Anti-Virus Protection for Routers?
The recent Cisco IOS vulnerability controversy highlights the attractiveness of routers for hackers.
Hacking/Denial of Service
Cisco IOS vulnerability
re-release: The Cisco advisory that came out
after the Black Hat presentation was a re-release of an April 2005 advisory.
The only thing changed was the inclusion of additional versions of IOS which
were vulnerable. The v.7 re-release added more IOS versions.
The simultaneous discussions of issues with Cisco IPv6 security and IOS might
have caused them to appear related. They are not.
One has to wonder how long it will be before we see anti-virus for routers.
There are a lot of them out there, and they're less secure than a lot of hosts.
And since a hacker can do a lot more with a router than most other types of
hosts, we may see them becoming an increasingly attractive target for attackers.
While it's true that up-to-date versions of IOS have no unpatched vulnerabilities,
there may be routers in various roles which cannot easily run up-to-date IOS
versions because of the roles they're playing in an organization integrating
with older tools. Further, keeping routers up-to-date is no trivial task, and
typically involves insecure techniques like Trivial File Transfer Protocol (TFTP).
IOS is in dire need of an overhaul and I hope we see one soon.
Computer Associates BrightStor ARCserve and Enterprise Backup
agents for Windows contain a buffer overflow vulnerability that could allow
a remote attacker to create a denial of service condition or execute arbitrary
code. Patches are available.
Security company FrSIRT posted a hack to scan for the vulnerability
and a SQL injection exploit. Veritas' backup server got picked on a couple
of weeks ago and there were some .edu intrusions. So far we have not seen any
discussion about intrusions via this vulnerability.
Well-known security researcher Dan Kaminsky got some interesting results
when he recently scanned 2.5 million DNS servers. He found that fewer than 10
percent were vulnerable to cache poisoning, which allows an attacker to control
the IP address returned by a DNS server for the host name being sought.
That's a sign of progress. One of the biggest problems the Internet faces is
the continued use of old and vulnerable software, despite up-to-date and more
secure versions being as freely available as the old and insecure stuff.
Imagine if ISPs stopped delivering packets to old and insecure versions of
products, like out-of-date BIND servers! What a concept.
column was originally published in our weekly Security Watch
newsletter. To subscribe, click here.
The U.K. encryption company nCipher conducted a survey of over two hundred
companies, and concluded that management is holding back the deployment of encryption
technologies. They suggest that a lack of understanding of how encryption works,
or how to deploy it, is causing the now "mainstream" encryption technologies
to be withheld from en-masse deployment. A large majority of those surveyed
indicated they would be encrypting stored data within the next 18 months, but
there is a general lack of knowledge about the latest encryption technologies
involving hardware-based Trusted Platform Modules (TPMs.)
Our take is that this is probably a good thing, since it's debatable about
how useful it is to encrypt everything. It's not a new problem. While 82 percent
of those surveyed indicated they would be encrypting stored data, they would
be doing so only up to the point where it once again needs to be decrypted (e.g.,
when the data is accessed or used.) At that point the data becomes as vulnerable
as it ever had been. There is also the problem of lost keys, such as when S/MIME
encrypted data needs to be read some years after it was sent. The key may have
been lost, or left with a departed employee. In these cases, the risk of having
it encrypted may be larger than some unauthorized person actually reading the
Russ Cooper is a senior information security analyst with Verizon Business, Inc.
He's also founder and editor of NTBugtraq, www.ntbugtraq.com,
one of the industry's most influential mailing lists dedicated to Microsoft security.
One of the world's most-recognized security experts, he's often quoted by major
media outlets on security issues.