Researchers at German pentesting company Enable Security just published an intriguing blog post about a security problem they found in the popular online collaboration tool Slack.
The short version is that they uncovered a way to poke around inside the private parts of Slack's network, so they disclosed it, Slack fixed it and paid them a $3,500 bounty... and then, as sometimes happens when the rest of life gets in the way, it was another two years before they got the green light to publish their findings.
In some ways, the bug bounty progress report makes more fascinating reading than the blog post itself, because it shows how the responsible disclosure process allows for affable and open technical discourse between the bug finders and the bug fixers, without giving needless hints to crooks along the way.
But we'll focus on the blog post here because it includes some really simple but very effective advice that anyone running real-time collaboration services (a hot topic right now!) can take on board.
Whether you're interested in live text chat, audio or video, this report could help you improve your own security, and that of your users.
One problem that so-called end-to-end or peer-to-peer software has on most internet-connected networks is that very few computers these days have network identifiers (what are known as IP numbers) assigned uniquely to them.
The modern internet numbering system known as IPv6 (there is no IPv5 numbering system because the suffix -5 had already been used for other things) gives each device on the internet a 128-bit number.
Even using just 64 bits' worth of that so-called address space, you can count all the way from zero to 2^64 - 1, which is enough to number nearly 20 million million million devices uniquely.
But the older IPv4 system is still used by the vast majority of devices out there, and it has just 32 bits, which gives you an absolute maximum device count of just over 4000 million (4 billion).
As large as that sounds, there are already billions of mobile phones around the world, plus billions more laptops, routers, cloud servers, smart kettles, street signs, lampposts... so you can see why 32-bit network numbers are a real problem these days, and have been for years.
(In practice, there aren't even 2^32 values available, because about half a billion IPv4 numbers are set aside for purposes other than identifying individual devices.)
Most networks these days make do with one public IP number that's shared between all the computers on the local network (LAN), while the computers themselves use so-called private IP numbers that are reserved for internal use only.
These private IP numbers don't get past the router, so they don't need registration or any central authority to control them, but they don't identify your computer globally in any useful or usable way.
If you've ever wondered why your computer may show up with an IP number such as 192.168.1.12 at home, and something very similar, such as 192.168.1.13, at the coffee shop you (used to) frequent, it's because those numbers are private only, and as long as they're allocated on separate LANs they won't get in each other's way.
As an aside, if you've ever had the misfortune to have all the computers on your network blocklisted at the same time because just one of them did something naughty, such as sending spam... that's because all traffic out of your network has the very same IP number once it joins the public internet, so your individual computers can't be blocked independently; they stand or fall together.
Your router therefore acts as a sort of traffic proxy that figures out which incoming network packets are replies to what outgoing network requests, and redirects them accordingly.
That's called NAT, short for Network Address Translation, and it's a decent enough solution if all you want to do is establish connections from your private network to servers on the public internet, as you did when you browsed to this web server to start reading this article.
Generally speaking, however, a NATting router can only deal reliably with incoming traffic after a computer on the LAN has initiated an outbound connection; otherwise it has no idea which network flows (as they are called) belong to which device.
For peer-to-peer chats, whether they're one-to-one calls or group calls, you have a problem: each participant can dial out to the call by connecting outwards to any or all of the others, but no one can accept the call, because incoming network traffic relies on an already-open connection to a public server first.
One solution to this problem is known as TURN, which is a rather forced acronym meaning Traversal Using Relays around NAT. (Relays Using NAT Traversal would be clearer to write in full, but wouldn't be a good acronym.)
The idea is that a server on the public internet acts as an answering machine that accepts calls from other computers, even if they are behind NAT routers, and applies suitable identification and authentication as needed.
For any call that users are trying to connect to, the TURN server ends up on the receiving end of outbound connections from everyone on the call, so it can act as a relay or broker that shuffles one caller's outbound data into the right recipient's inbound data channel and vice versa, thus simulating an end-to-end connection between two or more computers that would otherwise be kept apart by their NAT routers.
This isn't an ideal solution, especially if the TURN server is in New York and the callers are both in San Diego, say, because the packets are crossing a continent only to come straight back again, and it also means that everyone's call latency gets affected by the load on the TURN server.
But by making TURN into a lightweight data-packet-shuffling service, it's nevertheless proved to be a very useful system that works for all sorts of traffic, not just for audio, or video, or whatever.
Because TURN servers can broker traffic between arbitrary services on arbitrary computers, you don't need to add TURN code to every type of server you run, meaning that you can dedicate TURN servers entirely to their job of packet brokering.
This means you can therefore configure and tune your TURN servers for optimum throughput, without worrying whether those tweaks would reduce performance for other service types on your network, such as web, database and streaming servers.
But this general-purpose nature of TURN means that you need some way for a TURN server to allow the original caller to specify where they want to go to reach the other end of their TURN call.
And the primary function of TURN is to broker traffic past NAT routers, which means that TURN needs to be able to make sense of IP traffic that a router itself would ignore, because the destination computers have internal-only IP numbers that make no sense on the public internet.
You can probably guess where this is going.
There are almost certainly several network ports open on your laptop right now, many of them listening on localhost, which is a special series of IP numbers from 127.0.0.0 to 127.255.255.255 that are reserved for your computer to access itself only from itself.
Localhost addresses (127.0.0.1 is usually used) are so special that many operating systems don't even send local network packets through the networking subsystem.
To improve the speed, security and reliability of local-to-local connections they often just shuffle the data directly in memory between the sending program and the receiver.
Likewise, your router probably has an administration web server running on an IP number such as 192.168.1.254 or 192.168.0.1 to keep it safely cut off from the outside world but accessible to computers inside your network.
But if you have a TURN server, it is already inside your network, so if you accidentally permit an incoming caller to specify an internal-only IP number as its target, you may end up brokering packets between an outsider and some internal service that would otherwise be invisible to outsiders.
Peeking into internal Slack resources via Slack's TURN servers in this way is what our intrepid researchers were able to do, two years ago.
By placing fake calls with recipients that were inside Slack's own network, using a mixture of localhost and private IP numbers, they were able to boldly go where no caller was supposed to.
They made an informative video (it's slow going but surprisingly easy to follow) of what happened:
If you are a Slack user, there is nothing to do.
Slack already did it for you, which is why this report is public only now.
But if you run your own TURN servers, the researchers suggest checking that you have configured your server to ignore connection brokering requests to any internal-only IP numbers.
This protects you from access control mistakes down the line, because there is no down the line.
For the server described in their paper (called coturn), the configuration they recommend is as follows:
If you're a networking person you will probably recognise those ranges anyway; they cover multicast, LAN-only IP numbers, localhost-only IP numbers, autoconfiguration IP numbers, reserved-for-documentation IP numbers and more.
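As an added example (not code from Enable Security, Slack or the coturn project), here is the kind of peer-address check a relay should apply before brokering anything, covering the categories listed above plus IPv6 equivalents, together with a helper that renders the same list for coturn. The `denied-peer-ip` key and its start-end range format are assumed from coturn's sample turnserver.conf; check them against your installed version.

```python
"""Refuse TURN relay requests whose peer address points back into our own network.

Added example for illustration; assumes the relay can inspect the requested
peer address of each allocation or permission before it starts forwarding.
"""
import ipaddress

# Ranges a relay on the public internet should never forward traffic to:
# multicast, LAN-only, localhost-only, autoconfiguration, documentation
# and a few other reserved blocks. IPv6 equivalents are included too.
DENIED_PEER_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8",          # "this" network
    "10.0.0.0/8",         # private LAN (RFC 1918)
    "100.64.0.0/10",      # carrier-grade NAT shared space
    "127.0.0.0/8",        # localhost
    "169.254.0.0/16",     # link-local autoconfiguration
    "172.16.0.0/12",      # private LAN (RFC 1918)
    "192.0.2.0/24",       # documentation (TEST-NET-1)
    "192.168.0.0/16",     # private LAN (RFC 1918)
    "198.51.100.0/24",    # documentation (TEST-NET-2)
    "203.0.113.0/24",     # documentation (TEST-NET-3)
    "224.0.0.0/4",        # multicast
    "240.0.0.0/4",        # reserved, includes limited broadcast
    "::1/128",            # IPv6 localhost
    "2001:db8::/32",      # IPv6 documentation
    "fc00::/7",           # IPv6 unique local (the private LAN equivalent)
    "fe80::/10",          # IPv6 link-local
    "ff00::/8",           # IPv6 multicast
)]


def is_denied_peer(peer):
    """True if the requested peer address falls inside an internal-only range."""
    addr = ipaddress.ip_address(peer)
    # A version mismatch (v4 address vs v6 network) simply tests False.
    return any(addr in net for net in DENIED_PEER_NETWORKS)


def filter_peer_requests(peers):
    """Split requested peer addresses into (allowed, denied) lists."""
    allowed, denied = [], []
    for peer in peers:
        (denied if is_denied_peer(peer) else allowed).append(peer)
    return allowed, denied


def coturn_denied_peer_lines():
    """Render the deny list as start-end ranges for coturn's denied-peer-ip
    option (key name and range format assumed from turnserver.conf)."""
    return [f"denied-peer-ip={n.network_address}-{n.broadcast_address}"
            for n in DENIED_PEER_NETWORKS]


if __name__ == "__main__":
    # Constructed sample of peer addresses a TURN server might be asked to reach.
    sample = ["1.2.3.4", "127.0.0.1", "192.168.1.254", "169.254.169.254", "::1"]
    ok, bad = filter_peer_requests(sample)
    print("allowed:", ok)
    print("denied: ", bad)
    print("\n".join(coturn_denied_peer_lines()))
```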
Remember: the earlier you block bad traffic, the less harm it can possibly do!