Cisco Theft 12 Months on
Twelve months ago Cisco was the victim of a network penetration, which resulted in their IOS source code being compromised. The IOS is the operating system used by Cisco networking hardware, a large number of which effectively form the backbone of the Internet. At the time, there was little news about it, with only some minor reporting on various security and technology related websites. There was little information being made available, with the public reporting starting once a 2.5 MB section of code was posted to a Russian IRC channel. Cisco was keeping quiet, only confirming that they had a compromise, and the details were being left to the hacker, who posted a code sample to prove his story. The complete size of the code copied out was reported at 700 MB, including IOS 12.3 and 12.3t. Although the breach was not widely reported at the time, the New York Times recently ran a story purporting to describe how the network intrusion and compromise took place.
The author of the New York Times article was John Markoff, known for his novel CyberPunk and the Kevin Mitnick story. He is regarded as being responsible for the fear and paranoia surrounding Kevin Mitnick (a gifted conman who also had a decent level of technical skill). While he writes articles that are good reading, there are many information technology people operating in the grey areas of the law who regard him as being obsessed with money and story before factual reporting. In his defence, it is difficult to accurately report technical news in a non-technical manner, but his methods and reporting have been called suspect by the people he reports on (i.e. the people operating in the grey areas of the law).
John Markoff describes the mechanism of the attack as resulting from a compromised university network in Uppsala, Norway. Apparently a teenage hacker managed to exploit a known flaw in an application used to establish a SSH connection between computers. Basically, a SSH connection allows a user to log in remotely to another computer on which they have an account, and do so over an encrypted connection. With this application compromised, the hacker caught the login process from someone who was connecting to an internal Cisco system, which he then grabbed and used to eventually grab the source code to IOS. Eventually the hacker got caught, after he was bragging and taunting users on other networks that he managed to penetrate.
While the details may or may not be true, it does highlight how major security breaches can come from unexpected directions. Information security professionals, who are expected to be paranoid as a part of their job, fear about the network intrusions that are not reported, or never found. With increasing attention payed by organised crime interests to online crime, it is only a matter of time until a hacker, or group of hackers, refine their art to the point that they are effectively undetectable, and work to stay invisible with their crimes. It is possible that such capability already exists, but it would be impossible to know, as they would have made themselves invisible. Technically, it is not possible to be completely anonymous, however, practically, it is relatively simple.
Theoretically, if the hacker who had stolen the IOS source code had kept quiet, and not posted the sample, this probably never would have been reported on. If they had then gone on to find a set of major vulnerabilities in the source code, which they could exploit efficiently, there is no limit to the amount of damage that they could have caused to the Internet. Although the Internet is designed to be decentralised, and able to route around failures, an accurate attack on Cisco hardware would effectively cripple the Internet, especially if a corresponding failure was found in Juniper network hardware. This information could have sold for an immense amount of money to criminal interests or rogue nation-states. The power that could be wielded with such knowledge is almost beyond belief. Being able to pull the plug on the Internet for any country / agency / company at will would just be the start of it. Like any computer based attack, once it is used, it is in the wild and can be deconstructed and disabled. Using such a powerful weapon would also be a one-off, it is unlikely that the flaw exploited would last for long, and the attack source would be traced and wiped out by a number of very annoyed governments.
For the more technical readers who maintain an IDS of some sort, recent reports have indicated that one of the more popular security applications, Ethereal, has had two exploits made public. An IDS, and other related network analysis tools, can be amazingly useful to help administrators determine what is happening on networks of interest, and can be used to highlight malicious traffic as it starts to happen, so action can be taken before it destroys systems and networks. Because these tools can be used to detect major disruptions before they have a major effect, some malicious software aims to disable these tools as a part of the infection. A lot of malicious software is already designed to shut down firewall software, anti-virus software and other protective applications, before continuing with the remainder of the negative payload. The next major problem would be a 'killer packet'. Information being transmitted across any network is broken down into 'packets', transmitted, and then reassembled into a copy of the original information (much as parcels go through the postal system). A 'killer packet' is a specially created parcel of information that enters a network and is designed to disable any application that is monitoring network traffic, which then allows the rest of the malicious software through without being noticed.
Related to the recently reported issues with a Trend Micro anti-virus definitions file, Symantec's Norton Anti-Virus (NAV) on the Apple Macintosh OS X platform has experienced a similar problem, as reported by The Register recently. A recent virus definitions file update falsely identified the swap files (files on the hard disk used to augment the physical RAM in a computer) as containing "Hacktool.Underhand", and led to system crashes for some users. The NAV versions affected by this issue included:
- NAV 9.x with definitions file dated 28 April
- NAV 7.0.2 and 8.x with definitions file dated 1 June
Symantec advises current NAV users to update to the latest versions of the virus definition files, which have been corrected.
Microsoft just don't seem to have a lot of luck with the security of their delivered products. The Register reported recently on an online security competition known as 'The Gatekeeper Test' that Microsoft was running for people from Africa, Europe and the Middle East. While the concept of the competition was sound, and the questions appeared to be reasonable, the implementation of the test left a little to be desired. Users found that sometimes their responses were not accepted (a 404 page was returned), and in other cases users discovered that even if they had submitted an incorrect answer, use of the back button in the browser would allow them to try again without penalty. Apparently similar methods could be used to inflate scores above the maximum daily allowable points allowance.
After disabling the competition interface, Microsoft released a statement which described the source of the issues as being a technical malfunction in their server farm, when several servers lost state information (e.g. the total number of points for a particular user, or their progress through the test), however the test would be reinstated at a later time.
16 May 2005
Social bookmark this page at eKstreme.
Alternatively, Bookmark or Share via AddThis
Do you like how we cover Information Security news? How about checking out our company services, delivered the same way our news is.
Let our Free OS X Screen Saver deliver the latest security alerts and commentary to your desktop when you're not at your system.
Comments will soon be available for registered users.
Subscribe to our feed.