[NANOG] IOS rootkits

Yep -- I'd say just wait for the presentation (assuming Cisco
doesn't go after this guy like they did Mike Lynn) and then
determine the level of seriousness.

It would appear to have people very nervous, however. Including
Cisco. It will be interesting to see what develops.

- - ferg

What if some good comes from this "root kit"?

For instance, what if it lets us fix things like DOM on non-Cisco
XENPAKs and SFPs? Or lets us un-cripple our 6500 chassis to run the
code we want?

Of course, given the messenger, I'm sure it's just hype to help
bolster Gadi's security practice, and will prove to be no big deal.

Paul

Paul Wall wrote:

> What if some good comes from this "root kit"?

I'm sure it'll be good for a number of security providers to hawk their wares.

If the way of running this isn't out in the wild and it's actually dangerous then a pox on anyone who releases it, especially to gain publicity at the expense of network operators' sleep and well being. May you never find a reliable route ever again.

MMC

How long before we need to install Anti-virus / Anti-root-kit software on
our routers?

Simon

Simon Lockhart wrote:

> How long before we need to install Anti-virus / Anti-root-kit software on
> our routers?

Nah - we'll just replace them all with Macs. They don't need anti-virus ...

:slight_smile:

MMC

> What if some good comes from this "root kit"?
>
> For instance, what if it lets us fix things like DOM on non-Cisco
> XENPAKs and SFPs? Or lets us un-cripple our 6500 chassis to run the
> code we want?
>
> Of course, given the messenger, I'm sure it's just hype to help
> bolster Gadi's security practice, and will prove to be no big deal.

A signed issue is now 25 bucks FOR YOU, Mister.

This needs fixing. It doesn't need publicity at security conferences
till after Cisco gets presented this stuff first and asked to release
an emergency patch.

--srs

Suresh Ramasubramanian wrote:

> If the way of running this isn't out in the wild and it's actually
> dangerous then a pox on anyone who releases it, especially to gain
> publicity at the expense of network operators' sleep and well being.
> May you never find a reliable route ever again.
>
> This needs fixing. It doesn't need publicity at security conferences
> till after Cisco gets presented this stuff first and asked to release
> an emergency patch.

--srs

According to Cisco, there is nothing to patch:
  Networking, Cloud, and Cybersecurity Solutions - Cisco

Jon Kibler
- --
Jon R. Kibler
Chief Technical Officer
Advanced Systems Engineering Technology, Inc.
Charleston, SC USA
o: 843-849-8214
c: 843-224-2494
s: 843-564-4224

My PGP Fingerprint is:
BAA2 1F2C 5543 5D25 4636 A392 515C 5045 CF39 4253

> If the way of running this isn't out in the wild and it's actually
> dangerous then a pox on anyone who releases it, especially to gain
> publicity at the expense of network operators' sleep and well being.
> May you never find a reliable route ever again.
>
> This needs fixing. It doesn't need publicity at security conferences
> till after Cisco gets presented this stuff first and asked to release
> an emergency patch.

Agreed,

You've got to remember though that a security conference is a
commercial venture; it makes business sense for this to be publicly
announced at this security conference.

I think security conferences have become something that sucks, as it's
all become money-making oriented and the people who run these things
don't really have security in mind, just the £ signs reflecting on
their eyeballs.

> --srs
> --
> Suresh Ramasubramanian (ops.lists@gmail.com)

All the best,

n3td3v

I'd like to discuss:
1. What is it we are talking about.
2. Why it is serious.
3. What we can do to defend ourselves.

I'll be brief as this is not a briefing.

You are absolutely right on the sentiment, but miss the point on this particular issue. I agree with you that in most cases, software vulnerability issues should be resolved with the vendor first, especially where critical infrastructure is involved. This is not only about exploiting a vulnerability.

In this case it is the very realization that these issues exist (namely being able to run Trojan horses on IOS systems AND/or hiding their presence) that we are discussing.

Router security as far as most operators are concerned includes the following issues: software version (now update), configuration, ACL and authentication (password) security. I include subjects such as BGP MD5 in configuration.

These issues are indeed important and very neglected, after all, how many "0wned" routers can be found that respond to cisco/cisco?

The main difference here is that we are now at a crossroads where the face of router security changes. It is the realization that:

1. A router is not a hardware device, it is an embedded device with a software operating system. As such it is as vulnerable to malware (wide-spreading--worm, or targeted--Trojan horse) as a Windows machine is.

2. There are no real tools today for us to be able to detect such malicious activity on a router, listing processes doesn't cut it.

3. What tools exist, which I hope to secure permission to discuss later on, are only from third parties.

This is not about fear mongering, it's about facing reality about how Cisco handles security threats to their customer base before such an issue becomes a public concern--namely, ignoring its very existence, at least as far as the public can see.

The point is, I don't want to rely on third parties for my router's security, even if I trust the said third party.

   Gadi.

Paul Wall wrote:

> What if some good comes from this "root kit"?

> I'm sure it'll be good for a number of security providers to hawk their
> wares.

> How long before we need to install Anti-virus / Anti-root-kit software on
> our routers?

Very astute.

Sadly, this is already being done by a few people I know. No AV vendor has such a tool to offer you, so don't bother asking them.

The question is, can you afford not to?

The answer may be yes, you can afford for your router to be a spying machine for the enemy/competitor, and you can afford for it to be a bot participating in DDoS (as currently, for example, many *nix routers are known to be). The question is who can't afford for these things to happen...

   Gadi.

> The question is who can't afford for these things to happen...
>
>    Gadi.

I can't help but feel you're pushing fear to further some other interest here Gadi.

Do you actually have live examples of this or able to demonstrate it or are you just theorising about it all?

MMC

It is alright to have feelings.

   Gadi.

> It is alright to have feelings.
>
>     Gadi.

So I ask again, expecting nothing but another flippant answer:

Do you actually have live examples of this or able to demonstrate it or are you just theorising about it all?

MMC

The rational thing to do is to move beyond fear.

> I'd love to know what magical mystical protection your routers have that will
> enable them to avoid the same fate as every other device and operating system
> has. There's only one thing up there that doesn't have known rootkits
> in the wild. Yet.

The question isn't IF routers have security vulnerabilities, but whether Gadi has an example he can demonstrate now of installing a root kit on an IOS router NOW or not.

MMC

> > I'd love to know what magical mystical protection your routers have that will
> > enable them to avoid the same fate as every other device and operating system
> > has. There's only one thing up there that doesn't have known rootkits
> > in the wild. Yet.
>
> The question isn't IF routers have security vulnerabilities, but whether
> Gadi has an example he can demonstrate now of installing a root kit on
> an IOS router NOW or not.

Rootkit for 2500, 3000 and 4000...... Load this onto your router and you'll
have root and much more.

  KDV Electronics - uClinux Cisco 2500

    Tuc/TBOH

> > It is alright to have feelings.
> >
> >     Gadi.
>
> So I ask again, expecting nothing but another flippant answer:

I will honour your flame-bait, but only once.

> Do you actually have live examples of this or able to demonstrate it or are you just theorising about it all?

Your question is irrelevant to our discussion, as I obviously base myself on the first email in this thread discussing the poc (?) about to be released, and my own statements from that first email in which I mention I will not discuss my own experience on the subject of rootkit risks and solutions until said poc (?) is released due to matters of honour.

> > I'd love to know what magical mystical protection your routers have that will
> > enable them to avoid the same fate as every other device and operating system
> > has. There's only one thing up there that doesn't have known rootkits
> > in the wild. Yet.
>
> The question isn't IF routers have security vulnerabilities

Nope, the question is not about if routers have security vulnerabilities.
The question is how operators and organizations can defend their routers against rootkits, and cisco's practices.

I personally like Gadi's work, but not as much as I like getting my
packets to their destination. I personally don't quite understand why
netops keep buying proprietary, closed technology for routers, but I'm
not and have never been a netop so I'm sure there's good reasons. To
me it seems that if you need reliable router hardware, you can buy
that from a vendor, but in theory I don't see why the software for
routers couldn't be much more open. When I can, I reflash my WAPs
with DD-WRT, because at least then I understand the system (and you
can't secure what you don't understand), but I am not saying that's
much of a comparison.

So, speaking of hawking wares... :wink:

Since I see some disclosure discussions brewing here, I thought I'd
mention that I have a free online book on security, and I'm trying to
capture all the arguments about disclosure policies so that they don't
ever have to be rehashed. Instead, we can just point someone to it,
and move on.

Here's the section on disclosure:

http://www.subspacefield.org/security/security_concepts.html#tth_sEc25.1

I'm numbering them for your convenience, so that if for some reason
you want to state a particular argument, you can compress the
conversation by simply giving its index. :wink:

HHOS,
Travis