RE: [fw-wiz] Worms, Air Gaps and Responsibility
From: Claussen, Ken (Ken_at_kccweb.com)
To: "Paul D. Robertson" <firstname.lastname@example.org>, "Erick Mechler" <email@example.com>
Date: Wed, 12 May 2004 11:04:05 -0400
Even Cisco is not immune to the exploits.
While this was patched quickly by ISPs and others, it did cause
intermittent outages across the Internet for a period of time (several
Excerpt from article:
"On Wednesday, July 16, 2003, Cisco Systems published an advisory
warning that Cisco IOS - the operating software of the most widely used
routers and switches in the world - was carrying a vulnerability that
could put any unprotected IOS device out of order. Two days later, an
"exploit" was published on a public mailing list, where hackers
explained in detail how to reproduce the very packet sequence that would
allow anyone to "exploit" the vulnerability and bring any unprotected
Then there was the Nimda worm, which affected Cisco Cable Modem devices
(800 Series); while not critical infrastructure, this disrupted many
households' Internet access.
I think it is fair to say any OS has had its share of vulnerabilities
over the years (some more than others in terms of numbers, but that does
not necessarily account for the severity). A good share of these have
allowed remote execution of code (System=Owned). Some historical
examples: Sadmind for Solaris, rootkits for Unix taking advantage of
Portmapper flaws, Nimda/CodeRed and Slammer for MS. There are many
others; these are just some off the top of my head. To say that any one
of these is worse than the other is simply favoritism, as they all
allowed Root/Administrator access to the system.
I have read several mentions of issues with corporate desktops and no
one has mentioned the use of Group Policy through AD to control which
EXEs are allowed to run by a user. This is one of the best methods to
stop malicious code at the desktop level. While it may be painful to
set up initially, it is effective in many cases. In order to bypass this,
malicious code would need to use an "approved" EXE to launch itself.
This raises the bar significantly.
From: Paul D. Robertson [mailto:firstname.lastname@example.org]
Sent: Monday, May 10, 2004 2:49 PM
To: Erick Mechler
Subject: Re: [fw-wiz] Worms, Air Gaps and Responsibility
On Mon, 10 May 2004, Erick Mechler wrote:
> I bet you'd see the same sort of behavior from worms no matter what OS
> the World's critical infrastructures were to run. If they ran *NIX,
> you'd see more worms targeting those OSs. There's something to be
> said for heterogeneous computing environments.
Funnily enough, I don't recall a Cisco IOS worm with any traction...
Paul D. Robertson
email@example.com
firstname.lastname@example.org
Director of Risk Assessment, TruSecure
"My statements in this message are personal which may have no basis whatsoever in fact."
firewall-wizards mailing list email@example.com
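The Group Policy control over which EXEs a user may run that Ken describes above is Software Restriction Policies (SRP) on the Windows platforms of that era. The script below is an added example, not part of the original thread or of any Microsoft tooling: it audits the SRP state that such a policy leaves in the local registry on a domain member and reports whether the machine is in default-deny mode with an explicit list of approved executables. It assumes the standard SRP registry layout under HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers (level subkeys 0, 131072 and 262144 holding Paths and Hashes rules); the "weak allow rule" heuristic (Unrestricted path rules that use wildcards or point at user-writable locations) is my own and is only a starting point for review.

```powershell
# Added example (not from the original thread): audit the local Software
# Restriction Policy (SRP) state that an AD Group Policy "approved EXEs"
# setup leaves in the registry.
# Assumed: run on the domain member being checked, with read access to HKLM,
# and the standard SRP registry layout described in the lead-in.

$SrpRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# SRP security levels, as stored in DefaultLevel and used as subkey names.
$Levels = @{
    0      = 'Disallowed'
    131072 = 'Basic User'    # 0x20000
    262144 = 'Unrestricted'  # 0x40000
}

function Get-SrpRules {
    param([int]$Level)
    $rules = @()
    foreach ($kind in 'Paths', 'Hashes') {
        $key = Join-Path $SrpRoot "$Level\$kind"
        if (-not (Test-Path $key)) { continue }
        foreach ($rule in Get-ChildItem $key) {
            $p = Get-ItemProperty $rule.PSPath
            $rules += [pscustomobject]@{
                Level       = $Levels[$Level]
                Kind        = $kind.TrimEnd('s')
                # Path rules store the path as text; hash rules store raw bytes.
                Item        = if ($kind -eq 'Paths') { $p.ItemData }
                              else { ($p.ItemData | ForEach-Object { $_.ToString('x2') }) -join '' }
                Description = $p.Description
            }
        }
    }
    return $rules
}

function Get-SrpAudit {
    if (-not (Test-Path $SrpRoot)) {
        # No SRP policy has been applied to this machine at all.
        return [pscustomobject]@{ Configured = $false }
    }
    $cfg = Get-ItemProperty $SrpRoot
    # Assumption: an absent DefaultLevel means the OS default, Unrestricted.
    $default = if ($null -ne $cfg.DefaultLevel) { [int]$cfg.DefaultLevel } else { 262144 }
    $rules   = foreach ($lvl in $Levels.Keys) { Get-SrpRules -Level $lvl }

    # Heuristic (mine, not Microsoft's): Unrestricted path rules with wildcards
    # or under user-writable roots are where an approved-EXE policy usually
    # loses its value, because a user can place an executable inside them.
    $weak = $rules | Where-Object {
        $_.Level -eq 'Unrestricted' -and $_.Kind -eq 'Path' -and
        ($_.Item -match '[\*\?]' -or $_.Item -match '(?i)%(USERPROFILE|TEMP|TMP|APPDATA)%')
    }

    [pscustomobject]@{
        Configured      = $true
        DefaultLevel    = $Levels[$default]
        DefaultDeny     = ($default -eq 0)                        # the setup Ken describes
        AppliesToAdmins = ([int]$cfg.PolicyScope -eq 0)           # 1 = local admins exempt
        ChecksDlls      = ([int]$cfg.TransparentEnabled -eq 2)    # 1 = skip DLLs, 2 = all files
        ExecutableTypes = $cfg.ExecutableTypes
        RuleCount       = @($rules).Count
        WeakAllowRules  = @($weak)
        Rules           = $rules
    }
}

$audit = Get-SrpAudit
$audit | Select-Object Configured, DefaultLevel, DefaultDeny, AppliesToAdmins, ChecksDlls, RuleCount | Format-List
if ($audit.WeakAllowRules) {
    Write-Host 'Unrestricted path rules worth reviewing:'
    $audit.WeakAllowRules | Format-Table Level, Kind, Item, Description -AutoSize
}
```

The two properties that matter most for the point in the message are DefaultDeny (the policy only "raises the bar" when the default level is Disallowed and approved programs are listed as exceptions, rather than the reverse) and AppliesToAdmins; the WeakAllowRules list is what to walk through next, since any allow rule covering a location the user can write to hands the user the "approved EXE" that the message notes malicious code would need.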