automatically calculated from the MAC address of the interface, so it should be there for any connected interface regardless of whether the network supports IPv6 or not. You can display the IP addresses with ifconfig (or ipconfig on Windows) or ip -6 address show.

Neighbor Discovery Protocol allows the discovery of the link-local addresses of locally connected interfaces. We do this with a ping, or as it is more formally known an Internet Control Message Protocol version 6 (ICMPv6) echo request, to a multicast address.

$ ping6 -c2 ff02::1%eth0
PING ff02::1%eth0(ff02::1%eth0) 56 data bytes
64 bytes from fe80::3e98:c0ee:51ae:b461%eth0: icmp_seq=1 ttl=64 time=0.072 ms
64 bytes from fe80::1e74:dff:fe2c:b897%eth0: icmp_seq=1 ttl=64 time=2.53 ms (DUP!)
64 bytes from fe80::3e98:c0ee:51ae:b461%eth0: icmp_seq=2 ttl=64 time=0.059 ms

--- ff02::1%eth0 ping statistics ---
2 packets transmitted, 2 received, +1 duplicates, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 0.059/0.887/2.532/1.163 ms

This should give you a response from the link-local address of that interface, and from anything else that has an IPv6 interface on that network segment. But

$ ping6 -c2 ff02::2%eth0
PING ff02::2%eth0(ff02::2%eth0) 56 data bytes
64 bytes from fe80::1e74:dff:fe2c:b897%eth0: icmp_seq=1 ttl=64 time=2.58 ms
64 bytes from fe80::1e74:dff:fe2c:b897%eth0: icmp_seq=2 ttl=64 time=0.946 ms

--- ff02::2%eth0 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 0.946/1.764/2.582/0.818 ms

will only give responses from routers on the segment. So now we have local addresses sorted, we need to get a routable IPv6 address. There are a number of ways this can happen; most commonly it uses Stateless Address Autoconfiguration (SLAAC).

The first step in getting a global-scope IPv6 address is to find the router. This is done either from the response to a Router Solicitation (RS) ICMPv6 message, or just by listening, as a router will periodically send out a Router Advertisement (RA).

Wireshark capture of IPv6 address auto-configuration

Let's step through the auto-configuration process. The first step is setting the link-local address. This is configured from the MAC address, but there could still be conflicts, so in packet 83 we send out a Neighbour Solicitation for the address we want to use. If nobody responds then we go ahead and use that address, packet 97.

The next important bit is the Router Solicitation and Router Advertisement. Routers send out a Router Advertisement periodically to the multicast address ff02::1, but one can be prompted by a Router Solicitation, packets 118 & 119. The Router Advertisement is displayed in the packet analysis window, and we can see the prefix information as well as the DNS servers from the router.

Next is packet 141 where we send out a Neighbor Solicitation for 2001:8b0:1679:ea38:cf58:def3:b993:1412 to check that nobody else is using this address. If nobody replies then we go and use this address.
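As an added example (not code from the original post), here is the address handling described above in Python using only the standard library: deriving the EUI-64 link-local address from a MAC, forming the SLAAC global address from the RA prefix, and classifying addresses by their leading bits. The router's MAC is an assumption read back from its EUI-64 link-local address in the ping6 output; the /64 is taken from the global address in packet 141.

```python
import ipaddress

# Constructed sample values: the router's MAC is an assumption read back from
# its EUI-64 link-local address fe80::1e74:dff:fe2c:b897 in the ping6 output;
# the /64 is the prefix of the global address in packet 141 of the capture.
ROUTER_MAC = "1c:74:0d:2c:b8:97"
RA_PREFIX = "2001:8b0:1679:ea38::/64"

# Multicast scope lives in the low nibble of the first hextet (ff0X::).
MCAST_SCOPES = {1: "interface-local", 2: "link-local", 5: "site-local", 14: "global"}


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64: split the 48-bit MAC, insert ff:fe in the middle and
    flip the universal/local bit (0x02) of the first octet."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02
    return int.from_bytes(eui, "big")


def link_local_from_mac(mac: str) -> ipaddress.IPv6Address:
    """Link-local address: the fe80::/64 prefix plus the EUI-64 identifier."""
    return ipaddress.IPv6Address((0xFE80 << 112) | eui64_interface_id(mac))


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Global address as SLAAC forms it: the /64 from the Router Advertisement's
    Prefix Information option plus the same EUI-64 identifier."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a 64-bit prefix")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))


def split_zone(text: str) -> tuple:
    """Separate a %eth0 style zone suffix; it names the interface to send on
    and is not part of the 128-bit address."""
    addr, _, zone = text.partition("%")
    return addr, (zone or None)


def classify(text: str) -> str:
    """Name the address type from its most significant bits."""
    addr, _zone = split_zone(text)
    a = ipaddress.IPv6Address(addr)
    if a.is_loopback:          # ::1/128
        return "loopback"
    if a.is_multicast:         # ff00::/8
        scope = (int(a) >> 112) & 0xF
        return "multicast " + MCAST_SCOPES.get(scope, "scope-%d" % scope)
    if a.is_link_local:        # fe80::/10
        return "link-local"
    if a.is_global:
        return "global"
    return "other"


if __name__ == "__main__":
    print(link_local_from_mac(ROUTER_MAC))         # fe80::1e74:dff:fe2c:b897
    print(slaac_address(RA_PREFIX, ROUTER_MAC))
    for sample in ("::1", "fe80::3e98:c0ee:51ae:b461%eth0",
                   "ff02::1%eth0", "ff02::2%eth0", "2a00:1450:4009:80f::200e"):
        print(sample, "->", classify(sample))
```

Not every host uses EUI-64: the local machine's fe80::3e98:c0ee:51ae:b461 in the ping output has no ff:fe in the middle, so its identifier is randomised (RFC 4941 privacy extensions or RFC 7217 stable-privacy addresses), whereas the router's fe80::1e74:dff:fe2c:b897 is EUI-64 and reveals its MAC.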


Password Managers

7 February 2017

LastPass screenshot

I am constantly surprised that ordinary people don’t use password managers. I would expect most security professionals to use them, but even there I find many do not use a password manager.

So what is a password manager? Basically a database that stores usernames and passwords for you. The data is encrypted with a master password, so you do have to remember that one password. When you visit a site or start an application that needs a password, the password manager fills in the credentials for you.

Why is this better than what I do at the moment? If you don’t use a password manager then you must be doing one of the following:

1. Use the same password, or a small set of passwords on many sites.

This is a bad idea, mostly because if one of those sites is compromised then you will need to change your password on all the sites you have used that password on. Can you remember all of those sites? How long will it take you to do that?

2. Write passwords down.

Actually this is not too bad, as long as you look after the password book. You can do some things to make sure that if the book is stolen then it doesn’t immediately compromise all your passwords. But if you lose that book how do you go about changing your passwords?

3. Use an algorithm to generate the password for each site.

It could be paper based or something you can remember and do in your head or a combination. Usually you use the domain name of the site to work out your password. The problem here is if that site is compromised then you have to change your password, lots of these and you have a long list of exceptions, or alternative methods for passwords. It will soon become unmanageable.

Software to the rescue.

So the answer is to use password safe software. There are a number of systems available; I recommend both LastPass and KeePass. LastPass is internet based and implemented through a browser plugin, whereas KeePass is an application you run locally on your machine.

Both allow you to store usernames, passwords and the URL of the login page. Both have a master password to encrypt the password store, and only decrypt the password in memory on the local machine.

KeePass has a local database, but this can be synced with other machines via Dropbox, GDrive, OneDrive, or even SFTP. Because the database is only decrypted in memory this is safe. KeePass is open source and there are clients for all desktop operating systems, and some mobile ones as well. There is a huge range of extensions to extend the basic functionality.

I personally use LastPass, but I also regularly export my keystore and import it into KeePass so I have a backup.

So why is this good?

1. You have a different password on every site. OK, if you don't have this when you start you can progress towards it. Because you only have to remember one password, there is no effort in having a different password for every site.

2. You use long, randomly generated passwords. These systems will generate a new password for you, so you may as well make it long and complex as you don't have to remember it, and that makes you much more secure. So when you set up a new account or change an existing password, generate it randomly and make it 16 characters long (if the site accepts this).

3. Your password manager checks the domain you are visiting and will only enter the Amazon password into the page at amazon.com, not amason.com, amaz0n.com, amazom.com or arnazon.com.

4. Use your password manager as your bookmarks: if you need to visit your bank, select it in the password manager and it will go there and log you on.

5. Use your password manager to store password recovery information. Because you are using a password manager you don't need to be able to recover a forgotten password, but some sites insist on this. Never answer the security questions with the correct information; if they want your mother's maiden name put something random in there, otherwise it may be possible to have your account taken over using the password recovery process.

6. You can use this to store and auto-fill other sensitive information like name, address, credit card numbers etc. This avoids storing cards on a website, from where they may be compromised. And because it is automated it is just as fast as having the website store the data.
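An added example, not from the original post, of the domain check in point 3: a small Python decision function that fills credentials only when the visited page's host is the stored login host or a subdomain of it, run against the look-alike names listed above plus two other cases (the stored host appearing as a subdomain of another domain, and a plain-http page). The stored URL and visited URLs are constructed samples.

```python
from urllib.parse import urlsplit

# Constructed sample: one stored entry and the visited pages to decide on,
# using the look-alike names from point 3 above.
STORED_LOGIN_URL = "https://amazon.com/ap/signin"
VISITED = [
    "https://www.amazon.com/ap/signin",
    "https://amason.com/ap/signin",
    "https://amaz0n.com/ap/signin",
    "https://amazom.com/ap/signin",
    "https://arnazon.com/ap/signin",
    "https://amazon.com.example.net/ap/signin",   # stored host used as a subdomain
    "http://amazon.com/ap/signin",                # right host, but no TLS
]


def _login_host(url: str):
    """Return the lower-cased host of an https URL, or None when credentials
    should never be sent to the URL at all (no host, or not https)."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        return None
    return parts.hostname.lower().rstrip(".")


def should_autofill(stored_url: str, visited_url: str) -> bool:
    """Fill only when the visited host is the stored host or a subdomain of it.
    The '.' boundary is what rejects amazon.com.example.net and notamazon.com;
    a one-character difference such as amaz0n.com fails the string comparison
    outright, as does a Unicode look-alike hostname."""
    stored = _login_host(stored_url)
    visited = _login_host(visited_url)
    if stored is None or visited is None:
        return False
    return visited == stored or visited.endswith("." + stored)


def fill_decisions(stored_url: str, visited_urls) -> dict:
    """Map each visited URL to the fill / refuse decision."""
    return {url: should_autofill(stored_url, url) for url in visited_urls}


if __name__ == "__main__":
    for url, fill in fill_decisions(STORED_LOGIN_URL, VISITED).items():
        print("fill  " if fill else "refuse", url)
```

Real managers match on the registrable domain using the Public Suffix List, so that accounts.example.com and www.example.com share one entry; this simple version instead expects the stored URL to carry the bare domain.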

So if you have read this far you should be totally convinced and ready to start using a password manager now. Well done.


System Rescue CD & Spinrite

7 January 2017

I am a great fan of System Rescue CD. It is a great distribution for fixing computers. It is basically a Gentoo installation customised with a whole lot of tools for fixing systems: disk partitioning, wiping, password resetting, etc. As well as some tools that are separate bootable images like memtest and FreeDOS. I also have and like SpinRite, which is not a free tool so can't be included in the distribution, but I wanted to find a way of adding it to a USB drive so I had all these tools on the same USB stick.

First I used the included scripts to create the USB stick from the System Rescue CD image.

I found that the text file syslinux/syslinux.cfg holds the menu system. Looking through this there is a section:

MENU BEGIN
MENU TITLE A) Run system tools from floppy disk image...

I added the following to this menu item and copied my spinrite.img file to the bootdisk directory.

LABEL SpinRite
MENU LABEL SpinRite: Analyse and recover disk problems
# memdisk boots the floppy image copied to /bootdisk on the stick
kernel memdisk
# floppy: emulate a floppy drive; raw: memdisk's raw memory access mode
append initrd=/bootdisk/spinrite.img floppy raw

Works a treat.


Old Computer technology forgotten

3 December 2016

Have we already forgotten how to use some of the computer technology from just a few years ago? Perhaps they need better (and older) tech consultants on programmes. I was watching the latest episode of Timeless, S01E08 Space Race. The plot takes us to the Apollo 11 moon landing, where a modern-day virus is inserted into a 60s-era mainframe computer to disrupt the communications, stranding Neil Armstrong and Buzz Aldrin on the moon.

A virus attacks flaws in the operating system or other privileged programs on a system. I suppose that we now have more knowledge of these problems, but how these would relate to operating systems of the 1960s is just not credible. So let us take the leap of faith and believe that a modern virus could affect computers of this era, and just look at the mistakes in dealing with this technology for a moment.

We enter what looks like an IBM System/360 computer room. Firstly they insert a paper tape program into the machine. This is presumably some form of bootstrap program, though that is not clear from the dialogue.

Loading the papertape machine

They have obviously just got a random bit of papertape and used that. In reality there would be a substantial leader of blank tape at the beginning. This would normally have either a typed label, or more likely, a handwritten description of the contents. The reader would normally have a sprocket wheel to thread the tape onto and a clip over tab to hold and guide the tape through.
I can remember it being cool to punch holes in the leader tape that made up dot-matrix-like characters. This was a matter of setting up the bit image of the characters and adding this to the start of the punch sequence. That makes it sound much easier than it was.

example of fanfold papertape with printed label and punched characters

I mostly worked on Digital Equipment and Data General machines that used fanfold papertape, but there was also the teletype machines, that used loose tape. You would typically use a pair of plastic bins to hold the in and out portions of the tape. But this was quite untidy and the tape could easily be torn if it tangled up in the bins.

Next there is a sequence of loading a reel of ½” magnetic tape. In the background there are racks of tapes with the plastic surrounds (frequently called a “tape seal belt” because its purpose was to keep humidity and dust off the media). There was a later version of these that usually went with an automatic loading system. The tape, with the ring, was loaded onto the drive, and the drive mechanism would open the seal and vacuum the tape through the machine onto the fixed take-up reel. The point is that with those drives you did not remove the seal belt before loading the tape. In the episode they remove the ring before taking the tape over to the machine. The tape drives do not appear to have the auto-loading mechanism, so they did this bit right.

Tape reels have an opaque side and a transparent side. The opaque side is the back of the reel and you would always load the tape with the transparent side outwards. As well there is a plastic ring that can be inserted into the back of the reel. This was a write protect ring: the drive would only be able to write to the tape if this ring was inserted. The ring was detected with a probe on the tape drive, so this ring must be on the back side of the reel when loaded into the drive. Also the tape on the reel was always loaded clockwise; inserting a reel back-to-front would not work at all.

Tape loaded back to front

With the write protect ring visible

They then press the top left button to supposedly load the tape. I suspect that this is the rewind button, so it makes the drive spin as though it is doing something. I am surprised that they did not end up with tape everywhere, as the drive would try to unwind the tape rather than rewind it. Perhaps they only had empty reels, so they had to put them on backwards so you couldn’t see that there was no tape on them?


Financial Information

20 May 2016

A bracelet that shocks you if you overspend

This story is typical of the difficulty people have in managing their finances well. The real problem is that banks and card companies have little interest in providing detailed analysis of financial information to their customers, together with the divided nature of those institutions, in that any one of them will only see a portion of the situation.

Firstly, banks. My bank has all of my direct debits and standing orders, and they know pretty well when and how much those are. They could project that forward and show me what my balance will be at the end of the month, next pay day or similar.

Card providers generally only show cleared transactions, sometimes there is a special display for pending transactions. This may be an important distinction for the Bank, but not to the consumer. As soon as I have made the transaction I want to see that in a statement.

What I want is to have the information at the point of making the decision. In the simplest case: can I afford to buy this thing this month, or should I wait till next month?

A more detailed analysis would be for the longer term, like whether I am maintaining enough savings to cope with not having a job for a couple of months; perhaps there are rumours of a takeover at my employer and I want to increase this target. Give me feedback on how many months it will be before I can achieve that at my current spending / saving rate.

Personally I do this myself, and have done so for many years. I use GNUCash to record all my transactions. This allows simple reconciliation with statements. Then by ensuring that standing orders and direct debits are entered in a month before they are due I have a good projection of my future balance.


IP Bill Final Death Throes, we hope.

14 March 2016

The IP Bill aka #SnoopersCharter is back from the committee stage with most of the sensible recommendations ignored, and some things even worse than they were before. Again I have written to my MP; let’s hope it is again dead, as the alternative is too horrible to imagine.

Dear Alok Sharma,

I have written to you several times about the Investigatory Powers Bill. [1,2] I have tried to explain the very real problems with this bill, but underneath all these problems, the massive impact that it would have on the high tech industry in the UK, under all of these problems is a fundamental issue of privacy.

I want you to think seriously about a state where citizens have no privacy. The privacy we have now in our own homes, our person and thoughts. As the internet becomes part of these spaces so these new powers to intercept, collect, filter, and examine come under the purview of the state.

The Home Secretary claims that we do not live in an interception state, because she only considers a communication intercepted when a person looks at it. This is not the view of the general public.

I watched much of the evidence presented to the Parliamentary Committee and read their report. The report highlighted many of these issues with the Bill and I was hopeful that we would get a sensible bill out of that process. But what we have after only a few weeks contains hardly any of the recommendations, but several changes to make the powers of the bill even worse.

When 200 Senior Lawyers tell you the bill is flawed, and probably illegal [3] I really think you should listen.

The only sensible course of action at this point is for you to vote against the Bill.

I urge you to declare that you will not support this bill.

Yours Sincerely

Stuart Ward

Ref:
[1] https://stuartward.wordpress.com/2015/11/21/investigatory-powers-bill/
[2] https://stuartward.wordpress.com/2015/11/26/the-ipbill-aka-snooperscharter-second-letter/
[3] http://www.theguardian.com/world/2016/mar/14/investigatory-powers-bill-not-fit-for-purpose-say-200-senior-lawyers


The #IPBill aka #Snooperscharter second letter

26 November 2015

Here is my second letter to My MP. This is the important one as they rarely see your first letter.

Dear Alok Sharma,

I thank you for your reply to my letter (ref: CRM12097); while your response tries to clarify some aspects of this bill, you fail to address any of the issues that I raised.

I would like to explain just a few of the issues I, and others in the Cyber Security community, have with the Investigatory Powers Bill. Firstly, the bulk collection of data.

Bulk collection of data records (“meta data”) is not equivalent to a phone bill. That implies that it only relates to a small part of a citizen’s life and interactions. In the case of the Internet we are living our lives where all our actions and thoughts travel on the Internet in some form. And this is rapidly expanding, from smart phones reporting location, activity, and biomedical information to our homes becoming automated and reporting machines that we live in. The “meta-data” of these interactions is a vast and detailed view of our lives.

If you want a simple parallel it is equivalent to the information collected by the East German Stasi, collected and stored, and could be searched and analysed.

It is amoral in a free society to collect and store this level of information on citizens, whatever the justification.

Secondly, the storage and analysis of this data does not help the police, or GCHQ, in performing their roles. If this is to protect us against terrorism it will not work. All of the recent terrorist attacks have been performed by persons known to the police. No cases of terrorism have been identified from bulk analysis of data. If this data truly was able to do this then we should demand extraordinary proof that this is the case, and subject this to public scrutiny. Where the NSA has been challenged to do this they have failed to provide a single case where access to bulk data was instrumental.

The simple argument here is that if the terrorists of all previous actions were known to the police but they were unable to spot this from the data they have, how does adding more data to the pile help?

This collection will be expensive and hamper the development of businesses in the UK. The Snowden revelations mainly reflected on the operation of the NSA, and those revelations had, and are having, a major impact on US businesses that sell technology solutions, especially internationally. This bill will have an even worse impact on UK businesses than the current revelations have already had.

The collection of useful data is easily bypassed by citizens. The entertainment industry has been trying to detect and prosecute people for copyright infringing activities for 10 years. This has taught much of the population how to use technologies like VPNs, and TOR. When these are used data collected under these Bulk collection schemes is useless.

The collection of this data is probably illegal under the European Convention on Human Rights. The recent ruling on the data retention directive should alert you to the fact that basic human rights are being infringed by the current collection schemes, and so this will probably be illegal under a similar challenge when it eventually comes. It would certainly not be legal under the American constitution.

Next I would like to discuss encryption. In your letter you say that you do not want to break encryption. The point in my letter was specifically about end-to-end encryption. This is where the service provider is unable to decrypt messages. The Bill states that a service provider must comply with a warrant, and provide decrypted information. So what does this mean for services where the service provider is unable to do this? This implies that you will ban such services. If you think that this will help catch criminals, and not seriously harm UK businesses, you don’t understand the issues.

End-to-end encryption uses the same technologies that secure connections to services providers. These are widely available technologies in open source products. These will be used whatever the law states.

I hope that this will help you understand how deeply flawed this bill is and convince you not to support it. I have only covered a couple of issues with this bill; there are many more that I have not covered here.

Yours sincerely,

Stuart Ward