Curious on people's comments on types of routers, firewalls and other appliances that might be affected, as well as mitigation strategies. Would installing a pfSense and/or other open source firewall be helpful in any way at a home net location?
-- 
R. Guerra
Phone/Cell: +1 202-905-2081
Twitter: twitter.com/netfreedom
Email: [email protected]

On 2013-09-04, at 4:12 PM, Eugen Leitl wrote:

> http://www.wired.com/threatlevel/2013/09/nsa-router-hacking/
>
> NSA Laughs at PCs, Prefers Hacking Routers and Switches
>
> By Kim Zetter, 09.04.13, 6:30 AM
>
> The NSA runs a massive, full-time hacking operation targeting foreign systems, the latest leaks from Edward Snowden show. But unlike conventional cybercriminals, the agency is less interested in hacking PCs and Macs. Instead, America’s spooks have their eyes on the internet routers and switches that form the basic infrastructure of the net, and are largely overlooked as security vulnerabilities.
>
> Under a $652-million program codenamed “Genie,” U.S. intel agencies have hacked into foreign computers and networks to monitor communications crossing them and to establish control over them, according to a secret black budget document leaked to the Washington Post. U.S. intelligence agencies conducted 231 offensive cyber operations in 2011 to penetrate the computer networks of targets abroad.
>
> This included not only installing covert “implants” in foreign desktop computers but also on routers and firewalls — tens of thousands of machines every year in all. According to the Post, the government planned to expand the program to cover millions of additional foreign machines in the future and preferred hacking routers to individual PCs because it gave agencies access to data from entire networks of computers instead of just individual machines.
>
> Most of the hacks targeted the systems and communications of top adversaries like China, Russia, Iran and North Korea and included activities around nuclear proliferation.
>
> The NSA’s focus on routers highlights an often-overlooked attack vector with huge advantages for the intruder, says Marc Maiffret, chief technology officer at security firm Beyond Trust. Hacking routers is an ideal way for an intelligence or military agency to maintain a persistent hold on network traffic because the systems aren’t updated with new software very often or patched in the way that Windows and Linux systems are.
>
> “No one updates their routers,” he says. “If you think people are bad about patching Windows and Linux (which they are) then they are … horrible about updating their networking gear because it is too critical, and usually they don’t have redundancy to be able to do it properly.”
>
> He also notes that routers don’t have security software that can help detect a breach.
>
> “The challenge [with desktop systems] is that while antivirus don’t work well on your desktop, they at least do something [to detect attacks],” he says. “But you don’t even have an integrity check for the most part on routers and other such devices like IP cameras.”
>
> Hijacking routers and switches could allow the NSA to do more than just eavesdrop on all the communications crossing that equipment. It would also let them bring down networks or prevent certain communication, such as military orders, from getting through, though the Post story doesn’t report any such activities. With control of routers, the NSA could re-route traffic to a different location, or intelligence agencies could alter it for disinformation campaigns, such as planting information that would have a detrimental political effect or altering orders to re-route troops or supplies in a military operation.
>
> According to the budget document, the CIA’s Tailored Access Programs and NSA’s software engineers possess “templates” for breaking into common brands and models of routers, switches and firewalls.
>
> The article doesn’t say it, but this would likely involve pre-written scripts or backdoor tools and root kits for attacking known but unpatched vulnerabilities in these systems, as well as for attacking zero-day vulnerabilities that are yet unknown to the vendor and customers.
>
> “[Router software is] just an operating system and can be hacked just as Windows or Linux would be hacked,” Maiffret says. “They’ve tried to harden them a little bit more [than these other systems], but for folks at a place like the NSA or any other major government intelligence agency, it’s pretty standard fare of having a ready-to-go backdoor for your [off-the-shelf] Cisco or Juniper models.”
>
> Not all of the activity mentioned in the budget document involved remote hacking. In some cases, according to the document, the operations involved clandestine activity by the CIA or military intelligence units to “physically place hardware implants or software modifications” to aid the spying.
>
> “Much more often, an implant is coded entirely in software by an NSA group called Tailored Access Operations (TAO),” the Post writes in its story about the document. “As its name suggests, TAO builds attack tools that are custom-fitted to their targets.”
>
> A handful of security researchers have uncovered vulnerabilities in routers in recent years that could be used to do the kind of hacking described in the budget document.
>
> In 2005, security researcher Mike Lynn found a serious vulnerability in Cisco IOS, the operating system running on millions of Cisco routers around the world.
>
> Lynn discovered the vulnerability after his employer, Internet Security Systems, asked him to reverse-engineer the Cisco operating system to see if he could find security problems with it. Cisco makes the majority of the routers that operate the backbone of the internet as well as many company networks and critical infrastructure systems. The Cisco IOS is as ubiquitous in the backbone as the Windows operating system is on desktops.
>
> The vulnerability Lynn found, in a new version of the operating system that Cisco planned to release at the time, would have allowed someone to create a router worm that would shut down every Cisco router through which it passed, bringing down a nation’s critical infrastructure. It also would have allowed an attacker to gain complete control of the router to sniff all traffic passing through a network in order to read, record or alter it, or simply prevent traffic from reaching its recipient.
>
> Once Lynn found the vulnerability, it took him six months to develop a working exploit to attack it.
>
> Lynn had planned to discuss the vulnerability at the Black Hat security conference in Las Vegas, until Cisco intervened and forced him to pull the talk under threat of a lawsuit.
>
> But if Lynn knew about the vulnerability, there were likely others who did as well — including intelligence agencies and criminal hackers.
>
> Source code for Cisco’s IOS has been stolen at least twice, either by entities who were interested in studying the software to gain a competitive advantage or to uncover vulnerabilities that would allow someone to hack or control them.
>
> Other researchers have uncovered different vulnerabilities in other Cisco routers that are commonly used in small businesses and home offices.
>
> Every year at computer security conferences — including the Black Hat conference where NSA Director Keith Alexander presented a keynote this year — U.S. intelligence agencies and contractors from around the world attend to discover information about new vulnerabilities that might be exploited and to hire talented researchers and hackers capable of finding more vulnerabilities in systems.
>
> In 2008, a researcher at Core Security Technologies developed a root kit for the Cisco IOS that was designed to give an attacker a persistent foothold on a Cisco router while remaining undetected.
>
> According to the Post story, the NSA designs most of the offensive tools it uses in its Genie operation, but it spent $25.1 million in one year for “additional covert purchases of software vulnerabilities” from private malware vendors who operate on the grey market — closed markets that peddle vulnerabilities and exploits to law enforcement and intelligence agencies, as opposed to the black market that sells them to cyber criminals.
>
> The price of vulnerabilities and exploits varies, depending on a number of factors. Vulnerabilities and exploits can sell for anywhere from $50,000 to more than a million, depending on the exclusivity of the purchase — some vulnerabilities are sold to multiple parties with the understanding that others are using it as well — and their ubiquity. A vulnerability that exists in multiple versions of an operating system is more valuable than a vulnerability that exists in just one version. A class of vulnerability that crosses multiple browser brands is also more valuable than a single vulnerability that just affects the Safari browser or Chrome.
>
> The Stuxnet cyber weapon that was reportedly created by the U.S. and Israel to sabotage centrifuges used in Iran’s uranium enrichment program, used five zero-day exploits to spread itself among systems in Iran, including a rare exploit that attacked the .LNK function in multiple versions of the Windows operating system in order to spread the worm silently via infected USB sticks.
>
> Ubiquitous router vulnerabilities are difficult to find since there are so many different configurations for routers, and an attack that works against one router configuration might not work for another. But a vulnerability that affects the core operating system is much more valuable since it is less likely to be dependent on the configuration. Maiffret says there hasn’t been a lot of public research on router vulnerabilities, but whenever someone has taken a look at them, they have found security holes in them.
>
> “They’re always successful in finding something,” he says.
>
> Once a vulnerability becomes known to the software maker and is patched, it loses a lot of its value. But because many users and administrators do not patch their systems, some vulnerabilities can be used effectively for years, even after a patch is available. The Conficker worm, for example, continued to infect millions of computers long after Microsoft released a patch that should have stopped the worm from spreading.
>
> Routers in particular often remain unpatched because system administrators don’t think they will be targeted and because administrators are concerned about network outages that could occur while the patch is applied or if the patch is faulty.
>
> Kim Zetter is a senior reporter at Wired covering cybercrime, privacy, security and civil liberties.
>
> --
> Liberationtech is a public list whose archives are searchable on Google.
> Violations of list guidelines will get you moderated:
> https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe,
> change to digest, or change password by emailing moderator at
> [email protected].

_______________________________________________
List mailing list
[email protected]
http://lists.pfsense.org/mailman/listinfo/list
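The quoted article's central defensive point is that routers and firewalls usually ship with no integrity check, so an implant or a quietly altered configuration goes unnoticed. One practical mitigation for a home or small-office gateway, pfSense included, is to keep an out-of-band baseline of the firmware image hash and the exported configuration and diff each new export against it. The following script is an added example written for this thread; it is not code from the pfSense project, the Wired article, or any list member. The volatile-line patterns, the IOS-style sample configuration and the firmware bytes are all constructed for illustration and would be replaced with the real device export and the image downloaded from the vendor.

```python
"""Configuration and firmware integrity baseline for a network appliance.

Added example, not part of the original thread. Records a SHA-256 of the
firmware image plus the normalized saved configuration, then reports drift:
added or removed config lines and any change to the firmware hash. Inputs
below are constructed sample data, not a real device export.
"""
import hashlib
import json
import re
from typing import Dict, List

# Lines that legitimately change between exports (timestamps, clock
# calibration) and must not raise a drift alert. These patterns are an
# assumption for a generic IOS-style config; adapt them to the platform.
VOLATILE = [
    re.compile(r"^! Last configuration change"),
    re.compile(r"^! NVRAM config last updated"),
    re.compile(r"^ntp clock-period"),
]


def normalize_config(text: str) -> List[str]:
    """Drop blank and volatile lines so only meaningful changes remain.
    Leading indentation is kept because it carries section structure."""
    out = []
    for line in text.splitlines():
        s = line.rstrip()
        if not s or any(p.match(s) for p in VOLATILE):
            continue
        out.append(s)
    return out


def firmware_digest(image: bytes) -> str:
    """SHA-256 of the firmware image, to be compared with the vendor's hash."""
    return hashlib.sha256(image).hexdigest()


def build_baseline(config_text: str, image: bytes) -> Dict:
    """Snapshot taken when the device is known-good; store it off the box."""
    lines = normalize_config(config_text)
    return {
        "firmware_sha256": firmware_digest(image),
        "config_sha256": hashlib.sha256("\n".join(lines).encode()).hexdigest(),
        "config_lines": lines,
    }


def check_drift(baseline: Dict, config_text: str, image: bytes) -> Dict:
    """Compare a fresh export and image against the stored baseline."""
    current = normalize_config(config_text)
    base_set, cur_set = set(baseline["config_lines"]), set(current)
    return {
        "firmware_changed": firmware_digest(image) != baseline["firmware_sha256"],
        "added": sorted(cur_set - base_set),
        "removed": sorted(base_set - cur_set),
    }


# --- constructed sample data (not from any real device) ---
BASELINE_CONFIG = """! Last configuration change at 10:00:00 UTC Mon Sep 2 2013
hostname edge-rtr
ip ssh version 2
line vty 0 4
 transport input ssh
 access-class 10 in
!
"""
GOOD_IMAGE = b"vendor-firmware-image-v1"  # stand-in for the real image bytes

# Later export of the same device: the timestamp moved (benign), the VTY
# access-class vanished and a read-write SNMP community appeared (both
# worth investigating).
LATER_CONFIG = """! Last configuration change at 03:12:41 UTC Wed Sep 4 2013
hostname edge-rtr
ip ssh version 2
snmp-server community private RW
line vty 0 4
 transport input ssh
!
"""


def demo() -> Dict:
    """Run the sample comparison; returns the drift report."""
    baseline = build_baseline(BASELINE_CONFIG, GOOD_IMAGE)
    return check_drift(baseline, LATER_CONFIG, GOOD_IMAGE)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run on the sample, the report shows no firmware change, one added line (the SNMP write community) and one removed line (the VTY access-class), while the timestamp change is ignored. Storing the baseline anywhere other than on the appliance itself matters: a device that has been implanted cannot be trusted to report its own state, which is the weakness Maiffret describes.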
