Cisco Subnet An independent Cisco community View more

Expert warns of scam to blackmail companies for cash to get back access to their Cisco routers

Recurity Labs Developments in Cisco IOS Forensics
Brian Wilson (the famous Slimjim100 Blogger) attended BlackHat 2008 DC and heard the news of Cisco routers getting hijacked due to poor ACL's and SNMP traffic being sent over public networks in plain-text. Slimjim100 (i.e. Brian Wilson) Blogs:

Brian Wilson
It is important to keep your router locked down and protected. If your router got accessed and changed by an unauthorized person the first thing they might do is to lock you out. I have heard of reports where this is happened to a large multi-site company and they where blackmailed for money to get access back to there routers.

With networks expanding over many miles, cities, and countries it's important to keep you network safe. In the case of this reported company, the cost of sending people out to password recover the routers was a lot more than the blackmailer's offer so the company paid them and then locked down the devices after they regained access. This could of been avoided and the skills needed to lock down a router is not CCIE level stuff! Just using ACL's and a understanding of how the network is designed can prevent this kind of attack. Other issues with unauthorized access is even if you can regain access it's best to reload the IOS and review you config's. I say this since I have learned from Felix's presentation at BlackHat that some attackers load non-Cisco patches to the IOS. If an unauthorized IOS patch was made to your devices it is very difficult to identify the malicious code. With infected IOS code your routers you risk them becoming members of bot-nets, reset unexpectedly, or relay/hide unwanted traffic or tunnels. My recommendation is to only trust IOS code you get directly from Cisco. In the end of the day it does pay to keep your Cisco contracts up to date so when you need that clean IOS fix your CCO login can save the day. -------------------- David Davis - Cisco CCIE and the Expert Cisco Columnist for TechRepublic, suggests that you review his top five best practices to secure your routers, your network, and your company from malicious attacks: Fundamentals: Five ways to secure your Cisco routers and switches


Whitepaper covering Cisco IOS forensic developments, released at BlackHat Briefings Washington DC 2008: Developments in Cisco IOS Forensics Cisco IOS is still the prevalent router operating system in today’s networks. Its architecture and consequently the procedures to debug and analyze it are not suited well for detecting and thoroughly inspecting crash causes, especially intentional attacks. Cisco Systems recently started to distribute the successor, IOS-XR, which features process separation and the QNX commercial microkernel. However, the extremely large population of IOS devices and the significantly higher hardware requirements of the new IOSXR limit the impact it has on the currently deployed routing platforms. Generally, networking engineers are reluctant to move from one image version to another, despite the frequent updates by Cisco Systems. Most production networks stay with two or three minor versions behind the most recent releases, since only older versions provide the reliability they need to operate stable networks. All the discussed factors lead to a large part of the network infrastructure being vulnerable to attacks and malicious modification, without the appropriate tools to detect and analyze it. Developments in Cisco IOS Forensics


Have YOU too ever heard of a company being locked out of their Cisco routers by malicious intruders seeking blackmail money?

Contact Brad Reese
http://www.BradReese.Com

  
From CSO: 7 security mistakes people make with their mobile device
Join the discussion
Be the first to comment on this article. Our Commenting Policies