North American Network Operators Group


RE: Internet vulnerabilities

  • From: jnelson
  • Date: Thu Jul 04 17:00:49 2002

Ah... "More info ?" When all else fails RTFM. 
Thanks (non-disgruntled DE?),
J


-----Original Message-----
From: Richard E. Perlotto II [mailto:[email protected]] 
Sent: Thursday, July 04, 2002 3:28 PM
To: 'jnelson'; 'batz'; 'Jason Lewis'
Cc: [email protected]
Subject: RE: Internet vulnerabilities

Actually, all the Cisco images have an MD5 hash included on the download
page.  You can check all of your images versus what is on the web.  The
12.2.8T train also has a built-in MD5 checksum for validation.  We are
doing what we can to help.


Richard

> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of jnelson
> Sent: Thursday, July 04, 2002 12:47 PM
> To: 'batz'; 'Jason Lewis'
> Cc: [email protected]
> Subject: RE: Internet vulnerabilities
> 
> 
> How about this:
> ISP X had its tftp server compromised by a wily hacker who evaded
> tripwire and covered his tracks well, uploaded some cracked Cisco code
> (the current release for their GSRs). This code was designed to corrupt
> the directories and shut down the router at date XX:XX:XX. Each of these
> affected GSRs, 7--five new roll-outs and 2 upgrades--went down at the
> same time (save one whose time was not set correctly). Each site had to
> be driven to, flash cards replaced. ISP X severely crippled for 6 hours.
> The hacker could have gone the extra leg to have the tftp server expunge
> the backup configs at the same time--extra couple hours--but did not.
> 
> We all download code from Cisco/Juniper/Bay in good faith... when's the
> last time you saw a signature attached to any of those? Most security
> breaches happen from within anyway. A disgruntled DE....
> 
> Just a wicked thought.
> j
> 
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of batz
> Sent: Thursday, July 04, 2002 2:17 PM
> To: Jason Lewis
> Cc: [email protected]
> Subject: Re: Internet vulnerabilities
> 
> 
> On Thu, 4 Jul 2002, Jason Lewis wrote:
> 
>:What are the real threats to the global Internet?
> 
> I realize this seems like nitpicking, but asking what the real risks
> are might be a more useful question. The reason I mention this is
> because the Washington Post report the other day about threats to SCADA
> systems was blown out of proportion, because it equated the seriousness
> of the threats with their associated risks. Yes, most ASN.1
> implementations have serious vulnerabilities, welcome to 1988.
> 
> The ASN.1 vulnerabilities being talked about right now are serious
> threats, but lower risk than say, millions of unpatched IIS and apache
> servers, public exploits and a worm on the loose. Application-level
> vulnerabilities that have to be patched on a host-by-host basis cause a
> greater risk than say, SNMP vulnerabilities that can be filtered at the
> gateway, which protects from opportunistic external attacks.
> 
> When you talk about threats to the global Internet, there are hundreds
> of equally serious vulnerabilities of varying risk. Also, the "global
> Internet" has many different meanings. It can mean "the ability to send
> and receive packets on layer 3" or "people being able to conduct
> business electronically, with some reasonable expectation of the
> confidentiality, integrity and reliability of their transactions."
> 
> So, it all depends on what you mean by the Internet:) I think this is
> an extremely important discussion to have on the list, I just think
> it should be framed in terms of real risks, root causes, and
> potential solutions.
> 
> 
>:I am looking for anything that might be a potential attack point.  I
>:don't want to start a flame war, but any interesting or even way out
>:there idea is welcome.
>:
>:Is it feasible that a coordinated attack could shut down the entire
>:net? I am not talking DDoS.  What if someone actually had the skills to
>:disrupt BGP on a wide scale?
> 
> Once you start thinking about the Internet from a security perspective,
> you realize there is no "entire net" subject to the sum of its parts in
> any practical sense. It is a network of networks that serves a continuum
> of interests, bounded by economics, and driven by porn. ;)
> 
> The attack point is anywhere you think will do the most harm to the
> people you dislike. If you just want to break something, find serious,
> easy to exploit, security design limitations in BGP, MPLS, BIND and
> drive a major global backbone like UUNet into insolvency.
> 
> ..What? Oh ...Too late.
> 
> --
> batz
>
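
The check Richard describes above, comparing stored images against the MD5 values listed on the vendor download page, can be scripted over a TFTP directory. This is an added example, not part of the original thread; the file names, the `published` table and the directory contents are constructed, and the published hashes are assumed to be kept somewhere other than the TFTP server being audited.

```python
import hashlib
import os
import tempfile

def md5_of_file(path, chunk_size=1 << 20):
    """Hash in chunks so a large image is never held in memory whole."""
    digest = hashlib.md5()  # MD5 because that is what the download page lists
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def audit_images(image_dir, published):
    """Compare every file in image_dir with the published hashes.

    published: {filename: md5 hex string} copied from the download page and
    stored off the TFTP server (assumption of this example).
    Returns {filename: "match" | "mismatch" | "unlisted" | "missing"}.
    """
    on_disk = {name for name in os.listdir(image_dir)
               if os.path.isfile(os.path.join(image_dir, name))}
    results = {}
    for name in sorted(on_disk | set(published)):
        if name not in on_disk:
            results[name] = "missing"      # listed, but not on the server
        elif name not in published:
            results[name] = "unlisted"     # on the server, no hash to check
        else:
            actual = md5_of_file(os.path.join(image_dir, name))
            expected = published[name].strip().lower()
            results[name] = "match" if actual == expected else "mismatch"
    return results

def demo():
    """Constructed sample: one intact image, one altered, one extra, one absent."""
    published = {name: hashlib.md5(data).hexdigest() for name, data in {
        "image-a.bin": b"constructed image A",
        "image-b.bin": b"constructed image B",
        "image-c.bin": b"constructed image C"}.items()}
    files = {"image-a.bin": b"constructed image A",
             "image-b.bin": b"constructed image B, altered on the server",
             "extra.bin": b"not from the vendor"}
    with tempfile.TemporaryDirectory() as root:
        for name, data in files.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        return audit_images(root, published)

if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:9} {name}")
```

An "unlisted" file deserves the same attention as a "mismatch", since an image with no published hash cannot be validated at all.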