Re: IOS Rookit: the sky isn't falling (yet)

2008-05-27 Thread Valdis . Kletnieks
On Tue, 27 May 2008 11:02:32 CDT, Gadi Evron said: > On Tue, 27 May 2008, Jared Mauch wrote: > > *yawn* > > I guess we will wait for the next one before waking up, then. No Gadi. What Jared is saying is that there are exactly *ZERO* routers (for some infinitesimally small value of zero) that wil

Re: IOS Rookit: the sky isn't falling (yet)

2008-05-27 Thread Adrian Chadd
On Tue, May 27, 2008, [EMAIL PROTECTED] wrote: > There's basically 2 classes of Cisco routers out there: > > 1) Ones managed by Jared and similarly clued people, who can quite rightfully > yawn because the specter of "IOS rootkits" changes nothing in their actual > threat model - they put stuff i

RE: IOS Rookit: the sky isn't falling (yet)

2008-05-27 Thread michael.dillon
> This seems like such a non-event because what is the exploit > path to load the image? There needs to be a primary exploit > to load the malware image. Hmmm. Get a job servicing/installing data centre HVAC systems, wait until you get called out to a mostly empty data center, lift some floor ti

Re: IOS Rookit: the sky isn't falling (yet)

2008-05-27 Thread Sean Donelan
On Tue, 27 May 2008, Gadi Evron wrote: Perhaps the above should be simplified. Running a hacked/modded IOS version is a dangerous prospect. This seems like such a non-event because what is the exploit path to load the image? There needs to be a primary exploit to load the malware image. *yaw

Re: IOS Rookit: the sky isn't falling (yet)

2008-05-27 Thread Chris Grundemann
On Tue, May 27, 2008 at 11:13 AM, Adrian Chadd <[EMAIL PROTECTED]> wrote: > > Bloody network people, always assuming their network security stops at > their router. > > So now that someone's done the hard lifting to backdoor an IOS binary, > and I'm assuming you all either upgrade by downloading fro

Re: IOS Rookit: the sky isn't falling (yet)

2008-05-27 Thread Adrian Chadd
On Tue, May 27, 2008, Chris Grundemann wrote: > > Sure, it's not all fire and brimstone, but the bar -was- dropped a little, > > and somehow you need to make sure that the IOS that's sitting on your > > network management site is indeed the IOS that you put there in the > > first place.. > > Like M

Re: IOS Rookit: the sky isn't falling (yet)

2008-05-27 Thread Valdis . Kletnieks
On Tue, 27 May 2008 11:24:19 MDT, Chris Grundemann said: > Like MD5 File Validation? - "MD5 values are now made available on > Cisco.com for all Cisco IOS software images for comparison against > local system image values." That does wonders for catching a corruption in the FTP that wasn't caught

Re: IOS Rookit: the sky isn't falling (yet)

2008-05-27 Thread goemon
On Tue, 27 May 2008, [EMAIL PROTECTED] wrote: On Tue, 27 May 2008 11:24:19 MDT, Chris Grundemann said: Like MD5 File Validation? - "MD5 values are now made available on Cisco.com for all Cisco IOS software images for comparison against local system image values." That does wonders for catching

Re: IOS Rookit: the sky isn't falling (yet)

2008-05-27 Thread Valdis . Kletnieks
On Tue, 27 May 2008 10:47:08 PDT, [EMAIL PROTECTED] said: > What you want is cisco hardware that verifies firmware signatures in > hardware. Yes, but that requires new hardware. Understanding the security risk in accepting an unsigned MD5 signature from the same place that you accepted the file

Re: IOS Rookit: the sky isn't falling (yet)

2008-05-27 Thread Sargun Dhillon
[EMAIL PROTECTED] wrote: > On Tue, 27 May 2008, [EMAIL PROTECTED] wrote: >> On Tue, 27 May 2008 11:24:19 MDT, Chris Grundemann said: >>> Like MD5 File Validation? - "MD5 values are now made available on >>> Cisco.com for all Cisco IOS software images for comparison against >>> local system image va

Re: IOS Rookit: the sky isn't falling (yet)

2008-05-27 Thread Sean Donelan
On Tue, 27 May 2008, [EMAIL PROTECTED] wrote: What you want is cisco hardware that verifies firmware signatures in hardware. Of course, how do you know your hardware hasn't been compromised? http://www.usdoj.gov/opa/pr/2008/February/08_crm_150.html

RE: IOS Rookit: the sky isn't falling (yet)

2008-05-27 Thread michael.dillon
> Like MD5 File Validation? - "MD5 values are now made > available on Cisco.com for all Cisco IOS software images for > comparison against local system image values." I would expect a real exploit to try to match Cisco's MD5 hashes. By all means, check those hashes after you download them but I

Re: IOS Rookit: the sky isn't falling (yet)

2008-05-27 Thread Valdis . Kletnieks
On Tue, 27 May 2008 19:49:21 BST, [EMAIL PROTECTED] said: > > Like MD5 File Validation? - "MD5 values are now made > > available on Cisco.com for all Cisco IOS software images for > > comparison against local system image values." > > I would expect a real exploit to try to match Cisco's > M

Re: IOS Rookit: the sky isn't falling (yet)

2008-05-27 Thread Dorn Hetzel
Perhaps Cisco and friends should take to periodically printing MD5 checksums in full page ads in the New York Times or similar? Maybe not impossible for an attacker to replicate, but it certainly does raise the bar :) On Tue, May 27, 2008 at 3:07 PM, <[EMAIL PROTECTED]> wrote: > On Tue, 27 May 2

Re: IOS Rookit: the sky isn't falling (yet)

2008-05-27 Thread goemon
On Tue, 27 May 2008, Sean Donelan wrote: On Tue, 27 May 2008, [EMAIL PROTECTED] wrote: What you want is cisco hardware that verifies firmware signatures in hardware. Of course, how do you know your hardware hasn't been compromised? http://www.usdoj.gov/opa/pr/2008/February/08_crm_150.html Are

RE: IOS Rookit: the sky isn't falling (yet)

2008-05-27 Thread michael.dillon
> If you were an attacker, which would you go with: > > 1) The brute-force attack which will require hundreds of > thousands of CPU-years. In this case an attacker would definitely go with this option. Since they can't change most of the IOS bytes because they contain IOS and the exploit, they

Re: IOS Rookit: the sky isn't falling (yet)

2008-05-27 Thread Sean Donelan
On Tue, 27 May 2008, [EMAIL PROTECTED] wrote: Are you buying directly from cisco or from resellers? If you are getting counterfeit hardware directly from cisco then I guess we have real problems. According to the FBI presentation, which may not be a reliable source for this topic, Cisco has ver

Re: IOS Rookit: the sky isn't falling (yet)

2008-05-27 Thread Valdis . Kletnieks
On Tue, 27 May 2008 20:45:11 BST, [EMAIL PROTECTED] said: > > 1) The brute-force attack which will require hundreds of > > thousands of CPU-years. Millions. Not thousands. See below. > In this case an attacker would definitely go with this option. Since > they can't change most of the IOS bytes

Re: IOS Rookit: the sky isn't falling (yet)

2008-05-27 Thread Gadi Evron
On Tue, 27 May 2008 [EMAIL PROTECTED] wrote: On Tue, 27 May 2008 11:02:32 CDT, Gadi Evron said: On Tue, 27 May 2008, Jared Mauch wrote: *yawn* I guess we will wait for the next one before waking up, then. No Gadi. What Jared is saying is that there are exactly *ZERO* routers (for some infi

Re: IOS Rookit: the sky isn't falling (yet)

2008-05-27 Thread Gadi Evron
On Tue, 27 May 2008, Sean Donelan wrote: On Tue, 27 May 2008, Gadi Evron wrote: Perhaps the above should be simplified. Running a hacked/modded IOS version is a dangerous prospect. This seems like such a non-event because what is the exploit path to load the image? There needs to be a primary

Re: IOS Rookit: the sky isn't falling (yet)

2008-05-27 Thread Kevin Oberman
> Date: Tue, 27 May 2008 15:46:34 -0400 (EDT) > From: Sean Donelan <[EMAIL PROTECTED]> > > On Tue, 27 May 2008, [EMAIL PROTECTED] wrote: > > Are you buying directly from cisco or from resellers? If you are getting > > counterfeit hardware directly from cisco then I guess we have real problems. >

RE: IOS Rookit: the sky isn't falling (yet)

2008-05-28 Thread michael.dillon
> So let's see - if you had a billion CPUs in your botnet, and > each one could go at a billion to the second, you still need > 2**69 seconds or 449,235,776,528,695 years. Not bad - only > 10,000 times the amount of time this planet has been around, > so yeah, that's the way they'll attack all

Re: IOS Rookit: the sky isn't falling (yet)

2008-05-28 Thread Steven M. Bellovin
On Wed, 28 May 2008 10:37:05 +0100 <[EMAIL PROTECTED]> wrote: > > So let's see - if you had a billion CPUs in your botnet, and > > each one could go at a billion to the second, you still need > > 2**69 seconds or 449,235,776,528,695 years. Not bad - only > > 10,000 times the amount of time thi

Re: IOS Rookit: the sky isn't falling (yet)

2008-05-28 Thread Gadi Evron
On Thu, 29 May 2008, Steven M. Bellovin wrote: On Wed, 28 May 2008 10:37:05 +0100 <[EMAIL PROTECTED]> wrote: So let's see - if you had a billion CPUs in your botnet, and each one could go at a billion to the second, you still need 2**69 seconds or 449,235,776,528,695 years. Not bad - only 10,0

RE: IOS Rookit: the sky isn't falling (yet)

2008-05-29 Thread Fred Reimer
hnologies, Inc. 954-298-1697 > -----Original Message----- > From: Gadi Evron [mailto:[EMAIL PROTECTED] > Sent: Thursday, May 29, 2008 12:21 AM > To: Steven M. Bellovin > Cc: nanog@nanog.org > Subject: Re: IOS Rookit: the sky isn't falling (yet) > > On Thu, 29

RE: IOS Rookit: the sky isn't falling (yet)

2008-05-29 Thread Jim Wise
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Thu, 29 May 2008, Fred Reimer wrote: >plaintext (the IOS code) and the hash. It is not trivial to be able to >make changes in the code and maintain the same hash value, but there has >been at least limited success in doing so. Has there? My unde

Re: IOS Rookit: the sky isn't falling (yet)

2008-05-29 Thread Steven M. Bellovin
On Thu, 29 May 2008 09:18:07 -0400 "Fred Reimer" <[EMAIL PROTECTED]> wrote: > So the only easy way to attack this is the MD5 hash. We have a known > plaintext (the IOS code) and the hash. It is not trivial to be able > to make changes in the code and maintain the same hash value, but > there has

Re: IOS Rookit: the sky isn't falling (yet)

2008-05-29 Thread Jared Mauch
On May 29, 2008, at 9:37 AM, Jim Wise wrote: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Thu, 29 May 2008, Fred Reimer wrote: plaintext (the IOS code) and the hash. It is not trivial to be able to make changes in the code and maintain the same hash value, but there has been at leas

RE: IOS Rookit: the sky isn't falling (yet)

2008-05-29 Thread Fred Reimer
N, CQS-ISS Senior Network Engineer Coleman Technologies, Inc. 954-298-1697 > -----Original Message----- > From: Steven M. Bellovin [mailto:[EMAIL PROTECTED] > Sent: Thursday, May 29, 2008 9:43 AM > To: Fred Reimer > Cc: Gadi Evron; nanog@nanog.org > Subject: Re: IOS Rookit

RE: IOS Rookit: the sky isn't falling (yet)

2008-05-29 Thread Fred Reimer
> -----Original Message----- > From: Jared Mauch [mailto:[EMAIL PROTECTED] > Sent: Thursday, May 29, 2008 9:48 AM > To: Jim Wise > Cc: Fred Reimer; nanog@nanog.org > Subject: Re: IOS Rookit: the sky isn't falling (yet) > > > On May 29, 2008, at 9:37 AM, Jim Wise wro

RE: IOS Rookit: the sky isn't falling (yet)

2008-05-29 Thread Jim Wise
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Thu, 29 May 2008, Fred Reimer wrote: >The code would presumably be run upon boot from a non-flashable source, >which would run the boot ROM code through a check on the crypto chip and >only execute it if it passed. You would not put the code that

RE: IOS Rookit: the sky isn't falling (yet)

2008-05-29 Thread Fred Reimer
nal Message- > From: Jim Wise [mailto:[EMAIL PROTECTED] > Sent: Thursday, May 29, 2008 11:10 AM > To: Fred Reimer > Cc: Jared Mauch; nanog@nanog.org > Subject: RE: IOS Rookit: the sky isn't falling (yet) > > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > &

Re: IOS Rookit: the sky isn't falling (yet)

2008-06-02 Thread Christian
697 > > > > -----Original Message----- > > From: Jim Wise [mailto:[EMAIL PROTECTED] > > Sent: Thursday, May 29, 2008 11:10 AM > > To: Fred Reimer > > Cc: Jared Mauch; nanog@nanog.org > > Subject: RE: IOS Rookit: the sky isn't falling (yet) > > >