Re: Hack Simplifies Cisco Router Attack -

From: Darby Weaver (ccie.weaver@gmail.com)
Date: Mon Jan 26 2009 - 04:32:46 ARST


I read the article... FUD.

While I totally agree to patch and keep devices up to date, they have to
date succeeded in exploiting a 1700 and a 2600 series router with outdated
IOS code.

They admit to something like 1 in 100,000 chance of even getting close
enough to attempt an exploit... really...

About 15 years ago a friend of mine who wrote viruses used to tell me how
hard it was to infect people even using his (then) latest and greatest
multi-function code... Imagine if his odds of success were in the 1 in
100,000 range - he'd have become a garbage pickup man by now since he'd have
a better chance of hacking old routers that way.

Kaminsky recognized that the security by obscurity of the many different flavors
of IOS contributed to the "White Hats'" inability to hack the IOS reliably...

Then said Cisco should "standardize the code" and made it sound like it
would be beneficial to Cisco and clients to do so... Huh? Maybe he'll
suggest the IOS go open-source next like they did for MS sometime back...

Hey if you wanna get paid to play "Hacker" then at least earn your cash...

Everyone knows any OS can be exploited by using a buffer overflow to pop the
stack. It's practically a given. Lynn/FX and company originally tried to
use the IOS code references supplied by Cisco to their employees/contractors
in the late 90's or so and thus they only succeeded in learning how to
exploit really old IOS... the truth is these guys and their friends are
having a little trouble popping the stack - even though the Cisco IOS does
have a monolithic architecture.

Sure a DoS is nice... if one can get past contemporary and now almost
standard security/logging/IPS mechanisms in place...

But the real enchilada is being able to not only exploit the code but to
continue and be able to perform actual exploits or perform some other
malice...

It's easier to insert a rogue router into a network and advertise incorrect
routing information than it is to pop the stack and gain root on the Cisco
IOS...

Hmmm....

Maybe one day... not quite today...

Still, maintain a common-sense approach to security architecture; patching
code is an important part of that architecture.

On 1/25/09, paul cosgrove <paul.cosgrove@gmail.com> wrote:
>
> You may wish to qualify that a little more, after all it is not unusual for
> people to put misplaced faith in edge security devices without reviewing the
> configs, processes, or risks elsewhere in the wider topology. Defence in
> depth (with regular reviews) is a safer approach.
>
> It is unusual for an IDS to monitor all traffic in a network; topologies do
> not normally make that possible. They are normally positioned to protect
> the servers and uplink DMZs, not the network infrastructure. Border
> monitoring/filtering will not protect you from attacks launched locally from
> equipment deeper inside the network, e.g. from user PCs against their default
> gateway. In addition, if you allow encrypted traffic (e.g. HTTPS or SSH)
> through your border then your IDS may have other blind spots.
>
> It is worth considering other measures to help protect your network
> equipment, e.g. infrastructure ACLs, and it goes without saying that you
> should apply updates to patch any remote exploits that are announced. This
> is all the more important now. Some people will devote many hours trying to
> become the first to make widespread use of this discovery in the wild, and
> not for the greater good.
>
> Paul.
>
> On Sun, Jan 25, 2009 at 3:13 PM, Jose <josermanzano@gmail.com> wrote:
>
>> I'm not too worried since I'm looking at this through an Enterprise
>> Network set of eyeglasses. :-)
>>
>> If you have all the traffic that comes in and out of the network pass
>> through firewalls, as well as pass through some sort of IDS/IPS,
>> and also monitor the internal stuff through IDS/IPS, you should not run
>> into these issues from what I'm reading. A good firewall/IDS/IPS etc...
>> will inspect the actual data coming across and see if what's coming
>> across is not normal for that type.... as well as terminate the TCP
>> session, then reestablish it on the back end (internal) so the session
>> that the communication has is never direct.
>>
>> Now, having said that... what about the routers that sit in front of
>> the firewall providing that internet connection....... well I guess we
>> better patch...
>>
>> I love the idea that Metro-E hands off with a plain RJ45 Ethernet
>> connection more and more every day 8-) .....
>>
>> You have to love the security cat and mouse game though....
>>
>> Darby Weaver wrote:
>>
>>> So very very true.
>>>
>>> On 1/24/09, Scott M Vermillion <scott_ccie_list@it-ag.com> wrote:
>>>
>>>
>>>> AKA "marketing for security consultants," LOL. We R&S types can meet with
>>>> limited success scaring people into thinking they're about to run out of
>>>> capacity, etc, but we have nowhere near the leverage that the security types
>>>> have! Fear is one of the greatest motivating factors in human nature (think
>>>> Y2K). Talk about your job "security"...
>>>>
>>>>
>>>> -----Original Message-----
>>>> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
>>>> Wouter Prins
>>>> Sent: Saturday, January 24, 2009 6:46 AM
>>>> To: arali
>>>> Cc: ccielab; ccielab-subscribe; cisco
>>>> Subject: Re: Hack Simplifies Cisco Router Attack -
>>>> www.darkreading.com/security
>>>>
>>>> The 'article' is just some $random blablabla IMHO :)
>>>>
>>>> 2009/1/24 arali <ar.ali@rediffmail.com>
>>>>
>>>>> Hi Group,
>>>>>
>>>>> Do you have any comment on the below subject? Please give your guidance.
>>>>>
>>>>> http://www.darkreading.com/security/perimeter/showArticle.jhtml?articleID=212700896
>>>>>
>>>>> Hack Simplifies Cisco Router Attack; CheckFree Alerts Customers
>>>>> after Hack - Security researchers recently reported a significant
>>>>> breakthrough in a way to hack a class of Cisco routers without having
>>>>> to know the router operating system. In other news, security
>>>>> researchers demonstrated a way to crack the popular MD5 encryption
>>>>> algorithm, while CheckFree Corp notified its users of a criminal's
>>>>> compromise of one of its Internet domains.
>>>>>
>>>>> Thanks &
>>>>> Regards,
>>>>> Arali
>>>>>
>>>>>
>>>>> Blogs and organic groups at http://www.ccie.net
>>>>>
>>>>> _______________________________________________________________________
>>>>> Subscription information may be found at:
>>>>> http://www.groupstudy.com/list/CCIELab.html
>>>>>
>>>>>
>>>
>>>
>>
>>

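Two of the defensive measures raised in this thread, Paul's infrastructure ACLs and a counter to the rogue-router scenario Darby describes, are straightforward to express in configuration. The fragment below is an added illustration written for this archive page; it is not configuration posted by anyone on the list. It uses IOS-style syntax, and the addresses (192.0.2.0/24 as the routers' own infrastructure block, 198.51.100.10 as the single permitted management host), interface names and the OSPF key are constructed placeholders to be replaced with real values.

```cisco
! Added example: infrastructure ACL (iACL) plus OSPF neighbor authentication.
! Addresses are RFC 5737 documentation ranges used as placeholders:
!   192.0.2.0/24    - loopbacks and point-to-point links of the routers
!   198.51.100.10   - the one management host allowed to reach them
!
! The iACL is applied inbound on interfaces facing users or untrusted peers.
! Packets *addressed to* the infrastructure block are dropped at the edge
! of the router before they reach any IOS service that might be vulnerable;
! transit traffic (not destined for infrastructure) is left alone.
ip access-list extended INFRA-ACL
 remark -- management access to the routers only from the management host
 permit tcp host 198.51.100.10 192.0.2.0 0.0.0.255 eq 22
 permit udp host 198.51.100.10 192.0.2.0 0.0.0.255 eq snmp
 remark -- OSPF between the routers themselves (multicast hellos and unicast)
 permit ospf 192.0.2.0 0.0.0.255 host 224.0.0.5
 permit ospf 192.0.2.0 0.0.0.255 host 224.0.0.6
 permit ospf 192.0.2.0 0.0.0.255 192.0.2.0 0.0.0.255
 remark -- ICMP types needed for PMTUD and troubleshooting to keep working
 permit icmp any 192.0.2.0 0.0.0.255 echo
 permit icmp any 192.0.2.0 0.0.0.255 echo-reply
 permit icmp any 192.0.2.0 0.0.0.255 packet-too-big
 permit icmp any 192.0.2.0 0.0.0.255 ttl-exceeded
 remark -- everything else aimed at the infrastructure block is dropped;
 remark -- 'log' gives visibility but costs CPU, so rate-limit or drop it on busy links
 deny   ip any 192.0.2.0 0.0.0.255 log
 remark -- transit traffic passes; the ordinary security policy lives elsewhere
 permit ip any any
!
interface FastEthernet0/0
 description user LAN - hosts here must not reach the router control plane
 ip access-group INFRA-ACL in
!
! Against a rogue router injecting bogus prefixes: require MD5-authenticated
! OSPF packets, and make every interface passive by default so no adjacency
! can form on a user-facing segment at all.
router ospf 1
 area 0 authentication message-digest
 passive-interface default
 no passive-interface Serial0/0
!
interface Serial0/0
 description link to the other core router
 ip ospf message-digest-key 1 md5 REPLACE-WITH-REAL-KEY
```

The iACL filters on destination, not source, which is what makes it effective against Paul's point about attacks launched from inside the perimeter: a user PC on FastEthernet0/0 can still route through the box, but cannot open a connection to it. The OSPF section addresses Darby's rogue-router case by denying adjacencies to any device that cannot present the shared key and by refusing hellos on segments where no neighbor is expected.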



This archive was generated by hypermail 2.1.4 : Sun Mar 01 2009 - 09:43:40 ARST