
Mailing List Archive: NANOG: users

IOS rootkits

 

 



ge at linuxbox

May 16, 2008, 6:06 PM

Post #1 of 54 (3626 views)
Permalink
IOS rootkits

At the upcoming EuSecWest Sebastian Muniz will apparently unveil an IOS
rootkit. Skip below for the news item itself.

We've had discussions on this before, here and elsewhere. I've been
heavily attacked on the subject of considering router security as an issue
when compared to routing security.

I have a lot to say about this, having looked into this threat for a
few years now and having engaged different organizations within Cisco on
the subject in the past. Due to what I refer to as an "NDA of
honour" I will just relay the following until it is "officially" public,
then consider what should be made public, including:

1. Current defense strategies possible with Cisco gear
2. Third party defense strategies (yes, they now exist)
2. Cisco response (no names or exact quotes will likely be given)
3. A bet on when such a rootkit would be public, and who won it
(participants are.. "relevant people").

From:
http://www.networkworld.com/news/2008/051408-hacker-writes-rootkit-for-ciscos.html

"A security researcher has developed malicious rootkit software for
Cisco's routers, a development that has placed increasing scrutiny on the
routers that carry the majority of the Internet's traffic.

Sebastian Muniz, a researcher with Core Security Technologies, developed
the software, which he will unveil on May 22 at the EuSecWest conference
in London. "

Gadi Evron.

_______________________________________________
NANOG mailing list
NANOG [at] nanog
http://mailman.nanog.org/mailman/listinfo/nanog


pauldotwall at gmail

May 16, 2008, 6:13 PM

Post #2 of 54 (3610 views)
Permalink
Re: IOS rootkits [In reply to]

Gadi,

Please try to keep the self-promotion to a minimum, and come back when
you have meaningful data to share with operators.

Examples would include a list of affected platforms and code
revisions, as well as preventative measures.

Thank you,
Paul



ge at linuxbox

May 16, 2008, 6:19 PM

Post #3 of 54 (3600 views)
Permalink
Re: IOS rootkits [In reply to]

On Fri, 16 May 2008, Paul Wall wrote:
> Gadi,
>
> Please try to keep the self-promotion to a minimum, and come back when
> you have meaningful data to share with operators.
>
> Examples would include a list of affected platforms and code
> revisions, as well as preventative measures.

Name on the door, money to be sent via paypal. I will sign my playgirl
cover for 5 USD each.

This is operational, and it is about me saying "na na na na na, na na na
na na na" to a discussion from two years ago. I have every intention to
gloat, but I will keep it to a minimum.

Yes?

Gadi.





dr at kyx

May 16, 2008, 8:29 PM

Post #4 of 54 (3599 views)
Permalink
Re: IOS rootkits [In reply to]

The question this presentation begs for me... is how many of the folks
on this list do integrity checking on their routers?

You can no longer say this isn't necessary :-).

I know FX and a few others are working on toolsets for this...

I'll probably have other comments after I see the presentation.
This development has all sorts of implications for binary signing
requirements, etc...

cheers,
--dr

--
World Security Pros. Cutting Edge Training, Tools, and Techniques
London, U.K. May 21/22 - 2008 http://cansecwest.com
pgpkey http://dragos.com/ kyxpgp





tvarriale at comcast

May 16, 2008, 8:57 PM

Post #5 of 54 (3586 views)
Permalink
Re: IOS rootkits [In reply to]

IIRC, the toolkit(s) can only be installed once having priv 15 on the
device.

If this is the case, the practicality of this is...well...not that
significant.

I do think the significance is that we are getting closer and closer to
treating infrastructure devices as end stations with respect to
susceptibility.

Looking forward to seeing all the details.

Gadi, have fun :)

tv


fergdawg at netzero

May 16, 2008, 9:00 PM

Post #6 of 54 (3590 views)
Permalink
Re: IOS rootkits [In reply to]

-- Dragos Ruiu <dr [at] kyx> wrote:

>The question this presentation begs for me... is how many of the folks
>on this list do integrity checking on their routers?
>
>You can no longer say this isn't necessary :-).
>
>I know FX and a few others are working on toolsets for this...
>
>I'll probably have other comments after I see the presentation.
>This development has all sorts of implications for binary signing
>requirements, etc...

Yep -- I'd say just wait for the presentation (assuming Cisco
doesn't go after this guy like they did Mike Lynn) and then
determine the level of seriousness.

It would appear to have people very nervous, however. Including
Cisco. It will be interesting to see what develops.

- ferg


--
"Fergie", a.k.a. Paul Ferguson
Engineering Architecture for the Internet
fergdawg(at)netzero.net
ferg's tech blog: http://fergdawg.blogspot.com/




pauldotwall at gmail

May 16, 2008, 11:57 PM

Post #7 of 54 (3604 views)
Permalink
Re: IOS rootkits [In reply to]

What if some good comes from this "root kit"?

For instance, what if it lets us fix things like DOM on non-Cisco
XENPAKs and SFPs? Or lets us un-cripple our 6500 chassis to run the
code we want?

Of course, given the messenger, I'm sure it's just hype to help
bolster Gadi's security practice, and will prove to be no big deal.

Paul



mmc at internode

May 17, 2008, 12:17 AM

Post #8 of 54 (3597 views)
Permalink
Re: IOS rootkits [In reply to]

Paul Wall wrote:
> What if some good comes from this "root kit"?
>
I'm sure it'll be good for a number of security providers to hawk their
wares.

If the way of running this isn't out in the wild and it's actually
dangerous then a pox on anyone who releases it, especially to gain
publicity at the expense of network operators' sleep and well being.
May you never find a reliable route ever again.

MMC



simon at slimey

May 17, 2008, 12:34 AM

Post #9 of 54 (3603 views)
Permalink
Re: IOS rootkits [In reply to]

On Sat May 17, 2008 at 04:47:02PM +0930, Matthew Moyle-Croft wrote:
> Paul Wall wrote:
> > What if some good comes from this "root kit"?
> >
> I'm sure it'll be good for a number of security providers to hawk their
> wares.

How long before we need to install Anti-virus / Anti-root-kit software on
our routers?

Simon
--
Simon Lockhart | * Sun Server Colocation * ADSL * Domain Registration *
Director | * Domain & Web Hosting * Internet Consultancy *
Bogons Ltd | * http://www.bogons.net/ * Email: info [at] bogons *



mmc at internode

May 17, 2008, 12:50 AM

Post #10 of 54 (3590 views)
Permalink
Re: IOS rootkits [In reply to]

Simon Lockhart wrote:
>
> How long before we need to install Anti-virus / Anti-root-kit software on
> our routers?
>
Nah - we'll just replace them all with Macs. They don't need anti-virus ...

:-)

MMC
> Simon
>


ge at linuxbox

May 17, 2008, 2:38 AM

Post #11 of 54 (3585 views)
Permalink
Re: IOS rootkits [In reply to]

On Sat, 17 May 2008, Paul Wall wrote:
> What if some good comes from this "root kit"?
>
> For instance, what if it lets us fix things like DOM on non-Cisco
> XENPAKs and SFPs? Or lets us un-cripple our 6500 chassis to run the
> code we want?
>
> Of course, given the messenger, I'm sure it's just hype to help
> bolster Gadi's security practice, and will prove to be no big deal.

A signed issue is now 25 bucks FOR YOU, Mister.



> Paul
>


ops.lists at gmail

May 17, 2008, 3:12 AM

Post #12 of 54 (3564 views)
Permalink
Re: IOS rootkits [In reply to]

On Sat, May 17, 2008 at 12:47 PM, Matthew Moyle-Croft
<mmc [at] internode> wrote:
> If the way of running this isn't out in the wild and it's actually
> dangerous then a pox on anyone who releases it, especially to gain
> publicity at the expense of network operators' sleep and well being.
> May you never find a reliable route ever again.

This needs fixing. It doesn't need publicity at security conferences
till after cisco gets presented this stuff first and asked to release
an emergency patch.

--srs
--
Suresh Ramasubramanian (ops.lists [at] gmail)



Jon.Kibler at aset

May 17, 2008, 3:23 AM

Post #13 of 54 (3562 views)
Permalink
Re: IOS rootkits [In reply to]

Suresh Ramasubramanian wrote:
> On Sat, May 17, 2008 at 12:47 PM, Matthew Moyle-Croft
> <mmc [at] internode> wrote:
>> If the way of running this isn't out in the wild and it's actually
>> dangerous then a pox on anyone who releases it, especially to gain
>> publicity at the expense of network operators' sleep and well being.
>> May you never find a reliable route ever again.
>
> This needs fixing. It doesn't need publicity at security conferences
> till after cisco gets presented this stuff first and asked to release
> an emergency patch.
>
> --srs

According to Cisco, there is nothing to patch:
http://www.cisco.com/warp/public/707/cisco-sr-20080516-rootkits.shtml

Jon Kibler
--
Jon R. Kibler
Chief Technical Officer
Advanced Systems Engineering Technology, Inc.
Charleston, SC USA
o: 843-849-8214
c: 843-224-2494
s: 843-564-4224

My PGP Fingerprint is:
BAA2 1F2C 5543 5D25 4636 A392 515C 5045 CF39 4253


xploitable at gmail

May 17, 2008, 4:08 AM

Post #14 of 54 (3556 views)
Permalink
Re: IOS rootkits [In reply to]

On Sat, May 17, 2008 at 11:12 AM, Suresh Ramasubramanian
<ops.lists [at] gmail> wrote:
> On Sat, May 17, 2008 at 12:47 PM, Matthew Moyle-Croft
> <mmc [at] internode> wrote:
>> If the way of running this isn't out in the wild and it's actually
>> dangerous then a pox on anyone who releases it, especially to gain
>> publicity at the expense of network operators' sleep and well being.
>> May you never find a reliable route ever again.
>
> This needs fixing. It doesn't need publicity at security conferences
> till after cisco gets presented this stuff first and asked to release
> an emergency patch.

Agreed,

You've got to remember though that a security conference is a
commercial venture, it makes business sense for this to be publicly
announced at this security conference.

I think security conferences have become something that sucks as it's
all become money making oriented and the people who run these things
don't really have security in mind, just the £ signs reflecting on
their eye balls.

> --srs
> --
> Suresh Ramasubramanian (ops.lists [at] gmail)
>

All the best,

n3td3v



ge at linuxbox

May 17, 2008, 4:10 AM

Post #15 of 54 (3552 views)
Permalink
Re: IOS rootkits [In reply to]

On Sat, 17 May 2008, Suresh Ramasubramanian wrote:
> On Sat, May 17, 2008 at 12:47 PM, Matthew Moyle-Croft
> <mmc [at] internode> wrote:
>> If the way of running this isn't out in the wild and it's actually
>> dangerous then a pox on anyone who releases it, especially to gain
>> publicity at the expense of network operators' sleep and well being.
>> May you never find a reliable route ever again.
>
> This needs fixing. It doesn't need publicity at security conferences
> till after cisco gets presented this stuff first and asked to release
> an emergency patch.

I'd like to discuss:
1. What is it we are talking about.
2. Why it is serious.
3. What we can do to defend ourselves.

I'll be brief as this is not a briefing.

You are absolutely right on the sentiment, but miss the point on this
particular issue. I agree with you that in most cases, software
vulnerability issues should be resolved with the vendor first, especially
where critical infrastructure is involved. This is not only about
exploiting a vulnerability.

In this case, the very realization that these issues exist
(namely being able to run Trojan horses on IOS systems and/or hiding their
presence) is what we are discussing.

Router security as far as most operators are concerned includes the
following issues: software version (now update), configuration, ACL and
authentication (password) security. I include subjects such as BGP MD5 in
configuration.

These issues are indeed important and very neglected, after all, how many
"0wned" routers can be found that respond to cisco/cisco?

The main difference here is that we are now at a cross-roads where the
face of router security changes. It is the realization that:

1. A router is not a hardware device, it is an embedded device with a
software operating system. As such it is as vulnerable to malware
(wide-spreading--worm, or targeted--Trojan horse) as a Windows machine
is.

2. There are no real tools today for us to be able to detect such
malicious activity on a router, listing processes doesn't cut it.

3. What tools exist, which I hope to secure permission to discuss later
on, are only from third parties.

This is not about fear mongering, it's about facing the reality of how
Cisco handles security threats to their customer base before such an issue
becomes a public concern--namely, ignoring its very existence, at least as
far as the public can see.

The point is, I don't want to rely on third parties for my router's
security, even if I trust the said third party.

Gadi.



ge at linuxbox

May 17, 2008, 4:41 AM

Post #16 of 54 (3546 views)
Permalink
Re: IOS rootkits [In reply to]

On Sat, 17 May 2008, Simon Lockhart wrote:
> On Sat May 17, 2008 at 04:47:02PM +0930, Matthew Moyle-Croft wrote:
>> Paul Wall wrote:
>>> What if some good comes from this "root kit"?
>>>
>> I'm sure it'll be good for a number of security providers to hawk their
>> wares.
>
> How long before we need to install Anti-virus / Anti-root-kit software on
> our routers?

Very astute.

Sadly, this is already being done by a few people I know. No AV vendor has
such a tool to offer you, so don't bother asking them.

The question is, can you afford not to?

The answer may be yes, you can afford for your router to be a spying
machine for the enemy/competitor, and you can afford for it to be a bot
participating in DDoS (as currently, for example, many *nix routers are
known to be). The question is who can't afford for these things to happen...

Gadi.


> Simon
> --
> Simon Lockhart | * Sun Server Colocation * ADSL * Domain Registration *
> Director | * Domain & Web Hosting * Internet Consultancy *
> Bogons Ltd | * http://www.bogons.net/ * Email: info [at] bogons *
>


mmc at internode

May 17, 2008, 4:54 AM

Post #17 of 54 (3559 views)
Permalink
Re: IOS rootkits [In reply to]

> The question is who can't afford for these things to happen...
>
> Gadi.
>
>
I can't help but feel you're pushing fear to further some other interest
here Gadi.

Do you actually have live examples of this or able to demonstrate it or
are you just theorising about it all?

MMC




ge at linuxbox

May 17, 2008, 5:03 AM

Post #18 of 54 (3563 views)
Permalink
Re: IOS rootkits [In reply to]

On Sat, 17 May 2008, Matthew Moyle-Croft wrote:
>
>> The question is who can't afford for these things to happen...
>>
>> Gadi.
>>
>>
> I can't help but feel you're pushing fear to further some other interest here
> Gadi.

It is alright to have feelings.

Gadi.



mmc at internode

May 17, 2008, 5:10 AM

Post #19 of 54 (3561 views)
Permalink
Re: IOS rootkits [In reply to]

>
> It is alright to have feelings.
>
> Gadi.
So I ask again, expecting nothing but another flippant answer:

Do you actually have live examples of this or able to demonstrate it or
are you just theorising about it all?

MMC





nanog at 85d5b20a518b8f6864949bd940457dc124746ddc

May 17, 2008, 5:11 AM

Post #20 of 54 (3546 views)
Permalink
Re: IOS rootkits [In reply to]

On Sat, 17 May 2008 07:03:58 -0500 (CDT)
Gadi Evron <ge [at] linuxbox> wrote:

> On Sat, 17 May 2008, Matthew Moyle-Croft wrote:
> >
> >> The question is who can't afford for these things to happen...
> >>
> >> Gadi.
> >>
> >>
> > I can't help but feel you're pushing fear to further some other interest here
> > Gadi.
>
> It is alright to have feelings.
>

The rational thing to do is to move beyond fear.

--

"Sheep are slow and tasty, and therefore must remain constantly
alert."
- Bruce Schneier, "Beyond Fear"



mmc at internode

May 17, 2008, 6:16 AM

Post #21 of 54 (3557 views)
Permalink
Re: IOS rootkits [In reply to]

> I'd love to know what magical mystical protection your routers have that will
> enable them to avoid the same fate as every other device and operating system
> has. There's only one thing up there that doesn't have known rootkits
> in the wild. Yet.
>
The question isn't IF routers have security vulnerabilities, but whether
Gadi has an example he can demonstrate now of installing a root kit on
an IOS router NOW or not.

MMC



ml at t-b-o-h

May 17, 2008, 6:36 AM

Post #22 of 54 (3554 views)
Permalink
Re: IOS rootkits [In reply to]

>
>
> > I'd love to know what magical mystical protection your routers have that will
> > enable them to avoid the same fate as every other device and operating system
> > has. There's only one thing up there that doesn't have known rootkits
> > in the wild. Yet.
> >
> The question isn't IF routers have security vulnerabilities, but whether
> Gadi has an example he can demonstrate now of installing a root kit on
> an IOS router NOW or not.
>
Rootkit for 2500, 3000 and 4000...... Load this onto your router and you'll
have root and much more.

http://tinyurl.com/29duah

Tuc/TBOH



ge at linuxbox

May 17, 2008, 6:41 AM

Post #23 of 54 (3556 views)
Permalink
Re: IOS rootkits [In reply to]

On Sat, 17 May 2008, Matthew Moyle-Croft wrote:
>
>>
>> It is alright to have feelings.
>>
>> Gadi.
> So I ask again, expecting nothing but another flippant answer:

I will honour your flame-bait, but only once.

> Do you actually have live examples of this or able to demonstrate it or are
> you just theorising about it all?

Your question is irrelevant to our discussion, as I obviously base myself
on the first email in this thread discussing the poc (?) about to be
released, and my own statements from that first email in which I mention I
will not discuss my own experience on the subject of rootkit risks
and solutions until said poc (?) is released due to matters of honour.




>
> MMC
>
>



ge at linuxbox

May 17, 2008, 6:45 AM

Post #24 of 54 (3560 views)
Permalink
Re: IOS rootkits [In reply to]

On Sat, 17 May 2008, Matthew Moyle-Croft wrote:
>
>> I'd love to know what magical mystical protection your routers have that
>> will
>> enable them to avoid the same fate as every other device and operating
>> system
>> has. There's only one thing up there that doesn't have known rootkits
>> in the wild. Yet.
>>
> The question isn't IF routers have security vulnerabilities

Nope, the question is not about if routers have security vulnerabilities.
The question is how operators and organizations can defend their routers
against rootkits, and cisco's practices.


>
> MMC
>



travis+ml-nanog at subspacefield

May 17, 2008, 7:34 AM

Post #25 of 54 (3554 views)
Permalink
Re: IOS rootkits [In reply to]

On Sat, May 17, 2008 at 04:47:02PM +0930, Matthew Moyle-Croft wrote:
> I'm sure it'll be good for a number of security providers to hawk their
> wares.
>
> If the way of running this isn't out in the wild and it's actually
> dangerous then a pox on anyone who releases it, especially to gain
> publicity at the expense of network operators' sleep and well being.
> May you never find a reliable route ever again.

I personally like Gadi's work, but not as much as I like getting my
packets to their destination. I personally don't quite understand why
netops keep buying proprietary, closed technology for routers, but I'm
not and have never been a netop so I'm sure there's good reasons. To
me it seems that if you need reliable router hardware, you can buy
that from a vendor, but in theory I don't see why the software for
routers couldn't be much more open. When I can, I reflash my WAPs
with DD-WRT, because at least then I understand the system (and you
can't secure what you don't understand), but I am not saying that's
much of a comparison.

So, speaking of hawking wares... ;-)

Since I see some disclosure discussions brewing here, I thought I'd
mention that I have a free online book on security, and I'm trying to
capture all the arguments about disclosure policies so that they don't
ever have to be rehashed. Instead, we can just point someone to it,
and move on.

Here's the section on disclosure:

http://www.subspacefield.org/security/security_concepts.html#tth_sEc25.1

I'm numbering them for your convenience, so that if for some reason
you want to state a particular argument, you can compress the
conversation by simply giving its index. ;-)

HHOS,
Travis
--
Crypto ergo sum. https://www.subspacefield.org/~travis/
If you are a spammer, please email john [at] subspacefield to get blacklisted.
