[NANOG] IOS rootkits

Dragos Ruiu dr at kyx.net
Sun May 18 20:33:53 UTC 2008


On 18-May-08, at 7:11 AM, Suresh Ramasubramanian wrote:
> 2. It can be prevented by what's widely regarded as BCP on router
> security, and has been covered at *nog, in cisco training material,
> etc etc for quite some time now.
>
> I am much less concerned about security conferences discussing this
> than about the (highly uninformed) publicity that accompanies these
> conferences.


I'm not going to touch the disclosure or not debate... it's been done.

But I will agree to disagree with you about the above two points.

First of all about prevention, I'm not at all sure about this being  
covered by existing router security planning / BCP.
I don't believe most operators reflash their routers periodically, nor  
check existing images (particularly because the tools for this  
integrity verification don't even exist). If I'm wrong about this I  
would love to be corrected with pointers to the tools.

Regarding the second point, I also lament the often liberal doses of  
alarmism/FUD that get plastered over the popular media whenever  
complicated technical issues are discussed - but unless we have the  
discussions, and information dispersal, then the  
misconceptions have no chance of being dispelled.
The threat of misinformed press does not seem to be sufficient to  
justify censuring open discussion of the issues imho.

One of the things I truly enjoy about the conferences we organize is  
seeing the synergism that occurs when multiple minds focus on these  
security issues at the conferences. When the analysis is parallelized  
over multiple brains, inevitably the creative solutions that occur  
from the congregation of different viewpoints and ideas are pleasantly  
surprising, and powerful.  I've seen numerous examples of this: even  
just last April I had a chance to be a fly on the wall at a discussion  
between Jacob Appelbaum and Theo DeRaadt talking about the cold memory  
attacks research Jacob started - the result of which was that during  
the discussion it was realized that with the addition of about 30  
lines of code in the power fail interrupt handler a large segment of  
those attacks could be nullified, as they are now on OpenBSD.  If the  
discussion hadn't happened, the creative solution to it would have  
never arisen. These kinds of "out of the box" solutions frequently  
arise out of multi-person debate and free association that follows  
discussions of serious issues - no-one has the whole picture and  
adding others' viewpoints often brings superior solutions to problems  
up.

So in my opinion the benefits of discussing serious issues at  
conferences far outweigh the potential drawbacks of misguided media  
coverage of them. What I infer from your post is that you are of the  
opinion that issues such as this rootkit prototype should be reported  
to CSIRT and then shuffled under a carpet. To which I respond that  
that kind of attitude has led to what I currently consider to be an  
inappropriate level of concern and awareness amongst service providers  
of the seriousness of this threat. Cisco has some great guys, but  
surely discussion of this threat amongst the wider security community  
will lead to more and better solutions than Cisco operating in a  
vacuum. And more importantly this issue is not a Cisco issue - the  
basic threat vector should be a concern to other infrastructure  
equipment manufacturers too. Until we talk about it, we cannot find  
the right responses to the problem, and experts talking about it  
usually leads to better and more comprehensive solutions than single  
persons or smaller groups working in isolation.

cheers,
--dr

--
World Security Pros. Cutting Edge Training, Tools, and Techniques
London, U.K.   May 21/22 - 2008    http://eusecwest.com
pgpkey http://dragos.com/ kyxpgp