Re: Synful Knock questions...

2015-09-15 Thread Roland Dobbins
On 16 Sep 2015, at 11:51, Paul Ferguson wrote: Please bear in mind that the attacker *must* acquire credentials to access the box before exploitation. And must have access to the box in order to utilize said credentials - which of course, there are BCPs intended to prevent same. ---

Re: Sign-On Letter to the Court in the FCC's Net Neutrality Case

2015-09-15 Thread Eric Brunner-Williams
I read it, it's rather good. -e On 9/12/15 12:45 PM, John Levine wrote: If you're willing to sign on and help today, please email me directly (off list) and I will be happy to share a copy of the letter for you to review before you agree to sign on. Why don't you just send us a copy or a li

Re: Synful Knock questions...

2015-09-15 Thread Paul Ferguson
Please bear in mind that the attacker *must* acquire credentials to access the box before exploitation. Please discuss liberally. - - ferg' On 9/15/2015 1:46 PM, Stephen Satchell wrote: > On 09/15/2015 11:40 AM, Jake Mertel wrote: >> C) keep the i

Re: Synful Knock questions...

2015-09-15 Thread Blake Hudson
I always perform the md5 and/or SHA verification of images on flash against the Cisco website. This is mainly to ensure a good transfer from TFTP. While I've never had a bad TFTP transfer (as in the transfer said successful, but files were corrupted), I have encountered images that were mis-nam

Re: Synful Knock questions...

2015-09-15 Thread Alain Hebert
Well, it would be pointless to do, if the flash version and the running executable already replaced that function to return the right MD5 as from the CCO repository... But yes, scheduling the downloading the firmware and doing a SHA512 from your known good source (aka the Cis

Re: Synful Knock questions...

2015-09-15 Thread Valdis . Kletnieks
On Tue, 15 Sep 2015 13:46:38 -0700, Stephen Satchell said: > > Switch#verify /md5 my.installed.IOS.image.bin > > The output is a bunch of dots (for a switch) followed by an output line > that ends "= xxx" with the x's > replaced with the MD5 hash. You *do* r

Re: Synful Knock questions...

2015-09-15 Thread Stephen Satchell
On 09/15/2015 11:40 AM, Jake Mertel wrote: C) keep the image firmware file size the same, preventing easy detection of the compromise. Hmmm...time to automate the downloading and checksumming of the IOS images in my router. Hey, Expect, I'm looking at YOU. Wait a minute...doesn't Cisco have

Re: Synful Knock questions...

2015-09-15 Thread Jake Mertel
My apologies, Valdis is indeed correct, I did not mean to suggest that it would be possible to make modifications in such a way that would result in an identical checksum. Sorry for the confusion and extra noise. -- Regards, Jake Mertel Ubiquity Hosting Web: https://www.ubiquityhosting.com

Re: Synful Knock questions...

2015-09-15 Thread Valdis . Kletnieks
On Tue, 15 Sep 2015 11:54:30 -0700, Jake Mertel said: > Indeed -- While there are methods that can be used to "pack" a file so that > it collides with a desirable checksum, that would be nearly impossible to > do in this scenario. Small clarification here. There are known methods to easily produc

Re: Synful Knock questions...

2015-09-15 Thread Ricky Beam
On Tue, 15 Sep 2015 14:35:44 -0400, Michael Douglas wrote: Does anyone have a sample of a backdoored IOS image? The IOS image isn't what gets modified. ROMMON is altered to patch IOS after decompression before passing control to it. I don't know WTF they're going on and on about "file si

Re: Synful Knock questions...

2015-09-15 Thread Jared Mauch
> On Sep 15, 2015, at 2:50 PM, Michael Douglas wrote: > > Wouldn't the calculated MD5/SHA sum for the IOS file change once it's > modified (irrespective of staying the same size)? I'd be interested to see > if one of these backdoors would pass the IOS verify command or not. Even > if the backd

Re: Synful Knock questions...

2015-09-15 Thread Jake Mertel
Indeed -- While there are methods that can be used to "pack" a file so that it collides with a desirable checksum, that would be nearly impossible to do in this scenario. I suspect that you're right in all regards -- that taking the image file and checking it on another host would show obvious indi

RE: SMS Gateway

2015-09-15 Thread Gary T. Giesen
Another option might be an analog modem + phone line + carrier TAP gateway (if your carrier(s) has/have one). Might or might not be more cost-effective. GTG > -Original Message- > From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Martin > Hotze > Sent: September 15, 2015 8:37 AM >

RE: SMS Gateway

2015-09-15 Thread Nick Nauwelaerts
The multitech multimodems I run seem to like rebooting an awful lot, they do it at least daily. At another position I did like the SMS FoxBox ( http://www.smsfoxbox.it/ ), which had a simple http put command (amongst other interfaces) which allowed you to send text messages. They do seem to have

Re: Synful Knock questions...

2015-09-15 Thread Marcin Cieslak
On Tue, 15 Sep 2015, Jake Mertel wrote: > Reading through the article @ > https://www.fireeye.com/blog/threat-research/2015/09/synful_knock_-_acis.html, > I'm led to believe that the process(s) they overwrite are selected to > cause no impact to the device. Relevant excerpt: > > ### > Malware Ex

Re: Synful Knock questions...

2015-09-15 Thread Michael Douglas
Wouldn't the calculated MD5/SHA sum for the IOS file change once it's modified (irrespective of staying the same size)? I'd be interested to see if one of these backdoors would pass the IOS verify command or not. Even if the backdoor changed the verify output; copying the IOS file off the router

Re: Synful Knock questions...

2015-09-15 Thread Jake Mertel
Reading through the article @ https://www.fireeye.com/blog/threat-research/2015/09/synful_knock_-_acis.html, I'm led to believe that the process(s) they overwrite are selected to cause no impact to the device. Relevant excerpt: ### Malware Executable Code Placement To prevent the size of the ima

Re: Synful Knock questions...

2015-09-15 Thread Michael Douglas
Does anyone have a sample of a backdoored IOS image? On Tue, Sep 15, 2015 at 2:15 PM, wrote: > I'm sure most have already seen the CVE from Cisco, and I was just reading > through the documentation from FireEye: > > https://www.fireeye.com/blog/threat-research/2015/09/synful_knock_-_acis.html

Synful Knock questions...

2015-09-15 Thread eric-list
I'm sure most have already seen the CVE from Cisco, and I was just reading through the documentation from FireEye: https://www.fireeye.com/blog/threat-research/2015/09/synful_knock_-_acis.html Question is that it looks to me like they are over-writing the ospf response for "show ip ospf timers ls

Re: Frontier flaps -12:15?

2015-09-15 Thread Jared Mauch
The NTT ticket for Ashburn is VNOC-1-1345240005 if you are a customer and need to follow up. - Jared > On Sep 15, 2015, at 12:45 PM, Mr. NPP wrote: > > we lost NTT for a short period in ashburn, so something went on for sure. > > mr.npp > > On Tue, Sep 15, 2015 at 9:31 AM, Matt Hoppes > wro

Re: Frontier flaps -12:15?

2015-09-15 Thread Mr. NPP
We lost NTT for a short period in Ashburn, so something went on for sure. mr.npp On Tue, Sep 15, 2015 at 9:31 AM, Matt Hoppes wrote: > Did anyone experience any flaps or outage in the Frontier network between > 12:15 and 12:30 eastern today? > > Appeared to be in Ashburn. > > >

Frontier flaps -12:15?

2015-09-15 Thread Matt Hoppes
Did anyone experience any flaps or outage in the Frontier network between 12:15 and 12:30 eastern today? Appeared to be in Ashburn.

Re: SMS Gateway

2015-09-15 Thread Martin Hotze
> From: Leonardo Arena > To: Graham Johnston > Cc: "'nanog@nanog.org'" > > On Mon, 14/09/2015 at 14.53 +, Graham Johnston wrote: > > Today we use a product from MultiTech Systems call MultiModem iSMS to > send SMS text messages from our monitoring system to our on call staff.