NEWS Continued from Page 1...

Editorial Office: Elsevier Ltd, The Boulevard, Langford Lane, Kidlington, Oxford OX5 1GB, United Kingdom
Programme Editor: Steve Barrett, Tel: +44 (0)1865 843239, Fax: +44 (0)1865 853971
Web: www.networksecuritynewsletter.com
Editor: Danny Bradbury
Senior Editor: Sarah Gordon
International Editorial Advisory Board: Dario Forte; Edward Amoroso, AT&T Bell Laboratories; Fred Cohen, Fred Cohen & Associates; Jon David, The Fortress; Bill Hancock, Exodus Communications; Ken Lindup, Consultant at Cylink; Dennis Longley, Queensland University of Technology; Tim Myers, Novell; Tom Mulhall; Padget Petterson, Martin Marietta; Eugene Schultz, Hightower; Eugene Spafford, Purdue University; Winn Schwartau, Inter.Pact
Production Editor: Alan Stubley
An annual subscription to Network Security includes 12 printed issues and online access for up to 5 users.
Network Security
The company operates a ‘scan ladder’, used to chart projects as they become more secure. Open source projects that did particularly well in removing flaws included PHP, Python, Samba and Perl. These were moved to ‘rung 2’ of the scan ladder in January. Of the 250 open source projects tested, the highest quality showed no defects in the source code at all, while the lowest had a density of 1.44 defects per thousand lines of code.
UK plans Big Brother database
The UK is planning a single database that would record details of the telephone calls, text messages and email messages sent by every person in the country. The Communications Data Bill, due to be announced in the Queen's Speech in November, is causing privacy groups and the Information Commissioner's Office serious concern.
Under the legislation, the Government would most likely store metadata about every phone call made, including VoIP calls. The system would also store email details, although it is not yet clear whether that means message content or only header information. "Holding large collections of data is always risky; the more data that is collected and stored, the bigger the problem when the data is lost, traded or stolen," said Jonathan Bamford, Assistant Information Commissioner. The database would be the UK implementation of the EU Data Retention Directive, which requires member states to retain records of individual communications for between six months and two years. The UK version would hold data for 12 months or more, and it would be available to selected agencies across Europe, including the UK police and security services.
The Government appears undeterred from contentious, large-scale data retention schemes by a series of security gaffes, including the loss of 25m benefit records last year. It is still proceeding with its identity card project, although reports suggest that the cost of the scheme has been cut by £1bn following a decision to outsource data gathering and registration to players on the open market (meaning, in theory, that you could have your fingerprints taken at the supermarket).
Researcher demonstrates Cisco rootkit
The EUSecWest conference was a troubling one for Cisco. Sebastian Muñiz, a researcher at Core Security Technologies, demonstrated a proof-of-concept rootkit for IOS, the operating system that runs the vendor's switches and routers. This first version has a large footprint and would be easy to spot with the Cisco Incident Response (CIR) tool, but Muñiz said that future versions could be engineered to hook the operating system functions that CIR relies on, so that the detector would report whatever the rootkit wants it to.
"We thank Mr. Sebastian Muñiz and Core Security Technologies for working with us towards the goal of keeping the Internet and Cisco networks, as a whole, secure," said Cisco, adding that it was still analysing the conference presentation. "We recommend to our customers that they follow industry best-practices to improve the security of all network devices and read the public Cisco Security Response, which was updated with additional information and recommendations on May 22, 2008." The response, at http://www.cisco.com/warp/public/707/cisco-sr-20080516-rootkits.shtml, emphasises supply chain security: customers should ensure that they are in control of the router, and of the software image downloaded from Cisco.com, before that image is loaded onto the device, it says.
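In practice the supply chain recommendation reduces to one check before an image goes anywhere near a router: recompute its hash on a host you trust and compare it with the digest the vendor published alongside the download (Cisco lists digests on its software download pages, and IOS itself can recompute one from flash with `verify /md5`). The Python below is an added example, not code from this newsletter, from Cisco or from Core Security; the image bytes and the "published" digests are constructed here for illustration, and the function names are this example's own.

```python
import hashlib
import hmac

# Constructed stand-in for an IOS image (a real image is tens of megabytes);
# nothing here is a real Cisco binary.
GOOD_IMAGE = b"IOS-IMAGE-STAND-IN\x00" + bytes(range(256)) * 16

# Hypothetical "published" digests, as they would appear next to the download.
# Computed here on the trusted host from the known-good image so the example
# is self-contained; in practice you copy them from the vendor's download page.
PUBLISHED = {
    "md5": hashlib.md5(GOOD_IMAGE).hexdigest(),
    "sha512": hashlib.sha512(GOOD_IMAGE).hexdigest(),
}


def digests(image: bytes) -> dict:
    """Recompute the digests a vendor commonly publishes for an image."""
    return {
        "md5": hashlib.md5(image).hexdigest(),
        "sha512": hashlib.sha512(image).hexdigest(),
    }


def verify_image(image: bytes, published: dict) -> dict:
    """Compare each published digest with the recomputed one.

    Returns {algorithm: matched}. An algorithm we cannot recompute is
    reported as False rather than silently skipped, so a typo in the
    manifest can never turn into an accidental pass.
    """
    actual = digests(image)
    result = {}
    for alg, expected in published.items():
        if alg not in actual:
            result[alg] = False
            continue
        # Constant-time comparison; case-insensitive because vendors print hex either way.
        result[alg] = hmac.compare_digest(actual[alg].lower(), expected.strip().lower())
    return result


def image_is_trusted(image: bytes, published: dict) -> bool:
    """Load an image only when there is at least one published digest and all of them match."""
    checks = verify_image(image, published)
    return bool(checks) and all(checks.values())


def tamper(image: bytes, offset: int) -> bytes:
    """Flip a single byte, the smallest change an implant could make; any sound hash must notice."""
    return image[:offset] + bytes([image[offset] ^ 0xFF]) + image[offset + 1:]


if __name__ == "__main__":
    print("genuine image trusted:", image_is_trusted(GOOD_IMAGE, PUBLISHED))
    print("tampered image trusted:", image_is_trusted(tamper(GOOD_IMAGE, 40), PUBLISHED))
    print("per-algorithm result:", verify_image(tamper(GOOD_IMAGE, 40), PUBLISHED))
```

Two caveats. The comparison must happen off the box, or at least before the image is booted: a rootkit that already owns the running IOS can lie about a hash as easily as about anything else, which is why CIR-style detection analyses dumps taken from the router offline rather than trusting commands run on the suspect device. And a matching digest only tells you the image is the one the vendor published, not that the vendor's build is clean; that part of the supply chain a published checksum cannot cover.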
June 2008