http://www.networkworld.com/news/2005/080805-cisco-routers.html

/* ARTICLE Among the developments last week: Cisco continually revised its security bulletin, adding details as to how versions of unpatched IOS software could be undermined by a "specifically crafted IPv6 packet." Sources at Cisco say testing will continue indefinitely and could include findings related to more than simply IPv6-related exploits. */

Ironic the marketing and disinformation coming out of Cisco Systems in relation to not disclosing what really occurred and labeling the vulnerability as "IPv6 based.... but" after they initially stated it as "IPv6 only!"

/* ARTICLE The researcher who touched off the uproar, Michael Lynn, says he is now the subject of inquiries by FBI agents, and he continues to defend the propriety of his actions. */

Since when did the FBI decide to play "Corporation Superhero saviour" so blatantly? Mr. Lynn's disclosure, while a double-edged sword, can possibly save the industry from a catastrophe, and while yes, it can also cause one, I believe he did the right thing.

/* ARTICLE Experts and users say the hole in IOS appears not to be an immediate concern based on what is public knowledge at the moment, since patches are available. But what concerns some is that Lynn's exploit techniques take router hacking to a new level, which eventually could have security implications for Cisco customers. */

This same attitude from vendors is what causes those releasing POC (proof of concept) code to release information on how things break. I recall posting here a while back information on how it would be possible to break neighbors in BGP by causing flaps. I did not post the information with the intent of anyone using that information to cause damage, nor was it malicious. I did it under the impression someone in the industry would take a look at it, see what I saw and come up with a solution. To date, however... it's been more or less the same: "You're an ass for doing that..."

/* ARTICLE While Lynn has settled one lawsuit with Cisco and ISS, agreeing not to disclose anything he knows about the exploit, his problems don't seem to be over. The FBI is investigating him and interviewing friends and roommates, he says. */

Spin spin sugar... Looking at this current situation, I'm wondering when it became a federal offense to break a non-disclosure agreement. I can look at this two possible ways now... Are the feds looking at Mr. Lynn because they have something vested in the IOS of Cisco (Carnivore, Magic Lantern), or are they going after him under the guise of "National (in)Security"? If it's national (in)security, then why not go after Cisco for allowing this problem to go unresolved when they knew of it months in advance?

Anyhow, sorry for the rants... The article is pseudo-worth the read if you can filter out marketing and crapaganda.

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
GPG Key ID 0x97B43D89
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x97B43D89

"To conquer the enemy without resorting to war is the most desirable. The highest form of generalship is to conquer the enemy by strategy." - Sun Tzu
On Aug 9, 2005, at 9:57 AM, J. Oquendo wrote:
Ironic the marketing and disinformation coming out of Cisco Systems in relation to not disclosing what really occurred and labeling the vulnerability as "IPv6 based.... but" after they initially stated it as "IPv6 only!"
It's a half-truth. The vulnerability was IPv6 only; the method for executing arbitrary code was not. That's definitely spin, and I hope they address it soon.
Spin spin sugar... Looking at this current situation, I'm wondering when it became a federal offense to break a non-disclosure agreement.
The FBI is not investigating violation of a non-disclosure agreement. My understanding is that they are investigating possible trade secret theft. Also, please note that there is a large upwelling of support within the federal government for what Lynn did, and it would be improper to characterize them all as demons. The FBI is performing due diligence investigations based on reports to them of criminal activity. The FBI, in this case, is not the party responsible for this ongoing investigation. Rather, that lies with the assigned prosecutor and whoever the reporting parties were.

A much better summary of these events can be found at Jennifer Granick's blog: http://www.granick.com/blog/
/* ARTICLE Experts and users say the hole in IOS appears not to be an immediate concern based on what is public knowledge at the moment, since patches are available. But what concerns some is that Lynn's exploit techniques take router hacking to a new level, which eventually could have security implications for Cisco customers. */
They are not "Lynn's exploit techniques". The techniques were published by someone else in considerably more detail than Lynn, along with source code. And this other person has also described techniques for attacking other brands of network equipment, not just Cisco.

There is a sea change in hacker activity under way as they realize that most embedded systems (including routers and switches) are now based on general purpose computer technology and that such systems are full of opportunities for software exploits. Hackers no longer just attack OSes like Windows and Linux; they are now beginning to go after any kind of smart device, especially when the exploits can be leveraged for blackmail or to earn cash from espionage. You aren't safe just because your network runs on brand X boxes. The only way to be safe is for your brand X vendors to take software security and systemic security much more seriously.

I also believe that there are lessons to be learned from the open source community's approach to security. This doesn't mean that Cisco or any other brand X vendor should just run out and replace their box's OS with OpenBSD or NetBSD or Linux. But they need to seriously ask themselves what advantage they gain from inventing their own wheel and rejecting the work of thousands of highly skilled and dedicated people.

There really is no such thing as closed source. The people building these exploits are fully capable of taking code from ROM or flash memory and reading what it does. It's all fine and well to have layers of security, but hiding your source code really shouldn't be counted as a security layer. Even if someone managed to eliminate Lynn and all past and current employees of ISS by exiling them to Cuba, this would not stop the hackers who are exploiting network device flaws.

--Michael Dillon
On Tue, Aug 09, 2005 at 04:11:45PM +0100, Michael.Dillon@btradianz.com wrote:
There really is no such thing as closed source.
I've been saying this for years, and I'm sure you and I aren't the only ones. Corollaries:

A. If open publication of the full source code of XYZ would render it insecure, then XYZ is _already_ insecure.

B. In analyzing any attack, it's prudent to presume that the attackers have the full source code of every piece of software involved. [1]

C. It's not secure until everyone knows exactly how it works and it's still secure.

D. Any piece of source code which hasn't been subjected to widespread peer review should be presumed untrustworthy -- because it not only hasn't been shown to be otherwise, the attempt hasn't even been made. (Note that the contrapositive isn't true -- peer review is only a necessary condition, not a sufficient one.)

More bluntly: the closed-source, "faith-based" approach to security doesn't cut it. The attacks we're confronting are being launched (in many cases) by people who *already have the source code*, and who thus enjoy an enormous advantage over the defenders.

It's time to level the playing field. It's time for all the vendors to publish ALL the source code so that we at least have the same information as our adversaries. Because relying on the supposed "secrecy" of source code is relying on a fantasy.

---Rsk

[1] Either because it leaked (discarded computer equipment, backup tapes, etc.), was stolen from outside (network break-in, physical break-in), was stolen from inside (payoffs) or other means. Borrowing heavily from Bruce Schneier's analysis of what it'd be worth to buy an election: what's the dollar value on the open market of, oh, let's say, the full source code to one of Cisco's popular routers? Maybe $100K? $250K? Maybe more, considering what it might facilitate? Whatever that number is, that's the amount that prospective attackers may be presumed to be willing to spend to get it. And whether they spend it on R&D, or paying someone who's already done the R&D, or just cutting to the chase and paying off someone with access to it, doesn't really matter: if they're willing to spend the money, they _will_ get it.
Hi Rich,
A. If open publication of the full source code of XYZ would render it insecure, then XYZ is _already_ insecure.
I like that way of looking at it..
B. In analyzing any attack, it's prudent to presume that the attackers have the full source code of every piece of software involved. [1]
Sure, or even a snippet would be sufficient to find and exploit a hole.
It's time to level the playing field. It's time for all the vendors to publish ALL the source code so that we at least have the same information as our adversaries.
That's going to be a leap too far; it's not an issue of security, it's a question of property and value.
[1] Either because it leaked (discarded computer equipment, backup tapes,
Source code is much more widely distributed than people might think; it's possible to be a contractor (individual or company), or for example in MS's case a partner, and get source code supplied under NDA.
what's the dollar value on the open market of, oh, let's say, the full source code to one of Cisco's popular routers? Maybe $100K? $250K? Maybe more, considering what it might facilitate?
Naww. $0. Pre-IOS-12 versions are in circulation already, 12.something was partially leaked a year or two ago, and I'm sure other bits can be picked up. Who would be willing to pay? Not companies, that's illegal. Blackhats? Maybe, but they can just grab the circulating bootlegs.
Whatever that number is, that's the amount that prospective attackers may be presumed to be willing to spend to get it. And whether they spend it on R&D, or paying someone who's already done the R&D, or just cutting to the chase and paying off someone with access to it, doesn't really matter: if they're willing to spend the money, they _will_ get it.
Wonder why they don't already have it; maybe they do...

Steve
Rich Kulawiec wrote:
More bluntly: the closed-source, "faith-based" approach to security doesn't cut it. The attacks we're confronting are being launched (in many cases) by people who *already have the source code*, and who thus enjoy an enormous advantage over the defenders.

TBH though, usually the open source "faith based" approach to security doesn't cut it either. It's easy to say "it's open source, therefore anyone can check the code" but much harder to actually find someone who has taken the time to do it....
On Sat, 13 Aug 2005, Dave Howe wrote:
Rich Kulawiec wrote:
More bluntly: the closed-source, "faith-based" approach to security doesn't cut it. The attacks we're confronting are being launched (in many cases) by people who *already have the source code*, and who thus enjoy an enormous advantage over the defenders.
TBH though, usually the open source "faith based" approach to security doesn't cut it either. It's easy to say "it's open source, therefore anyone can check the code" but much harder to actually find someone who has taken the time to do it....
Depends on the project. Some OSS projects turn around enhancements and bug fixes, and fix vulnerabilities, quickly. Some don't. Some do some of the time, depending on the type of change. (For example, Mozilla is good about patching vulnerabilities quickly, but there's a Thunderbird enhancement almost 200 people voted for on Bugzilla, that people have been complaining about for months, that they've not done anything about.)

--
Steve Sobol, Professional Geek 888-480-4638 PGP: 0xE3AE35ED
Company website: http://JustThe.net/
Personal blog, resume, portfolio: http://SteveSobol.com/
E: sjsobol@JustThe.net Snail: 22674 Motnocab Road, Apple Valley, CA 92307
[late followup]

On Sat, Aug 13, 2005 at 07:32:20PM +0100, Dave Howe wrote:

Rich Kulawiec wrote:

More bluntly: the closed-source, "faith-based" approach to security doesn't cut it. The attacks we're confronting are being launched (in many cases) by people who *already have the source code*, and who thus enjoy an enormous advantage over the defenders.

TBH though, usually the open source "faith based" approach to security doesn't cut it either. It's easy to say "it's open source, therefore anyone can check the code" but much harder to actually find someone who has taken the time to do it....
Ah, but I covered that, or at least I thought I did:

"D. Any piece of source code which hasn't been subjected to widespread peer review should be presumed untrustworthy -- because it not only hasn't been shown to be otherwise, the attempt hasn't even been made. (Note that the contrapositive isn't true -- peer review is only a necessary condition, not a sufficient one.)"

Which means: just because it's open source and therefore anyone can check it, doesn't mean that anyone has... or that they're competent... or that they were thorough... or that they found all the issues. Like I said, it's a necessary condition, not a sufficient one.

But... even with all the tools that have been developed -- everything from formal proofs of correctness to array bounds checkers to stack overflow guards to you-name-it... it seems that in 2005 the very best available/practical method we have for trying to produce secure code is "lots and lots of independent and clueful eyeballs". I'm not saying that's a desirable situation, because it's not: it would be nice if we had something better. But we don't, at least not yet.

Another way of putting it: no matter who "you" are, from one lone programmer to 10,000, the Internet is more thorough than you are.

Now, one could counter-argue that keeping source code secret provides some measure of security. I'm not buying it: I don't think there's any such thing as "secret source code". And even if there was: if someone with enough cash to fill a briefcase wants it, they WILL get it.

I suppose what I'm saying is: let's drop the pretense that "closed-source" really and truly exists, let's get the critical code out in the open, and let's get started with the process of beating it into shape. Because we're already paying (and paying and paying) a huge price for continuing the charade.

---Rsk
On Tue, 9 Aug 2005, J. Oquendo wrote:
Anyhow, sorry for the rants... The article is pseudo-worth the read if you can filter out marketing and crapaganda.
Someone made a video of cisco hard at work fixing router security holes: http://www.makezine.com/blog/archive/2005/08/video_of_ciscoi.html

Cisco is also fixing web security holes: http://www.dslreports.com/shownews/66078

With all this and the FBI investigation of Lynn, I feel so much safer now.

Thanks cisco.

-Dan
At 11:49 AM -0700 8/9/05, Dan Hollis wrote:
Someone made a video of cisco hard at work fixing router security holes: http://www.makezine.com/blog/archive/2005/08/video_of_ciscoi.html
Cisco is also fixing web security holes: http://www.dslreports.com/shownews/66078
With all this and the FBI investigation of Lynn, I feel so much safer now.
Thanks cisco.
-Dan
But why worry! Peter Packet will save the 'Net! <http://www.cisco.com/edu/peterpacket> "You can't run forever, hacker!"

--chuck
participants (9)
- chuck goolsbee
- Dan Hollis
- Dave Howe
- J. Oquendo
- James Baldwin
- Michael.Dillon@btradianz.com
- Rich Kulawiec
- Stephen J. Wilcox
- Steven J. Sobol