Any news of the presentation surfacing anywhere? Interested in details of what was discussed.
On Sun, May 25, 2008 at 6:27 AM, Gadi Evron <[EMAIL PROTECTED]> wrote:
> On Sun, 18 May 2008, Joel Jaeggli wrote:
>
>> Dragos Ruiu wrote:
>>
>>> First of all about prevention, I'm not at all sure about this being
>>> covered by existing router security planning / BCP.
>>> I don't believe most operators reflash their routers periodically, nor
>>> check existing images (particularly because the tools for this
>>> integrity verification don't even exist). If I'm wrong about this I
>>> would love to be corrected with pointers to the tools.
>>>
>>
>> I have 6 years worth of rancid logs for every time the reported number
>> of blocks in use on my flash changes, I imagine others do as well.
>> That's hardly the silver bullet however.
>>
>
> Cisco considerably updated its rootkits page (which was 3 lines, yes, just
> 3 lines, last week, you might think it was a previously unknown threat).
>
> Last Updated 2008 May 22 1600 UTC (GMT)
> For Public Release 2008 May 16 0400 UTC (GMT)
> Some update!
>
> The new page gives a lot of information on best practices, MD5
> verifications, etc. Very good as a security best practices page but still
> not much of an "anti rootkit" page. Well worth taking a look:
>
> http://www.cisco.com/warp/public/707/cisco-sr-20080516-rootkits.shtml
>
> Again, very good page even if it in no way addresses the threat.
>
> Last week my opinions were well-formed after a few years of thinking on the
> subject. I decided to re-examine my take as I may have just stagnated on the
> issue and the landscape changed. I reached the same conclusions.
>
> Still no decent response on why they never spoke to their clients on Trojan
> horses on IOS, rootkits on IOS.. or practically, what tools they provide to
> deal with them or what their plans are to help us protect ourselves and our
> infrastructure. One could guess they have none.
>
> As someone recently mentioned to me, after the Michael Lynn talk they
> started admitting to remote code execution vulnerabilities being more than
> just DoS in their announcements. Maybe that is a trend and we will get more
> information from them in the future, now that rootkits as a threat to IOS is
> a public issue.
>
> Cisco's "threats don't exist until our clients already know of them"
> strategy is running out of steam, and will soon outlive its usefulness.
> Cisco is acting pretty much like Microsoft did 10 years ago, they shouldn't
> be surprised if security research treats them the same way as it treated
> Microsoft.
>
> I know what their treatment made _me_ do psychologically, it made me not
> want to reach out to them. It seems like the Michael Lynn way is the only
> way to go with their current attitude--full disclosure.
>
> As to the risk itself, it is my personal belief IOS rootkits are currently
> a threat as a targeted attack. Therefore, although of serious concern it is
> not yet something I fear on the Internet scale.
>
> Pure FUD, Cisco provided us with no real data:
> I do however dread the day XR gains some popularity, then it is as bad as
> Windows XP exploitability-wise. 2003, year of the worm. 2013, year of the
> Cisco worms?
>
> Gadi.