Cisco IOS Rootkit thoughts
Sebastian Muniz of Core Security was due to give his talk on Cisco IOS rootkits at EUSecWest today. After reading the interview with Sebastian Muniz by Sean Comeau, I began thinking about the implications for enterprise operations.
While most enterprises have come to distrust the OS and applications, most still implicitly trust devices. Whether the device is a printer, a wireless access point, or a router, most operations teams do little beyond applying patches to vulnerable systems. Most security teams avoid the clash with the operations teams over testing and hardening network devices.
In the case of the printers, we have seen many printer compromises over the years. I first ran into one almost ten years ago. These were old office document printers running AIX... you know the ones. Since that event, I have handled on average 3 investigations a year where a core printer is involved in the theft of corporate data.
Most organizations treat these devices as unmanaged machines leased from a 3rd party vendor. The vendor barely supports the device beyond providing paper and toner. Many of these printers have POTS capability (remote admin, status, as well as fax), network functionality, and wireless. HP offers a lockdown guide and a configuration tool to lock down their printers. Here's a link:
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=bpj05999
If anyone doubts the capabilities of a simple access point, one only needs to go so far as checking in with Paul Asadoorian and Larry Pesce (of pauldotcom.com fame). Their awesome book http://www.amazon.com/Linksys-WRT54G-Ultimate-Hacking-Asadoorian/dp/1597491667 (shameless plug) and SANS course ( SANS Security 535: Network Security Projects Using Hacked Wireless Routers ) provide much depth and coverage on the topic.
Now, on to the more sensitive topic... hacking IOS. We can all remember just a few years ago when the Mike Lynn debacle occurred at Black Hat, when he was scheduled to present on IOS hacking. Lawyers got involved, goons ripped pages out of conference giveaways, etc. A couple of thoughts come to mind when dealing with the potential of a hacked router:
1. How to validate the IOS running on the device. Obviously, it can lie just as a kernel-level rootkit can lie. My preference might be a steady routine of re-flashing the device, although that would go against most organizations' notions of uptime (and I'm usually OK with that). I do like that Muniz points to CIR as a remedy in this case:
<From the article>
Sean Comeau: Are there any existing tools to detect unauthorized modification of IOS?
Sebastian Muniz: Yes, CIR "Cisco Information Retrieval" created by FX is THE TOOL in this case. It's a framework capable of detecting those kinds of modifications. This tool analyzes crash dumps by performing several tests on them and taking a clean IOS image as a starting point. This is a great tool and probably the only one able to do this, but it relies on the IOS functions that generate the crash dump, so if those functions are hooked by the rootkit, the result may not be correct. The thing is not that easy, because CIR is able to perform several tests and could detect the rootkit, but this will probably be like a race, competing with each other to see who has the latest trick to bother its counterpart. But in the case of the version of the rootkit (DIK) that will be presented at the conference, CIR will be able to detect it.
</From the article>
2. Router lockdown.
Cisco has its Security Device Manager (SDM) http://www.cisco.com/go/sdm with a good article on it here: http://www.cisco.com/en/US/prod/collateral/routers/ps5318/product_data_sheet0900aecd800fd118.html
The Center for Internet Security (CIS) has a Router Assessment Tool (RAT) that can be used on Windows or Unix-like operating systems to assess the security of a Cisco router. This tool can be found here:
http://cisecurity.org/bench_cisco.html
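To make the detection idea behind point 1 concrete, here is an added illustration (written for this diary entry, not code from CIR or from Core Security): a known-good copy of an image's code section is compared against what the device reported, and each contiguous run of changed bytes is reported, which is what an in-memory hook looks like. All names, the sample "clean image" and the patched copy are constructed; as Muniz notes above, the comparison is only as trustworthy as the routine that produced the dump.

```python
import hashlib
from typing import List, Optional, Tuple

# Constructed stand-in for the code section of a clean IOS image (not a real image).
CLEAN_TEXT = bytes(range(256)) * 4  # 1024 deterministic bytes


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def image_matches(clean: bytes, dump: bytes) -> bool:
    """Fast path: whole-section hash comparison against the known-good image."""
    return sha256_hex(clean) == sha256_hex(dump)


def find_modified_ranges(clean: bytes, dump: bytes) -> List[Tuple[int, int]]:
    """Return (offset, length) runs where the dump differs from the clean image.

    A contiguous run of changed bytes inside code is the signature of an inline
    hook; a dump whose length differs from the reference is flagged as well.
    """
    ranges: List[Tuple[int, int]] = []
    start: Optional[int] = None
    common = min(len(clean), len(dump))
    for i in range(common):
        if clean[i] != dump[i]:
            if start is None:
                start = i
        elif start is not None:
            ranges.append((start, i - start))
            start = None
    if start is not None:
        ranges.append((start, common - start))
    if len(clean) != len(dump):  # truncated or padded dump is itself suspicious
        ranges.append((common, abs(len(clean) - len(dump))))
    return ranges


def hooked_dump(clean: bytes, offset: int, patch: bytes) -> bytes:
    """Constructed test input: the clean section with `patch` written at `offset`."""
    return clean[:offset] + patch + clean[offset + len(patch):]


if __name__ == "__main__":
    dump = hooked_dump(CLEAN_TEXT, 100, b"\x00\x00\x00\x00")
    print("hash match:", image_matches(CLEAN_TEXT, dump))
    for off, length in find_modified_ranges(CLEAN_TEXT, dump):
        print(f"modified: offset=0x{off:x} len={length} bytes={dump[off:off + length].hex()}")
```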
Given the amount of interesting things to think about and do presented here... it's great that it's Memorial Day weekend in the U.S.A. Have a great weekend, and think of those that have given their lives so that we can enjoy ours...
Mike Poor, Handler on Duty
Intelguardians, Inc.
Wiping your mobile devices
Some recent emails to the Storm Center have further focused our attention on the need to wipe your mobile devices if you intend to sell/donate/pass them along. I have a large box of mobile phones that I have done nothing with, as I don't feel confident in the manufacturers' suggestions for wiping data. Many of them just involve resetting settings back to default, which in most cases just leaves all your information in memory.
My recommendation would have to be to do a complete wipe of the device, then reflash the system. In most cases, though, this is easier said than done. For example, one recent post (Rich Mogull from Securosis, http://securosis.com/2008/05/20/formatting-an-iphone-to-wipe-data/) suggested reflashing the iPhone, then un-checking the sync functionality for contacts, calendar etc. Following this, fill the iPhone with music and sync three times. Then reflash to default, and sell your "clean" iPhone.
I would prefer to do a bit by bit wipe of devices if I were to part with them ...
<comment> you can have my iphone when you pry it from my cold dead hands </comment> :-)
I would be interested in hearing people's stories/tips for wiping mobile devices and/or performing forensics on mobile devices.
Here are some links to Forensics hardware and software.
http://www.paraben-forensics.com/handheld_forensics.html
http://www.hex-dump.com/PB/index.html
http://www.gsmserver.com/software/gsm_products.php
Links to articles on wiping the iPhone and BlackBerry:
http://securosis.com/2008/05/20/formatting-an-iphone-to-wipe-data/
http://www.bbgeeks.com/blackberry-guides/guide-to-wiping-your-blackberry-88202
Mike Poor, H.O.D.
Intelguardians, Inc