Message-ID: <Pine.LNX.4.62.0805250532280.19771@linuxbox.org>
Date: Sun, 25 May 2008 05:37:11 -0500 (CDT)
From: Gadi Evron <ge@...uxbox.org>
To: bugtraq@...urityfocus.com
Cc: funsec@...uxbox.org, full-disclosure@...ts.grok.org.uk
Subject: Re: IOS rootkits (fwd)

In this email I summarise the discussion thread.

One thing we did not do in these threads is to thank Core Security and 
Sebastian Muniz for the work, and releasing it to help make the world 
safer.

 	Gadi.


Date: Sun, 25 May 2008 05:27:36 -0500 (CDT)
From: Gadi Evron
To: Joel Jaeggli
Subject: Re: IOS rootkits

On Sun, 18 May 2008, Joel Jaeggli wrote:
> Dragos Ruiu wrote:
> 
>> First of all about prevention, I'm not at all sure about this being
>> covered by existing router security planning / BCP.
>> I don't believe most operators reflash their routers periodically, nor
>> check existing images (particularly because the tools for this
>> integrity verification don't even exist). If I'm wrong about this I
>> would love to be corrected with pointers to the tools.
> 
> I have 6 years worth of rancid logs for every time the reported number
> of blocks in use on my flash changes, I imagine others do as well.
> That's hardly the silver bullet however.

Cisco considerably updated its rootkits page (which was 3 lines, yes, just 3 
lines, last week, you might think it was a previously unknown threat).

Last Updated 2008 May 22 1600 UTC (GMT)
For Public Release 2008 May 16 0400 UTC (GMT)
Some update!

The new page gives a lot of information on best practices, MD5 verifications, 
etc. Very good as a security best practices page but still not much of an "anti 
rootkit" page. Well worth taking a look:

http://www.cisco.com/warp/public/707/cisco-sr-20080516-rootkits.shtml

Again, very good page even if it in no way addresses the threat.

Last week my opinions were well-formed after a few years of thinking on the 
subject. I decided to re-examine my take as I may have just stagnated on the 
issue and the landscape changed. I reached the same conclusions.

Still no decent response on why they never spoke to their clients on Trojan 
horses on IOS, rootkits on IOS, or practically, what tools they provide to 
deal with them or what their plans are to help us protect ourselves and our 
infrastructure. One could guess they have none.

As someone recently mentioned to me, after the Michael Lynn talk they
started admitting to remote code execution vulnerabilities being more than
just DoS in their announcements. Maybe that is a trend and we will get more 
information from them in the future, now that rootkits as a threat to IOS are a 
public issue.

Cisco's "threats don't exist until our clients already know of them" strategy 
is running out of steam, and will soon outlive its usefulness. Cisco is acting 
pretty much like Microsoft did 10 years ago, they shouldn't be surprised if 
security research treats them the same way as it treated Microsoft.

I know what their treatment made _me_ do psychologically, it made me not want 
to reach out to them. It seems like the Michael Lynn way is the only way to go 
with their current attitude--full disclosure.

As to the risk itself, it is my personal belief IOS rootkits are currently a 
threat as a targeted attack. Therefore, although of serious concern it is not 
yet something I fear on the Internet scale.

Pure FUD, Cisco provided us with no real data:
I do however dread the day XR gains some popularity, then it is as bad as 
Windows XP exploitability-wise. 2003, year of the worm. 2013, year of the Cisco 
worms?

 	Gadi.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
