Message-ID: <e92364c3041214194919d7df0c@mail.gmail.com>
From: jftucker at gmail.com (James Tucker)
Subject: GPRS/IP-session from Nokia/Symbian mobilephone stays up

Why can't the MS be given an IP connection through a NAT with a private IP class? (This removes the specific attack vector described, as the range could be made much larger.) Obviously this is less preferable for financial transactions, as one would desire to know more about the endpoint; however, it could be argued that in reality the switch carries the end of the IP circuit, and thus there is no real argument here (except by paranoid auditors who've lost an appreciation of reality (not uncommon (*clears throat*))).

When you are discussing wireless data circuits at these speeds and oversubscription rates, the overhead associated with adding IPv6 as an optional function is quite significant (data, cost, interoperability with the outside world, MS support, etc., etc.). As was stated, moving to IPv6 only is problematic in terms of end user support. Furthermore, there are support issues with some of the IPv6 implementations anyway (meaning even those IPv6 devices may not work either). See the eastern GSM networks for detail on that (they've been suffering IP range issues for some time now).

In terms of address depletion, there is the oversubscription to be considered also; it is likely that the IP infrastructure will not be the bottleneck here, and in fact the network probably does not support enough concurrent users to fully deplete the range prior to RF equipment saturation. This leaves the cost issue, and leads to the understanding that firewalls (with connection/application knowledge) are probably required (as it is only the end user device that will ever know if it needs the connection again). IMO it shouldn't even have been this long before people started switching on to attacking these networks.

Cost, of course, is one of the reasons for the lack of prior abuse in this area (outside of some professional efforts). Some users are already having cost-related issues with IP services on GPRS, the common one being IM over GPRS, which has led to quite a few unpaid bills already.

Finally, IPv6 doesn't completely eradicate the possibility of a similar attack; it simply changes the scale. Let me explain: 10 years ago, scales had quite a different ratio than they do now. Back then it would not take me a day to crack every password hash on the local machine, nor were there consultants carrying around hash DVDs for near-instant cracking services. At the time, 9Gb of data was quite a large volume. Moreover, programmatic generation of it, whilst not a complex algorithm as such, was a long (in terms of time quanta) operation. Now, though, systems are faster, memories are bigger, and thus the scale of the search space is different to the scale of processing ability. Similar thing here: as the scales change ratios, the impact of scalar-reliant attacks will also change.

The moral of the story is that scalar attacks should be somewhat predictable, and thus known and prepared for. We know that passwords are getting weak, so we are moving to pass phrases and biometrics. If you know that address ranges are a problem for this technology, then don't just try to change the length of the range; change the system functionality until it's not possible to abuse it anymore.

m/2cents