Network World has a nice story today about a researcher who has created a rootkit for Cisco gear. I bring this to your attention, not because I want to criticize Cisco for having security issues, but rather because so many people think that if they just buy Cisco they are safe from this sort of thing. Nothing could be further from the truth!
The myth goes something like this:
- Everybody has bugs and therefore has the potential for security flaws.
- Because my proprietary vendor keeps its source code closed, however, the bad guys can't see that code and are thus hampered in developing exploits.
- My proprietary vendor keeps me safe by employing a large security team to constantly monitor its own development and fix any flaws that it uncovers.
- If my proprietary vendor uncovers a security flaw, they will use their vast resources to inform me of that flaw with instructions as to what I should do to deal with the problem.
The first statement in that list is true. The rest are all false. The facts are:
- The bad guys already have Cisco's code. The reality here is that no code of any worth can be kept absolutely private. There are too many people at Cisco who have access to that code to keep it safe for long. Ditto with Juniper, Nortel, or anybody else. The same things have happened in the past to Microsoft. If your network security plan relies on the bad guys not having the code, it is fundamentally flawed.
- It's great to have a security team that is monitoring your own products for flaws, but it's better to have a large community that is monitoring your products for flaws. At a certain level, you have to question the conflict of interest of an internal security team. Are they really incentivized to release information about potential exploits? How quickly? If security is in conflict with other internal priorities, what wins? We have seen lots of vendors sit on critical bugs for months after they have been discovered and communicated to them.
- Finally, what happens when flaws are discovered? In Cisco's case, it sued a researcher trying to warn the world of potential security problems. Is your vendor really being forthcoming about issues, or are they trying to silence reasonable, serious discussions about security problems?
I have said it before and I'll say it again: There are two types of companies, those that have security issues and those that are lying. Open source tends to handle the exploits better (not perfectly!) when they occur by providing reliable information rapidly to the people who are in the best position to make use of that information.
Many people believe that security is increased when there is a free flow of information about systems. As the source code thefts make clear, you have to assume that the bad guys have the code. If the bad guys are left to work by themselves in a secret back room, trying to discover remote exploits, they will find them. Your only chance to stay ahead of that is to give the good guys all the information they need to find the exploits first. That can only be done when there is free access to the code.
Is a Cisco rootkit surprising? No, not if you have an accurate view of the world. It's only surprising if you were buying into the myth that your proprietary vendor was immune to that sort of thing. Is a Cisco rootkit necessarily a big problem? Again, no, because if you had an accurate view of the world you always knew something like this could be done and you'd be trying to make sure your systems were secure from the start.
Could somebody develop a Vyatta rootkit? Sure. The difference is that we'll tell you that's a possibility up front and we won't act surprised when it happens. In fact, given that Vyatta is based on Linux and there are many Linux rootkits floating around the ether, it's likely that one could be easily adapted to work with a Vyatta system. That's all the more reason to dispense with any other security myths you may be holding on to and get down to securing your systems.