RE: [fw-wiz] Worms, Air Gaps and Responsibility

From: Claussen, Ken
Date: 05/12/04

  • Next message: ArkanoiD: "widnows vs unix and security Re: [fw-wiz] Worms, Air Gaps and Responsibility"
    To: "Paul D. Robertson" <>, "Erick Mechler" <>
    Date: Wed, 12 May 2004 11:04:05 -0400

    Even Cisco is not immune to the exploits.
    While this was patched quickly by ISPs and others, it did cause
    intermittent outages across the Internet for a period of time (several
    Excerpt from article:
    "On Wednesday, July 16, 2003, Cisco Systems published an advisory
    warning that Cisco IOS - the operating software of the most widely used
    routers and switches in the world - was carrying a vulnerability that
    could put any unprotected IOS device out of order. Two days later, an
    "exploit" was published on a public mailing list, where hackers
    explained in detail how to reproduce the very packet sequence that would
    allow anyone to "exploit" the vulnerability and bring any unprotected
    device down."

    Then there was the Nimda worm, which affected Cisco Cable Modem devices
    (800 Series); while not critical infrastructure, this disrupted many
    households' Internet access.

    I think it is fair to say any OS has had its share of vulnerabilities
    over the years (some more than others in terms of numbers, but that does
    not necessarily account for the severity). A good share of these have
    allowed remote execution of code (system = owned). Some historical
    examples: Sadmind for Solaris, rootkits for Unix taking advantage of
    portmapper flaws, Nimda/Code Red and Slammer for MS. There are many
    others; these are just some off the top of my head. To say that any one
    of these is worse than the other is simply favoritism, as they all
    allowed Root/Administrator access to the system.

    I have read several mentions of issues with corporate desktops, and no
    one has mentioned the use of Group Policy through AD to control which
    EXEs are allowed to run by a user. This is one of the best methods to
    stop malicious code at the desktop level. While it may be painful to
    set up initially, it is effective in many cases. In order to bypass this,
    malicious code would need to use an "approved" EXE to launch itself.
    This raises the bar significantly.

    -----Original Message-----
    From: Paul D. Robertson []
    Sent: Monday, May 10, 2004 2:49 PM
    To: Erick Mechler
    Subject: Re: [fw-wiz] Worms, Air Gaps and Responsibility

    On Mon, 10 May 2004, Erick Mechler wrote:

    > I bet you'd see the same sort of behavior from worms no matter what OS

    > the World's critical infrastructures were to run. If they ran *NIX,
    > you'd see more worms targeting those OSs. There's something to be
    > said for heterogenous computing environments.

    Funnily enough, I don't recall a Cisco IOS worm with any traction...

    Paul D. Robertson "My statements in this message are personal
    opinions which may have no basis whatsoever in fact."
    Director of Risk Assessment, TruSecure Corporation
    _______________________________________________
    firewall-wizards mailing list
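The Group Policy EXE allow-listing Ken describes is Software Restriction Policies (SRP): a default level of Disallowed plus Unrestricted path rules for the directories an ordinary user cannot write to. The script below is an added example, not code from the thread or from Microsoft; it sets the local-machine equivalent of the GPO setting through the registry keys SRP is documented to read. The registry layout (CodeIdentifiers, DefaultLevel, TransparentEnabled, PolicyScope, path rules under <level>\Paths\<GUID>) is as I understand it from Microsoft's SRP documentation and should be validated in a lab with secpol.msc before any rollout; the rule names and the helper function are my own.

```powershell
# Added example (not from the original post): local Software Restriction Policy,
# default-deny with path-based allow-listing. Run elevated; apply with
# 'gpupdate /force' or a reboot. Registry layout per Microsoft's SRP docs as
# understood by the author of this example; verify in secpol.msc before use.

$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Disallowed   = 0x00000   # SRP level "Disallowed"
$Unrestricted = 0x40000   # SRP level "Unrestricted"

# Enforcement settings: anything not matched by an Unrestricted rule is blocked.
New-Item -Path $base -Force | Out-Null
New-ItemProperty -Path $base -Name 'DefaultLevel'        -PropertyType DWord -Value $Disallowed -Force | Out-Null
New-ItemProperty -Path $base -Name 'TransparentEnabled'  -PropertyType DWord -Value 1 -Force | Out-Null  # 1 = executables only; 2 would also check DLLs
New-ItemProperty -Path $base -Name 'PolicyScope'         -PropertyType DWord -Value 0 -Force | Out-Null  # 0 = applies to administrators as well
New-ItemProperty -Path $base -Name 'authenticodeenabled' -PropertyType DWord -Value 0 -Force | Out-Null
New-ItemProperty -Path $base -Name 'ExecutableTypes'     -PropertyType MultiString -Force `
    -Value @('EXE','COM','BAT','CMD','VBS','JS','MSI','SCR','PIF','HTA','WSF','WSH','REG') | Out-Null

# Helper (my own): create one path rule at the given level.
function Add-SrpPathRule {
    param([string]$Path, [int]$Level, [string]$Description)
    $guid = [guid]::NewGuid().ToString('B')           # {xxxxxxxx-...}
    $key  = Join-Path $base ("{0}\Paths\{1}" -f $Level, $guid)
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name 'ItemData'    -PropertyType ExpandString -Value $Path -Force | Out-Null
    New-ItemProperty -Path $key -Name 'SaferFlags'  -PropertyType DWord        -Value 0     -Force | Out-Null
    New-ItemProperty -Path $key -Name 'Description' -PropertyType String       -Value $Description -Force | Out-Null
}

# Allow the OS and installed applications: only administrators can write here,
# so a user (or malware running as the user) cannot drop an "approved" EXE.
Add-SrpPathRule '%WINDIR%'       $Unrestricted 'Windows directory'
Add-SrpPathRule '%PROGRAMFILES%' $Unrestricted 'Program Files'

# Close the obvious hole in the allow-list: subdirectories of %WINDIR% that
# ordinary users can write to. A more specific path rule takes precedence
# over a less specific one, so these override the %WINDIR% rule above.
foreach ($p in '%WINDIR%\Temp', '%WINDIR%\Tasks') {
    Add-SrpPathRule $p $Disallowed 'User-writable subdirectory of Windows'
}
```

The last block is the practical caveat behind "malicious code would need to use an approved EXE": an allow-list is only as strong as the write permissions on the allowed paths, so audit them (and any per-user install locations) with the same care as the rule list itself.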
