Savid INSIGHT, Volume 1, Issue 5

Inside this Issue
How to hack a Facebook profile? Attack Content Distribution Networks ........ 1
IPv6 – New Protocol, less security? ........ 1
The CEO Corner: Michael Davis shares his thoughts ........ 2
Know the value of your business becoming a Social Media butterfly ........ 3
Events ........ 3
Monthly Special: Receive a free 37 Point Assessment of your IT environment ........ 4

How to Hack a Facebook Profile? Attack Content Distribution Networks. Is your password protected?

As the clouds continue to roll in (sorry, I had to...), we are learning of more attacks being successful against organizations such as Google, Facebook, and others. The latest is from a security researcher, Christian Heinrich, located in Australia. He reverse engineered the algorithm Facebook uses to access your personal photos. Since Facebook is a massively distributed application, items such as photos and larger files are placed into a content distribution network (CDN) such as that provided by Amazon, Akamai, and others in order to reduce the load on Facebook's servers. The thing is, the CDNs don't integrate into Facebook's authentication framework, since the CDN just stores files and serves them to anyone that requests the proper filename. Guess the filename of the private photos for a person on Facebook, send the request to the CDN, and you get the photo in return.

And that is what led to an arrest and charges for a privacy breach. During his presentation, Heinrich demonstrated this vulnerability at Flickr, Facebook, and MySpace. He demonstrated how we could access the private photos of his fellow researcher Chris Gatford's wife. One example showed a picture of Chris Gatford's wife and child. The Queensland Police responded to a complaint, although we don't know who filed the complaint about Heinrich's breach of Chris Gatford's wife's privacy caused by the demonstration. The Police responded by arresting a reporter for the Sydney Morning Herald, who had interviewed Heinrich about his presentation, and seized the reporter's iPad.

Is this really Facebook's or Flickr's problem, or the CDN's? It most definitely is the content producer's problem. The CDN networks can provide authentication and more advanced security controls, but that lowers performance by 30% or more.

Ah, the old security versus performance argument. That age-old argument is why this little and perhaps unknown arrest in Australia affects your organization whether you are using a CDN or not. When the age-old performance versus security argument comes up, the focus must be on the data type. Many pieces of data are not considered private or confidential, but if they are, you must stick to your security guns and only allow authenticated and authorized access to that data. Your argument back to IT or development about the performance gains is to analyze the increase in performance from only allowing the non-confidential data to be accessed without security controls. Meeting them halfway means they may have to accept a 15% or 20% increase in performance that is less than perhaps the increase they were looking for, but it is better than no increase at all.

IPv6 – New Protocol, less security?

Did you know that most of the mobile phones in Asia do not use IPv4 to communicate with the Internet? They use IPv6-to-IPv4 tunneling because they have run out of IP address space in most parts of Asia. The quick move to IPv6 by other countries has promoted a global growth in IPv6, as many Asian manufacturers require their US counterparts to integrate with their supply chain using IPv6. The problem is, when we talk to enterprises they are not ready for IPv6, even though IPv6 has been supported by vendors like Cisco for over 8 years. Many organizations do not understand the fundamental differences in IPv6, and that is the cause of some security concerns.

First, Network Address Translation (NAT) is no longer available in IPv6 because it is impossible to use up the entire IPv6 address space. The length of an IPv6 address is 128 bits, compared to 32 bits in IPv4, which means you can have a total of 3.4×10^38 addresses, a lot more than IPv4. However, many SMBs rely upon NAT to hide their servers from the Internet. While this is simply security through obscurity, the fact is NAT works! Without NAT, you may need to rethink or purchase additional equipment to protect IPv6 servers.

Next, many IT professionals have read that IPv6 is inherently more secure than IPv4 because authentication and encryption are baked into the IPv6 protocol. While it is part of the specification, the technology still needs to be configured and deployed, and it has similar performance problems to its IPv4 counterpart, which means if you couldn't get management to buy into IPv4 encryption, good luck with IPv6.

Back to that huge address space we talked about earlier. We regularly hear that IPv6's huge address space makes it immune to port scanning. By far the most common IPv6 subnet prefix is 64 bits, which supports up to 1.8×10^19 individual addresses. Assuming a port scanner could "hit" one address per second, a scan of the entire address space of a 64-bit subnet would take over 584 billion years! The problem is that most port scanners use predictive algorithms to greatly optimize their scanning capabilities and don't just hit one port per host at a time, so while it will slow port scanning down, it definitely won't take 584 billion years for one scan. Also don't forget, security professionals have legitimate uses for port scanning too, so this "feature" can cause administrative problems too.

Lastly, we believe the biggest security issue with IPv6 is the ease of configuration. Give this a try. Install 2 Windows machines. Next, disable IPv4. You will be amazed that communication between the two devices still works. By default IPv6 is enabled and functioning, and most admins do not disable IPv6, which means an attacker could start using IPv6 to communicate between machines and evade any IPv4 or host-based IPv4 firewalls that are installed. Add to this scenario the ability to tunnel IPv6 into IPv4, and they could use one IPv4 server to proxy all their malicious traffic through to your unknown and unmanaged IPv6 network.

What are the key security considerations with IPv6 you need to be in front of?
• Security means more than firewalls and ACLs. Ensure all your IP systems are ready for IPv6, such as your IDS/IPS, SIEM, etc.
• Networking devices may process IPv6 in software. This is an opportunity for CPU depletion attacks.
• Many modern operating systems enable IPv6 by default. Do you know everywhere these OSes reside and how to secure them?
• IPv6 code is new. There have been security holes, and there will be more, so make sure you monitor. Remember, black hats are studying IPv6 closely.
• There are three legs to the security stool: tools, people and processes/policies. Budget sufficient time and money to update procedures and train your people.

There are other deployment and security concerns for IPv6, and we will continue to discuss them as IPv6 continues to be deployed. If you are not ensuring new security technology you purchase is IPv6 capable, stop what you are doing and go do an audit right now, and update any RFP or RFQ documents IT uses when purchasing security technologies; otherwise the security issues within IPv6 could come up and bite you.
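To make the content producer's side of the security-versus-performance argument concrete, here is an added illustration; it is not Facebook's, Flickr's or any CDN's actual mechanism, and the object names, classification table and signing key are constructed for the example. Assets classified as public are served as-is at full CDN speed, while a private asset is served only against a URL carrying an expiring HMAC signature that the origin issues after authenticating the viewer, so a guessed filename alone is refused at the edge.

```python
"""Added illustration (not any real CDN's mechanism): the producer decides per
object whether it is public or private, and the CDN edge verifies a signed,
expiring URL for private objects without calling back to the origin."""
import hmac
import hashlib
import time
from typing import Optional
from urllib.parse import urlencode, parse_qs, urlsplit

# Constructed sample data: a secret shared only between the content producer
# and the CDN edge, and the per-object classification (the "data type" the
# article says the argument must focus on). The key is a placeholder.
SIGNING_KEY = b"example-key-rotate-me"
CLASSIFICATION = {
    "/public/logo.png": "public",
    "/photos/u123/vacation_0042.jpg": "private",
}


def _signature(path: str, expires: int, viewer: str) -> str:
    # Bind the signature to the object, its expiry and the authenticated viewer.
    msg = f"{path}|{expires}|{viewer}".encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()


def issue_url(path: str, viewer: str, ttl: int = 300, now: Optional[int] = None) -> str:
    """Origin side: after authenticating `viewer`, hand out a URL valid for ttl seconds."""
    now = int(time.time()) if now is None else now
    if CLASSIFICATION.get(path) == "public":
        return path  # no signature needed, so no performance cost at all
    expires = now + ttl
    query = {"viewer": viewer, "expires": expires, "sig": _signature(path, expires, viewer)}
    return path + "?" + urlencode(query)


def edge_check(url: str, now: Optional[int] = None) -> bool:
    """CDN edge side: one HMAC per request instead of an authentication round trip."""
    now = int(time.time()) if now is None else now
    parts = urlsplit(url)
    cls = CLASSIFICATION.get(parts.path)
    if cls == "public":
        return True
    if cls != "private":
        return False  # unknown object: fail closed
    q = parse_qs(parts.query)
    try:
        viewer, expires, sig = q["viewer"][0], int(q["expires"][0]), q["sig"][0]
    except (KeyError, ValueError):
        return False  # a bare, guessed filename carries no signature
    if now > expires:
        return False  # stale link, even if it was once legitimately issued
    return hmac.compare_digest(sig, _signature(parts.path, expires, viewer))
```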
CEO Corner

As IT looks to outsource more functions to the cloud, most businesses find out that cloud services are pay-as-you-go, based on metrics such as transactions, gigabytes of storage, or CPU cycles. This finite measurement of utility can be difficult to estimate for many IT organizations, but the process may be worth the pain because of a hidden benefit. I am starting to see IT organizations use the same metrics cloud providers are using to charge them in order to charge the business for IT services. This seems like a simple and elegant idea and it might take off. Example: Want to purchase a mobile device security product? Simple, charge an extra $1 per phone per month to the business. Want to purchase a new backup system? Charge users per gigabyte backed up. Outsourced vendors are helping shape the "IT as a service" strategy into a reality, and the use of such simple payment schemes enables IT to more easily estimate Return on Investment and cost. With all the things IT does to help create business value, don't be surprised when you get a bill from IT.

Check this out! Top 10 Mobile Application Security Risks
This on-demand webinar teaches you how to strategically approach mobile security, so you can stay one step ahead of attackers. Call 877-307-0444 for more information or watch today @ http://www.savidtech.com/top10mobilerisks

Know the Value of your business becoming a Social Media butterfly

For most of us Facebook, Twitter, and LinkedIn have become part of our daily lives, which is why your marketing or sales team may be coming to you asking about having the company join these social media networks. You may still be skeptical on how this could benefit your business, so we decided to give you the top reasons why social media is here to stay. Once thought of as a fad, social media is now a fundamental way we communicate and conduct business.

According to comScore, 22% of Fortune 500 companies now have public-facing blogs, which created additional web presence. In 2010, Twitter gained 100 million users, while more than 250 million people connect to Facebook every month. Chicago was the fastest growing city on Facebook in terms of usage in 2010 (AllFacebook.com); how many of these users are your company's target market? By integrating social media into your company's marketing plan, your target market is more accessible than you think.

The Benefits that Social Media Can Provide:

Branding and Awareness: By using social media sites such as Twitter, Facebook, and LinkedIn, your company will gain new exposure and be known in the industry, which increases brand awareness and improves brand reputation.

Building Community: Build your number of business contacts and enhance your reputation as an expert in your industry. Connect with other professionals in your field to share information with like-minded people. Leverage these online communities for your business by being a valued member of the community yourself.

Research and Development: Social media allows for better tracking through clicks and other metrics captured online versus in traditional media (like TV, newsprint, magazines, radio). Instant surveys can be conducted for enhanced product decision making.

Increases Customer Loyalty & Trust: Providing knowledge and insight through thought leadership to your readers will help build their trust in the company, which will make them do business with you rather than your competition. It will also improve the chances of customer recommendations.

Lead Generation: With millions of users logging in daily, don't underestimate the power of social media. These platforms connect you to qualified leads and, when used right, will bring in more traffic than the search engines. There are over 700,000 local businesses on Facebook, and those businesses have created more than 5.3 billion fans for their sites.

In the end, social media is a privilege and a tool — one more opportunity to run a more productive and successful business. Now that you know the reason why social media can benefit your company, here's how you can help your marketing and sales team the right way with technology, by making sure that these components are in check before becoming a Social Media butterfly.

First, remember that your employees are users of social media too. They follow other brands and companies they want to buy from. This can be a problem for your company because of the dreaded password sloth problem. Password sloth refers to using the same passwords for more than one account or website, and if the password your employees use on Facebook is the same as their VPN password it could cause a breach.

Second, watch out for the negative impact of social media. While social media can help your company acquire new customers, it can also quickly lead to reputational impacts if the company responds improperly to social media questions or concerns. Social media is a double-edged sword.

Lastly, most organizations that start embracing social media end up opening up social media sites to employees so they can use them while at work. If employees have the capability to interact on social networks, it is likely they may talk about your company in a negative way, discuss internal projects, or accidentally leak confidential data, so you must be prepared with proper social media policies.

So marketing and sales have good intentions, but if you are still skeptical you have every right to be. According to InformationWeek's 2011 Strategic Security Survey of over 1,000 business and security professionals, more than 70% think that social media sites present a threat to their organization and 58% believe data loss is possible from employees having access to social media sites. If you have social media policies but are not enforcing them, start enforcing them immediately, as more social media attacks are being launched every day, but realize that enforcement does not mean disabling access. Now that you know why sales and marketing are asking for these changes, work with sales and marketing and properly educate your organization on social media risks.

Since employees have children or spouses at home using the same social networks, we have seen much better security awareness retention rates when the organization opens up social media sites but uses its awareness training to educate the employee about company and personal social media security risks. Helping employees protect themselves at work and at home while helping sales and marketing attract new customers is a win-win for all.

Monthly Events

June 9th @ 9:00am-5:00pm, CAMP IT – Enterprise Risk/Security Management. If attending this event, stop by our table to win fun gadgets and big prizes. Join us at the Donald E. Stephens Convention Center, Rosemont, IL (O'Hare).

Happy Hour, Cocktails and Conversation @ 5:30pm-7:30pm, VIP Lounge. Attended CAMP IT or in the area? Join us for a complimentary Happy Hour at the Crowne Plaza Hotel in Rosemont, IL (across from the Donald E. Stephens Convention Center, Rosemont, IL (O'Hare)).

Complimentary Executive Briefing, by appointment only. Michael Davis will review his 2011 Security Report, discussing the results of a year-long study of over 1,300 security professionals in the US, demonstrating how organizations approach security strategically and how you can learn from the mistakes of others.

June 23rd @ 2:00pm CST, How to Properly Perform a Risk Assessment, Webinar. Learn cutting edge information on how to perform a risk assessment with this free webinar! Register here today: http://www.savidtech.com/landing/proper_risk_assessment_webinar.php

Savid Technologies, 18470 Thompson Ct. Ste. 2B, Tinley Park, IL 60477

Take a Break!

"Like Us" on Facebook and be entered to win a $50 Best Buy Gift Card! Savid Technologies is very active in our web presence on Facebook, Twitter, and LinkedIn, and we want to interact more with YOU. We will make sure all your IT or security questions are answered! We regularly post:
• Exclusive content including the latest IT trends and security threats to help keep your valuable data protected and your networks running smoothly with no IT headaches.
• Informational videos featuring our experienced IT engineers educating on the newest technologies, as well as our security experts providing information on the latest threats and how to prevent your organization from becoming a target.
• Upcoming events & promotions such as informational webinars, complimentary lunch & learns, and exclusive executive briefings for you and your organization.
"LIKE" us today and we will enter you to win a $50 Best Buy Gift Card! Start interacting with us to gain exclusive, valuable information within the IT industry.

Follow Us On
Facebook: http://www.facebook.com/savidtech
Twitter: http://twitter.com/savidtech
Blog: http://www.savidtech.com/blog

Joke of the Month
"How can you get four suits for a dollar? Buy a deck of cards." Got a funny joke? Send it to us at email@example.com and we may include it in an upcoming issue.

Monthly Trivia
Be the first to email us the correct answer and win a $20 Starbucks Gift Card! Given these words, think of a famous person whose first and last names conceal the words. The given word extends to both the first and last names and is not concealed entirely in the first or last name alone. Example: Heap. Answer: Rhea Perlman. Words: Shop, Case Lined, Idle, Lore. Email your answer to info@savidtech.com and look for the winner listed in next month's newsletter. Congratulations to last month's trivia winner Greg Bee.

Monthly Special
FREE 37 Point Assessment of your IT Environment. Valid through the month of June. Contact 877-307-0444 to schedule your appointment or for more details.