Wednesday, June 04, 2008

Router Rootkits

Security UPDATE
A Penton Media Property
June 4, 2008

IN FOCUS

--Router Rootkits
by Mark Joseph Edwards, News Editor
Although rootkits certainly aren't new, they are becoming more of a
problem as time wears on. In the past we've typically had to contend
with defending desktops and servers against such menaces; however,
attention must also be paid to network devices, such as routers, because
trends indicate that we're headed into a period when more attacks will
be targeted directly at network-enabled devices.

For example, in a recent article (at the URL below) I discussed a
presentation given by Rich Smith of HP Systems Security Lab at the
recent EUSecWest conference in London, where he outlined why he thinks
Phlash attacks are destined to become a big security concern. Phlash
attacks target network-enabled devices: faulty firmware is written over
the existing flash-based code, which can cripple a device beyond the
point of recovery.

http://ct.email.windowsitpro.com/rd/cts?d=33-8647-803-202-62923-869893-0-0-0-1-2-207

Sebastian Muniz also gave a presentation at the conference regarding
similar attacks against Cisco routers. Muniz's approach doesn't involve
crippling devices but instead involves implanting a rootkit by modifying
an image of Cisco's Internetwork Operating System (commonly referred to
as IOS) router code. Muniz explained that to do so one must first obtain
an IOS image, decompress it, analyze the code with specialized tools to
locate strings and functions, overwrite certain strings and functions
with malicious code, re-compress the image, and adjust the checksums to
match the altered image. Later, if someone obtains such an image (e.g.,
from an unofficial distribution site) and installs it on their router,
then of course it's game over and the bad guy wins.

What Muniz's research reveals is that it's not only entirely possible to
inject a rootkit into a device that runs IOS, but that it's also
possible to do so without access to IOS source code, that it's possible
to make a rootkit persistent across device reboots, and most importantly
that it's possible to write one IOS rootkit that works on different CPU
architectures. Of course the attack might also come to involve an
administrator (if the administrator acquires an altered IOS image),
thereby turning the administrator into a tool of the attack.

The lessons here are fairly clear: Never use IOS images that were not
obtained directly from Cisco. If you happen to buy used Cisco hardware,
be certain to load fresh IOS code onto the device; otherwise you run a
high risk because you can't be sure where the existing IOS code came
from. The same premise holds in another context: Be very careful about
who you allow to manage your routers, because it's entirely feasible
that an employee might be the one to intentionally load altered IOS
code.
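As an added illustration (not part of the newsletter, and not Muniz's or Cisco's tooling) of why the lesson above is to trust only images obtained from the vendor: a checksum carried inside an image can be refitted by whoever altered the image, so it proves nothing, whereas a hash published by the vendor out of band can catch the substitution. The toy image format, the sample bytes and the "vendor" hash are constructed for the demonstration and are not Cisco's.

```python
import hashlib
import hmac
import zlib

# Constructed toy "image": a body followed by a 4-byte CRC32 trailer. It
# stands in for the checksum carried inside a real image; the format is
# hypothetical and not Cisco's.
def build_image(body: bytes) -> bytes:
    return body + zlib.crc32(body).to_bytes(4, "big")

def embedded_checksum_ok(image: bytes) -> bool:
    """The image's own self-check: recompute the CRC over the body."""
    body, trailer = image[:-4], image[-4:]
    return zlib.crc32(body).to_bytes(4, "big") == trailer

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def matches_vendor_hash(image: bytes, vendor_sha256_hex: str) -> bool:
    """Out-of-band check: compare against a hash obtained from the vendor's
    site, never against anything stored in or shipped with the image."""
    return hmac.compare_digest(sha256_hex(image), vendor_sha256_hex.lower())

def triage(image: bytes, vendor_sha256_hex: str) -> dict:
    """Run both checks; only the vendor-hash result counts as evidence."""
    return {
        "embedded_checksum_ok": embedded_checksum_ok(image),
        "matches_vendor_hash": matches_vendor_hash(image, vendor_sha256_hex),
    }

def verify_image_file(path: str, vendor_sha256_hex: str) -> dict:
    """The same triage for an image file on disk."""
    with open(path, "rb") as f:
        return triage(f.read(), vendor_sha256_hex)

# Constructed sample: a genuine image and the hash the vendor would publish.
GENUINE_IMAGE = build_image(b"CONSTRUCTED-SAMPLE-IMAGE: login handler v1")
VENDOR_PUBLISHED_SHA256 = sha256_hex(GENUINE_IMAGE)

def modified_with_refitted_checksum(image: bytes) -> bytes:
    """Model the scenario in the text: body changed, checksum adjusted to
    match. This is a byte substitution on the toy body, nothing more."""
    body = image[:-4].replace(b"login handler v1", b"login handler v2")
    return build_image(body)

if __name__ == "__main__":
    print("genuine:", triage(GENUINE_IMAGE, VENDOR_PUBLISHED_SHA256))
    altered = modified_with_refitted_checksum(GENUINE_IMAGE)
    print("altered:", triage(altered, VENDOR_PUBLISHED_SHA256))
```

The altered image passes its own checksum but fails the vendor-hash comparison, which is the whole point: the self-check tells you the image is internally consistent, not where it came from.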

Beyond injecting rootkits into Cisco routers, the same sort of approach
could be possible on other network-enabled devices. For example, instead
of using a Phlash attack to cripple a device, a Phlash attack could be
used to install a rootkit, which might be far more appealing to the bad
guys.

For more information about Muniz's research, view his presentation at
the first URL below. Also read what Nicolas Fischbach of COLT Telecom
had to say (at the second URL below) about Muniz's research. Fischbach
provided links to related information that can help you better
understand how these trends are evolving over time. You might also want
to read the Recurity Lablog article (dated May 27, 2008, at the third
URL below) that discusses this topic. Be sure to read Cisco's Security
Response to this particular IOS rootkit at the fourth URL below. And
finally, if you're curious as to whether your IOS has been altered,
consider using Recurity Lab's online Cisco Incident Response (CIR) tool
(at the fifth URL below), which incidentally can detect the rootkit
developed by Muniz during his research.

http://ct.email.windowsitpro.com/rd/cts?d=33-8647-803-202-62923-869895-0-0-0-1-2-207

http://ct.email.windowsitpro.com/rd/cts?d=33-8647-803-202-62923-869897-0-0-0-1-2-207

http://ct.email.windowsitpro.com/rd/cts?d=33-8647-803-202-62923-869899-0-0-0-1-2-207

http://ct.email.windowsitpro.com/rd/cts?d=33-8647-803-202-62923-869901-0-0-0-1-2-207

http://ct.email.windowsitpro.com/rd/cts?d=33-8647-803-202-62923-869903-0-0-0-1-2-207


SECURITY NEWS AND FEATURES

--Rohati Goes Head to Head with Cisco's Securent Solution
In mid-May a new company, Rohati, built by former employees of Cisco,
Juniper Networks, Peribit, and Cavium, unveiled its new product line,
which is slated to go head to head with Cisco's Securent software
technology.
To view the full article go to:
http://ct.email.windowsitpro.com/rd/cts?d=33-8647-803-202-62923-869906-0-0-0-1-2-207

--Cisco Launches New Mobility Services Engine
Cisco launched a new product aimed at helping companies open up crucial
services to employees without compromising network security.
To view the full article go to:
http://ct.email.windowsitpro.com/rd/cts?d=33-8647-803-202-62923-869907-0-0-0-1-2-207

--Sourcefire Rejects Buy Offer from Barracuda Networks
Open-source intrusion detection system (IDS) and antivirus (AV) maker
Sourcefire turned down a stock purchase offer from Barracuda Networks
that would have combined the two companies into one.
To view the full article go to:
http://ct.email.windowsitpro.com/rd/cts?d=33-8647-803-202-62923-869908-0-0-0-1-2-207

--What's Hot
Readers highlight their favorite products from Centertools, STORServer,
and Quest Software.
To view the full article go to:
http://ct.email.windowsitpro.com/rd/cts?d=33-8647-803-202-62923-869909-0-0-0-1-2-207

--Recent Security Vulnerabilities
If you subscribe to this newsletter, you also receive Security Alerts,
which inform you about recently discovered security vulnerabilities. You
can also find information about these discoveries at

http://ct.email.windowsitpro.com/rd/cts?d=33-8647-803-202-62923-869910-0-0-0-1-2-207


GIVE AND TAKE

--SECURITY MATTERS BLOG: TJX Making Unwise Security Decisions
by Mark Joseph Edwards
Some time back, TJX wound up having their servers broken into and as a
result, countless people's private information was stolen, including
credit card data. Apparently security was very lax, and as it turns out
it's still lax. What's it take to learn a lesson? Read this blog article
on our site to learn about some very unwise decisions made at TJX.

http://ct.email.windowsitpro.com/rd/cts?d=33-8647-803-202-62923-869912-0-0-0-1-2-207

--FAQ: Choosing a proper role for Windows Server 2008
by John Savill
Q: What are the server roles in Windows Server 2008?

Find the answer at

http://ct.email.windowsitpro.com/rd/cts?d=33-8647-803-202-62923-869914-0-0-0-1-2-207

--FROM THE FORUM: Auditing the Copy Command
A forum participant wants to know whether it's possible to create audit
trails for the Windows Copy command and for when someone right-clicks to
copy an object. Offer your perspective at the URL below:

http://ct.email.windowsitpro.com/rd/cts?d=33-8647-803-202-62923-869916-0-0-0-1-2-207


PRODUCTS

--Public Key Cryptography for All
by Lavon Peters, Security Editor
PKWARE's SecureZIP 12.1 makes public key cryptography available to all
types of users -- whether home users, small business users, or
enterprise users. The product automatically installs an X.509 digital
certificate and provides global directory services for secure file
exchange. No passwords are required. In addition, the new version of
SecureZIP integrates with all Microsoft Office applications (e.g.,
Outlook, Word, Excel, PowerPoint). SecureZIP is available to commercial
users for $39.95; a free version is available to non-commercial users.
For more information, contact PKWARE at 888-475-9273 or visit
http://ct.email.windowsitpro.com/rd/cts?d=33-8647-803-202-62923-869918-0-0-0-1-2-207


Copyright 2008, Penton Media, Inc. All rights reserved.
