Keep in mind that rootkit functionality itself isn't all bad; take anti-virus software for example. It's like a shark trawling the bottom of the sea floor, looking up at its next meal on high: how deeply can you hook the OS core...

Elazar

On Sun, 18 May 2008 14:45:48 -0400 Kurt Dillard <[EMAIL PROTECTED]> wrote:
>Apparently Gadi doesn't understand either. Rootkits don't need to exploit
>vulnerabilities in an OS, they leverage the design of the OS or the
>underlying hardware platform. You don't 'patch' the design of something. You
>want to stop rootkits in IOS? Don't allow it to run arbitrary code, run the
>OS in firmware rather than from writable storage. Go study up on rootkits
>for a few weeks before you complain about someone demonstrating one. Unlike
>you guys I happen to know what I am talking about as I've been studying
>malware including rootkits for over 10 years. By studying I mean taking them
>apart, figuring out how they work, and finding tools to deal with them; not
>reading some half-assed article on CNET or Ziff-Davis full of technical
>errors.
>
>Over the past few years Cisco, Apple, and Oracle have behaved an awful lot
>like Microsoft did 10 years ago, trying to pretend that their platforms are
>immune to malware and refusing to approach vulnerabilities head-on with an
>attitude of rational pragmatism. Dave Litchfield and his team have dragged
>Oracle kicking and screaming to the world of reality; the same has yet to
>happen with the other two firms.
>
>-----Original Message-----
>From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of n3td3v
>Sent: Sunday, May 18, 2008 12:50 PM
>To: [email protected]
>Subject: Re: [Full-disclosure] [NANOG] IOS rootkits
>
>On Sun, May 18, 2008 at 4:37 PM, Kurt Dillard <[EMAIL PROTECTED]> wrote:
>> NETDOVE,
>> Obviously you have no idea how a rootkit works, much less how to defend
>> against them; your rants make no sense.
>>
>> Kurt
>
>Dude,
>
>Gadi Evron is punching into this guy as well, check this out:
>
>---------- Forwarded message ----------
>From: Gadi Evron <[EMAIL PROTECTED]>
>Date: Sun, May 18, 2008 at 3:48 PM
>Subject: Re: [NANOG] IOS rootkits
>To: Dragos Ruiu <[EMAIL PROTECTED]>
>Cc: [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED]
>
>
>On Sun, 18 May 2008, Dragos Ruiu wrote:
>>
>> On 17-May-08, at 3:12 AM, Suresh Ramasubramanian wrote:
>>
>>> On Sat, May 17, 2008 at 12:47 PM, Matthew Moyle-Croft
>>> <[EMAIL PROTECTED]> wrote:
>>>> If the way of running this isn't out in the wild and it's actually
>>>> dangerous then a pox on anyone who releases it, especially to gain
>>>> publicity at the expense of network operators' sleep and well-being.
>>>> May you never find a reliable route ever again.
>>>
>>> This needs fixing. It doesn't need publicity at security conferences
>>> till after Cisco gets presented this stuff first and asked to release
>>> an emergency patch.
>>
>> Bullshit.
>>
>> There is nothing to patch.
>>
>> It needs to be presented at conferences, exactly because people will
>> play ostrich and stick their heads in the sand and pretend it can't
>> happen to them, and do nothing about it until someone shows them, "yes
>> it can happen" and here is how....
>>
>> Which is exactly why we've accepted this talk. We've all known this is
>> a possibility for years, but I haven't seen significant motion forward
>> on this until we announced this talk. So in a fashion, this has
>> already helped make people more realistic about their infrastructure
>> devices. And the discussions and idea interchange that will happen
>> between the smart folks at the conference will undoubtedly usher forth
>> other related issues and creative solutions. Problems don't get fixed
>> until you talk about them.
>
>Dragos, while I hold full disclosure very close and it is dear to my
>heart, I admit the fact that it can be harmful. Let me link that to
>network operations.
>
>People forget history. A few years back I had a chat with Aleph1 on the
>first days of bugtraq. He reminded me how things are not always black and
>white.
>
>Full disclosure, while preferable in my ideology, is not the best solution
>for all. One of the reasons bugtraq was created is because vendors did not
>care about security, not to mention have a capability to handle security
>issues, or avoid them to begin with.
>
>Full disclosure made a lot of progress for us, and while still a useful
>tool, with some vendors it has become far more useful to report to them
>and let them provide a solution first.
>
>In the case of routers which are used for infrastructure as well as
>critical infrastructure, it is my strong belief that full disclosure is,
>at least at face value, a bad idea.
>
>I'd like to think Cisco, which has shown capability in the past, is as
>responsible as it should be on these issues. Experience tells me they have
>a ways to go yet even if they do have good processes in place with good
>people to employ them.
>
>I'd also like to think tier-1 and tier-2 providers get patches first
>before such releases. This used to somewhat be the case; last I checked it
>no longer is -- for legitimate concerns by Cisco. Has this changed?
>
>So, if we don't patch the infrastructure up first, and clients don't know
>of problems until they are public "for their own security" (an argument
>that holds water only so much), perhaps it is the time for full disclosure
>to be considered a viable alternative.
>
>All that aside, this is a rootkit, not a vulnerability. There is no
>inherent vulnerability to patch (unless it is very local). There is the
>vulnerability of operators who don't so far even consider trojan horses
>as a threat, and the fact tools don't exist for them to do something once
>they do.
>
>        Gadi.
>
>> cheers,
>> --dr
>>
>> --
>> World Security Pros. Cutting Edge Training, Tools, and Techniques
>> London, U.K. May 21/22 - 2008 http://cansecwest.com
>> pgpkey http://dragos.com/ kyxpgp
>
>_______________________________________________
>Full-Disclosure - We believe in it.
>Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>Hosted and sponsored by Secunia - http://secunia.com/
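Two technical points in the thread above are worth seeing in code: Kurt's, that a rootkit on a router does not need a bug to exploit because it can simply replace or patch the OS image that sits in writable storage, and Gadi's, that operators lack tools to notice once that has happened. The following is an added example written for this page, not code from anyone in the thread and not Cisco tooling. It assumes the operator has pulled copies of the images off the device onto a trusted host and recorded a baseline manifest when the image was first installed from vendor media; the image names, bytes and the patched "rootkitted" copy are all constructed for the example.

```python
"""Out-of-band integrity baseline for router OS images (added example).

Assumptions (not from the thread): image files have been copied off the
device to a trusted host, and a manifest of known-good SHA-256 digests was
recorded at install time from vendor media. All names and bytes below are
constructed for illustration.
"""
import hashlib
from typing import Dict, List, Tuple

# Constructed sample data: a stand-in "vendor" image and a copy of it with
# four bytes overwritten, standing in for a rootkit that patches the boot
# image in writable flash rather than exploiting any vulnerability.
GOOD_IMAGE = b"ROUTER-IMAGE-HEADER\x00" + bytes(range(256)) * 4
_patched = bytearray(GOOD_IMAGE)
_patched[40:44] = b"\xde\xad\xbe\xef"          # constructed tampering
PATCHED_IMAGE = bytes(_patched)


def sha256_hex(data: bytes) -> str:
    """Digest computed on the collecting host, not reported by the device."""
    return hashlib.sha256(data).hexdigest()


def build_manifest(images: Dict[str, bytes]) -> Dict[str, str]:
    """Record name -> SHA-256 once, from media you trust, and keep it off-box."""
    return {name: sha256_hex(data) for name, data in images.items()}


def verify_images(manifest: Dict[str, str],
                  images: Dict[str, bytes]) -> List[Tuple[str, str]]:
    """Compare off-device copies against the baseline.

    Returns sorted (image_name, finding) pairs, where finding is one of:
      'ok'        digest matches the baseline
      'modified'  digest differs: treat as a compromise indicator, not a
                  corrupt download, until proven otherwise
      'unknown'   file present on the device but absent from the baseline
      'missing'   baseline image no longer present on the device

    The digests are recomputed here. A hash the device prints about its
    own image is not evidence: a rootkit that hooks the file-system or
    the verify code path can report whatever it likes.
    """
    findings: List[Tuple[str, str]] = []
    for name, expected in manifest.items():
        if name not in images:
            findings.append((name, "missing"))
            continue
        actual = sha256_hex(images[name])
        findings.append((name, "ok" if actual == expected else "modified"))
    for name in images:
        if name not in manifest:
            findings.append((name, "unknown"))
    return sorted(findings)


def demo() -> List[Tuple[str, str]]:
    """Run the check against the constructed tampered image."""
    manifest = build_manifest({"router-image.bin": GOOD_IMAGE})
    pulled_from_device = {"router-image.bin": PATCHED_IMAGE,
                          "extra-file.bin": b"not in baseline"}
    return verify_images(manifest, pulled_from_device)


if __name__ == "__main__":
    for name, finding in demo():
        print(f"{finding:9s} {name}")
```

The design choice that matters is where the hash is computed. Running `verify` on the device answers the question "what does the device say about itself", which is exactly the answer a rootkit controls; copying the image off and hashing it on a clean host, then comparing against a manifest the device has never seen, is the only comparison that survives a compromised OS. Pairing that with read-only boot media, as Kurt suggests, shrinks the window in which the image can be changed in the first place.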
