[104808] in North American Network Operators' Group


RE: IOS Rookit: the sky isn't falling (yet)

daemon@ATHENA.MIT.EDU (michael.dillon@bt.com)
Tue May 27 15:43:13 2008

Date: Tue, 27 May 2008 20:45:11 +0100
In-Reply-To: <28288.1211915246@turing-police.cc.vt.edu>
From: <michael.dillon@bt.com>
To: <nanog@merit.edu>
Errors-To: nanog-bounces@nanog.org

> If you were an attacker, which would you go with:
>
> 1) The brute-force attack which will require hundreds of
> thousands of CPU-years.

In this case an attacker would definitely go with this option. Since
they can't change most of the IOS bytes because they contain IOS and
the exploit, they would definitely run a brute force attack on the
remaining bytes. Granted, the chances of success are slim, but these
are people who are used to playing the odds even if they lose most
of the time.

> 3) 'md5sum trojan_ios.bin' and cut-n-paste that into the web page.

One would hope that Cisco is taking measures to protect against that.

> You missed the point - if the *FILE* you downloaded from a
> webpage is suspect, why do you trust the MD5sum that *the
> same webpage* says is correct?

I wasn't thinking of any old web page but one that belongs to
a trusted vendor and which requires some kind of authentication
before you can get to the file. In any case, the whole issue can
be bypassed using CDs or using a PGP chain of trust.

--Michael Dillon
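The circular check the quoted message objects to, next to the out-of-band check Michael proposes, as an added illustration that is not part of the thread (the image bytes, the "trojaned" copy and the reference manifest are all constructed here; no real IOS image or Cisco digest is involved):

```python
import hashlib
import hmac

def digests(data: bytes) -> dict:
    """Digests an operator might compare: MD5 (what vendors published in
    2008) plus SHA-256 as a stronger companion."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}

def check_against_reference(image: bytes, reference: dict) -> bool:
    """True only if every digest in the out-of-band reference matches the
    image. hmac.compare_digest keeps the comparison constant-time."""
    actual = digests(image)
    return all(hmac.compare_digest(actual[name], value)
               for name, value in reference.items())

def same_page_check(served_image: bytes, served_digest_text: str) -> bool:
    """The circular check: the digest text comes from the same page as the
    file, so whoever replaces the file can republish the digest as well."""
    return hmac.compare_digest(hashlib.md5(served_image).hexdigest(),
                               served_digest_text)

# Constructed sample data standing in for a vendor image and a modified copy.
CLEAN_IMAGE = b"stand-in-vendor-image" + bytes(range(64))
TROJANED_IMAGE = CLEAN_IMAGE[:32] + b"MODIFIED" + CLEAN_IMAGE[40:]

# Trusted copy of the reference digests, obtained out of band (pressed on
# vendor media or carried in a PGP-signed manifest), so the web page cannot
# alter it.
OUT_OF_BAND_REFERENCE = digests(CLEAN_IMAGE)

def scenario(page_compromised: bool) -> dict:
    """Run both checks for one download and report what each one says."""
    served = TROJANED_IMAGE if page_compromised else CLEAN_IMAGE
    served_md5 = hashlib.md5(served).hexdigest()  # page shows md5 of whatever it serves
    return {
        "same_page_passes": same_page_check(served, served_md5),
        "out_of_band_passes": check_against_reference(served, OUT_OF_BAND_REFERENCE),
    }

if __name__ == "__main__":
    for compromised in (False, True):
        print("compromised page" if compromised else "clean page",
              scenario(compromised))
```

The same-page check passes in both scenarios, which is exactly why it proves nothing; only the reference obtained through a separate channel catches the swapped file.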

