Re: [NANOG] IOS rootkits
> I'd love to know what magical mystical protection your routers have that will enable them to avoid the same fate as every other device and operating system has. There's only one thing up there that doesn't have known rootkits in the wild. Yet.

The question isn't IF routers have security vulnerabilities, but whether Gadi has an example he can demonstrate now of installing a root kit on an IOS router NOW or not.

MMC
> I'd love to know what magical mystical protection your routers have that will enable them to avoid the same fate as every other device and operating system has. There's only one thing up there that doesn't have known rootkits in the wild. Yet.
>
> The question isn't IF routers have security vulnerabilities, but whether Gadi has an example he can demonstrate now of installing a root kit on an IOS router NOW or not.

Rootkit for 2500, 3000 and 4000...... Load this onto your router and you'll have root and much more.

http://tinyurl.com/29duah

Tuc/TBOH
On Sat, 17 May 2008, Matthew Moyle-Croft wrote:

> > I'd love to know what magical mystical protection your routers have that will enable them to avoid the same fate as every other device and operating system has. There's only one thing up there that doesn't have known rootkits in the wild. Yet.
>
> The question isn't IF routers have security vulnerabilities

Nope, the question is not about if routers have security vulnerabilities. The question is how operators and organizations can defend their routers against rootkits, and Cisco's practices.

> MMC
Gadi Evron wrote:

> > The question isn't IF routers have security vulnerabilities
>
> Nope, the question is not about if routers have security vulnerabilities. The question is how operators and organizations can defend their routers against rootkits, and Cisco's practices.

The existence proof of a root kit does little if anything to change how one protects and secures the control plane.
* Joel Jaeggli:

> The existence proof of a root kit does little if anything to change how one protects and secures the control plane.

| Network administrators are not able to observe Lawful Intercept is
| enabled. No Lawful Intercept program messages or error messages are ever
| displayed on the console.

<http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/lawf_int.html>

This is a Sony-style rootkit, but it certainly demonstrates that the concept is feasible (surprise).
Florian Weimer wrote:

> | Network administrators are not able to observe Lawful Intercept is
> | enabled. No Lawful Intercept program messages or error messages are ever
> | displayed on the console.
>
> <http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/lawf_int.html>
>
> This is a Sony-style rootkit, but it certainly demonstrates that the concept is feasible (surprise).

Eh, it's a little misleading. Every net admin knows when Lawful Intercept is activated on their router. The processor utilization takes a major spike. What it's doing might not be known, though umm, even intercept traffic itself can be intercepted or redirected through portions of the network where it can be intercepted. ;)

Jack
> The question isn't IF routers have security vulnerabilities, but whether Gadi has an example he can demonstrate now of installing a root kit on an IOS router NOW or not.

That's not really the question. In fact, there are two questions. First, are routers really embedded devices running a software operating system? Secondly, who can you trust in regards to security of your routers?

On the first question, I don't think anyone will argue that routers are not capable of being compromised by software. Some may argue that compromising the software from the public Internet is virtually impossible and statistically unlikely, but most organizations now realize that hard shell security is a fantasy. The real danger is an insider who has enable on the router and who takes money to install a trojan, or the reseller who sells you a router with trojans already installed. Let's face it, if the NSA now believes there is a serious risk of counterfeit hardware that has been modified to contain hardware trojans, then the much easier to achieve software trojans should be a greater risk, and therefore worthy of attention.

But the second question is the more interesting one in the context of NANOG. Can we trust Gadi? Can we trust the people who pop up and try to smear Gadi in some way? I haven't a clear answer here except to say that Gadi is a well-known person whose biases and possible motives (consultancy work) are well known. The same thing could be said about Cisco or Microsoft, and this may make Gadi (or Cisco) more trustable about some things and less trustable about others. But everybody on this list deals with certainties like this every day.

It's the people who pop up and smear Gadi that I really wonder about. There seems to be no good reason for this, unless possibly they are blackhats of some sort. I remember a few years ago when William Leibzon posted about his work which eventually became completewhois.com and several blackhats popped up and tried to smear him. So when people attack Gadi or anyone else with no substantive facts to justify those attacks, I always assume that they are part of the criminal gangs who drive network abuse in the 21st century. Of course they may just be harmless fools who think that they will become better network operators if they can become part of the in group. Who knows...

Personally, I am not particularly disturbed that security vulnerabilities are announced with few substantive details. That's just the way things are normally done in the real world.

--Michael Dillon
On Sat, May 17, 2008 at 5:45 PM, <michael.dillon@bt.com> wrote:

> It's the people who pop up and smear Gadi that I really wonder about. There seems to be no good reason for this, unless possibly they are blackhats of some sort. I remember a few years ago when William Leibzon posted about his work which eventually became completewhois.com and several blackhats popped up and tried to smear him. So when people attack Gadi or anyone else with no substantive facts to justify those attacks, I always assume that they are part of the criminal gangs who drive network abuse in the 21st century. Of course they may just be harmless fools who think that they will become better network operators if they can become part of the in group. Who knows...

Actually, Michael, folks who have problems with Gadi, William, and certain other offenders are mainly annoyed with the quantity (high) and quality (low) of their posts. That you seem to have a blind spot in the direction of this particular explanation is dismaying but not surprising.

Paul