[Translation] Data theft due to the latest features of Windows and Mac OS X

Original author: Dan Goodin
Security researchers have shown that confidential information can be stolen by abusing the standard behaviour of the Windows operating system.

The man-in-the-middle (MITM) attacks, described on Monday [04/04/2011], abuse features of the latest Windows versions that are meant to ease communication on networks built on the next-generation IP protocol, IPv6. Similar attacks can be mounted against Mac OS X computers, although there is no practical confirmation of this yet. So says Jack Koziol, CEO of the information-security firm InfoSec Institute.

The attack abuses a feature called Stateless Address Autoconfiguration (SLAAC), which lets clients and hosts find each other on IPv6 networks. When IPv6 is enabled, as it is by default in OS X, Windows Vista, Windows 7 and Server 2008, SLAAC can be used to set up an unauthorized IPv6 network that redirects traffic through equipment controlled by the attackers.

As Jack Koziol noted, “In the event of such an attack, Windows machines will connect to the ‘bad’ router instead of the correct one. If Microsoft had not enabled this option by default, most of the negative consequences of this attack could have been avoided.”

A proof-of-concept attack by InfoSec Institute researcher Alec Waters shows that the user has no influence on the protocol's automatic operation and receives no warning at all when the machine joins an unauthorized IPv6 network.

This attack works because the system is configured to use a newer communication protocol whenever one is available. Connecting unauthorized IPv6 equipment to an IPv4 network causes computers to start routing traffic through it rather than through the legitimate gateway. In other words, the attack relies on the system's default behaviour of preferring the newer protocol version whenever possible.

According to Jack Koziol, Linux, FreeBSD and other operating systems are not susceptible to this attack at default settings.

This technique of hijacking network traffic has long been known in theory in connection with the Address Resolution Protocol (ARP). According to Jack Koziol, while there are many tools for detecting and mitigating ARP attacks, there is virtually nothing today that can detect SLAAC attacks. Moreover, as new versions of Windows and OS X spread, such attacks will work effectively on an ever-growing number of machines.
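The detection gap described above is the part a defender can act on. The following is an added example, not code from the article, from Dan Goodin, or from the InfoSec Institute: a minimal parser for ICMPv6 Router Advertisements (type 134, RFC 4861) that raises an alert when an RA arrives on a network where IPv6 is not deployed, comes from a router that is not on the allowlist, or advertises a prefix that is not expected. It assumes the defender can capture ICMPv6 traffic (for example on a mirror port) and knows the link-local addresses of the legitimate routers; the two sample packets are constructed inline with a zero checksum and are not real captures.

```python
"""Rogue IPv6 Router Advertisement detector (added example, not from the article).

Assumptions (hypothetical): the caller already has the IPv6 source address and
the raw ICMPv6 payload of each captured packet, and maintains a Policy describing
the legitimate routers and prefixes for the segment being monitored.
"""
import struct
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

ICMPV6_ROUTER_ADVERTISEMENT = 134   # RFC 4861 message type
OPT_SOURCE_LINK_LAYER = 1           # option carrying the router's MAC address
OPT_PREFIX_INFORMATION = 3          # option carrying an on-link / SLAAC prefix
PIO_AUTONOMOUS_FLAG = 0x40          # "A" bit: hosts may build addresses from this prefix
RA_MANAGED_FLAG = 0x80              # "M" bit: use DHCPv6 for addresses


@dataclass
class RouterAdvertisement:
    src: ipaddress.IPv6Address
    router_lifetime: int                       # seconds; 0 means "not a default router"
    managed_flag: bool
    prefixes: List[Tuple[ipaddress.IPv6Network, bool]] = field(default_factory=list)
    link_layer: Optional[bytes] = None


@dataclass
class Policy:
    ipv6_expected: bool                        # False on an IPv4-only segment
    trusted_routers: Set[ipaddress.IPv6Address]
    allowed_prefixes: Set[ipaddress.IPv6Network]


def parse_ra(src: str, payload: bytes) -> RouterAdvertisement:
    """Decode the fixed RA header and the options relevant to SLAAC."""
    if len(payload) < 16 or payload[0] != ICMPV6_ROUTER_ADVERTISEMENT:
        raise ValueError("not a Router Advertisement")
    # type, code, checksum, cur hop limit, flags, router lifetime, reachable, retrans
    _t, _c, _csum, _hop, flags, lifetime, _reach, _retrans = struct.unpack("!BBHBBHII", payload[:16])
    ra = RouterAdvertisement(ipaddress.IPv6Address(src), lifetime, bool(flags & RA_MANAGED_FLAG))
    off = 16
    while off + 2 <= len(payload):              # walk the TLV option chain
        otype, olen = payload[off], payload[off + 1]
        if olen == 0:
            raise ValueError("zero-length option")   # RFC 4861 requires the packet be discarded
        end = off + olen * 8                    # option length is in units of 8 octets
        if end > len(payload):
            raise ValueError("truncated option")
        body = payload[off + 2:end]
        if otype == OPT_PREFIX_INFORMATION and olen == 4:
            # body: prefix len, flags, valid lifetime, preferred lifetime, reserved, prefix
            prefix_len, pflags = body[0], body[1]
            prefix = ipaddress.IPv6Network((body[14:30], prefix_len), strict=False)
            ra.prefixes.append((prefix, bool(pflags & PIO_AUTONOMOUS_FLAG)))
        elif otype == OPT_SOURCE_LINK_LAYER:
            ra.link_layer = body[:6]
        off = end
    return ra


def detect_rogue_ra(src: str, payload: bytes, policy: Policy) -> List[str]:
    """Return a list of alert strings; an empty list means the RA matches policy."""
    ra = parse_ra(src, payload)
    if not policy.ipv6_expected:
        # Any RA at all is suspicious where IPv6 was never deployed (the article's scenario).
        return [f"RA from {ra.src} on a segment with no IPv6 deployment"]
    alerts = []
    if ra.src not in policy.trusted_routers:
        alerts.append(f"RA from untrusted router {ra.src} (lifetime {ra.router_lifetime}s)")
    for prefix, autonomous in ra.prefixes:
        if prefix not in policy.allowed_prefixes:
            kind = "SLAAC-enabled" if autonomous else "non-autonomous"
            alerts.append(f"{kind} prefix {prefix} not in the allowed set")
    return alerts


def build_ra(prefix: str, autonomous: bool = True, lifetime: int = 1800,
             mac: bytes = b"\x00\x11\x22\x33\x44\x55") -> bytes:
    """Construct a sample RA payload for testing; the checksum is left as zero."""
    net = ipaddress.IPv6Network(prefix)
    hdr = struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERTISEMENT, 0, 0, 64, 0, lifetime, 0, 0)
    sll = struct.pack("!BB", OPT_SOURCE_LINK_LAYER, 1) + mac
    pflags = 0x80 | (PIO_AUTONOMOUS_FLAG if autonomous else 0)   # L bit always set here
    pio = struct.pack("!BBBBIII", OPT_PREFIX_INFORMATION, 4, net.prefixlen, pflags,
                      2592000, 604800, 0) + net.network_address.packed
    return hdr + sll + pio


# Constructed samples: one legitimate router, one unexpected router advertising its own prefix.
LEGIT_RA = build_ra("2001:db8:1::/64")
ROGUE_RA = build_ra("2001:db8:dead::/64", mac=b"\xde\xad\xbe\xef\x00\x01")
DUAL_STACK_POLICY = Policy(True, {ipaddress.IPv6Address("fe80::1")},
                           {ipaddress.IPv6Network("2001:db8:1::/64")})
IPV4_ONLY_POLICY = Policy(False, set(), set())

if __name__ == "__main__":
    for label, src, pkt, pol in [("legit", "fe80::1", LEGIT_RA, DUAL_STACK_POLICY),
                                 ("rogue/dual-stack", "fe80::2", ROGUE_RA, DUAL_STACK_POLICY),
                                 ("rogue/ipv4-only", "fe80::2", ROGUE_RA, IPV4_ONLY_POLICY)]:
        print(label, detect_rogue_ra(src, pkt, pol) or "ok")
```

The policy deliberately treats "no IPv6 here" as a single strong signal rather than a collection of weaker ones, because on an IPv4-only segment the mere presence of a Router Advertisement is the event worth paging on; on a dual-stack segment the untrusted-source and unknown-prefix checks together catch the case the article describes, where hosts silently prefer the rogue router over the legitimate gateway.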

Of course, attackers still have to place the appropriate hardware on the network. But on networks exposed to insider attacks, the presence of Windows or OS X machines makes the attack possible where it previously was not.

Bruce Cowper of Microsoft's Trustworthy Computing group commented on the situation as follows:
“Microsoft is aware of a discussion among security professionals about the possibility of man-in-the-middle attacks on IPv6-based networks. The described method requires a hypothetical situation in which the attacker has physical access to the network to install a ‘black’ router. This situation is not a ‘security hole.’ As the only protection option, we disable the IPv6 protocol on all machines that do not use it.”


From the translator: “Oh, how many wondrous discoveries…” To be continued with a piece on readiness for IPv6.