On Aug 9, 2005, at 11:11 AM, Michael.Dillon@btradianz.com wrote:
They are not "Lynn's exploit techniques". The techniques were published by someone else in considerably more detail than Lynn along with source code.
What techniques are you referencing? The technique Lynn demonstrated has not been seen anywhere in the wild, as far as I know. Neither he nor ISS ever made the source code available to anyone outside of Cisco or ISS. What publication are you referring to?
You aren't safe just because your network runs on brand X boxes. The only way to be safe is for your brand X vendors to take software security and systemic security much more seriously. I also believe that there are lessons to be learned from the open source community's approach to security. This doesn't mean that Cisco or any other Brand X vendor should just run out and replace their box's OS with OpenBSD or NetBSD or Linux. But they need to seriously ask themselves what advantage they gain from inventing their own wheel and rejecting the work of thousands of highly skilled and dedicated people.
Quality control. The general operating systems are not designed with a specific goal of high availability routing in mind, and while they display and can compete on some levels with specialized operating systems, they will lose out in the end. In this regard it is not open source environments that present the benefit, but as you say "thousands of highly skilled and dedicated people". There are very few of those people who are experienced in the realm of high end routing systems. The general operating system can garner a large support base due to its broad market appeal, its use in both servers, low end routing hardware, and desktops. However, to develop strong support for a reduced and circumscribed feature set is difficult. The same number of dedicated developers will be reduced and the amount of time highly specialized developers will focus on that code base will be diminished. You can see examples of similar behavior in the subsets of Linux developed for embedded systems, like the WAP Linksys routers. That being said, who would continue to buy Cisco equipment if IOS was available elsewhere? The Chinese market is already flooded with Cisco knock-offs, the rest would most certainly follow if it was legal. Out of curiosity, what, in your opinion, is the open source community's approach to security? I have seen differing approaches from different groups, some which are downright despicable (methods, not people).
There really is no such thing as closed source. The people building these exploits are fully capable of taking code from ROM or flash memory and reading what it does.
I've had some experience with reverse engineering and disassembly, and while it is true that you can analyze an image of a running program and find what it does, that is a long, long step from having the kind of understanding of a program you can gain through the actual source code.
It's all fine and well to have layers of security but hiding your source code really shouldn't be counted as a security layer.
Obscurity should never be counted on as a sole security layer, but it does add a level of difficulty. One of the major themes in the security industry is mitigation. Obscurity does not add a level of security, but it does reduce the number of people who can easily accomplish a task. It raises the bar and reduces the pool of attackers.
Even if someone managed to eliminate Lynn and all past and current employees of ISS by exiling them to Cuba, this would not stop the hackers who are exploiting network device flaws.
Did anyone ever think that?
On Tue, 09 Aug 2005 14:31:08 EDT, James Baldwin said:
What techniques are you referencing? The technique Lynn demonstrated has not been seen anywhere in the wild, as far as I know. Neither he nor ISS ever made the source code available to anyone outside of Cisco or ISS. What publication are you referring to?
Didn't Lynn come out and say flat out that he'd found a lot of information on a Chinese website (with the implication that the website had even more information than what he presented)?
On Aug 9, 2005, at 3:20 PM, Valdis.Kletnieks@vt.edu wrote:
On Tue, 09 Aug 2005 14:31:08 EDT, James Baldwin said:
What techniques are you referencing? The technique Lynn demonstrated has not been seen anywhere in the wild, as far as I know. Neither he nor ISS ever made the source code available to anyone outside of Cisco or ISS. What publication are you referring to?
Didn't Lynn come out and say flat out that he'd found a lot of information on a Chinese website (with the implication that the website had even more information than what he presented)?
No. Not at all. Lynn found information on Chinese websites indicating people were actively working to exploit IOS, not that anyone had actually done so.
What techniques are you referencing? The technique Lynn demonstrated has not been seen anywhere in the wild, as far as I know. Neither he nor ISS ever made the source code available to anyone outside of Cisco or ISS. What publication are you referring to?
Didn't Lynn come out and say flat out that he'd found a lot of information on a Chinese website (with the implication that the website had even more information than what he presented)?
A black hat who is not Chinese has published some slides with far more explicit step-by-step details of how to crack IOS using the techniques that Lynn glossed over in his presentation. This person also claims to have source code available on his website for download but I didn't look to know for sure. As for the Chinese connection, there is a fairly long document circulating on the net from a couple of years back. It is translated from Chinese and it is about modern techniques of information warfare. I think a lot of people interested in network security are aware that lots of Chinese hackers are at work out there and that they are good at what they do. Since all blackhats tend to communicate with each other to share ideas and to brag about their exploits, it is entirely possible that this Cisco exploit began in China. It is a nice myth to believe that a company like ISS does all their own work in-house and that their employees are all super gurus. But I would hope that most of you realize this is not true. Companies like ISS leverage the work of blackhats just like any hacker does. That's why I don't think gagging Lynn or ISS or the Blackhat conference will have any positive effect whatsoever. In fact, I would argue that this legal manoeuvring has had a net negative effect because it has now been widely published that Cisco exploits are possible. This means that many more hackers are now trying to craft their own exploits and own Cisco routers. Of course, in the end, Juniper is also vulnerable. Nortel is vulnerable. Every manufacturer of routing/switching equipment is vulnerable. Modern electronic devices are all built around embedded computers with complex software running on them. The root of all these vulnerabilities is our inability to write complex software that is free of bugs. Now I believe that Open Source software techniques can solve this root problem because many eyes can find more bugs. This doesn't just mean *BSD and Linux.
There are also systems like OSKit http://www.cs.utah.edu/flux/oskit/ and RTAI http://www.rtai.org/ that are more appropriate for building things like routers. --Michael Dillon
On Aug 10, 2005, at 6:13 AM, Michael.Dillon@btradianz.com wrote:
What techniques are you referencing? The technique Lynn demonstrated has not been seen anywhere in the wild, as far as I know. Neither he nor ISS ever made the source code available to anyone outside of Cisco or ISS. What publication are you referring to?
Didn't Lynn come out and say flat out that he'd found a lot of information on a Chinese website (with the implication that the website had even more information than what he presented)?
A black hat who is not Chinese has published some slides with far more explicit step-by-step details of how to crack IOS using the techniques that Lynn glossed over in his presentation. This person also claims to have source code available on his website for download but I didn't look to know for sure.
I desperately hope you are not referring to Raven Adler's presentation at Defcon following Black Hat. If so, I think "far more explicit step-by-step" is quite an over-characterization of what she presented. If not, once again, I'd ask you to cite sources rather than make broad sweeping statements about what is already available. Appealing to some anonymous authority in order to claim the sky is falling is hardly endearing.
Since all blackhats tend to communicate with each other to share ideas and to brag about their exploits, it is entirely possible that this Cisco exploit began in China.
That's a fairly bold statement. I'd also hesitate to label Lynn as a black hat, as his actions (notification of vendor, confirmation of a patch, and release) are not characteristic of a black hat. I'd suggest that generalization is incorrect in any case; researchers of any hat, in my experience, keep their secrets amongst a small group.
It is a nice myth to believe that a company like ISS does all their own work in-house and that their employees are all super gurus. But I would hope that most of you realize this is not true. Companies like ISS leverage the work of blackhats just like any hacker does. That's why I don't think gagging Lynn or ISS or the Blackhat conference will have any positive effect whatsoever. In fact, I would argue that this legal manoeuvring has had a net negative effect because it has now been widely published that Cisco exploits are possible. This means that many more hackers are now trying to craft their own exploits and own Cisco routers.
I agree that this was a very large public relations blunder on the part of ISS and Cisco. Their actions caused undue attention to be placed on this issue and put both groups on the wrong side of a very public argument. On the other hand, Lynn is exactly the sort of guru you describe. Riley Eller said it best: "If you put him and a (Cisco) box in a room, the box breaks." Having spoken with him throughout development of this technique, I can assure you that it was not developed, and further, not propagated to anyone outside of ISS with Lynn's knowledge. He has taken every care possible to ensure that this did not leak. That's not to say it will not; certain members within ISS were keen on originally releasing this to the public before informing Cisco, which prompted Lynn to resign on the spot before he was talked into returning after they dropped the subject of uninformed public release.
Now I believe that Open Source software techniques can solve this root problem because many eyes can find more bugs. This doesn't just mean *BSD and Linux. There are also systems like OSKit http://www.cs.utah.edu/flux/oskit/ and RTAI http://www.rtai.org/ that are more appropriate for building things like routers.
"Many eyes can find more bugs" implies several things. It implies that a large group of people are investigating bugs, and that they are qualified to find bugs of this nature. I would argue that the number that meet both criteria is small in the open source world. That is not to imply that there are untalented people in the FOSS community, only that they are not interested in locating bugs or ensuring security of a specialized routing operating system as their primary function. It boils down to the following question: Do you think the benefit of releasing the source code for IOS, allowing independent researchers access to the source code in order to locate flaws, outweighs the costs of that release, allowing criminals access to the source code in order to locate flaws and forfeiting trade secrets? In the case of Cisco, I'm sure the latter weighs more heavily in their mind.
If not, once again, I'd ask you to cite sources rather than make broad sweeping statements about what is already available. Appealing to some anonymous authority in order to claim the sky is falling is hardly endearing.
I think that people who specialise in security know what I am referring to. I won't say any more publicly since there are black hats reading this list. If they don't already know about this stuff, I'm not going to help them. If anyone wants to know what I am talking about, then go to the security people in your company and ask them. The company pays them to keep abreast of this stuff.
That's a fairly bold statement. I'd also hesitate to label Lynn as a black hat
I never labelled Lynn as a blackhat. I said that Lynn and ISS and all other similar firms and researchers do the same thing as blackhats. They monitor communications of blackhats and learn from them. This activity does not make someone into a blackhat.
researchers of any hat, in my experience, keep their secrets amongst a small group.
It is human nature to brag about what you have discovered and for many blackhats, this is the only return they get for their work. I agree that whitehats like Lynn are generally much more careful about their secrets which is why Lynn's presentation was quite vague about many things.
On the other hand, Lynn is exactly the sort of guru you describe. Riley Eller said it best "If you put him and a (Cisco) box in a room, the box breaks."
I'm sceptical about such rhetoric.
It boils down to the following question: Do you think the benefit of releasing the source code for IOS, allowing independent researchers access to the source code in order to locate flaws, outweighs the costs of that release, allowing criminals access to the source code in order to locate flaws and forfeiting trade secrets? In the case of Cisco, I'm sure the latter weighs more heavily in their mind.
First, I don't think there will be any trade secrets of great value revealed by the source code. Software and systems have a long history and people continue to reinvent wheels that were first invented two or three generations ago. In any case, people looking for trade secrets simply acquire the boxes and reverse engineer. Second, I don't suggest that Cisco suddenly release their code. But I can imagine a phased approach where they release the code to an ever widening circle of people, and then finally make it completely open. Or they could phase in a new codebase using Open Source as the foundation. --Michael Dillon
Michael.Dillon@btradianz.com writes:
If not, once again, I'd ask you to cite sources rather than make broad sweeping statements about what is already available. Appealing to some anonymous authority in order to claim the sky is falling is hardly endearing.
I think that people who specialise in security know what I am referring to. I won't say any more publicly since there are black hats reading this list. If they don't already know about this stuff, I'm not going to help them.
Get a grip, Michael. Any black hat who reads this list already knows this information (if indeed it exists; acting mysterious isn't gaining you any credibility with the cynical among us, and of course you aren't even providing enough detail for people with clues to discern what the bloody heck you're referring to). All you're doing is withholding data from the non-black-hats. ---rob
Get a grip, Michael. Any black hat who reads this list already knows this information (if indeed it exists; acting mysterious isn't gaining you any credibility with the cynical among us, and of course you aren't even providing enough detail for people with clues to discern what the bloody heck you're referring to). All you're doing is withholding data from the non-black-hats.
*sigh* I have no special sources of info. One Monday morning I saw the traffic on this list about Lynn's presentation. None of the posted URLs worked. One of them led to a legal document ordering that the slides not be posted. So what did I do? That's right, I turned to Google. I found articles written by people who attended the presentation. One person had posted a zip file with photos of all of Lynn's slides as presented at BlackHat. I even managed to find the PDF file with the edited version of the slides that was the target of the lawyers. But I found more. It seems that a guy using the name FX has been publishing stuff about Cisco heap exploits for years now. I found his slides from a presentation made at BlackHat Las Vegas in 2002. Lots of juicy detail. And I found a long document translated from Chinese about modern information/economic warfare. I really didn't think this stuff was all that hard to find because it took me all of 30 minutes. The big question in my mind is why did Cisco freak out when somebody wanted to present an overview of exploits that have been worked on by hackers for the past 3 years? Especially when Lynn is giving them some valuable free advice, i.e. don't make it easier for hackers to use heap exploits. Thanks to Drew's posting I now know that FX presented again at BHLV a year later pointing out a UDP exploit that can be used to facilitate building the correct heap exploit for a specific IOS release and architecture. It seems to me that Cisco has a fundamental communications problem in regard to security. Their actions against Lynn did not stop people from reading his slides and his slides were not nearly as informative as the older slides from FX. Also, Cisco seems stuck in the traditional vendor-customer communications cycle that causes them to ignore or deprioritize security related communications unless it comes to them through a major customer.
In fact, the people who REALLY know this stuff may not work for a major Cisco customer or if they do, they may not have access to the privileged communications channels within their company. --Michael Dillon
Give a man a fish and you feed him for a day, teach him how to fish and you feed him for a lifetime.
I, desperately, hope you are not referring to Raven Adler's presentation at Defcon following Black Hat.
No, I am referring to something that was published 3 years ago and describes substantially the same exploits and techniques as Lynn described except the 3 year old document has much more technical detail and offers a URL where source code for the exploits can be acquired. Maybe Lynn rediscovered this independently. Maybe he heard rumours of an exploit in blackhat communications and this guided him where to look. But if my memory serves me correctly, Lynn himself claimed that his work was based on the work of a blackhat. --Michael Dillon
On Wed, Aug 10, 2005 at 11:13:42AM +0100, Michael.Dillon@btradianz.com wrote:
The root of all these vulnerabilities is our inability to write complex software that is free of bugs.
Inability? I'd rather say it's an economic question. Would you want to pay for proven bug-free software? Think twice (and look at some expense figures for such software first). :-) Regards, Daniel -- CLUE-RIPE -- Jabber: dr@cluenet.de -- dr@IRCnet -- PGP: 0xA85C8AA0
I will say it is also about development time. We are continuously asking for new features (sometimes somehow artificially generated by the market or the vendors?), so they need to work faster, test faster ... Regards, Jordi
From: Daniel Roesen <dr@cluenet.de> Reply to: <owner-nanog@merit.edu> Date: Thu, 11 Aug 2005 00:31:04 +0200 To: "nanog@merit.edu" <nanog@merit.edu> Subject: Re: Fwd: Cisco crapaganda
On Wed, Aug 10, 2005 at 11:13:42AM +0100, Michael.Dillon@btradianz.com wrote:
The root of all these vulnerabilities is our inability to write complex software that is free of bugs.
Inability? I'd rather say it's an economic question. Would you want to pay for proven bug-free software? Think twice (and look at some expense figures for such software first). :-)
Regards, Daniel
-- CLUE-RIPE -- Jabber: dr@cluenet.de -- dr@IRCnet -- PGP: 0xA85C8AA0
participants (6): Daniel Roesen, James Baldwin, JORDI PALET MARTINEZ, Michael.Dillon@btradianz.com, Robert E. Seastrom, Valdis.Kletnieks@vt.edu