The public demonstration of an attack against a Cisco Systems Inc. router at the Black Hat USA conference showed that a core part of corporate networks may be more vulnerable to hackers than many users had assumed. But, IT managers and security analysts say, companies that follow recommended practices for securing their networks should be reasonably well protected despite the fact that attackers now have information on how to shut down routers by exploiting a previously disclosed software flaw.
"In the end, the Cisco case is no different than [a hack against] a Microsoft or Unix box," said Andreas Wuchner-Bruhl, head of global IT security at Novartis Pharma AG, a Basel, Switzerland-based drug maker. "Vulnerabilities will always exist. Organizations have to prepare themselves to be able to protect themselves."
Security researcher Michael Lynn triggered the concerns a week ago when he made a presentation about the router flaw at the Black Hat conference in Las Vegas. Cisco and Atlanta-based Internet Security Systems Inc., Lynn's former employer, had tried to stop him from giving his scheduled talk.
Cisco attempted to prevent the information from spreading by securing a court injunction against Lynn and getting Black Hat's organizers to remove his presentation from the conference proceedings. But several security-oriented Web sites posted copies of the presentation, prompting Cisco to issue an advisory on July 29 in which it urged users to upgrade to the latest version of its Internetwork Operating System (IOS) software.
According to the Cisco advisory, products running certain versions of IOS are vulnerable to attacks that use specially written IP Version 6 packets. Only devices that have been explicitly configured to process IPv6 traffic are affected by the flaw, Cisco said.
The information Lynn disclosed shows how malicious hackers can compromise routers to "stop, redirect and scramble network traffic," said Gene Hodges, president of IT security vendor McAfee Inc. in Santa Clara, Calif.
"Up to now, the [security] community, I believe, has somewhat naively assumed that this wasn't possible," Hodges added, citing the complexity of attacking routers.
Although the updated IOS version isn't vulnerable to the hack detailed by Lynn, any newly discovered buffer or heap overflow vulnerability in the software could be exploited using the same process, warned Jian Zhen, director of product management at LogLogic Inc., a Sunnyvale, Calif.-based vendor of tools for managing network data logs.
"That's the most scary part of this whole incident," Zhen said. "The vulnerability is difficult to exploit due to the technical competency required. But all it takes is someone to write the necessary shell code, and 'script kiddies' will be able to use that for new vulnerabilities discovered in the future."
Zhen added that Cisco needs to do "a thorough code audit" to identify possible overflow vulnerabilities in IOS and then eradicate them. "It won't be a simple task, and it will take time, but not doing it will put the Internet at risk," he said.
Even so, attacking routers isn't easy as long as companies employ the right defensive measures, said Lloyd Hession, chief information security officer at BT Radianz, a New York-based provider of network connectivity services to financial firms.
"The first tenet of router security is to make the router inaccessible," Hession said, noting that the devices should be shut off from the Internet as much as possible.
For instance, putting the command-and-control routers that actually process data packets in their own separate network segment can make it harder for hackers to access them, said Paul Mockapetris, inventor of the Internet's core Domain Name System and chairman of IP address management vendor Nominum Inc. in Redwood City, Calif.
"That's why carriers run separate control networks," Mockapetris said. "An attacker has to first get on that net before he can launch an attack. It's just the basic principle of multiple lines of defense."
The bigger headache for large companies from the IOS flaw is the disruption associated with updating vulnerable routers, Hession said. BT Radianz has more than 40,000 routers, the vast majority of them from Cisco, and updating them could require several months of planning, testing and scheduled downtime, Hession said.
As a result, he noted, patching decisions need to be balanced against the mitigation measures that the company already has in place, such as address masking, out-of-band management and access filtering.
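Two of the checks the article's sources point to can be scripted against a saved IOS configuration: which interfaces are explicitly configured for IPv6 (the population Cisco's advisory says is exposed to the packet flaw) and which vty lines accept management sessions without an inbound access-class (Hession's "access filtering"). The script below is an example added to this page, not code from Cisco or from anyone quoted here; the configuration text it parses is constructed for the demonstration, and the block-parsing approach is a simplification that assumes the usual IOS convention of top-level commands at column zero with sub-commands indented by one space.

```python
"""Audit a Cisco IOS running-config (plain text) for IPv6-configured interfaces
and for vty lines lacking an inbound access-class.

Example code added to this page (not Cisco's, not from the article's sources).
SAMPLE_CONFIG is a constructed configuration using documentation address ranges.
"""
import re

# Constructed sample: one interface with an IPv6 address, one with only IPv4,
# a loopback with 'ipv6 enable', and two vty ranges of which only the first
# is protected by an inbound access-class.
SAMPLE_CONFIG = """\
hostname edge-rtr-1
!
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 ipv6 address 2001:db8:0:1::1/64
!
interface GigabitEthernet0/1
 ip address 198.51.100.1 255.255.255.0
!
interface Loopback0
 ipv6 enable
!
access-list 10 permit 192.0.2.0 0.0.0.255
!
line vty 0 4
 access-class 10 in
 transport input ssh
line vty 5 15
 transport input ssh
!
end
"""


def parse_blocks(config):
    """Return a list of (header, [sub-command lines]) for each top-level block.

    Assumption: top-level commands start at column zero, sub-commands are
    indented by at least one space, and '!' lines are separators.
    """
    blocks = []
    header, children = None, []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):
            if header is not None:
                children.append(raw.strip())
        else:
            if header is not None:
                blocks.append((header, children))
            header, children = raw.strip(), []
    if header is not None:
        blocks.append((header, children))
    return blocks


def ipv6_interfaces(config):
    """Names of interfaces carrying 'ipv6 address' or 'ipv6 enable'."""
    found = []
    for header, children in parse_blocks(config):
        if header.startswith("interface "):
            if any(c.startswith(("ipv6 address", "ipv6 enable")) for c in children):
                found.append(header.split(None, 1)[1])
    return found


def unfiltered_vty_lines(config):
    """vty line ranges with no 'access-class <list> in' restricting who may connect."""
    found = []
    for header, children in parse_blocks(config):
        if header.startswith("line vty"):
            if not any(re.match(r"access-class \S+ in\b", c) for c in children):
                found.append(header)
    return found


if __name__ == "__main__":
    print("IPv6-configured interfaces:", ipv6_interfaces(SAMPLE_CONFIG))
    print("vty lines without inbound access-class:", unfiltered_vty_lines(SAMPLE_CONFIG))
```

Run against a fleet of exported configurations, the first list narrows the patch-scheduling problem Hession describes to the devices the advisory actually covers, and the second flags management entry points that the existing filtering does not cover.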
Cisco Resets Users' Web Passwords
Cisco this week said it was resetting the passwords for all registered users of its Web site after discovering a security vulnerability in its search engine software that left those passwords exposed.
The passwords are used by Cisco customers, employees and business partners who have registered to get access to special areas of the Web site or receive e-mail alerts, said Cisco spokesman John Noh.
Cisco was made aware of the flaw in the search engine last Monday and corrected it immediately, Noh said. He added that as a precaution, the company began sending out new passwords and blocked users from accessing the password-protected areas of the Web site with their old ones.
According to Noh, Cisco officials don't think the vulnerability could be exploited to gain access to any sensitive information, such as the company's source code. He also said that the security hole didn't affect any of the products or technologies that Cisco sells.
Cisco uses Google Inc.'s software to power the main search feature on its Web site, but the problem didn't involve Google, Noh noted.
"It's a vulnerability related to a Cisco search tool," he said. "It's part of the Web application."
-- Robert McMillan, IDG News Service
Hackers Bypass Microsoft's Antipiracy Checks
Microsoft Corp. has acknowledged that hackers were quickly able to bypass a process it implemented late last month to ensure that users trying to download software updates from its Web site have legitimate copies of Windows.
Windows Genuine Advantage (WGA) requires users to run a program to verify that their copies of Windows aren't pirated before they can use Microsoft's software update services. Microsoft had been running it as a pilot program since last September but made the validation process a requirement on July 27.
"Within 24 hours, hackers claimed to have circumvented the process, and it appears that they did," a Microsoft spokesman said. He added that the company will fix the flaw that was exploited in an upcoming version of WGA.
The Boing Boing hack isn't the only way to get around WGA's restrictions that has come to light. David Keller, founder of PC consulting and services firm Compu-Doctor in Cape Coral, Fla., said in an interview conducted via e-mail that he was able to change his Internet Explorer settings to bypass WGA. He discovered means to do so after he encountered a flaw in the program that flagged a legitimate product key on a customer's copy of Windows XP Professional Service Pack 2 as invalid.
Keller wrote that he didn't have much luck working with Microsoft's support technicians, so he disabled the WGA add-on within the browser's Internet Options menu.
-- Elizabeth Montalbano and Robert McMillan, IDG News Service