Thursday, 17 May 2012
Could someone place a rootkit on an internal network through a router?
Could someone place a rootkit on an internal network through a router?
By Joel Dubin, past SearchSecurity.com expert | May 18, 2009
1 comments
Digg
PrintIs it possible to gain access to the internal network under the following circumstances: A Cisco Internet border router has TFTP running without SSH, and a bad guy gets the credentials and owns the router, then uploads a new configuration opening ports up for communication. Would the only possible attack be a denial of service, or could a rootkit be placed on the internal network?
EXPERT RESPONSE
Without knowing how the internal network is protected by a DMZ, it would be difficult to say how easy it would be to breach. But this situation, on the surface, sounds quite insecure.
TFTP is an insecure protocol, used mostly for transferring configuration files between routers in a network; it's insecure because it transmits data unencrypted in clear text, doesn't require authentication and is based on UDP. The first two issues are the most critical from a security perspective. If the configuration files are transmitted unencrypted, they can be intercepted, read and manipulated. If they're transmitted without authentication, anybody can access them.
So why would anybody use TFTP? TFTP sits on servers that are accessed by Cisco Systems Inc. routers for updating their configuration files. Some networks still need to run it for backwards compatibility with older network hardware. However, it should be replaced with SSH, which encrypts its traffic and requires authentication.
Again, without knowing if the internal network is protected by a DMZ, it would be hard to tell if compromising the border router would compromise the entire network. Either way, compromising any router with access to the network doesn't bode well for the security of the organization. For instance, if someone controlled access to the routers in the system, and was able to change the configuration files through manipulation of a weak TFTP server, he or she could gain access deep into the network. A denial-of-service (DoS) attack is only one possibility; an attacker could unleash a whole range of malware, including keystroke loggers to obtain account credentials.
Also, if the routers on the network were compromised, the attacker would then have the necessary access to control the servers or hosts on the network, as well. And with server access, installing a rootkit into the operating system would be no problem.
This article originally appeared on SearchSecurity
Similar
Add comment
knowledge_central_tab
Knowledge Central
Trusted Mobility Index
The mobile ecosystem of devices, services and networks is at a critical inflection point.While the mobile revolution is unleashing massive opportunities in both emerging and mature economies, it is also increasing in complexity and confusion. The reality is the lightning-fast adoption of powerful, smart devices is outpacing society’s ability to secure them. Today, trust in mobility hangs in the balance.
The state of the Internet, Q4, 2011
Geography appears to play a role in frequency of observed attacks on specific ports. For example, Port 23 (Telnet) is a favorite target for attacks observed to be originating from South Korea and Turkey, where it accounted for more than five times the number of attacks targeting the next most popular port (445 in both countries). Other instances of geography-based port targeting include observed attacks centered on Port 1433 (Microsoft SQL Server) in China and on Port 80 (WWW/HTTP) in Indonesia.
HID Global deploys a centralized, web-based IP access control solution at Fuxi Power Plant
Unable to meet the needs for real-time monitoring with its traditional patrol system, China's Fuxi Power Plant has deployed HID Global's VertX V2000.
StubHub: How to spot fraud before it happens
Whenever a list of log-on credentials is dumped onto the Web, retailers get hit with waves of automated attacks. Here's how ticket marketplace StubHub fights the threat.
