North American Network Operators Group

Re: IOS Rootkit: the sky isn't falling (yet)
On Tue, May 27, 2008 at 8:42 AM, Alexander Harrowell <[email protected]> wrote:
>> An alternative rootkit ? Privilege level 16 used by the Lawful Intercept
>> [12] feature could be abused to do some of this too. Or the other way
>> around: use a "patched" IOS to keep an eye on Law Enforcement's operations
>> on the router as privilege level 15 doesn't allow it and the only
>> alternative is to sniff the traffic export.
>
> The combination of rootkits and specially privileged Lawful Intercept
> functions is a very dangerous one. This was precisely what was exploited in
> the now-legendary and still unsolved Vodafone Greece hack.

to be clear though, the LI functions on cisco are audit-able (assuming
the ios is still cisco not patched/hacked) you just have to snmp-v3 to
audit the activities... which most mediation devices have to do
because the settings don't get committed to config so upon system
reload they have to be re-set to baseline again.

-Chris