North American Network Operators Group|
Date Prev | Date Next |
Date Index |
Thread Index |
Author Index |
Re: Cisco crapaganda
- From: Michael.Dillon
- Date: Tue Aug 09 11:12:24 2005
> /* ARTICLE
> Experts and users say the hole in IOS appears not to be an immediate
> concern based on what is public knowledge at the moment, since patches
> are available. But what concerns some is that Lynn's exploit
> techniques take router hacking to a new level, which eventually could
> have security implications for Cisco customers.
They are not "Lynn's exploit techniques". The techniques were
published by someone else in considerable more detail than
Lynn along with source code. And this other person has also
described techniques for attacking other brands of network
equipment not just Cisco.
There is a sea change in hacker activity under way as
they realize that most embedded systems (including routers
and switches) are now based on general purpose computer
technology and that such systems are full of opportunities
for software exploits. Hackers no longer just attack OSes
like Windows and Linux, they now are beginning to go after
any kind of smart device, especially when the exploits can
be leveraged for blackmail or to earn cash from espionage.
You aren't safe just because your network runs on brand X
boxes. The only way to be safe is for your brand X vendors
to take software security and systemic security much more
seriously. I also believe that there are lessons to be
learned from the open source community's approach to security.
This doesn't mean that Cisco or any other Brand X vendor
should just run out and replace their box's OS with
OpenBSD or NetBSD or Linux. But they need to seriously
ask themselves what advantage they gain from inventing
their own wheel and rejecting the work of thousands of
highly skilled and dedicated people.
There really is no such thing as closed source. The people
building these exploits are fully capable of taking
code from ROM or flash memory and reading what it does.
It's all fine and well to have layers of security but
hiding your source code really shouldn't be counted
as a security layer.
Even if someone managed to eliminate Lynn and all past
and current employees of ISS by exiling them to Cuba,
this would not stop the hackers who are exploiting
network device flaws.