Merit Network
Can't find what you're looking for? Search the Mail Archives.
  About Merit   Services   Network   Resources & Support   Network Research   News   Events   Home

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Cisco crapaganda

  • From: Michael.Dillon
  • Date: Tue Aug 09 11:12:24 2005

> /* ARTICLE
> Experts and users say the hole in IOS appears not to be an immediate
> concern based on what is public knowledge at the moment, since patches
> are available. But what concerns some is that Lynn's exploit
> techniques take router hacking to a new level, which eventually could
> have security implications for Cisco customers.
> */

They are not "Lynn's exploit techniques". The techniques were
published by someone else in considerable more detail than 
Lynn along with source code. And this other person has also
described techniques for attacking other brands of network
equipment not just Cisco.

There is a sea change in hacker activity under way as
they realize that most embedded systems (including routers
and switches) are now based on general purpose computer
technology and that such systems are full of opportunities
for software exploits. Hackers no longer just attack OSes
like Windows and Linux, they now are beginning to go after
any kind of smart device, especially when the exploits can
be leveraged for blackmail or to earn cash from espionage.

You aren't safe just because your network runs on brand X
boxes. The only way to be safe is for your brand X vendors
to take software security and systemic security much more
seriously. I also believe that there are lessons to be
learned from the open source community's approach to security.
This doesn't mean that Cisco or any other Brand X vendor
should just run out and replace their box's OS with 
OpenBSD or NetBSD or Linux. But they need to seriously
ask themselves what advantage they gain from inventing 
their own wheel and rejecting the work of thousands of
highly skilled and dedicated people.

There really is no such thing as closed source. The people
building these exploits are fully capable of taking 
code from ROM or flash memory and reading what it does.
It's all fine and well to have layers of security but
hiding your source code really shouldn't be counted
as a security layer.

Even if someone managed to eliminate Lynn and all past 
and current employees of ISS by exiling them to Cuba,
this would not stop the hackers who are exploiting
network device flaws.

--Michael Dillon





Discussion Communities


About Merit | Services | Network | Resources & Support | Network Research
News | Events | Contact | Site Map | Merit Network Home


Merit Network, Inc.