Date: Sun, 18 May 2008 16:04:32 -0400
From: "Elazar Broad" <elazar@...hmail.com>
To: xploitable@...il.com, full-disclosure@...ts.grok.org.uk,
	kurtdillard@....com
Subject: Re: [NANOG] IOS rootkits

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Keep in mind that rootkit functionality itself isn't all bad, take
anti-virus software for example. It's like a shark trawling the
bottom of the sea floor, looking up at its next meal on high; how
deeply can you hook the OS core...

Elazar

On Sun, 18 May 2008 14:45:48 -0400 Kurt Dillard
<kurtdillard@....com> wrote:
>Apparently Gadi doesn't understand either. Rootkits don't need to exploit
>vulnerabilities in an OS, they leverage the design of the OS or the
>underlying hardware platform. You don't 'patch' the design of something.
>You want to stop rootkits in IOS? Don't allow it to run arbitrary code,
>run the OS in firmware rather than from writable storage. Go study up on
>rootkits for a few weeks before you complain about someone demonstrating
>one. Unlike you guys I happen to know what I am talking about as I've
>been studying malware including rootkits for over 10 years. By studying
>I mean taking them apart, figuring out how they work, and finding tools
>to deal with them; not reading some half-assed article on CNET or
>Ziff-Davis full of technical errors.
>
>Over the past few years Cisco, Apple, and Oracle have behaved an awful
>lot like Microsoft did 10 years ago, trying to pretend that their
>platforms are immune to malware and refusing to approach vulnerabilities
>head-on with an attitude of rational pragmatism. Dave Litchfield and his
>team have dragged Oracle kicking and screaming to the world of reality,
>the same has yet to happen with the other two firms.
>
>-----Original Message-----
>From: full-disclosure-bounces@...ts.grok.org.uk
>[mailto:full-disclosure-bounces@...ts.grok.org.uk] On Behalf Of
>n3td3v
>Sent: Sunday, May 18, 2008 12:50 PM
>To: full-disclosure@...ts.grok.org.uk
>Subject: Re: [Full-disclosure] [NANOG] IOS rootkits
>
>On Sun, May 18, 2008 at 4:37 PM, Kurt Dillard
><kurtdillard@....com> wrote:
>> NETDOVE,
>> Obviously you have no idea how a rootkit works much less how to defend
>> against them, your rants make no sense.
>>
>> Kurt
>
>Dude,
>
>Gadi Evron is punching into this guy as well, check this out:
>
>---------- Forwarded message ----------
>From: Gadi Evron <ge@...uxbox.org>
>Date: Sun, May 18, 2008 at 3:48 PM
>Subject: Re: [NANOG] IOS rootkits
>To: Dragos Ruiu <dr@....net>
>Cc: topo@...esecurity.com, fx@...urity-labs.com, nanog@...it.edu,
>ivan.arce@...esecurity.com
>
>
>On Sun, 18 May 2008, Dragos Ruiu wrote:
>>
>> On 17-May-08, at 3:12 AM, Suresh Ramasubramanian wrote:
>>
>>> On Sat, May 17, 2008 at 12:47 PM, Matthew Moyle-Croft
>>> <mmc@...ernode.com.au> wrote:
>>>> If the way of running this isn't out in the wild and it's actually
>>>> dangerous then a pox on anyone who releases it, especially to gain
>>>> publicity at the expense of network operators' sleep and well being.
>>>> May you never find a reliable route ever again.
>>>
>>> This needs fixing. It doesn't need publicity at security conferences
>>> till after cisco gets presented this stuff first and asked to release
>>> an emergency patch.
>>
>> Bullshit.
>>
>> There is nothing to patch.
>>
>> It needs to be presented at conferences, exactly because people will
>> play ostrich and stick their heads in the sand and pretend it can't
>> happen to them, and do nothing about it until someone shows them, "yes
>> it can happen" and here is how....
>>
>> Which is exactly why we've accepted this talk. We've all known this is
>> a possibility for years, but I haven't seen significant motion forward
>> on this until we announced this talk. So in a fashion, this has
>> already helped make people more realistic about their infrastructure
>> devices. And the discussions, and idea interchange that will happen
>> between the smart folks at the conference will undoubtedly usher forth
>> other related issues and creative solutions. Problems don't get fixed
>> until you talk about them.
>
>Dragos, while I hold full disclosure very close and it is dear to my
>heart, I admit the fact that it can be harmful. Let me link that to
>network operations.
>
>People forget history. A few years back I had a chat with Aleph1 on the
>first days of bugtraq. He reminded me how things are not always black and
>white.
>
>Full disclosure, while preferable in my ideology, is not the best
>solution for all. One of the reasons bugtraq was created is because
>vendors did not care about security, not to mention have a capability to
>handle security issues, or avoid them to begin with.
>
>Full disclosure made a lot of progress for us, and while still a useful
>tool, with some vendors it has become far more useful to report to them
>and let them provide a solution first.
>
>In the case of routers which are used for infrastructure as well as
>critical infrastructure, it is my strong belief that full disclosure is,
>at least at face value, a bad idea.
>
>I'd like to think Cisco, which has shown capability in the past, is as
>responsible as it should be on these issues. Experience tells me they
>have a ways to go yet even if they do have good processes in place with
>good people to employ them.
>
>I'd also like to think tier-1 and tier-2 providers get patches first
>before such releases. This used to somewhat be the case, last I checked
>it no longer is -- for legitimate concerns by Cisco. Has this changed?
>
>So, if we don't patch the infrastructure up first, and clients don't
>know of problems until they are public "for their own security" (an
>argument that holds water only so much) perhaps it is the time for full
>disclosure to be considered a viable alternative.
>
>All that aside, this is a rootkit, not a vulnerability. There is no
>inherent vulnerability to patch (unless it is very local). There is the
>vulnerability of operators who don't so far even consider trojan horses
>as a threat, and the fact tools don't exist for them to do something
>once they do.
>
>       Gadi.
>
>> cheers,
>> --dr
>>
>>
>>
>> --
>> World Security Pros. Cutting Edge Training, Tools, and Techniques
>> London, U.K.   May 21/22 - 2008    http://cansecwest.com
>> pgpkey http://dragos.com/ kyxpgp
>
>_______________________________________________
>Full-Disclosure - We believe in it.
>Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>Hosted and sponsored by Secunia - http://secunia.com/
>
-----BEGIN PGP SIGNATURE-----
Charset: UTF8
Version: Hush 3.0
Note: This signature can be verified at https://www.hushtools.com/verify

wpwEAQECAAYFAkgwi9AACgkQi04xwClgpZja4wP+LItuGYEbfP4lnTsVY1Yg6ct3YWxB
HxuuzQVAr3/oUM277IjSHNetjfZmQy76gvo+98G3vs1nFQFdoFYvzCL0zIvoDqdQWTmE
biTeEFZGDzbj2bXT9GmEdRKE6FJCHW9fhBNo8IC2/HA/Yo/eMXNOF9O4YQIoy7ZiOZvN
VrfDCUA=
=Rfys
-----END PGP SIGNATURE-----


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
