Internet and online security professionals deal with hacking and cracking activity on a daily basis. With new technologies emerging every day, new security challenges arise and new vulnerabilities appear that allow black hat hackers to write and run new scripts capable of causing serious problems for whole networks. Our mission is to keep you informed about the latest scams and to warn you about new exploits that can have a severe impact on your online business.
21st August 2007

Internet security vulnerabilities on the application layer of the OSI model

Though the adoption of IPv6 can somewhat improve the security of the lower OSI layers, most actual hacking today happens on the application layer of the model.

We will talk about firewalls and intrusion detection systems in future articles, as well as ways to further secure your hosts with live response toolkits and forensic imaging toolkits that can help you detect kernel rootkits and the like.

Network reconnaissance is helpful if a hacker plans to attack a particular network. But in reality this approach is used less often today.

The main trend in internet security attacks for 2006-2007 is the “wholesale approach”.

That means no network, organization or individual serves as a specific target. Instead, the target is every machine that is exposed to a certain vulnerability.

Another clearly visible trend is the combination of different techniques. Where in 2004-2005 an intruder would (mostly) use either an email with an embedded virus or worm, or an exploit that gave him direct access to the system, intermediate hacks are now more popular.

They are used to gain initial access to the system and as a platform for downloading backdoors.

To facilitate the distribution of the malicious code, several techniques and methods are combined. Quite often large are utilized for the initial distribution of the spam emails. To get past current malware filters, no virus is embedded in the email itself. Instead, the reader is sent to a malicious URL, and the web page behind it downloads the exploit automatically.

Such spam campaigns can target over a billion email addresses, which ensures a large number of opened and clicked-through emails. A huge target audience guarantees a large base of users infected with a new virus through such a spam attack.
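The pattern just described (nothing attached, the payload sits behind a link) is what a mail filter has to catch. The following Python checker is an added example and not code from the original post: it parses a message with the standard email and html.parser modules, and flags mail that has no attachment but pushes the reader to a link whose visible text disagrees with its real destination, or that points at a bare IP address. The two sample messages, their domains and the finding labels are constructed for the demo.

```python
"""Added example, not from the original post: flag mail that carries no
attachment but steers the reader to a deceptive link.  The sample messages,
domains and finding labels below are constructed for the demo."""
import re
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: looks like a bank notice, has no attachment and one
# link whose visible text (a bank URL) differs from its real target (a raw IP).
PHISH_EMAIL = """\
From: "Account Services" <security@example-bank.test>
To: victim@example.test
Subject: Urgent: verify your account
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Your account is locked. Please verify at
<a href="http://203.0.113.7/verify.php?id=42">https://www.example-bank.test/login</a>
or read our <a href="https://www.example-bank.test/help">help page</a>.</p>
</body></html>
"""

# Constructed benign message for comparison: link text matches its target.
BENIGN_EMAIL = """\
From: newsletter@example.test
To: reader@example.test
Subject: Monthly update
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<p>Read it at <a href="https://www.example.test/news">www.example.test/news</a>.</p>
"""

_IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
# anchor text that itself looks like a URL or a host name
_URLISH = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:[/?#]|$)", re.I)


class _LinkParser(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _hostname(s):
    """Host part of a URL-like string (scheme optional), or None."""
    return urlparse(s if "://" in s else "http://" + s).hostname


def has_attachment(msg):
    return any(p.get_content_disposition() == "attachment" for p in msg.walk())


def analyze_email(raw):
    """Return link findings for one RFC 822 message given as a string."""
    msg = message_from_string(raw)
    findings, link_count = [], 0
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        parser = _LinkParser()
        parser.feed(part.get_payload(decode=True).decode("utf-8", "replace"))
        for href, text in parser.links:
            link_count += 1
            host = _hostname(href)
            if host is None:            # mailto:, javascript:, fragments ...
                continue
            if _IPV4.match(host):
                findings.append(("raw-ip-link", href))
            if _URLISH.match(text):     # shown text is URL-like: compare hosts
                shown = _hostname(text)
                if shown and shown.lower() != host.lower():
                    findings.append(("link-text-mismatch", f"{text} -> {href}"))
    attachment = has_attachment(msg)
    return {
        "attachment": attachment,
        "link_count": link_count,
        "findings": findings,
        # the pattern from the post: nothing attached, payload behind a link
        "suspicious": (not attachment) and bool(findings),
    }


if __name__ == "__main__":
    for name, raw in (("phish", PHISH_EMAIL), ("benign", BENIGN_EMAIL)):
        print(name, analyze_email(raw))
```

The check is deliberately stateless and offline; in a real gateway the same findings would feed a scoring engine together with sender reputation and URL lookups, and the bare-IP rule would be extended to newly registered or look-alike domains.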

So which applications are currently targeted most often?
According to the Symantec Internet Security Threat Report for the second half of 2006 (Volume XI), the most targeted groups were web browsers and third-party web applications.

Among web browsers, IE holds the crown and accounts for 77% of web-browser-targeting attacks.

Another confirmation that direct attacks are increasingly replaced by the “wholesale” approach is the fact that home users were the target in 93% of the latest attacks!

This is logical, since home users are the least educated group of computer users (as far as internet security is concerned) and can be rather easily tricked by the combination of spam and web-hosted URLs serving payloads rated at a medium threat level.

In other words, they can easily be tricked into opening spam emails and downloading the malicious code, and thus get their computers infected.

posted in Internet Security Paradigms and Models, Main, OS Security

19th August 2007

OSI, TCP/IP and the inherent flaws of both models

I was recently asked which future internet security protocols / models can help increase the overall security of the Internet.

Before I can answer this question, let’s take a brief look at the current OSI model (and its simplified, most often used TCP/IP version) that is the base for all data transfer between systems on the Internet. The security of the Internet is tightly bound to the security (or rather, insecurity) of those protocols.

The TCP/IP protocol suite was originally created to suit the needs of ARPANET, a closed network that was essentially what we would call an intranet today. Since it was not a public network, but rather peer-to-peer communication between several US universities, not everybody had access to it, so initially little thought was given to the security of the protocols. Their main task was to deliver data efficiently between remote locations.

Later this network grew into the Internet, but TCP/IP remained the main means of communication even though the network was no longer closed. So because of the initial “friendly” architecture, we now have IP spoofing to deal with. Nothing in IPv4 verifies that the source address of a packet belongs to the host that sent it, so an attacker can forge the source of his probes (mixing decoy addresses into ping sweeps and port scans) and hide the IP of the host that originated the attack.

Smurf attacks and ARP redirects also probably wouldn’t be possible if this model had originally been created with security in mind (or rather, if an enhanced version of the protocol had been created for the public network).

The traces of the “friendliness” of the TCP/IP model are best seen on layers 2-4 of the model.

The insecure nature of Ethernet still amazes me. On a shared segment every frame reaches every station, so anyone on the network can easily read the information passed between any other machines on the same bridge (on a switched network the attacker needs one extra step, such as ARP poisoning, to see the same traffic). The logic is that everyone will behave ethically and not eavesdrop on conversations not meant for them. Well, that could work for closed networks, but it certainly doesn’t work for the Internet, where you in effect trust all your private communications to complete strangers.

And the relative ease of ARP redirects, where any machine can answer an ARP request (or send an unsolicited reply) claiming that any IP address on the segment belongs to its own MAC address, is nothing more than a more advanced misuse of the same trust…
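The ARP abuse just described is easiest to catch from the defender's side by watching the replies on the wire. The Python monitor below is an added example, not code from the original post: it reads a constructed log of ARP replies (a simplified tcpdump-style line format invented for the demo, with constructed addresses), keeps its own IP-to-MAC table, and raises an alert when an address flips between MACs, when a pinned (trusted) mapping such as the gateway is contradicted, and when one MAC ends up claiming several IPs, which is what a man-in-the-middle sitting between the gateway and a victim looks like.

```python
"""Added example, not from the original post: audit a log of ARP replies
for the symptoms of ARP redirection / poisoning.  The log lines and addresses
below are constructed for the demo in a simplified tcpdump-like format."""
import re
from collections import defaultdict

# Constructed log.  de:ad:be:ef:00:01 first hijacks the gateway (.1), then a
# victim (.20); later the real gateway answers again (flip-flop).
ARP_LOG = """\
10:00:01 reply 192.168.1.1 is-at 00:11:22:33:44:55
10:00:02 reply 192.168.1.20 is-at 00:11:22:33:44:66
10:00:03 request who-has 192.168.1.1 tell 192.168.1.20
10:00:05 reply 192.168.1.1 is-at de:ad:be:ef:00:01
10:00:06 reply 192.168.1.1 is-at de:ad:be:ef:00:01
10:00:07 reply 192.168.1.20 is-at de:ad:be:ef:00:01
10:00:09 reply 192.168.1.1 is-at 00:11:22:33:44:55
"""

_REPLY = re.compile(
    r"^(?P<ts>\S+) reply (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) is-at "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})$", re.I)


def parse_arp_replies(text):
    """Yield (timestamp, ip, mac) for reply lines; other lines are ignored."""
    for line in text.splitlines():
        m = _REPLY.match(line.strip())
        if m:
            yield m["ts"], m["ip"], m["mac"].lower()


def audit_arp(text, trusted=None):
    """Return a list of alert dicts for the ARP replies in `text`.

    `trusted` pins IP -> MAC for hosts whose mapping must never change
    (typically the default gateway); those entries are never overwritten.
    """
    trusted = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
    table = dict(trusted)              # our own view of the IP -> MAC mapping
    ips_per_mac = defaultdict(set)     # which IPs each MAC has claimed
    alerts = []
    for ts, ip, mac in parse_arp_replies(text):
        ips_per_mac[mac].add(ip)
        known = table.get(ip)
        if known is None:
            table[ip] = mac            # first time we see this IP: learn it
        elif known != mac:
            if ip in trusted:
                kind = "trusted-override"   # someone contradicts the pinned entry
            else:
                kind = "flip-flop"          # mapping changed: classic poisoning sign
                table[ip] = mac
            alerts.append({"ts": ts, "kind": kind, "ip": ip, "old": known, "new": mac})
    for mac, ips in ips_per_mac.items():
        if len(ips) > 1:               # one NIC answering for several IPs
            alerts.append({"ts": "-", "kind": "mac-claims-many",
                           "mac": mac, "ips": sorted(ips)})
    return alerts


if __name__ == "__main__":
    for alert in audit_arp(ARP_LOG, trusted={"192.168.1.1": "00:11:22:33:44:55"}):
        print(alert)
```

Pinning the gateway is the important part: without a trusted entry the monitor can only report that the mapping changed, not which of the two MACs is the impostor. On a real network the same idea is what arpwatch does, and static ARP entries or switch features such as dynamic ARP inspection stop the redirect rather than just logging it.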

Same goes for DHCP servers and DNS servers…

Though many believe that actual hacking happens on the application layer, it would be much more difficult to accomplish without preliminary reconnaissance of the target subnet. Besides, all the sniffing happens on the lower layers. And if usernames and passwords are sniffed, then no hacking is really needed – you already have everything you need.

So if we want a more secure Internet, the first logical conclusion would be to somehow boost the security of the TCP/IP protocols.

IP version 4 is completely insecure, so big hopes were pinned on the introduction of IP version 6. At least it should make it possible to positively identify the source of an attack (though only where IPsec authentication is actually used; a bare IPv6 header can be spoofed just like an IPv4 one).
Ping sweeps won’t work anymore simply because of the size of the subnets that would have to be scanned: a single /64 holds 2^64 addresses (though attackers can fall back on the all-nodes multicast address, DNS and neighbor caches to find hosts). And broadcast is replaced by multicast, which reduces the number of hosts that can intercept communication. It should also be harder for worms to spread by random scanning. Of course the mandatory inclusion of IPsec in IPv6 (mandatory to implement, not to use) could theoretically be helpful too.

(Though in practice the deployment of this protocol will take at least a few years, and most likely no encryption will be enabled initially.)

Unfortunately, this protocol has weaknesses of its own. One thing I hate is that you can no longer filter all ICMP traffic, because IPv6 neighbor discovery depends entirely on ICMPv6. And ICMP is well known as one of the most popular vehicles for DDoS.
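Rather than dropping all ICMPv6 (which, as noted above, breaks neighbor discovery), a firewall has to let the neighbor discovery and error messages through while still rejecting forged ones. The policy below is an added example in Python, not code or configuration from the original post; it is written as a packet classifier so the rules can be read and tested offline. The rules follow the validation requirements of RFC 4861 (neighbor discovery messages must arrive with hop limit 255, and router advertisements and redirects must come from a link-local source) and the general recommendations of RFC 4890 on filtering ICMPv6. The packet records are constructed for the demo; a real deployment would express the same rules in ip6tables/nftables and add rate limiting for echo requests.

```python
"""Added example, not from the original post: an ICMPv6 filtering policy
that keeps neighbor discovery working while rejecting forged ND traffic.
Packet records below are constructed for the demo."""
import ipaddress
from collections import Counter
from dataclasses import dataclass

# ICMPv6 type numbers (RFC 4443 errors, RFC 4861 ND, RFC 2710/3810 MLD)
ND_TYPES = {
    133: "router-solicitation", 134: "router-advertisement",
    135: "neighbor-solicitation", 136: "neighbor-advertisement", 137: "redirect",
}
ERROR_TYPES = {1: "destination-unreachable", 2: "packet-too-big",
               3: "time-exceeded", 4: "parameter-problem"}
MLD_TYPES = {130, 131, 132, 143}
ECHO_REQUEST, ECHO_REPLY = 128, 129


@dataclass(frozen=True)
class Icmpv6Packet:
    type: int
    code: int
    src: str
    dst: str
    hop_limit: int


def block_all_icmpv6(pkt):
    """The tempting IPv4-era rule.  On IPv6 it also kills neighbor discovery,
    so the host cannot even resolve its gateway's link-layer address."""
    return ("drop", "all-icmpv6-blocked")


def filter_icmpv6(pkt):
    """Return (verdict, reason) for one ICMPv6 packet."""
    src = ipaddress.IPv6Address(pkt.src)
    t = pkt.type
    if t in ND_TYPES:
        # RFC 4861: every ND message is sent with hop limit 255.  A packet that
        # crossed a router cannot still have that value, so anything lower is
        # an off-link forgery and is discarded.
        if pkt.hop_limit != 255:
            return ("drop", "nd-hop-limit-not-255")
        # RFC 4861: RAs and Redirects must originate from a link-local address.
        if t in (134, 137) and not src.is_link_local:
            return ("drop", f"{ND_TYPES[t]}-src-not-link-local")
        return ("allow", ND_TYPES[t])
    if t in ERROR_TYPES:
        # Needed for path MTU discovery (IPv6 routers never fragment) and for
        # meaningful connection failures.
        return ("allow", ERROR_TYPES[t])
    if t in MLD_TYPES:
        # MLD is link-local signalling sent with hop limit 1.
        return ("allow", "mld") if pkt.hop_limit == 1 else ("drop", "mld-hop-limit-not-1")
    if t == ECHO_REQUEST:
        return ("allow", "echo-request-rate-limited")   # rate-limit in the real firewall
    if t == ECHO_REPLY:
        return ("allow", "echo-reply")
    return ("drop", "unknown-or-unneeded-type")


# Constructed traffic sample: legitimate NS and RA, an off-link forged NS, a
# forged redirect, a PMTU error, an echo request, an experimental type and an
# MLDv2 report.
SAMPLE_PACKETS = [
    Icmpv6Packet(135, 0, "fe80::1", "ff02::1:ff00:2", 255),
    Icmpv6Packet(135, 0, "2001:db8::bad", "ff02::1:ff00:2", 64),
    Icmpv6Packet(134, 0, "fe80::1", "ff02::1", 255),
    Icmpv6Packet(137, 0, "2001:db8::bad", "2001:db8::2", 255),
    Icmpv6Packet(2, 0, "2001:db8::5", "2001:db8::2", 60),
    Icmpv6Packet(128, 0, "2001:db8::9", "2001:db8::2", 64),
    Icmpv6Packet(100, 0, "2001:db8::9", "2001:db8::2", 64),
    Icmpv6Packet(143, 0, "fe80::2", "ff02::16", 1),
]


def summarize(policy, packets=SAMPLE_PACKETS):
    """Count the verdicts of `policy` over `packets`."""
    return dict(Counter(policy(p)[0] for p in packets))


if __name__ == "__main__":
    print("block all:", summarize(block_all_icmpv6))
    print("filtered :", summarize(filter_icmpv6))
    for p in SAMPLE_PACKETS:
        print(p.type, p.src, "->", filter_icmpv6(p))
```

The hop-limit check is the one that matters most: it is what confines neighbor discovery attacks to the local link, so the remaining exposure (rogue RAs, NS/NA spoofing from a compromised neighbor) has to be handled on the switch with RA guard and similar features rather than on the host firewall.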

In total, IPv6 should have more positives than negatives as far as Internet security is concerned.

But we also need to see what can be done to increase security on the application layer.
We’ll talk about it next time.

posted in Main, OS Security