phpbb and sql errors

Today's Diary

Published: 2009-01-06,
Last Updated: 2009-01-06 23:36:55 UTC
by Scott Fendley (Version: 1)

As many of you have seen, The Register and other mainstream media sources are starting to discuss a new technique to reliably compromise a small subset of Cisco gear. The new technique was discovered by FX of Phenoelit, who is probably the best known Cisco exploit researcher, and was presented last week at the Chaos Communication Congress (CCC).

At the moment, he has not found a way to reliably run exploit code on all Cisco gear. In fact, the method only runs on a small set of PowerPC systems (the 1700 and 2600). The method he found uses the Cisco boot loader (ROMMON) and a tool named CIR from cir.recurity-labs.com which works well for the 1700 and 2600 Cisco routers. Using this technique, it may be possible to reliably exploit a vulnerability across a number of routers.

By showing this technique at the CCC, he showed the deep need for multiple layers of defense for the routing infrastructure. If attackers are able to send packets directly to the router interfaces, then we will continue to have very serious issues with trusting the infrastructure. However, it is recommended that all routers, switches, and other forms of network gear have appropriate access controls for any traffic which terminates at the router interface. If ACLs are not a viable option, rate limiting this same traffic may help to slow attacks which require multiple packets to find the sweet spot for execution.

More detailed information about the technique is available in the presentation by FX.

Scott Fendley ISC Handler
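
The access-control and rate-limiting recommendation in the diary above, sketched as an IOS configuration. This is an added example, not part of the original diary and not taken from Cisco documentation. It assumes an IOS release that supports control-plane policing; the addresses are constructed from documentation ranges and every ACL, class-map and policy-map name is hypothetical.

```cisco
! Constructed addressing (RFC 5737 documentation ranges, not from the diary):
!   198.51.100.1      the router's own interface address
!   192.0.2.0/24      the management network allowed to reach it
! All ACL, class-map and policy-map names are hypothetical.
!
! Weak: the interface takes any packet addressed to the router itself.
! interface FastEthernet0/0
!  ip address 198.51.100.1 255.255.255.0
!
! Hardened: filter traffic that terminates at the router, pass transit traffic.
ip access-list extended PROTECT-ROUTER
 remark management protocols only from the management network
 permit tcp 192.0.2.0 0.0.0.255 host 198.51.100.1 eq 22
 permit udp 192.0.2.0 0.0.0.255 host 198.51.100.1 eq snmp
 remark echo requests stay reachable for troubleshooting
 permit icmp any host 198.51.100.1 echo
 remark everything else addressed to the router is dropped
 deny   ip any host 198.51.100.1
 remark transit traffic through the router is untouched
 permit ip any any
!
interface FastEthernet0/0
 ip address 198.51.100.1 255.255.255.0
 ip access-group PROTECT-ROUTER in
!
! Rate limiting for what still reaches the route processor. Control-plane
! policing applies only to packets punted to the router itself.
ip access-list extended TO-ROUTER
 permit ip any host 198.51.100.1
!
class-map match-all CM-TO-ROUTER
 match access-group name TO-ROUTER
!
policy-map PM-CONTROL-PLANE
 class CM-TO-ROUTER
  ! 64 kbit/s with 8000-byte bursts; tune to the observed baseline
  police 64000 8000 8000 conform-action transmit exceed-action drop
!
control-plane
 service-policy input PM-CONTROL-PLANE
```

Repeat the host entries for every address the router owns, and add permits for any routing-protocol or management peers ahead of the deny line.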

Published: 2009-01-05,
Last Updated: 2009-01-06 13:50:16 UTC
by Toby Kohlenberg (Version: 1)

Daniel from OSSEC has reported that a couple of antivirus products are currently detecting the Windows version of OSSEC HIDS as malware. They have been notified and will (we hope) be fixing it soon. Currently the products finding it as malware are (in VirusTotal format of Product, Version, Last Update, Detection Result):

a-squared 4.0.0.73 2009.01.05 Generic.Qhost!IK
BitDefender 7.2 2009.01.05 Generic.Qhost.E185971A
F-Secure 8.0.14470.0 2009.01.05 Suspicious:W32/Malware!Gemini
GData 19 2009.01.05 Generic.Qhost.E185971A
Ikarus T3.1.1.45.0 2009.01.05 Generic.Qhost
Prevx1 V2 2009.01.05 Worm

Published: 2009-01-05,
Last Updated: 2009-01-06 13:44:10 UTC
by Toby Kohlenberg (Version: 1)

An interesting article from the TimesOnline - http://www.timesonline.co.uk/tol/news/politics/article5439604.ece

I'm curious what ISC readers think of this. Here's a short quote from the article to pique your interest:

"THE Home Office has quietly adopted a new plan to allow police across Britain routinely to hack into people’s personal computers without a warrant.

The move, which follows a decision by the European Union’s council of ministers in Brussels, has angered civil liberties groups and opposition MPs. They described it as a sinister extension of the surveillance state which drives “a coach and horses” through privacy laws.

The hacking is known as “remote searching”. It allows police or MI5 officers who may be hundreds of miles away to examine covertly the hard drive of someone’s PC at his home, office or hotel room."


Diary Archive

Date | Author | Title
2009-01-06 | Scott Fendley | Cisco IOS Exploitation Technique and Defense In Depth
2009-01-05 | Toby Kohlenberg | UK Police planning to hack citizens' PCs
2009-01-05 | Toby Kohlenberg | OSSEC HIDS being detected as malware
2009-01-04 | Rick Wanner | Twitter/Facebook Phishing Attempt
2009-01-03 | Rick Wanner | RAID != Backup
2009-01-03 | Rick Wanner | Gaza<->Israel Defacements/Hacks
2009-01-02 | Rick Wanner | Tools on my Christmas list.
2009-01-02 | Mark Hofman | Blocking access to MD5 signed certs
2009-01-01 | Lorna Hutcheson | What's Your 2009 Threat Prediction for the New Year?
2008-12-31 | David Goldsmith | MS08-067 Worm on the Loose