Re: NSA able to compromise Cisco, Juniper, Huawei switches
On (2014-01-01 23:51 +0200), Eugeniu Patrascu wrote:
>> Is this legal? Can NSA walk in to US based company and legally coerce to install such backdoor? If not, what is the incentive for private company to cooperate?
>
> As you might have seen from the beginning of time, people in power assume anything can go until proven otherwise.

This is mostly academic, as being legal or not being legal, it's not an appealing attack vector due to difficulties containing the information. But what I implied is, if it is legal, you'd have a paper trail, like a legal document from court.

--
++ytti
Re: NSA able to compromise Cisco, Juniper, Huawei switches
On Thu, Jan 2, 2014 at 10:01 AM, Saku Ytti s...@ytti.fi wrote:
> On (2014-01-01 23:51 +0200), Eugeniu Patrascu wrote:
>>> Is this legal? Can NSA walk in to US based company and legally coerce to install such backdoor? If not, what is the incentive for private company to cooperate?
>>
>> As you might have seen from the beginning of time, people in power assume anything can go until proven otherwise.
>
> This is mostly academic, as being legal or not being legal, it's not an appealing attack vector due to difficulties containing the information. But what I implied is, if it is legal, you'd have a paper trail, like a legal document from court.

I can't speak for NSA practices, but for example the FBI asserted that they are entitled to put GPS trackers on cars owned by people they suspected of something, without a court order. And they fought to the death in courts when the suspects brought suits against them for violating their rights with these practices. I would assume that other agencies employ the same tactics and strong-arm companies into doing their bidding with minimal paperwork.

Let's not forget that the NSA vets all the security vendors and products that the USG uses, and it would be pretty easy for them to stop recommending SecurID tokens (main RSA business is authentication) for government use.

The above presumption would have sounded crazy six months ago, but now...
Re: NSA able to compromise Cisco, Juniper, Huawei switches
On (2013-12-31 23:04 +), Warren Bailey wrote:
> that RSA had a check cut for their participation (sell outs..), would it be out of the realm of possibility cisco knowingly placed this into their product line? And would it be their mistake to come out with a “we had no idea!” rather than “guys with badges and court orders made us do it!”?

Is this legal? Can NSA walk in to US based company and legally coerce to install such backdoor? If not, what is the incentive for private company to cooperate?

If legal, consider the risk to NSA. Official product ran inside company to add requested feature, hundreds of people aware of it. Seems both expensive to order such a feature and almost guaranteed to be exposed by some of the employees.

Alternative method is to presume all software is insecure, hire 1 expert whose day job is to search for vulnerabilities in IOS. Much cheaper, insignificant risk. Which method would you use?

> techniques isn’t a surprise to me, what is a surprise to me is the level of acceptance the IT community has shown thus far on NANOG.

This seems like a generalization; the majority opinion seems to be that government has no business spying on us.

Someone contacted me yesterday, after reading how I'd love to see some of these attacks dissected and analysed to gain higher quality data than a screenshot of a PDF. He told me he and his employer are cooperating with their vendor right now, looking at an attack done against a router they operate, and claimed they are aware of other operators being targeted. Unfortunately he couldn't share any specifics, so hopefully we'll soon have a situation where someone can publicly dissect any of the attacks.

If this is as widespread as claimed, and if we'll gain knowledge how to see if you are affected, there are potentially repercussions on a geopolitical scale, as I'm sure many on these lists would go public and share information if they'd find themselves being targeted.

--
++ytti
Re: NSA able to compromise Cisco, Juniper, Huawei switches
> If legal, consider risk to NSA. Official product ran inside company to add requested feature, hundreds of people aware of it. Seems both expensive to order such feature and almost guaranteed to be exposed by some of the employees. Alternative method is to presume all software is insecure, hire 1 expert whose day job is to search for vulnerabilities in IOS. Much cheaper, insignificant risk. Which method would you use?

I'd also look at having people work in the factory in China designing test, or at (/own) the QA/test equipment manufacturer, as when they connect the product JTAG to test you can give a little extra. Both are smaller groups of people, and nobody knows what they do anyway, but they do get legit access to the product, perhaps with low-level details handed on a plate.

> If this is as widespread as claimed, and if we'll gain knowledge how to see if you are affected, there are potentially repercussions on geopolitical scale, as I'm sure many on these lists would go public and share information if they'd find being targeted.

Would they leave them out there gathering data for as long as possible, or remove the evidence as soon as people start looking (then put some back later once the fuss has died down)?

brandon
Re: NSA able to compromise Cisco, Juniper, Huawei switches
Thank you Randy for pointing that out. However, take into account that the NANOG list is moderated, and my comment was delayed for moderation. I was commenting on posts about trivial things, before that nice post with nice codenames.

A good year to all. May this be a smoother year to you all that have short SLAs to keep :)

On 30/12/2013 20:57, Randy Bush ra...@psg.com wrote:
>> These are not backdoor issues, NSA related, whatever... This is noise. Trying to get this thread on track, can the original poster provide any proof of this so-called ability of the so-called intelligence agency being able to access Cisco/Juniper, taking into account that management access has been correctly configured?
>
> since you don't seem to read the articles, perhaps an info-graphic
> http://www.spiegel.de/international/world/a-941262.html
>
> randy
Re: NSA able to compromise Cisco, Juniper, Huawei switches
Warren Bailey wbai...@satelliteintelligencegroup.com
> I find it insanely difficult to believe cisco systems has a backdoor into some of their product lines with no knowledge or participation.

actually, i suspect a mix of both, the usg encouraging calea gone bad (while committing to bad-mouth huawei), and the TAO crew developing serious attacks based on unintended product vulnerabilities. Google has some deniability, as their networks were compromised without their knowledge. i doubt we will ever learn the extent of surprise vs culpability of google, apple, twitter, msoft, ...

Saku Ytti s...@ytti.fi
> Is this legal?

ROFL

> If this is as widespread as claimed, and if we'll gain knowledge how to see if you are affected, there are potentially repercussions on geopolitical scale, as I'm sure many on these lists would go public and share information if they'd find being targeted.

we are dealing with a world in which there are attackers and victims and very few white hats to be seen. exposure via journalism, thanks @ioerror, wikileaks, ... and constructive hacking to make protocols and products more resistant are the main paths available to us.

and if you want to be embarrassed for our peers, see the ietf pissing all over itself deciding whether they can make simple statements that these things are attacks and the ietf needs to do something about its protocols.

---
https://www.youtube.com/watch?v=cOCWTRJCnf0

randy
Re: NSA able to compromise Cisco, Juniper, Huawei switches
On Wed, 01 Jan 2014 11:55:37 +0200, Saku Ytti said:
> Is this legal? Can NSA walk in to US based company and legally coerce to install such backdoor?

Well, legal or not... we will probably never know exactly what was said, but apparently the NSA was able to convince/coerce many of the 800-pound telecom gorillas to install taps and backdoors at the server end.

> If not, what is the incentive for private company to cooperate?

The same incentive that was used to enforce secrecy on National Security Letters for many years: play nice or you'll end up in an oubliette, with a trial to (maybe) be held behind closed doors, where you won't see any of the evidence against you because it's classified. Remember, the US sprouted this indefinite detention concept a while back, and still hasn't backtracked on it, because of its enormous usefulness as a cudgel to deal with enemies of the State.
Re: NSA able to compromise Cisco, Juniper, Huawei switches
On Wed, Jan 1, 2014 at 3:55 AM, Saku Ytti s...@ytti.fi wrote:
> Is this legal? Can NSA walk in to US based company and legally coerce to install such backdoor? If not, what is the incentive for private company to cooperate?

As evidenced by Lavabit; apparently, one thing that they CAN do is issue an order to the US-based company to release their secret cryptography keys, such as RSA secret keys, to the government, including the secret keys that correspond to the public keys on their X.509 certificates; possibly including certificates used for code signing and code distribution to users. AND maintain confidentiality that they were required to release keys.

Recall, Lavabit was deemed in violation of the order due to halting their service after being forced to release the cryptography keys.

The RSA secret keys can then be used to forge the company's signature on a payload containing a malicious copy of the firmware or operating system, and to perform man-in-the-middle attacks against web sites and other software update infrastructure, in order to distribute tampered-with software with forged code signatures.

--
-JH
Re: NSA able to compromise Cisco, Juniper, Huawei switches
On Wed, Jan 1, 2014 at 11:55 AM, Saku Ytti s...@ytti.fi wrote:
> On (2013-12-31 23:04 +), Warren Bailey wrote:
>> that RSA had a check cut for their participation (sell outs..), would it be out of the realm of possibility cisco knowingly placed this into their product line? And would it be their mistake to come out with a “we had no idea!” rather than “guys with badges and court orders made us do it!”?
>
> Is this legal? Can NSA walk in to US based company and legally coerce to install such backdoor? If not, what is the incentive for private company to cooperate?

As you might have seen from the beginning of time, people in power assume anything can go until proven otherwise.
Re: NSA able to compromise Cisco, Juniper, Huawei switches
On Tue, Dec 31, 2013 at 5:38 AM, Sabri Berisha sa...@cluecentral.net wrote:
> Hi Roland.
>
>> I don't know much about Juniper gear, but it appears that the Juniper boxes listed are similar in nature, albeit running FreeBSD underneath (correction welcome).
>
> With most Juniper gear, it is actually quite difficult to achieve wire-tapping on a large scale using something as simple as a backdoor in the BIOS.

You would just need an entry-point into the system, nothing fancy at first.

> Assuming M/MX/T series, you are correct that the foundation of the control-plane is a FreeBSD-based kernel. However, that control-plane talks to a forwarding-plane (PFE). The PFE runs Juniper-designed ASICs (which differ per platform and sometimes per line-card). In general, transit traffic (traffic that enters the PFE and is not destined to the router itself) will not be forwarded via the control-plane. This means that whatever the backdoor is designed to do, it simply cannot touch the traffic.
>
> There are a few exceptions, such as a carefully crafted backdoor capable of altering the next-hop database (the PFE's forwarding table) and mirroring traffic. This, however, would mean that the network would already have to be compromised. Another option would be to duplicate target traffic into a tunnel (GRE or IPIP based, for example), but that would certainly have a noticeable effect on the performance, if it is possible to perform those operations at all on the target chipset.

From my experience with Juniper, you can actually tell the PFEs to do quite a lot to the packets that flow through the router. I would imagine that programmatically you can tell the router to mirror packets which match certain criteria (source, destination, ports, protocol) to a chosen destination, and it would not get noticed by the NOC monitoring systems (it may not even blip on the throughput graphs).

> However, attempting any of the limited attacks that I can think of would require expert-level knowledge of not just the overall architecture, but also of the microcode that runs on the specific PFE that the attacker would target, as well as the ability to partially rewrite that. Furthermore, to embed such a sophisticated attack in a BIOS would seem impossible to me, with the first reason being the limited amount of storage available on the EEPROM to store all that binary code.

All you need is a hook into the system to load your code; the main payload can be easily downloaded from the internet.

> An attack based on corrupted firmware loaded post-manufacturing would also be difficult due to the signed binaries and microcode. If someone were to embed a backdoor it is extremely difficult without Juniper's cooperation. And the last time I looked at the code (I left Juniper a few months ago), I saw nothing that would indicate a backdoor of any kind.

Who checks the binaries when they are loaded when the OS boots up? :)
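The "mirror without a blip on the graphs" point above suggests a defender-side check that does not depend on any single interface's graph: a transit router should emit roughly what it ingests, so a covert copy of selected flows shows up as chassis-wide egress exceeding ingress. The following is an added example, not code from either poster; the interface counter polls are constructed, and the allowance for router-originated traffic is an assumed value to be tuned per platform.

```python
"""Traffic-conservation check over interface byte counters.

Added example (not from the thread). A transit router forwards what it
receives, so per polling interval sum(egress bytes) should be close to
sum(ingress bytes) plus what the box itself generates. A covert mirror or
tunnel copy of selected flows makes chassis-wide egress climb above ingress
even when no single interface's graph shows a visible bump.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

COUNTER_MAX = 2 ** 64  # ifHCInOctets / ifHCOutOctets are 64-bit counters


@dataclass(frozen=True)
class Sample:
    """One SNMP-style poll: timestamp plus per-interface octet counters."""
    ts: int
    in_octets: Dict[str, int]
    out_octets: Dict[str, int]


def counter_delta(new: int, old: int) -> int:
    """Difference between two counter readings, surviving a wrap at 2**64."""
    return (new - old) % COUNTER_MAX


def interval_totals(prev: Sample, cur: Sample) -> Tuple[int, int]:
    """Chassis-wide ingress and egress bytes between two polls."""
    ingress = sum(counter_delta(cur.in_octets[i], prev.in_octets[i]) for i in cur.in_octets)
    egress = sum(counter_delta(cur.out_octets[i], prev.out_octets[i]) for i in cur.out_octets)
    return ingress, egress


def conservation_check(samples: List[Sample], local_allowance: float = 0.02) -> List[Tuple[int, int, int, float]]:
    """Return (ts, ingress, egress, excess) for intervals where egress exceeds
    ingress by more than local_allowance (a fraction of ingress).

    local_allowance (assumed value) covers legitimately router-originated
    traffic: routing protocol hellos, NetFlow/sFlow export, syslog, SNMP.
    Multicast replication and configured port-mirror sessions are also
    legitimate sources of excess egress and must be accounted for before a
    hit is treated as suspicious.
    """
    findings = []
    for prev, cur in zip(samples, samples[1:]):
        ingress, egress = interval_totals(prev, cur)
        if ingress == 0:
            continue  # idle interval, the ratio is meaningless
        excess = (egress - ingress) / ingress
        if excess > local_allowance:
            findings.append((cur.ts, ingress, egress, round(excess, 3)))
    return findings


# Constructed polls, 60 s apart, for a three-port transit box. Intervals 1 and
# 3 are normal (0.5 % router-originated traffic on ge-0/0/2); interval 2 adds a
# 200 kB copy of ge-0/0/0 ingress leaving via ge-0/0/2 on top of that.
SAMPLES = [
    Sample(0,
           {"ge-0/0/0": 1_000_000, "ge-0/0/1": 2_000_000, "ge-0/0/2": 0},
           {"ge-0/0/0": 2_000_000, "ge-0/0/1": 1_000_000, "ge-0/0/2": 10_000}),
    Sample(60,
           {"ge-0/0/0": 1_500_000, "ge-0/0/1": 2_500_000, "ge-0/0/2": 0},
           {"ge-0/0/0": 2_500_000, "ge-0/0/1": 1_500_000, "ge-0/0/2": 15_000}),
    Sample(120,
           {"ge-0/0/0": 2_000_000, "ge-0/0/1": 3_000_000, "ge-0/0/2": 0},
           {"ge-0/0/0": 3_000_000, "ge-0/0/1": 2_000_000, "ge-0/0/2": 220_000}),
    Sample(180,
           {"ge-0/0/0": 2_500_000, "ge-0/0/1": 3_500_000, "ge-0/0/2": 0},
           {"ge-0/0/0": 3_500_000, "ge-0/0/1": 2_500_000, "ge-0/0/2": 225_000}),
]

if __name__ == "__main__":
    for ts, ingress, egress, excess in conservation_check(SAMPLES):
        print(f"t={ts}s ingress={ingress} egress={egress} excess={excess:.1%}")
```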
Re: NSA able to compromise Cisco, Juniper, Huawei switches
I think there needs to be some clarification on how these tools get used, how often they're used, and if they're ever cleaned up when no longer part of an active operation. Of course we'll never get that.

The amount of apologists with the attitude "this isn't a big deal, nothing to see here, the NSA does this kind of thing" is kind of shocking for this community, especially with the information that's been released over the past few months.

This whole backdoor business is a very, very dangerous game.

On Tue, Dec 31, 2013 at 12:19 AM, Blair Trosper blair.tros...@gmail.com wrote:
> To supplement and amend what I said: These are the KINDS of things we want the NSA to do; however, the institutional oversight necessary to make sure it's Constitutional, warranted, and kept in bounds is woefully lacking (if any exists at all). Even FISA is unsatisfactory.
>
> At any rate, I agree that the current disposition of the NSA (or, at least, what's been leaking the last few months) is simply unacceptable and cannot be allowed. I say that last part from the perspective of a US citizen, though I'd imagine most people of other nationalities would agree with me, but probably for different reasons.
>
> On Mon, Dec 30, 2013 at 11:08 PM, Jimmy Hess mysi...@gmail.com wrote:
>> On Mon, Dec 30, 2013 at 10:41 PM, Blair Trosper blair.tros...@gmail.com wrote:
>>> I'm torn on this. On one hand, it seems sinister. On the other, it's not only what the NSA is tasked with doing, but it's what you'd EXPECT them to be doing in the role as the NSA.
>>
>> [snip]
>> The NSA's role is not supposed to include subterfuge and undermining the integrity or security of domestic enterprise infrastructure.
>>
>> With any luck, we'll hopefully find absolutely nothing, or that it was targeted backdooring against specific targets only.
>>
>> And people have a need to know that the security agencies haven't left a trail of artificially inserted bugs and backdoors in common IT equipment providing critical infrastructure services, and that the agencies haven't prepared a collection of instant-root 0days that are no more protected than the agencies' other poorly guarded secrets. There would be a risk that any 'backdoors' are ready to be exploited by other unintended nefarious actors!
>>
>> Because the NSA are apparently great at prepping the flammables and setting fires, but totally incapable of keeping the fires contained once they (or someone else) light them.
>>
>> It is not the least bit necessary for the NSA itself to be a nefarious actor exploiting things, or even complicit, for the mere presence of any backdoor or surreptitious code to eventually have the potential for serious damage. It could well be a rogue ex-employee of the NSA, such as Snowden, or others that happened to be aware of technical details, hackers, or members of a foreign nation state, who will just happen to have the time and energy to track down open doors waiting for the taking, AND figure out how to abuse them for evil purposes.
>>
>> There are enough potential 0day risks, without intentional ones, waiting for bad guys to co-opt!
>>
>> --
>> -JH

--
Ray Patrick Soucy
Network Engineer
University of Maine System
T: 207-561-3526 F: 207-561-3531
MaineREN, Maine's Research and Education Network
www.maineren.net
Re: NSA able to compromise Cisco, Juniper, Huawei switches
On Tue, Dec 31, 2013 at 8:05 AM, Ray Soucy r...@maine.edu wrote:
> This whole backdoor business is a very, very, dangerous game.

While I agree with this (and the issues brought up with NSA's NIST-approved PRNG that RSA used), if I were in their shoes, I would have been collecting every bit of data I could (i.e., I can't fault them on PRISM, and I have some serious issues with most of these disclosures).

I don't believe that anyone has said this isn't a big deal. I think even the NSA has said the exact opposite (for different reasons).

I have no opinion at this point on whether they put a back door in routers. I think it's possible, maybe even with multiple moving parts (submit some HDL to a manufacturer for their own project and allow them to use it for others under an NDA, knowing that the chip could be used in hardware and knowing that something would hit that part of the chip), and no one on either end has to know a back door has been inserted.

It's also possible that the ANT stuff is propaganda (though the ideas in there are pretty cool and should be implemented under open source).
RE : Re: NSA able to compromise Cisco, Juniper, Huawei switches
+1, I fully agree. And not only concerning the domestic use by country, but also with regards to information peering with neighbors, and such.

Enjoy '14!

mh

Original message
From: Ray Soucy r...@maine.edu
Date:
To: Blair Trosper blair.tros...@gmail.com
Cc: nanog@nanog.org list nanog@nanog.org
Subject: Re: NSA able to compromise Cisco, Juniper, Huawei switches

> I think there needs to be some clarification on how these tools get used, how often they're used, and if they're ever cleaned up when no longer part of an active operation. Of course we'll never get that.
> [snip]
Re: NSA able to compromise Cisco, Juniper, Huawei switches
> I think there needs to be some clarification on how these tools get used, how often they're used, and if they're ever cleaned up when no longer part of an active operation. Of course we'll never get that.

Highly unlikely, I'd say.

> The amount of apologists with the attitude this isn't a big deal, nothing to see here, the NSA does this kind of thing is kind of shocking for this community; especially with the information that's been released over the past few months. This whole backdoor business is a very, very, dangerous game.

It *is* a big deal. And if you want to get even more scared, listen to Jacob Appelbaum's talk at the CCC here:

http://www.youtube.com/watch?v=b0w36GAyZIA

Steinar Haug, Nethelp consulting, sth...@nethelp.no
Re: NSA able to compromise Cisco, Juniper, Huawei switches
On (2013-12-31 14:45 +0100), sth...@nethelp.no wrote:
>> This whole backdoor business is a very, very, dangerous game.
>
> It *is* a big deal. And if you want to get even more scared, listen to Jacob Appelbaum's talk at the CCC here:

I'm going to wait calmly for some of the examples being recovered from the field, documented and analysed. I'd love to see for example the pwned Juniper code in action: how do they manage from the BIOS to inspect data from the HW path, without relying on a specific version of FreeBSD, JunOS, control-plane, HW NPU/ASIC? What is it capable of doing, what is it not capable of doing? How does it deliver the data?

As they are presented as pervasive and common, I'm sure it's just a matter of time until we'll have higher quality data than a screen capture of a PDF.

--
++ytti, Commander, FUSAG
Re: NSA able to compromise Cisco, Juniper, Huawei switches
On Dec 31, 2013, at 8:32 AM, Saku Ytti s...@ytti.fi wrote:
> I'm going to wait calmly for some of the examples being recovered from the field, documented and analysed.

If I were Cisco/Juniper/et al. I would have a team working on this right now. It should be trivial for them to insert code into the routers that, say, hashes all sorts of things (code image, BIOS, any PROMs and EEPROMs and such on the linecards) and submits all of those signatures back. Any APT that has been snuck into those things should be able to be detected. For most of them the signatures should be known, as the code shipped from the factory and was never intended to be modified (e.g. BIOS).

A transparent public report about how many devices are running signatures they do not know would be very interesting. Plus, it's an opportunity to sell new equipment to those people, so they can rid themselves of the infection.

I also wonder how this will change engineering going forward. Maybe the BIOS should be a ROM chip, not an EEPROM, again. Maybe the write line needs to be run through a physical jumper on the motherboard that is normally not present. Why do we accept that our devices, be it a PC or a router, can be persistently infected? The hardware industry needs to do better.

--
Leo Bicknell - bickn...@ufp.org - CCIE 3440
PGP keys at http://www.ufp.org/~bicknell/
Re: NSA able to compromise Cisco, Juniper, Huawei switches
For some weeks now all my Cisco / Juniper equipment has been replaced with open source solutions (sometimes with embedded devices), and that works fine. Google as search engine and Facebook accounts are deleted, and some more things. Cloud solutions outside Europe are now forbidden for me.

Thank you NSA Co. for your great work :-( A real thank you to Snowden!

Best regards,
Markus, Germany
Re: NSA able to compromise Cisco, Juniper, Huawei switches
On (2013-12-31 09:03 -0600), Leo Bicknell wrote:
> If I were Cisco/Juniper/et al. I would have a team working on this right now. It should be trivial for them to insert code into the routers that, say, hashes all sorts of things (code image, BIOS, any PROMs and EEPROMs and such on the linecards) and submits all of those signatures back. Any

I asked JTAC earlier today (#2013-1231-0033), and JTAC asked SIRT for a tool to read the BIOS and output a SHA2 or SHA3 hash, and such a tool does not exist yet. I'm dubious; it might be possible even with existing tools. At least it's possible to reflash the BIOS with stock JunOS, as a lot of us had to do due to misformatted SSD disks.

But fully agreed, some of these sanity checks should be added. It's not a cure-all: maybe the attack changes the answers before showing them, maybe the BIOS comes infected from Juniper or from Kontron. But it would create an additional barrier.

I also emailed Kontron and told them it would be prudent for them to do a press release also, just to know what their public/official statement is.

> I also wonder how this will change engineering going forward. Maybe the BIOS should be a ROM chip, not an EEPROM again. Maybe the write line needs to be run through a physical jumper on the motherboard that is normally not present.

We can take a page from the XBOX360, which is designed to be resistant against attack with physical access. Key idea is to use PKI and hide the key in such a place that it's difficult to recover; namely, if it's inside a modern-lithography CPU in read-only, it's just a financially unviable vector. MS just goofed and forgot to sign the DVD firmware.

> Why do we accept our devices, be it a PC or a router, can be persistently infected. The hardware industry needs to do better.

I'm still taking all these revelations with a grain of salt, until a real specimen is dissected.

--
++ytti
Re: NSA able to compromise Cisco, Juniper, Huawei switches
On Dec 31, 2013, at 11:50 AM, Saku Ytti s...@ytti.fi wrote:
> I asked JTAC earlier today (#2013-1231-0033), and JTAC asked SIRT for a tool to read the BIOS and output a SHA2 or SHA3 hash, and such a tool does not exist yet. I'm dubious; it might be possible even with existing tools. At least it's possible to reflash the BIOS with stock JunOS, as a lot of us had to do due to misformatted SSD disks.
>
> But fully agreed, some of these sanity checks should be added. It's not a cure-all: maybe the attack changes the answers before showing them, maybe the BIOS comes infected from Juniper or from Kontron. But it would create an additional barrier.
>
> I also emailed Kontron and told them it would be prudent for them to do a press release also, just to know what their public/official statement is.

Most of the vendors (I think Cisco/Juniper) have many of their staff out on vacation this week. I believe both are doing the mandatory shutdown or similar that I've seen other folks do around this season. Arbor Networks did something similar as well this year.

If you are looking at your hardware, you can get inexpensive flash readers/writers out there. I have one I use when doing low-level hardware work. There are also tools for your servers (e.g. flashrom) which are available in your favorite repos/ports/elsewhere and work on Linux/FreeBSD/others. You can typically use this to read/checksum your BIOS quickly on supported hardware.

I'm sure they would love to have the efforts that have gone into this e-mail thread followed up with hardware/research/contributions to improve the software. It shouldn't be too hard for you to read your BIOS and load it into IDA Pro or similar to perform checks.

- Jared
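One way to turn the hash-and-report idea from Leo's post and the out-of-band flash read from Jared's into a fleet check, as an added example (not a JTAC/SIRT tool or anything the vendors ship): each persistent component is hashed from a dump taken with an external reader or flashrom, compared against a manifest of known-good digests, and the fleet is summarised as known versus unknown, the way Leo's public report would be. The manifest digests, component names and device dumps below are constructed placeholders.

```python
"""Firmware baseline check for a router fleet.

Added example, not a vendor tool. The dumps are assumed to have been read
out of band (external flash reader, or flashrom on a supported board) so an
implant cannot rewrite the answer on the way out, which is the caveat raised
in the thread about letting a possibly compromised device hash itself.
"""
import hashlib
from typing import Dict, List, Optional, Set, Tuple

Verdict = Tuple[str, Optional[str]]  # (state, hex digest or None)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for released images; a real manifest would carry the
# digests of every image version still in service for each component.
BIOS_V1 = b"BIOS image v1.0 (constructed placeholder)"
BIOS_V2 = b"BIOS image v1.1 (constructed placeholder)"
LINECARD_PROM_R7 = b"linecard PROM r7 (constructed placeholder)"

MANIFEST: Dict[str, Set[str]] = {
    "bios": {sha256_hex(BIOS_V1), sha256_hex(BIOS_V2)},
    "linecard_prom": {sha256_hex(LINECARD_PROM_R7)},
}


def classify_device(dumps: Dict[str, bytes], manifest: Dict[str, Set[str]] = MANIFEST) -> Dict[str, Verdict]:
    """Compare every dumped component against the manifest.

    States: 'known'    digest matches an approved image
            'unknown'  component is baselined but this digest is not
            'unlisted' component has no baseline at all
            'missing'  baselined component was never dumped (a gap, not a pass)
    """
    verdicts: Dict[str, Verdict] = {}
    for component, data in dumps.items():
        digest = sha256_hex(data)
        if component not in manifest:
            verdicts[component] = ("unlisted", digest)
        elif digest in manifest[component]:
            verdicts[component] = ("known", digest)
        else:
            verdicts[component] = ("unknown", digest)
    for component in manifest:
        if component not in dumps:
            verdicts[component] = ("missing", None)
    return verdicts


def fleet_report(devices: Dict[str, Dict[str, bytes]], manifest: Dict[str, Set[str]] = MANIFEST) -> Tuple[Dict[str, int], List[Tuple[str, List[str]]]]:
    """Summarise a fleet: how many devices are fully known-good, how many need
    attention, and which components on each flagged device are the reason."""
    summary = {"clean": 0, "attention": 0}
    flagged: List[Tuple[str, List[str]]] = []
    for name, dumps in devices.items():
        verdicts = classify_device(dumps, manifest)
        bad = sorted(c for c, (state, _) in verdicts.items() if state != "known")
        if bad:
            summary["attention"] += 1
            flagged.append((name, bad))
        else:
            summary["clean"] += 1
    return summary, sorted(flagged)


# Constructed fleet: two clean boxes, one whose BIOS carries a trailer nobody
# has seen before, and one whose linecard PROM was never collected.
FLEET: Dict[str, Dict[str, bytes]] = {
    "rtr-a": {"bios": BIOS_V1, "linecard_prom": LINECARD_PROM_R7},
    "rtr-b": {"bios": BIOS_V2, "linecard_prom": LINECARD_PROM_R7},
    "rtr-c": {"bios": BIOS_V1 + b"\x00extra", "linecard_prom": LINECARD_PROM_R7},
    "rtr-d": {"bios": BIOS_V2},
}

if __name__ == "__main__":
    summary, flagged = fleet_report(FLEET)
    print(summary)
    for name, components in flagged:
        print(f"{name}: {', '.join(components)}")
```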
Re: NSA able to compromise Cisco, Juniper, Huawei switches
On (2013-12-31 16:22 +0100), na...@mitteilung.com wrote:
> Since some weeks all my cisco / juniper equipment was replaced with open source solutions (sometimes with embedded devices) and that works fine. Google as search engine and Facebook accounts are deleted and some more things. Cloud solutions outside europe now are forbidden for me. Thank you NSA Co. for your great work :-(

Back in 2008, Sweden publicly stated that their SIGINT police, 'FRA', would start to spy on all traffic coming and going across Swedish borders. The Finnish pirate party had two suggestions in response to this revelation:

1) Finland needs its own direct fibre connection to Germany, to bypass Swedish spying -- sounds good, since only those who tell about spying, spy -- Germany has a flawless recent history record about spying

2) Finland needs a government-operated mandatory VPN box at the border -- just like other civilized states, like China and Saudi Arabia.

Point I'm making: it's naive to think the landscape has changed, or that non-implied instances are safer. The most local cloud providers I know personally, and conversely they know me personally, so there is quite a high likelihood of them coming up with a reason to access my data. If I'm worried about the data, I should store it myself. If the data is non-encrypted email, there are so many points to intercept it at; make sure it is something that survives being published. If it's encrypted, it does not much matter where you store it, as long as you don't decrypt it there.

--
++ytti
Re: NSA able to compromise Cisco, Juniper, Huawei switches
Hi,

some approaches were discussed in 2010, by Graeme Neilson from NZ here:

https://www.troopers.de/wp-content/uploads/2012/10/TROOPERS10_Netscreen_of_the_Dead_Graeme_Neilson.pdf

a later year, at the same conference, he gave a private session demonstrating basically the same stuff for JunOS, as ongoing (and, at the time, non-public) research.

happy NYE to everybody

Enno

On Tue, Dec 31, 2013 at 06:50:11PM +0200, Saku Ytti wrote:
> On (2013-12-31 09:03 -0600), Leo Bicknell wrote:
>
>> If I were Cisco/Juniper/et al I would have a team working on this right now. It should be trivial for them to insert code into the routers that say, hashes all sorts of things (code image, BIOS, any PROMs and EEPROMs and such on the linecards) and submits all of those signatures back. Any
>
> I asked earlier today JTAC (#2013-1231-0033) and JTAC asked SIRT for tool to read BIOS and output SHA2 or SHA3 hash, and such tool does not exist yet.
>
> I'm dubious, it might be possible even with existing tools. At least it's possible to reflash the BIOS with stock JunOS, as lot of us had to do due to misformatted SSD disks.
>
> But fully agreed some of these sanity checks should be added, it's not cure all, maybe the attack changes the answers before showing them, maybe BIOS comes infected from Juniper or from Kontron. But it would create additional barrier.
>
> I also emailed Kontron and told it would be prudent for them to do press release also. Just to know what their public/official statement is.
>
>> I also wonder how this will change engineering going forward. Maybe the BIOS should be a ROM chip, not an EEPROM again. Maybe the write line needs to be run through a physical jumper on the motherboard that is normally not present.
>
> We can take page from XBOX360 which is designed to be resistant against attack with physical access. Key idea is that use PKI and hide key in such place where it's difficult to recover, namely, if it's inside modern lithography CPU in read-only, it's just financially unviable vector.
>
> MS just goofed and forgot to sign DVD firmware.
>
>> Why do we accept our devices, be it a PC or a router, can be persistently infected. The hardware industry needs to do better.
>
> I'm still taking all these revelations with grain of salt, until real specimen is dissected.
>
> --
> ++ytti

--
Enno Rey
ERNW GmbH - Carl-Bosch-Str. 4 - 69115 Heidelberg - www.ernw.de
Tel. +49 6221 480390 - Fax 6221 419008 - Cell +49 173 6745902
Handelsregister Mannheim: HRB 337135
Geschaeftsfuehrer: Enno Rey
=== Blog: www.insinuator.net || Conference: www.troopers.de ===
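The exchange above turns on two points: hashing the code image, BIOS and PROMs against known-good values, and Saku's caveat that a compromised box can "change the answers before showing them". The following is an added example, not code from the thread or from any vendor tool: it hashes image files that were dumped off the device and compares them with a manifest of known-good SHA-256 values computed on a trusted host, so the device is never asked to vouch for itself. The manifest format (sha256sum style, `<hex digest>  <file name>`), the file names and the sample contents are all constructed for the illustration.

```python
# Added example (not from the thread): off-box verification of dumped
# firmware/image files against a known-good hash manifest.
# The manifest format ('<sha256 hex>  <file name>', as sha256sum prints it)
# and the file names are assumptions made for this illustration.
import hashlib
import os
import tempfile


def sha256_file(path, chunk_size=1 << 20):
    """SHA-256 of a file, read in chunks so large images do not fill memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def parse_manifest(text):
    """Parse '<hex digest>  <name>' lines; blank lines and '#' comments are skipped."""
    expected = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError(f"manifest line {lineno} is malformed: {raw!r}")
        hex_digest, name = parts
        try:
            bytes.fromhex(hex_digest)
        except ValueError:
            raise ValueError(f"manifest line {lineno} has a non-hex digest") from None
        expected[name.strip()] = hex_digest.lower()
    return expected


def verify_images(manifest_text, image_dir):
    """Compare every manifest entry with the dumped file in image_dir.

    Returns ({name: 'ok' | 'MISMATCH' | 'MISSING'}, [files not in manifest]).
    Hashes are computed on this host from a dump rather than reported by the
    device, because a compromised box can lie about its own contents.
    """
    expected = parse_manifest(manifest_text)
    results = {}
    for name, want in expected.items():
        path = os.path.join(image_dir, name)
        if not os.path.isfile(path):
            results[name] = "MISSING"
        elif sha256_file(path) == want:
            results[name] = "ok"
        else:
            results[name] = "MISMATCH"
    unexpected = sorted(f for f in os.listdir(image_dir) if f not in expected)
    return results, unexpected


def demo():
    """Constructed scenario: two known-good dumps, one later tampered, one missing, one extra."""
    known_good = {
        "bios.bin": b"CONSTRUCTED-BIOS-IMAGE-v1.0",
        "kernel.img": b"CONSTRUCTED-KERNEL-IMAGE",
    }
    manifest = "# constructed manifest\n" + "".join(
        f"{hashlib.sha256(data).hexdigest()}  {name}\n" for name, data in known_good.items()
    )
    # An entry for a line-card PROM that was never dumped (placeholder digest).
    manifest += "0" * 64 + "  linecard.prom\n"
    with tempfile.TemporaryDirectory() as image_dir:
        for name, data in known_good.items():
            with open(os.path.join(image_dir, name), "wb") as fh:
                fh.write(data)
        # Simulate a one-byte modification of the BIOS dump after the manifest was made.
        with open(os.path.join(image_dir, "bios.bin"), "ab") as fh:
            fh.write(b"\x90")
        # A file present on the box that the manifest does not list at all.
        with open(os.path.join(image_dir, "extra.bin"), "wb") as fh:
            fh.write(b"not listed in manifest")
        return verify_images(manifest, image_dir)


if __name__ == "__main__":
    results, unexpected = demo()
    for name, status in sorted(results.items()):
        print(f"{status:9s} {name}")
    print("not in manifest:", unexpected)
```

The check only moves the trust problem, it does not remove it: the dump has to be taken through a path the device cannot interpose on (a programmer on the flash part, or a recovery boot from known media), and the manifest has to come from the vendor over an authenticated channel. A matching hash says the dump equals what the vendor shipped; it says nothing about whether what the vendor shipped is clean.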
Re: NSA able to compromise Cisco, Juniper, Huawei switches
On Dec 31, 2013, at 12:49 PM, Enno Rey e...@ernw.de wrote:

> Hi,
>
> some approaches were discussed in 2010, by Graeme Neilson from NZ here:
>
> https://www.troopers.de/wp-content/uploads/2012/10/TROOPERS10_Netscreen_of_the_Dead_Graeme_Neilson.pdf
>
> a later year, at the same conference, he gave a private session demonstrating basically the same stuff for JunOS, as ongoing (and, at the time, non-public) research.
>
> happy NYE to everybody

What I found mildly amusing this summer was most of the outlines of the summer Snowden stuff was covered in this book:

http://www.amazon.com/dp/B00DNL1AXE/ref=nosim?tag=pucknethernet-20linkCode=sb1camp=212353creative=380549

If you have no plans for tomorrow and like this type of stuff, go ahead and take a quick read :)

Much of this stuff isn't new. There have been industry groups working on these supply chain assurance and risk models for years. If you are truly paranoid you will be working with these groups already. Pointers available in private if you want them.

- Jared
Re: NSA able to compromise Cisco, Juniper, Huawei switches
* Randy Bush:

>> Clay Kossmeyer here from the Cisco PSIRT.
>
> shoveling kitty litter as fast as you can, eh?
>
>> http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20131229-der-spiegel
>>
>> The article does not discuss or disclose any Cisco product vulnerabilities.
>
> this is disingenuous at best. from the nsa document copied in der spiegel and now many other places:
>
>     JETPLOW is a firmware persistence implant for Cisco PIX series and ASA firewalls ...

There's a limit to what can reasonably be called a *product* vulnerability. If you physically plant a bug in a phone, does it exploit a vulnerability in the phone? I don't think so. Theoretically, the manufacturer could have filled it completely with glue. But the next step up is drilling out some of that to place the bug, and then you're looking at tamper evidence, and that's an extremely difficult matter.

Routers are expected to be modular, so it's difficult to avoid that they have exposed buses with something that approaches DMA capability. On-site debugging hooks through JTAG ports or similar might be essential to reduce downtime in case of severe problems, so I doubt one can get rid of them. Same for firmware downgrade and recovery options.

In the end, the defense has to be political, not technical. We don't want to do this because it's wrong, and not we can't do this because it's impossible. After all, what's possible can change very quickly. Appeasement in the form of lawful intercept turned out to be a failure: even if you comply, it's likely that your own, domestic intelligence agencies consider your infrastructure, you and your colleagues legitimate targets.
Re: NSA able to compromise Cisco, Juniper, Huawei switches
On (2013-12-31 18:49 +0100), Enno Rey wrote:

> some approaches were discussed in 2010, by Graeme Neilson from NZ here:
>
> https://www.troopers.de/wp-content/uploads/2012/10/TROOPERS10_Netscreen_of_the_Dead_Graeme_Neilson.pdf
>
> a later year, at the same conference, he gave a private session demonstrating basically the same stuff for JunOS, as ongoing (and, at the time, non-public) research.

If I read that correctly, it requires someone to install malicious code to the box and won't persist if someone upgrades it later to non-malicious code.

What the screenshot of NSA 'implant' says is persistently broken, through malicious BIOS, which dynamically rewrites kernel in-memory post-boot.

The netscreen hack is cute, but it's rather on the same difficulty level as it is to build savegame editor for game.

--
++ytti
Re: NSA able to compromise Cisco, Juniper, Huawei switches
On Dec 31, 2013, at 7:05 AM, Ray Soucy wrote:

> I think there needs to be some clarification on how these tools get used, how often they're used, and if they're ever cleaned up when no longer part of an active operation.

Of course we'll never get that. But that's exactly what we need.

Look at CALEA. It has its warts and issues, but the rules are published so everyone knows how the game is played. Even with NSLs, there's apparently some oversight, and you can challenge certain aspects (though it's a long and expensive process).

But backdooring gear, servers, BIOS, etc. has no rules. It's just chaos. You don't know if a customer has been targeted, so you can't take appropriate steps. You have no way of knowing if your gear is backdoored or who is using the backdoor. And simply knowing that there is a backdoor will increase the chances that it will be found and used by others. The known threat landscape has been increased by orders of magnitude.

--Chris
Re: NSA able to compromise Cisco, Juniper, Huawei switches
On Mon, 30 Dec 2013 19:38:12 -0800, Sabri Berisha said:

> However, attempting any of the limited attacks that I can think of would require expert-level knowledge of not just the overall architecture, but also of the microcode that runs on the specific PFE that the attacker would target,

Already solved problem, from back in the Internet Stone Age. I remember seeing an exploit that asked you whether the target was SunOS 3.2, patch 1, 2, or 3, and launched the correct attack for each. And I can think of a lot of different ways to make the router cough up the needed info (or you can just brute-force loop over all the options till one works - leave the vendor support guy wondering why that line card rebooted 5 times in an hour and then suddenly became rock solid again :)
Re: NSA able to compromise Cisco, Juniper, Huawei switches
> There's a limit to what can reasonably be called a *product* vulnerability.

right. if the product was wearing a low-cut blouse and a short skirt, it's not.

it's weasel words (excuse the idiom). shoveling kitty litter over a big steaming pile.

let me insert a second advert for jake's 30c3 preso, https://www.youtube.com/watch?v=b0w36GAyZIA

randy
Re: NSA able to compromise Cisco, Juniper, Huawei switches
+1

NSA states very clearly this is baked in and “widely deployed”. Either Cisco is not very happy with their government overlords today, or they are having long meetings at those oversized conference tables trying to figure out what to tell everyone.

I’m curious about the implications to the US DoD STIG’s that are put out, as I’m fairly sure they do not mention there is a backdoor that anyone who knows how to knock can access.

My other question is.. How are they identifying unique ASA and PIX? Is there a fingerprint mechanism that tells it what’s going on? I’d think there would be quite a few admins out there with really weird syslog entries??

Randy is right here.. Cisco has some ‘splainin to do - we buy these devices as “security appliances”, not NSA rootkit gateways. I hope the .cn guys don’t figure out what’s going on here, I’d imagine there are plenty of ASA’s in the .gov infrastructures.

//warren

PS - I mentioned .cn specifically because of the Huawei aspect, in addition to the fact that it has been widely publicized we are in a “cyber war” with them.

On 12/31/13, 12:07 PM, Randy Bush ra...@psg.com wrote:

>> There's a limit to what can reasonably be called a *product* vulnerability.
>
> right. if the product was wearing a low-cut blouse and a short skirt, it's not.
>
> it's weasel words (excuse the idiom). shoveling kitty litter over a big steaming pile.
>
> let me insert a second advert for jake's 30c3 preso, https://www.youtube.com/watch?v=b0w36GAyZIA
>
> randy
Re: NSA able to compromise Cisco, Juniper, Huawei switches
On Jan 1, 2014, at 2:07 AM, Randy Bush ra...@psg.com wrote:

> it's weasel words (excuse the idiom). shoveling kitty litter over a big steaming pile.

Clayton is responding to the ability that he's allowed, and he's using words very precisely.

Here's Cisco's official responses, so far.

http://blogs.cisco.com/news/comment-on-der-spiegel-articles-about-nsa-tao-organization/
http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20131229-der-spiegel

I know both Clay and jns quite well, and they're both straight-shooters.

---
Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com

Luck is the residue of opportunity and design.
-- John Milton
Re: NSA able to compromise Cisco, Juniper, Huawei switches
The best response I've seen to all this hype and I completely agree with Scott:

> Do ya think that you wouldn't also notice a drastic increase in outbound traffic to begin with?
>
> It's fun to watch all the hype and things like that, but to truly sit down and think about what it would actually take to make something like this happen, especially on a sustained and unnoticed basis, is just asinine.
>
> Perhaps more work should be spent maintaining one's own equipment and network than debating the chances that the sky may actually be falling or the NSA hunting your ass down. ;)
>
> Just my two cents for the day!
>
> Happy New Year!
>
> Scott Morris, CCIEx4 (RS/ISP-Dial/Security/Service Provider) #4713, CCDE #2009::D, CCNP-Data Center, CCNP-Voice, JNCIE-SP #153, JNCIE-ENT #102, JNCIS-QFX, CISSP, et al.
> IPv6 Gold Certified Engineer, IPv6 Gold Certified Trainer
> CCSI #21903, JNCI-SP, JNCI-ENT, JNCI-QFX
> s...@emanon.com
>
> Knowledge is power. Power corrupts. Study hard and be Eeeevl..

Jonathan

On Tue, Dec 31, 2013 at 11:16 AM, Warren Bailey wbai...@satelliteintelligencegroup.com wrote:

> +1
>
> NSA states very clearly this is baked in and “widely deployed”. Either Cisco is not very happy with their government overlords today, or they are having long meetings at those oversized conference tables trying to figure out what to tell everyone.
>
> I’m curious about the implications to the US DoD STIG’s that are put out, as I’m fairly sure they do not mention there is a backdoor that anyone who knows how to knock can access.
>
> My other question is.. How are they identifying unique ASA and PIX? Is there a fingerprint mechanism that tells it what’s going on? I’d think there would be quite a few admins out there with really weird syslog entries??
>
> Randy is right here.. Cisco has some ‘splainin to do - we buy these devices as “security appliances”, not NSA rootkit gateways. I hope the .cn guys don’t figure out what’s going on here, I’d imagine there are plenty of ASA’s in the .gov infrastructures.
>
> //warren
>
> PS - I mentioned .cn specifically because of the Huawei aspect, in addition to the fact that it has been widely publicized we are in a “cyber war” with them.
>
> On 12/31/13, 12:07 PM, Randy Bush ra...@psg.com wrote:
>
>>> There's a limit to what can reasonably be called a *product* vulnerability.
>>
>> right. if the product was wearing a low-cut blouse and a short skirt, it's not.
>>
>> it's weasel words (excuse the idiom). shoveling kitty litter over a big steaming pile.
>>
>> let me insert a second advert for jake's 30c3 preso, https://www.youtube.com/watch?v=b0w36GAyZIA
>>
>> randy

--
Jonathan Greenwood II
CCIE #22744
Re: NSA able to compromise Cisco, Juniper, Huawei switches
On Jan 1, 2014, at 2:16 AM, Warren Bailey wbai...@satelliteintelligencegroup.com wrote:

> Randy is right here.. Cisco has some ‘splainin to do - we buy these devices as “security appliances”, not NSA rootkit gateways

http://blogs.cisco.com/news/comment-on-der-spiegel-articles-about-nsa-tao-organization/
http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20131229-der-spiegel

---
Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com

Luck is the residue of opportunity and design.
-- John Milton
Re: NSA able to compromise Cisco, Juniper, Huawei switches
* Randy Bush:

>> There's a limit to what can reasonably be called a *product* vulnerability.
>
> right. if the product was wearing a low-cut blouse and a short skirt, it's not.

Uh-oh, is this an attempt at an argument based on a blame-the-victim rape analogy?
Re: NSA able to compromise Cisco, Juniper, Huawei switches
On Jan 1, 2014, at 2:34 AM, Jonathan Greenwood II gwoo...@gmail.com wrote:

> The best response I've seen to all this hype and I completely agree with Scott:
>
>> Do ya think that you wouldn't also notice a drastic increase in outbound traffic to begin with?
>>
>> It's fun to watch all the hype and things like that, but to truly sit down and think about what it would actually take to make something like this happen, especially on a sustained and unnoticed basis, is just asinine.

Hopefully, this drives home the importance of all the various BCPs like iACLs, isolated jump-off boxes for interactive access, config-file management, and network telemetry - including visibility into DCN/OOB traffic. There are open-source tools out there which can be used for these purposes. It doesn't require a lot of capex, mainly opex - i.e., elbow-grease.

---
Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com

Luck is the residue of opportunity and design.
-- John Milton
Re: NSA able to compromise Cisco, Juniper, Huawei switches
>> it's weasel words (excuse the idiom). shoveling kitty litter over a big steaming pile.
>
> Clayton is responding to the ability that he's allowed, and he's using words very precisely.

qed
Re: NSA able to compromise Cisco, Juniper, Huawei switches
> The best response I've seen to all this hype and I completely agree with Scott:
>
>> Do ya think that you wouldn't also notice a drastic increase in outbound traffic to begin with?
>>
>> It's fun to watch all the hype and things like that, but to truly sit down and think about what it would actually take to make something like this happen, especially on a sustained and unnoticed basis, is just asinine.

A drastic increase, definitely. Smaller increases (say a couple of Mbps on a link normally carrying 100 Mbps or more), doubtful. It all depends on the volume of the information you're looking for.

Steinar Haug, Nethelp consulting, sth...@nethelp.no
Re: NSA able to compromise Cisco, Juniper, Huawei switches
On 12/31/2013 12:33 PM, sth...@nethelp.no wrote:

>> The best response I've seen to all this hype and I completely agree with Scott:
>>
>>> Do ya think that you wouldn't also notice a drastic increase in outbound traffic to begin with?
>>>
>>> It's fun to watch all the hype and things like that, but to truly sit down and think about what it would actually take to make something like this happen, especially on a sustained and unnoticed basis, is just asinine.
>
> A drastic increase, definitely. Smaller increases (say a couple of Mbps on a link normally carrying 100 Mbps or more), doubtful. It all depends on the volume of the information you're looking for.

More than you know.

As someone who has seen firsthand, in real time, an adversary exfiltrate documents and other data out of an organization to which he has gained unauthorized internal access -- real professionals know how to blend in with the noise and fly under the radar successfully.

- ferg

--
Paul Ferguson
PGP Public Key ID: 0x63546533
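Steinar's point (a couple of Mbps on a 100 Mbps link is not a "drastic increase") and Ferg's (professionals blend into the noise) are the same observation from two sides: a link-level utilisation threshold is the wrong instrument. The block below is an added example, not from the thread or any product: it runs two checks over the same constructed set of outbound flow summaries, a naive link-load ratio and a per-destination baseline comparison, so the difference is visible. Destination addresses (TEST-NET ranges), interval length and rates are all constructed; the detection thresholds are choices made for the illustration, not recommendations for a specific network.

```python
# Added example (not from the thread): two ways of looking at the same constructed
# outbound flow summaries. The link, destination addresses (TEST-NET ranges) and
# rates are all constructed for this illustration.
from collections import defaultdict

INTERVAL_SECONDS = 300  # one summary per 5-minute bucket (assumption)


def build_constructed_flows():
    """Return (baseline, window) lists of (interval, destination, avg_mbps).

    Baseline: 24 intervals of normal traffic to two known peers (~100 Mbps total).
    Window:   12 later intervals with the same normal traffic plus
              - a new destination receiving a steady 2 Mbps every interval, and
              - a new destination seen briefly (2 intervals at 3 Mbps).
    """
    def normal(iv):
        return [(iv, "203.0.113.10", 60.0 + iv % 3),
                (iv, "203.0.113.20", 40.0 - (iv % 2) * 1.0)]

    baseline = [rec for iv in range(24) for rec in normal(iv)]
    window = [rec for iv in range(24, 36) for rec in normal(iv)]
    window += [(iv, "198.51.100.7", 2.0) for iv in range(24, 36)]  # steady low-rate
    window += [(iv, "192.0.2.9", 3.0) for iv in (25, 26)]          # transient
    return baseline, window


def average_link_mbps(flows):
    """Mean total outbound Mbps per interval over the flows given."""
    per_interval = defaultdict(float)
    for iv, _dst, mbps in flows:
        per_interval[iv] += mbps
    return sum(per_interval.values()) / len(per_interval)


def link_increase_ratio(baseline, window):
    """Window/baseline ratio of average link load: the 'drastic increase' check."""
    return average_link_mbps(window) / average_link_mbps(baseline)


def new_sustained_destinations(baseline, window, min_mbps=1.0, min_fraction=0.75):
    """Destinations absent from the baseline that appear in at least min_fraction
    of the window's intervals with an average rate of at least min_mbps.

    Returns sorted [(destination, intervals_seen, avg_mbps)].
    """
    seen_before = {dst for _iv, dst, _m in baseline}
    window_intervals = {iv for iv, _dst, _m in window}
    rows = defaultdict(list)
    for iv, dst, mbps in window:
        if dst not in seen_before:
            rows[dst].append((iv, mbps))
    alerts = []
    for dst, samples in rows.items():
        intervals = {iv for iv, _m in samples}
        avg = sum(m for _iv, m in samples) / len(samples)
        if len(intervals) / len(window_intervals) >= min_fraction and avg >= min_mbps:
            alerts.append((dst, len(intervals), avg))
    return sorted(alerts)


if __name__ == "__main__":
    base, win = build_constructed_flows()
    print(f"link load ratio window/baseline: {link_increase_ratio(base, win):.3f}")
    for dst, n, avg in new_sustained_destinations(base, win):
        print(f"new sustained destination {dst}: {n} intervals, avg {avg:.1f} Mbps")
```

On this data the link load rises by roughly 2.5%, far below anything a utilisation alarm would fire on, while the per-destination view isolates the one new address that receives traffic in every interval and ignores the two-interval transient. The obvious gap, which Ferg's remark anticipates, is that nothing here catches data leaving toward a destination that is already in the baseline; that needs per-destination volume baselines or content-aware inspection, not just presence.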
Re: NSA able to compromise Cisco, Juniper, Huawei switches
Explaining, not a denial written by their legal department. I find it insanely difficult to believe cisco systems has a backdoor into some of their product lines with no knowledge or participation. Given the fact that RSA had a check cut for their participation (sell outs..), would it be out of the realm of possibility cisco knowingly placed this into their product line? And would it be their mistake to come out with a “we had no idea!” rather than “guys with badges and court orders made us do it!”?

Google has some deniability, as their networks were compromised without their knowledge. Placing code into a PC BIOS or IOS image is a far different beast than asking a fiber provider to give a split to a governmental agency. Secret squirrel wires with secret squirrel modulation techniques isn’t a surprise to me, what is a surprise to me is the level of acceptance the IT community has shown thus far on NANOG.

On a side note, I found it unbelievable the NSA was so pissed off about aeronautical access being hard to capture. The initial article made it seem like they had already gotten ahold of the data, which would have really pissed me off. If it’s really that difficult, I have a NSA proof satellite platform with capacity should anyone need it.. ;)

//warren

On 12/31/13, 12:34 PM, Dobbins, Roland rdobb...@arbor.net wrote:

> On Jan 1, 2014, at 2:16 AM, Warren Bailey wbai...@satelliteintelligencegroup.com wrote:
>
>> Randy is right here.. Cisco has some ‘splainin to do - we buy these devices as “security appliances”, not NSA rootkit gateways
>
> http://blogs.cisco.com/news/comment-on-der-spiegel-articles-about-nsa-tao-organization/
> http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20131229-der-spiegel
>
> ---
> Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com
>
> Luck is the residue of opportunity and design.
> -- John Milton
Re: NSA able to compromise Cisco, Juniper, Huawei switches
* Warren Bailey:

> Explaining, not a denial written by their legal department. I find it insanely difficult to believe cisco systems has a backdoor into some of their product lines with no knowledge or participation.

As far as I understand it, these are firmware tweaks or implants sitting on a privileged bus (think PCI with busmaster DMA). Such things can be added after the device has left the factory by a sufficiently knowledgeable third party.
Re: NSA able to compromise Cisco, Juniper, Huawei switches
On 12/31/2013 4:02 PM, Florian Weimer wrote:

> * Warren Bailey:
>
>> Explaining, not a denial written by their legal department. I find it insanely difficult to believe cisco systems has a backdoor into some of their product lines with no knowledge or participation.
>
> As far as I understand it, these are firmware tweaks or implants sitting on a privileged bus (think PCI with busmaster DMA). Such things can be added after the device has left the factory by a sufficiently knowledgeable third party.

That's really interesting. Where are these Cisco devices manufactured?

- ferg

--
Paul Ferguson
PGP Public Key ID: 0x63546533
Re: NSA able to compromise Cisco, Juniper, Huawei switches
China. ;) lol

Sent from my Mobile Device.

-------- Original message --------
From: Paul Ferguson fergdawgs...@mykolab.com
Date: 12/31/2013 4:13 PM (GMT-08:00)
To: nanog@nanog.org
Subject: Re: NSA able to compromise Cisco, Juniper, Huawei switches

On 12/31/2013 4:02 PM, Florian Weimer wrote:

> * Warren Bailey:
>
>> Explaining, not a denial written by their legal department. I find it insanely difficult to believe cisco systems has a backdoor into some of their product lines with no knowledge or participation.
>
> As far as I understand it, these are firmware tweaks or implants sitting on a privileged bus (think PCI with busmaster DMA). Such things can be added after the device has left the factory by a sufficiently knowledgeable third party.

That's really interesting. Where are these Cisco devices manufactured?

- ferg

--
Paul Ferguson
PGP Public Key ID: 0x63546533
Re: NSA able to compromise Cisco, Juniper, Huawei switches
On (2013-12-30 20:30 +1100), sten rulz wrote:

> Found some interesting news on one of the Australia news websites.
>
> http://www.scmagazine.com.au/News/368527,nsa-able-to-compromise-cisco-juniper-huawei-switches.aspx

The quality of this data is too damn low. Not as bad as this though, http://cryptome.org/2013/12/Full-Disclosure.pdf

I really think we're doing disservice to an issue which might be at scale of human-rights issue, by spamming media with 0 data news. Where is this backdoor? How does it work? How can I recreate on my devices?

Large audience already seems to largely be in ignore mode about NSA revelations, since revelations are very noisy but little signal.

--
++ytti
Re: NSA able to compromise Cisco, Juniper, Huawei switches
Saku Ytti s...@ytti.fi wrote:

> On (2013-12-30 20:30 +1100), sten rulz wrote:
>
> I really think we're doing disservice to an issue which might be at scale of human-rights issue, by spamming media with 0 data news. Where is this backdoor? How does it work? How can I recreate on my devices?

I don't really want you to know how to recreate it until the companies have had a chance to fix said issue. I'd hope, if such issues were disclosed, those news outlets would go through proper channels of disclosure before going to press with it.

> Large audience already seems to largely be in ignore mode about NSA revelations, since revelations are very noisy but little signal.

I think the NSA is hoping that to be the case. But just based on the fact that 60 Minutes did a story on the NSA and the NSA, POTUS, congress, and that half my Twitter, Facebook, and mailing lists are still talking about it (though my networks are probably biased) shows that people are still interested. Also, I think there's a fair chance SCOTUS will take this up due to differing rulings. Before this goes the way of Crypto-AG or clapper, it's got quite a fair distance left in it.
Re: NSA able to compromise Cisco, Juniper, Huawei switches
On (2013-12-30 06:12 -0500), Shawn Wilson wrote:

> I don't really want you to know how to recreate it until the companies have had a chance to fix said issue. I'd hope, if such issues were disclosed, those news outlets would go through proper channels of disclosure before going to press with it.

Until disclosed it's just speculation and conjecture. If vendors are cooperating with NSA, there is no incentive to fix, there is incentive to claim fix or non-existence of such features.

I welcome the short-term havoc and damage of such disclosure if it would be anywhere near the magnitude implied, it would create pressure to change things.

--
++ytti
Re: NSA able to compromise Cisco, Juniper, Huawei switches
On Dec 30, 2013, at 5:06 PM, Saku Ytti s...@ytti.fi wrote:

> The quality of this data is too damn low.

The #1 way that Cisco routers and switches are compromised is brute-forcing against an unsecured management plane, with username 'cisco' and password 'cisco'.

The #1 way that Juniper and switches are compromised is brute-forcing against an unsecured management plane, with username 'cisco' and password 'cisco'.

;

Note that both Cisco and Juniper have many platforms, running on various hardware, and running various OSes/trains/releases/throttles

---
Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com

Luck is the residue of opportunity and design.
-- John Milton
Re: NSA able to compromise Cisco, Juniper, Huawei switches
On Dec 30, 2013, at 6:18 PM, Saku Ytti s...@ytti.fi wrote:

> I welcome the short-term havoc and damage of such disclosure if it would be anywhere near the magnitude implied, it would create pressure to change things.

This is the type of change we're likely to see, IMHO:

http://lauren.vortex.com/archive/001074.html

---
Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com

Luck is the residue of opportunity and design.
-- John Milton
Re: NSA able to compromise Cisco, Juniper, Huawei switches
Even more outrageous than the domestic spying is the arrogance to think that they can protect the details on backdoors into critical infrastructure.

They may have basically created the framework for an Internet-wide kill switch, that likely also affects every aspect of modern communication. Since they don't disclose any of this to other agencies, it's very likely that even parts of the DOD are vulnerable.

I hope when [if] the truth is learned it is a lot less prevalent than it sounds, but I'm not optimistic.

This is why we need all infrastructure to be implemented using open standards, open hardware designs, and open source software IMHO.

I hope Cisco, Juniper, and others respond quickly with updated images for all platforms affected before the details leak.

On Mon, Dec 30, 2013 at 6:29 AM, Dobbins, Roland rdobb...@arbor.net wrote:

> On Dec 30, 2013, at 6:18 PM, Saku Ytti s...@ytti.fi wrote:
>
>> I welcome the short-term havoc and damage of such disclosure if it would be anywhere near the magnitude implied, it would create pressure to change things.
>
> This is the type of change we're likely to see, IMHO:
>
> http://lauren.vortex.com/archive/001074.html
>
> ---
> Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com
>
> Luck is the residue of opportunity and design.
> -- John Milton

--
Ray Patrick Soucy
Network Engineer
University of Maine System

T: 207-561-3526
F: 207-561-3531

MaineREN, Maine's Research and Education Network
www.maineren.net
Re: NSA able to compromise Cisco, Juniper, Huawei switches
On Mon, Dec 30, 2013 at 8:07 AM, Ray Soucy r...@maine.edu wrote:

> I hope Cisco, Juniper, and others respond quickly with updated images for all platforms affected before the details leak.

So, if this plays out nice (if true, it won't), the fix will come months before the disclosure. Think, if you're leasing a router from your ISP, you might not have the ability to update it (or might violate your contract). So, you need to wait for [manufacturer] to update, test, and release an update, then you need to work with your provider to make sure the update gets pushed correctly.

Also, even open hardware isn't completely open - see the Pi - probably the most open of hardware stacks. The CPU isn't completely open. Also, see FreeBSD not using hardware PRNG for this reason.
Re: NSA able to compromise Cisco, Juniper, Huawei switches
On Dec 30, 2013, at 8:07 PM, Ray Soucy r...@maine.edu wrote:

> I hope Cisco, Juniper, and others respond quickly with updated images for all platforms affected before the details leak.

During my time at Cisco, I was involved deeply enough with various platform teams as well as PSIRT, etc., to assert with a pretty high degree of confidence that there were no deliberate secret backdoors inserted into any major Cisco router/switch code prior to 2009, when I left Cisco. And Cisco is such a large company, with so many people involved in coding, compilation, auditing, security issue remediation, et al. that I doubt very seriously that something like that could be accomplished without leaking pretty promptly.

In terms of exploits, the Cisco PSIRT team work with security researchers all the time; while I wasn't a member of PSIRT, I worked very closely with them, and if they'd run across something like that prior to 2009, I'm pretty sure I'd know about it. Every so often, they'd find a non-router/-switch product with default admin credentials, and would work with the product team in question to fix it (this is all public knowledge; you can look through PSIRT advisories on cisco.com and find advisories for default admin credentials for various products, along with links to fixed software versions).

And I was also pretty well-acquainted with most of the major software/platform architects, some of whom are still there; none of them would be a party to something like a hidden backdoor, because they all know that it would only be a matter of time until it was found and exploited.

The lawful intercept stuff is a partial exception to this, but Fred Baker, Chip Sharp, and Bill Foster went out of their way to proof it as much as possible against unauthorized exploitation, as long as it's implemented correctly, and they put it out there in the public domain via RFC3924.

In point of fact, RFC3924 was intended to pre-empt pressure for secret backdoors from LEAs; the idea was to get something that was reasonably secure if implemented correctly out there in the public domain, and adopted as a standard, so that network infrastructure vendors could point to an RFC in order to fend off demands for all this secret-squirrel nonsense.

Lawful intercept systems have been exploited in the wild by malicious insiders, but none of the incidents I know about involved Cisco gear. CVE-2008-0960 indirectly impacted lawful intercept due to its SNMP management plane, but responsible network operators should've patched this by now, and should've implemented all the generic BCPs surrounding management-plane traffic, as well. I can't speak for the various third-party lawful-intercept mediation systems, as I've no firsthand knowledge of those.

My assumption is that this allegation about Cisco and Juniper is the result of non-specialists reading about lawful intercept for the first time, and failing to do their homework.

I don't work for Cisco, and I can't speak for them, but I simply don't find the allegation that there are backdoors hidden in Cisco router/switch code to be credible. Maybe I'm wrong; but since folks are constantly fuzzing Cisco code and looking for ways to exploit it, my guess is that any backdoors would've been found and exploits would be in use in the wild to such a degree that it would've become apparent a long time ago.

---
Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com

Luck is the residue of opportunity and design.
-- John Milton
RE: NSA able to compromise Cisco, Juniper, Huawei switches
I'd love to know how they were getting in-flight wifi.

Sent from my Mobile Device.

-------- Original message --------
From: sten rulz stenr...@gmail.com
Date: 12/30/2013 12:32 AM (GMT-09:00)
To: nanog@nanog.org
Subject: NSA able to compromise Cisco, Juniper, Huawei switches

Found some interesting news on one of the Australia news websites.

http://www.scmagazine.com.au/News/368527,nsa-able-to-compromise-cisco-juniper-huawei-switches.aspx

Regards,
Steven.
Re: NSA able to compromise Cisco, Juniper, Huawei switches
On Mon, 30 Dec 2013 14:34:52 +, Dobbins, Roland said:

> My assumption is that this allegation about Cisco and Juniper is the result of non-specialists reading about lawful intercept for the first time, and failing to do their homework.

That does raise an interesting question. What percentage of Cisco gear that supports a CALEA lawful intercept mode is installed in situations where CALEA doesn't apply, and thus there's a high likelihood that said support is misconfigured and abusable without being noticed?
Re: NSA able to compromise Cisco, Juniper, Huawei switches
On Dec 30, 2013, at 10:44 PM, valdis.kletni...@vt.edu valdis.kletni...@vt.edu wrote:

> What percentage of Cisco gear that supports a CALEA lawful intercept mode is installed in situations where CALEA doesn't apply, and thus there's a high likelihood that said support is misconfigured and abusable without being noticed?

AFAIK, it must be explicitly enabled in order to be functional. It isn't the sort of thing which is enabled by default, nor can it be enabled without making explicit configuration changes.

---
Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com

Luck is the residue of opportunity and design.
-- John Milton
Re: NSA able to compromise Cisco, Juniper, Huawei switches
On Dec 30, 2013, at 11:03 PM, Dobbins, Roland rdobb...@arbor.net wrote:

> AFAIK, it must be explicitly enabled in order to be functional. It isn't the sort of thing which is enabled by default, nor can it be enabled without making explicit configuration changes.

It's also possible they're talking about something along these lines:

http://ids.cs.columbia.edu/sites/default/files/paper.pdf

---
Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com

Luck is the residue of opportunity and design.
-- John Milton
Re: NSA able to compromise Cisco, Juniper, Huawei switches
On 12/30/2013 08:03 AM, Dobbins, Roland wrote:

> On Dec 30, 2013, at 10:44 PM, valdis.kletni...@vt.edu wrote:
>
>> What percentage of Cisco gear that supports a CALEA lawful intercept mode is installed in situations where CALEA doesn't apply, and thus there's a high likelihood that said support is misconfigured and abusable without being noticed?
>
> AFAIK, it must be explicitly enabled in order to be functional. It isn't the sort of thing which is enabled by default, nor can it be enabled without making explicit configuration changes.

Also, the way that things are integrated, it's usually an explicit decision to pull a piece of functionality in rather than inheriting it. Product managers don't willingly want to waste time pulling things in that a) don't make them money, and b) require support. So I doubt very seriously that CALEA functionality is accidentally included in inappropriate things. Doubly so because of the performance implications.

Mike
Re: NSA able to compromise Cisco, Juniper, Huawei switches
On Mon, Dec 30, 2013 at 04:03:07PM +0000, Dobbins, Roland wrote:

> On Dec 30, 2013, at 10:44 PM, valdis.kletni...@vt.edu wrote:
>
>> What percentage of Cisco gear that supports a CALEA lawful intercept mode is installed in situations where CALEA doesn't apply, and thus there's a high likelihood that said support is misconfigured and abusable without being noticed?
>
> AFAIK, it must be explicitly enabled in order to be functional. It isn't the sort of thing which is enabled by default, nor can it be enabled without making explicit configuration changes.

At least back in 2007 it could be enabled/configured by SNMP RW access [see slide 43 of the presentation referenced in this post: http://www.insinuator.net/2013/07/snmp-reflected-amplification-ddos-attacks/], so knowing the term "private" might be enough to perform the task remotely.

have a good one

Enno

> ---
> Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com
>
> Luck is the residue of opportunity and design. -- John Milton

--
Enno Rey
ERNW GmbH - Carl-Bosch-Str. 4 - 69115 Heidelberg - www.ernw.de
Tel. +49 6221 480390 - Fax 6221 419008 - Cell +49 173 6745902
Handelsregister Mannheim: HRB 337135
Geschaeftsfuehrer: Enno Rey
=== Blog: www.insinuator.net || Conference: www.troopers.de ===
Re: NSA able to compromise Cisco, Juniper, Huawei switches
This might be an interesting example of its (mis)use.

http://en.wikipedia.org/wiki/Greek_wiretapping_case_2004%E2%80%932005

Sam Moats

On 2013-12-30 11:16, Enno Rey wrote:

> On Mon, Dec 30, 2013 at 04:03:07PM +0000, Dobbins, Roland wrote:
>
>> On Dec 30, 2013, at 10:44 PM, valdis.kletni...@vt.edu wrote:
>>
>>> What percentage of Cisco gear that supports a CALEA lawful intercept mode is installed in situations where CALEA doesn't apply, and thus there's a high likelihood that said support is misconfigured and abusable without being noticed?
>>
>> AFAIK, it must be explicitly enabled in order to be functional. It isn't the sort of thing which is enabled by default, nor can it be enabled without making explicit configuration changes.
>
> At least back in 2007 it could be enabled/configured by SNMP RW access [see slide 43 of the presentation referenced in this post: http://www.insinuator.net/2013/07/snmp-reflected-amplification-ddos-attacks/], so knowing the term "private" might be enough to perform the task remotely.
>
> have a good one
>
> Enno
>
>> ---
>> Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com
>>
>> Luck is the residue of opportunity and design. -- John Milton
Re: NSA able to compromise Cisco, Juniper, Huawei switches
On 12/30/2013 9:05 AM, Warren Bailey wrote:

> I'd love to know how they were getting in flight wifi.
>
> Sent from my Mobile Device.
>
> Original message
> From: sten rulz stenr...@gmail.com
> Date: 12/30/2013 12:32 AM (GMT-09:00)
> To: nanog@nanog.org
> Subject: NSA able to compromise Cisco, Juniper, Huawei switches
>
> Found some interesting news on one of the Australia news websites.
>
> http://www.scmagazine.com.au/News/368527,nsa-able-to-compromise-cisco-juniper-huawei-switches.aspx
>
> Regards, Steven.

Simple. Grab it from where it hits the base stations. One of the two big in-flight Wifi carriers in the US uses Sprint towers; I believe the other used satellite. They have to get back to a ground station somewhere in order to get network access. Easy to tap it there and send it wherever you want. Grabbing an ad-hoc signal between two endpoints in the air is probably significantly more involved. Implementation of this is left as an exercise for the VERY well-funded reader. ;-)

Jeremy "TheBrez" Bresley b...@brezworks.com
Re: NSA able to compromise Cisco, Juniper, Huawei switches
We had a hell of a time finding anything that supported the CALEA stuff past a 7206. This was for an in-flight global wifi network, hence my original concern. Also note that when we did get it to work, it pretty much didn't. Or I should say... it worked when it wanted to. How they are mapping PNR to user sessions is beyond me. In our case all of our AAA was being done by a German partner, which further complicated matters. I always assumed they had our traffic via listening stations, but they weren't getting it from us. I no longer have a hand in that network, but I am honestly shocked this morning.

Sent from my Mobile Device.

Original message
From: valdis.kletni...@vt.edu
Date: 12/30/2013 6:48 AM (GMT-09:00)
To: Dobbins, Roland rdobb...@arbor.net
Cc: nanog@nanog.org list nanog@nanog.org
Subject: Re: NSA able to compromise Cisco, Juniper, Huawei switches

> On Mon, 30 Dec 2013 14:34:52 +0000, Dobbins, Roland said:
>
>> My assumption is that this allegation about Cisco and Juniper is the result of non-specialists reading about lawful intercept for the first time, and failing to do their homework.
>
> That does raise an interesting question. What percentage of Cisco gear that supports a CALEA lawful intercept mode is installed in situations where CALEA doesn't apply, and thus there's a high likelihood that said support is misconfigured and abusable without being noticed?
Re: NSA able to compromise Cisco, Juniper, Huawei switches
I built the other.

Sent from my Mobile Device.

Original message
From: Jeremy Bresley b...@brezworks.com
Date: 12/30/2013 7:34 AM (GMT-09:00)
To: nanog@nanog.org
Subject: Re: NSA able to compromise Cisco, Juniper, Huawei switches

> On 12/30/2013 9:05 AM, Warren Bailey wrote:
>
>> I'd love to know how they were getting in flight wifi.
>>
>> Sent from my Mobile Device.
>>
>> Original message
>> From: sten rulz stenr...@gmail.com
>> Date: 12/30/2013 12:32 AM (GMT-09:00)
>> To: nanog@nanog.org
>> Subject: NSA able to compromise Cisco, Juniper, Huawei switches
>>
>> Found some interesting news on one of the Australia news websites.
>>
>> http://www.scmagazine.com.au/News/368527,nsa-able-to-compromise-cisco-juniper-huawei-switches.aspx
>>
>> Regards, Steven.
>
> Simple. Grab it from where it hits the base stations. One of the two big in-flight Wifi carriers in the US uses Sprint towers; I believe the other used satellite. They have to get back to a ground station somewhere in order to get network access. Easy to tap it there and send it wherever you want. Grabbing an ad-hoc signal between two endpoints in the air is probably significantly more involved. Implementation of this is left as an exercise for the VERY well-funded reader. ;-)
>
> Jeremy "TheBrez" Bresley b...@brezworks.com
Re: NSA able to compromise Cisco, Juniper, Huawei switches
On Dec 30, 2013, at 11:16 PM, Enno Rey e...@ernw.de wrote:

> At least back in 2007 it could be enabled/configured by SNMP RW access [see slide 43 of the presentation referenced in this post: http://www.insinuator.net/2013/07/snmp-reflected-amplification-ddos-attacks/], so knowing the term "private" might be enough to perform the task remotely.

SNMP RW = configuration.

---
Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com

Luck is the residue of opportunity and design. -- John Milton
Re: NSA able to compromise Cisco, Juniper, Huawei switches
On Dec 30, 2013, at 11:18 PM, Sam Moats s...@circlenet.us wrote:

> This might be an interesting example of its (mis)use.
>
> http://en.wikipedia.org/wiki/Greek_wiretapping_case_2004%E2%80%932005

That's one of the cases I know about; it was utilized via Ericsson gear.

---
Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com

Luck is the residue of opportunity and design. -- John Milton
Re: NSA able to compromise Cisco, Juniper, Huawei switches
Looking more at the actual leaked information, it seems that if the NSA is working with companies, it's not anything the companies are likely aware of.

The common form of infection seems to be through software updates performed by administrators (through the NSA hijacking web traffic). They are implemented as firmware and BIOS infections that modify the OS image and persist through software upgrades to provide a persistent back door (PBD). The documents imply that a significant number of systems deployed are already infected.

So this isn't an issue of the NSA working with Cisco and Juniper to include back doors, it's an issue of the NSA modifying those releases after the fact through BIOS implants. Where exactly the NSA is inserting these we can't be sure. They could be targeted or they could be at the assembly line.

Quick Summary of Leaked Information:
Source: http://www.spiegel.de/international/world/a-941262.html

Firewalls:
(1) Cisco PIX and ASA: Codename JETPLOW
(2) Huawei Eudemon: Codename HALLUXWATER
(3) Juniper Netscreen and ISG: Codename FEEDTROUGH
(4) Juniper SSG and Netscreen G5, 25, and 50, SSG-series: Codename GOURMETTROUGH
(5) Juniper SSG300 and SSG500: Codename SOUFFLETROUGH

Routers:
(1) Huawei Router: Codename HEADWATER
(2) Juniper J-Series: Codename SCHOOLMONTANA
(3) Juniper M-Series: Codename SIERRAMONTANA
(4) Juniper T-Series: Codename STUCCOMONTANA

Servers:
(1) HP DL380 G5: Codename IRONCHEF
(2) Dell PowerEdge: Codename DEITYBOUNCE
(3) Generic PC BIOS: Codename SWAP, able to compromise Windows, Linux, FreeBSD, or Solaris using FAT32, NTFS, EXT2, EXT3, or UFS filesystems.

USB Cables and VGA Cables:
Codename COTTONMOUTH: this one is a hardware implant hidden in a USB cable. The diagram shows it's small enough that you would never know it's there.
Codename RAGEMASTER: VGA cable, mirrors VGA over the air.

Many others.

I'm not sure that the list is comprehensive, so I wouldn't say that since Cisco routers are not mentioned (for example) that they're any more safe than Juniper (which is listed often).

On Mon, Dec 30, 2013 at 11:50 AM, Dobbins, Roland rdobb...@arbor.net wrote:

> On Dec 30, 2013, at 11:18 PM, Sam Moats s...@circlenet.us wrote:
>
>> This might be an interesting example of its (mis)use.
>>
>> http://en.wikipedia.org/wiki/Greek_wiretapping_case_2004%E2%80%932005
>
> That's one of the cases I know about; it was utilized via Ericsson gear.
>
> ---
> Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com
>
> Luck is the residue of opportunity and design. -- John Milton

--
Ray Patrick Soucy
Network Engineer
University of Maine System
T: 207-561-3526 F: 207-561-3531
MaineREN, Maine's Research and Education Network
www.maineren.net
RE: NSA able to compromise Cisco, Juniper, Huawei switches
NANOG:

Here's the really scary question for me. Would it be possible for NSA-payload traffic that originates on our private networks that is destined for the NSA to go undetected by our IDS systems? For example, tcpdump-based IDS systems like Snort have been rooted to ignore or not report packets going back to the NSA? Or netflow on Cisco devices not reporting NSA traffic? Or interface traffic counters discarding NSA packets to report that there is no usage on the interface when in fact there is?

Here's another question. What traffic do we look for on our networks that would be going to the NSA?

Thoughts?

(And semi-self-consciously adding myself to the NSA list of targets.)

Lorell Hathcock

-----Original Message-----
From: Ray Soucy [mailto:r...@maine.edu]
Sent: Monday, December 30, 2013 11:01 AM
To: Dobbins, Roland
Cc: nanog@nanog.org list
Subject: Re: NSA able to compromise Cisco, Juniper, Huawei switches

> Looking more at the actual leaked information, it seems that if the NSA is working with companies, it's not anything the companies are likely aware of.
>
> The common form of infection seems to be through software updates performed by administrators (through the NSA hijacking web traffic). They are implemented as firmware and BIOS infections that modify the OS image and persist through software upgrades to provide a persistent back door (PBD). The documents imply that a significant number of systems deployed are already infected.
>
> So this isn't an issue of the NSA working with Cisco and Juniper to include back doors, it's an issue of the NSA modifying those releases after the fact through BIOS implants. Where exactly the NSA is inserting these we can't be sure. They could be targeted or they could be at the assembly line.
>
> Quick Summary of Leaked Information:
> Source: http://www.spiegel.de/international/world/a-941262.html
>
> Firewalls:
> (1) Cisco PIX and ASA: Codename JETPLOW
> (2) Huawei Eudemon: Codename HALLUXWATER
> (3) Juniper Netscreen and ISG: Codename FEEDTROUGH
> (4) Juniper SSG and Netscreen G5, 25, and 50, SSG-series: Codename GOURMETTROUGH
> (5) Juniper SSG300 and SSG500: Codename SOUFFLETROUGH
>
> Routers:
> (1) Huawei Router: Codename HEADWATER
> (2) Juniper J-Series: Codename SCHOOLMONTANA
> (3) Juniper M-Series: Codename SIERRAMONTANA
> (4) Juniper T-Series: Codename STUCCOMONTANA
>
> Servers:
> (1) HP DL380 G5: Codename IRONCHEF
> (2) Dell PowerEdge: Codename DEITYBOUNCE
> (3) Generic PC BIOS: Codename SWAP, able to compromise Windows, Linux, FreeBSD, or Solaris using FAT32, NTFS, EXT2, EXT3, or UFS filesystems.
>
> USB Cables and VGA Cables:
> Codename COTTONMOUTH: this one is a hardware implant hidden in a USB cable. The diagram shows it's small enough that you would never know it's there.
> Codename RAGEMASTER: VGA cable, mirrors VGA over the air.
>
> Many others.
>
> I'm not sure that the list is comprehensive, so I wouldn't say that since Cisco routers are not mentioned (for example) that they're any more safe than Juniper (which is listed often).
>
> On Mon, Dec 30, 2013 at 11:50 AM, Dobbins, Roland rdobb...@arbor.net wrote:
>
>> On Dec 30, 2013, at 11:18 PM, Sam Moats s...@circlenet.us wrote:
>>
>>> This might be an interesting example of its (mis)use.
>>>
>>> http://en.wikipedia.org/wiki/Greek_wiretapping_case_2004%E2%80%932005
>>
>> That's one of the cases I know about; it was utilized via Ericsson gear.
>>
>> ---
>> Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com
>>
>> Luck is the residue of opportunity and design. -- John Milton
>
> --
> Ray Patrick Soucy
> Network Engineer
> University of Maine System
> T: 207-561-3526 F: 207-561-3531
> MaineREN, Maine's Research and Education Network
> www.maineren.net
Re: NSA able to compromise Cisco, Juniper, Huawei switches
On Mon, Dec 30, 2013 at 1:17 PM, Lorell Hathcock lor...@hathcock.org wrote:

> NANOG:
>
> Here's the really scary question for me. Would it be possible for NSA-payload traffic that originates on our private networks that is destined for the NSA to go undetected by our IDS systems?

Yup. Absolutely. Without a doubt.

> For example, tcpdump-based IDS systems like Snort have been rooted to ignore or not report packets going back to the NSA? Or netflow on Cisco devices not reporting NSA traffic? Or interface traffic counters discarding NSA packets to report that there is no usage on the interface when in fact there is?

Do you detect 100% of malware in your IDS? Why would anyone need to do anything with your IDS? Craft a PDF, DOC, Java, Flash, or anything else that can run code that people download all the time with a payload of unknown signature. This isn't really a network discussion. This is just to say - I seriously doubt there's anything wrong with your IDS - don't skin a cat with a flame thrower, it just doesn't need to be that hard.

> Here's another question. What traffic do we look for on our networks that would be going to the NSA?

Standard https on port 443 maybe? That's how I'd send it. If you need to send something bigger than normal, maybe compromise the email server and have a few people send off some 5 - 10 meg messages? Depends on your normal user base. If you've got a big, complex user base, it's not hard to stay under the radar. Google 'Mandiant APT1' for some real good reading.
Re: NSA able to compromise Cisco, Juniper, Huawei switches
On a side note, I've been involved with organizing the New England regional Collegiate Cyber-Defense Competition for a while, and one of our Red Team members was able to make a pretty convincing IOS rootkit using IOS TCL scripting to mask configuration from the students. I don't think any students were able to detect it until word got out after it was used a few years in a row. IIRC, Cisco threatened to sue if it was ever released, so no, it's not publicly available. It is possible, however. Don't assume that your routers are any safer than your servers. :-)

On Mon, Dec 30, 2013 at 1:35 PM, shawn wilson ag4ve...@gmail.com wrote:

> On Mon, Dec 30, 2013 at 1:17 PM, Lorell Hathcock lor...@hathcock.org wrote:
>
>> NANOG:
>>
>> Here's the really scary question for me. Would it be possible for NSA-payload traffic that originates on our private networks that is destined for the NSA to go undetected by our IDS systems?
>
> Yup. Absolutely. Without a doubt.
>
>> For example, tcpdump-based IDS systems like Snort have been rooted to ignore or not report packets going back to the NSA? Or netflow on Cisco devices not reporting NSA traffic? Or interface traffic counters discarding NSA packets to report that there is no usage on the interface when in fact there is?
>
> Do you detect 100% of malware in your IDS? Why would anyone need to do anything with your IDS? Craft a PDF, DOC, Java, Flash, or anything else that can run code that people download all the time with a payload of unknown signature. This isn't really a network discussion. This is just to say - I seriously doubt there's anything wrong with your IDS - don't skin a cat with a flame thrower, it just doesn't need to be that hard.
>
>> Here's another question. What traffic do we look for on our networks that would be going to the NSA?
>
> Standard https on port 443 maybe? That's how I'd send it. If you need to send something bigger than normal, maybe compromise the email server and have a few people send off some 5 - 10 meg messages? Depends on your normal user base. If you've got a big, complex user base, it's not hard to stay under the radar. Google 'Mandiant APT1' for some real good reading.

--
Ray Patrick Soucy
Network Engineer
University of Maine System
T: 207-561-3526 F: 207-561-3531
MaineREN, Maine's Research and Education Network
www.maineren.net
Re: NSA able to compromise Cisco, Juniper, Huawei switches
> IIRC, Cisco threatened to sue if it was ever released

you gotta love it. they will roll over and piss themselves for nsa and other who are violating every principle, but threaten paying customers who would report a hole.

the question is what have these companies and gov people not violated?

randy
Re: NSA able to compromise Cisco, Juniper, Huawei switches
Hi all,

I've been watching this list for a couple of weeks now and, while risking being flamed, I just wanted to say that any network professional that puts any equipment into production without securing it against the kind of issues mentioned so far (cisco/cisco, snmp private, etc) is negligent and should be fired on the spot.

These are not backdoor issues, NSA related, whatever... This is noise.

Trying to get this thread on track, can the original poster provide any proof of this so called ability of the so called intelligence agency being able to access cisco/juniper, taking into account that management access has been correctly configured?

Regards
-Marco

---
Cumprimentos / Best regards
Marco Teixeira
email/gtalk/msn: ad...@marcoteixeira.com
skype: admin-marcoteixeira.com
---
Did you know that Marco Teixeira is an independent, industry expert, senior consultant? His expertise is available for hire.
---

On Mon, Dec 30, 2013 at 4:16 PM, Enno Rey e...@ernw.de wrote:

> On Mon, Dec 30, 2013 at 04:03:07PM +0000, Dobbins, Roland wrote:
>
>> On Dec 30, 2013, at 10:44 PM, valdis.kletni...@vt.edu wrote:
>>
>>> What percentage of Cisco gear that supports a CALEA lawful intercept mode is installed in situations where CALEA doesn't apply, and thus there's a high likelihood that said support is misconfigured and abusable without being noticed?
>>
>> AFAIK, it must be explicitly enabled in order to be functional. It isn't the sort of thing which is enabled by default, nor can it be enabled without making explicit configuration changes.
>
> At least back in 2007 it could be enabled/configured by SNMP RW access [see slide 43 of the presentation referenced in this post: http://www.insinuator.net/2013/07/snmp-reflected-amplification-ddos-attacks/], so knowing the term "private" might be enough to perform the task remotely.
>
> have a good one
>
> Enno
>
>> ---
>> Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com
>>
>> Luck is the residue of opportunity and design. -- John Milton
>
> --
> Enno Rey
> ERNW GmbH - Carl-Bosch-Str. 4 - 69115 Heidelberg - www.ernw.de
> Tel. +49 6221 480390 - Fax 6221 419008 - Cell +49 173 6745902
> Handelsregister Mannheim: HRB 337135
> Geschaeftsfuehrer: Enno Rey
> === Blog: www.insinuator.net || Conference: www.troopers.de ===
Re: NSA able to compromise Cisco, Juniper, Huawei switches
There are many ways a backdoor could be used in a properly secured system. To think otherwise is a huge mistake. I can think of several ways, if tasked and given the resources of a large gov't, that I would attack this problem. To assume that those tasked and focused only on this type of solution aren't even more capable would be foolhardy.

-jim

On Mon, Dec 30, 2013 at 12:28 PM, Marco Teixeira ad...@marcoteixeira.com wrote:

> Hi all,
>
> I've been watching this list for a couple of weeks now and, while risking being flamed, I just wanted to say that any network professional that puts any equipment into production without securing it against the kind of issues mentioned so far (cisco/cisco, snmp private, etc) is negligent and should be fired on the spot.
>
> These are not backdoor issues, NSA related, whatever... This is noise.
>
> Trying to get this thread on track, can the original poster provide any proof of this so called ability of the so called intelligence agency being able to access cisco/juniper, taking into account that management access has been correctly configured?
>
> Regards
> -Marco
>
> ---
> Cumprimentos / Best regards
> Marco Teixeira
> email/gtalk/msn: ad...@marcoteixeira.com
> skype: admin-marcoteixeira.com
> ---
> Did you know that Marco Teixeira is an independent, industry expert, senior consultant? His expertise is available for hire.
> ---
>
> On Mon, Dec 30, 2013 at 4:16 PM, Enno Rey e...@ernw.de wrote:
>
>> On Mon, Dec 30, 2013 at 04:03:07PM +0000, Dobbins, Roland wrote:
>>
>>> On Dec 30, 2013, at 10:44 PM, valdis.kletni...@vt.edu wrote:
>>>
>>>> What percentage of Cisco gear that supports a CALEA lawful intercept mode is installed in situations where CALEA doesn't apply, and thus there's a high likelihood that said support is misconfigured and abusable without being noticed?
>>>
>>> AFAIK, it must be explicitly enabled in order to be functional. It isn't the sort of thing which is enabled by default, nor can it be enabled without making explicit configuration changes.
>>
>> At least back in 2007 it could be enabled/configured by SNMP RW access [see slide 43 of the presentation referenced in this post: http://www.insinuator.net/2013/07/snmp-reflected-amplification-ddos-attacks/], so knowing the term "private" might be enough to perform the task remotely.
>>
>> have a good one
>>
>> Enno
>>
>>> ---
>>> Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com
>>>
>>> Luck is the residue of opportunity and design. -- John Milton
>>
>> --
>> Enno Rey
>> ERNW GmbH - Carl-Bosch-Str. 4 - 69115 Heidelberg - www.ernw.de
>> Tel. +49 6221 480390 - Fax 6221 419008 - Cell +49 173 6745902
>> Handelsregister Mannheim: HRB 337135
>> Geschaeftsfuehrer: Enno Rey
>> === Blog: www.insinuator.net || Conference: www.troopers.de ===
Re: NSA able to compromise Cisco, Juniper, Huawei switches
> These are not backdoor issues, NSA related, whatever... This is noise.
>
> Trying to get this thread on track, can the original poster provide any proof of this so called ability of the so called intelligence agency being able to access cisco/juniper, taking into account that management access has been correctly configured?

since you don't seem to read the articles, perhaps an info-graphic

http://www.spiegel.de/international/world/a-941262.html

randy
Re: NSA able to compromise Cisco, Juniper, Huawei switches
Hi Folks -

Clay Kossmeyer here from the Cisco PSIRT.

We've published the following document in response to the original (Dec. 29) Der Spiegel article:

http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20131229-der-spiegel

and are investigating the claims in the Dec. 30 Der Spiegel article referencing 'persistent implants' for the PIX and ASA product lines under case number PSIRT-1384943056. Any vulnerabilities we discover will be disclosed via our standard vulnerability handling process documented here:

http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html

I'm not currently subscribed to NANOG, so if you have a reply you'd like me to see, please copy me directly.

Regards,
Clay

> Found some interesting news on one of the Australia news websites.
>
> http://www.scmagazine.com.au/News/368527,nsa-able-to-compromise-cisco-juniper-huawei-switches.aspx
>
> Regards, Steven.
Re: NSA able to compromise Cisco, Juniper, Huawei switches
> Clay Kossmeyer here from the Cisco PSIRT.

shoveling kitty litter as fast as you can, eh?

> http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20131229-der-spiegel

> The article does not discuss or disclose any Cisco product vulnerabilities.

this is disingenuous at best. from the nsa document copied in der spiegel and now many other places:

> JETPLOW is a firmware persistence implant for Cisco PIX series and ASA firewalls ...

so in cisco kitty litter lingo, what would be "discuss[ing] or disclos[ing] any Cisco product vulnerabilities?" the exploit code itself?

randy
Re: NSA able to compromise Cisco, Juniper, Huawei switches
Hi,

> you gotta love it. they will roll over and piss themselves for nsa and other who are violating every principle, but threaten paying customers who would report a hole.

Don't forget that for C and J, the U.S. government is a large customer as well.

Thanks,

Sabri
Re: NSA able to compromise Cisco, Juniper, Huawei switches
On 12/30/2013 3:51 PM, Randy Bush wrote:

>> Clay Kossmeyer here from the Cisco PSIRT.
>
> shoveling kitty litter as fast as you can, eh?
>
>> http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20131229-der-spiegel
>
>> The article does not discuss or disclose any Cisco product vulnerabilities.
>
> this is disingenuous at best. from the nsa document copied in der spiegel and now many other places:
>
>> JETPLOW is a firmware persistence implant for Cisco PIX series and ASA firewalls ...
>
> so in cisco kitty litter lingo, what would be "discuss[ing] or disclos[ing] any Cisco product vulnerabilities?" the exploit code itself?
>
> randy

What is the vulnerability in the Cisco product, Randy? That a 3rd party can replace the firmware in your firewall? There isn't enough information to determine if this is a software vulnerability triggered with exploit code or wholesale firmware replacement. The document refers to an implant but not how it gets there.

--
The first rule of any game is to know that you're in one. -Sandy Lerner, co-founder, Cisco Systems
Re: NSA able to compromise Cisco, Juniper, Huawei switches
On Dec 30, 2013, at 11:28 PM, Marco Teixeira ad...@marcoteixeira.com wrote:

> I just wanted to say that any network professional that puts any equipment into production without securing it against the kind of issues mentioned so far (cisco/cisco, snmp private, etc) is negligent and should be fired on the spot.

Yes, but keep in mind that with near-infinite resources, one can go after internal machines used by network operations personnel, etc.

There are multiple things that network operators can and should do: prevent direct unauthorized configuration, prevent tampering with configuration-management systems, secure jump-off boxes, implement AAA with per-command auth and logging, monitor for config changes, etc. Unfortunately, many network operators don't do all these various things, and so it's quite possible for an organization with time and resources to attack via a side-channel.

---
Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com

Luck is the residue of opportunity and design. -- John Milton
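As an added example (not code from anyone in this thread), here is a small config-drift audit in Python covering two points raised above: Enno's note that SNMP RW access with a well-known community such as "private" is enough to reconfigure a box remotely, and Roland's suggestion to monitor for configuration changes. The baseline and running configs are constructed samples in Cisco IOS-style syntax, and the watchlist patterns are placeholders an operator would fill in for their platform.

```python
"""Config-drift audit: compare an approved baseline against the running config and
flag SNMP read-write access (worse with a factory-default community string, worse
again without an ACL), plus any line matching an operator watchlist.
Constructed sample configs in Cisco IOS-style syntax; not the thread's code."""
import re
from typing import Dict, List

# Factory-default community strings: the thread's point is that knowing
# "private" alone may be enough to reconfigure a box over SNMP RW.
DEFAULT_COMMUNITIES = {"public", "private"}

# IOS-style: snmp-server community <string> [view <name>] RO|RW [<acl>]
SNMP_COMMUNITY_RE = re.compile(
    r"^snmp-server community (\S+)(?: view \S+)? (RO|RW)(?: (\S+))?$", re.IGNORECASE)

# Constructed: the config the operator approved ...
BASELINE = """\
hostname edge-1
snmp-server community s3cret-ro RO mgmt-acl
snmp-server location dc-1
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
line vty 0 4
 transport input ssh
"""

# ... and what the box is running now (an RW community "private" appeared, no ACL).
CURRENT = """\
hostname edge-1
snmp-server community s3cret-ro RO mgmt-acl
snmp-server community private RW
snmp-server location dc-1
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
line vty 0 4
 transport input ssh
"""

# Placeholder watchlist (constructed): patterns for features that should never
# show up on this box, e.g. intercept-related lines or new SNMPv3 groups.
WATCH_PATTERNS = [r"intercept", r"^snmp-server group \S+ v3"]


def parse_config(text: str) -> List[str]:
    """Normalise whitespace and drop blank and comment ('!') lines."""
    lines = []
    for raw in text.splitlines():
        line = " ".join(raw.split())
        if line and not line.startswith("!"):
            lines.append(line)
    return lines


def snmp_communities(lines: List[str]) -> List[Dict[str, object]]:
    """Extract each SNMP community with its access mode and ACL (None if absent)."""
    found = []
    for line in lines:
        m = SNMP_COMMUNITY_RE.match(line)
        if m:
            name, mode, acl = m.group(1), m.group(2).upper(), m.group(3)
            found.append({"community": name, "mode": mode, "acl": acl,
                          "default_name": name.lower() in DEFAULT_COMMUNITIES,
                          "line": line})
    return found


def diff_configs(baseline: str, current: str) -> Dict[str, List[str]]:
    """Order-insensitive line diff: what appeared and what disappeared."""
    base, cur = set(parse_config(baseline)), set(parse_config(current))
    return {"added": sorted(cur - base), "removed": sorted(base - cur)}


def audit(baseline: str, current: str, watch_patterns: List[str]) -> List[Dict[str, str]]:
    """Return findings: 'info' for plain drift, 'high'/'critical' for SNMP RW and watchlist hits."""
    findings = []
    delta = diff_configs(baseline, current)
    for line in delta["added"]:
        findings.append({"severity": "info", "reason": "line added", "line": line})
    for line in delta["removed"]:
        findings.append({"severity": "info", "reason": "line removed", "line": line})
    for c in snmp_communities(parse_config(current)):
        if c["mode"] != "RW":
            continue  # read-only communities leak information but cannot reconfigure
        reason = "SNMP RW community"
        if c["default_name"]:
            reason += " using a factory-default string"
        if c["acl"] is None:
            reason += ", not restricted by ACL"
        sev = "critical" if c["default_name"] or c["acl"] is None else "high"
        findings.append({"severity": sev, "reason": reason, "line": c["line"]})
    current_lines = parse_config(current)
    for pat in watch_patterns:
        rx = re.compile(pat, re.IGNORECASE)
        for line in current_lines:
            if rx.search(line):
                findings.append({"severity": "high", "reason": f"watchlist: {pat}", "line": line})
    return findings


if __name__ == "__main__":
    for f in audit(BASELINE, CURRENT, WATCH_PATTERNS):
        print(f"[{f['severity']}] {f['reason']}: {f['line']}")
```

Run it against the output of a periodic "show running-config" pull and page on anything above "info"; the same check also catches the RW community reappearing after someone removes it by hand.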
Re: NSA able to compromise Cisco, Juniper, Huawei switches
On Dec 31, 2013, at 12:00 AM, Ray Soucy r...@maine.edu wrote:

> So this isn't an issue of the NSA working with Cisco and Juniper to include back doors, it's an issue of the NSA modifying those releases after the fact through BIOS implants.

Yes, I see this now, thanks.

AFAICT, the Cisco boxes listed are ASAs and PIXes, which are essentially Linux PCs running a bunch of userland firewall stuff and which have BIOSes and so forth; they aren't routers/switches.

I don't know much about Juniper gear, but it appears that the Juniper boxes listed are similar in nature, albeit running FreeBSD underneath (correction welcome).

I know nothing at all about Huawei gear.

Compromising PCs with persistent malware/rootkits is pretty routine, so this isn't really surprising, IMHO.

---
Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com

Luck is the residue of opportunity and design. -- John Milton
Re: NSA able to compromise Cisco, Juniper, Huawei switches
>> So this isn't an issue of the NSA working with Cisco and Juniper to include back doors, it's an issue of the NSA modifying those releases after the fact through BIOS implants.
>
> Yes, I see this now, thanks.
>
> AFAICT, the Cisco boxes listed are ASAs and PIXes, which are essentially Linux PCs running a bunch of userland firewall stuff and which have BIOSes and so forth; they aren't routers/switches.

you may want to read the more complete, well let's say extensive

http://leaksource.wordpress.com/2013/12/30/nsas-ant-division-catalog-of-exploits-for-nearly-every-major-software-hardware-firmware/
Re: NSA able to compromise Cisco, Juniper, Huawei switches
On Dec 31, 2013, at 9:41 AM, Randy Bush ra...@psg.com wrote:

> you may want to read the more complete, well let's say extensive

Thanks, Randy - now I see the JunOS stuff in there for J-series and M-series.

---
Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com

Luck is the residue of opportunity and design. -- John Milton
Re: NSA able to compromise Cisco, Juniper, Huawei switches
The cynic in me says that cisco switch/router gear isn't part of that report on clandestine backdoors, because they don't need said clandestine backdoors to access them...

-Blake

On Mon, Dec 30, 2013 at 8:54 PM, Dobbins, Roland rdobb...@arbor.net wrote:

> On Dec 31, 2013, at 9:41 AM, Randy Bush ra...@psg.com wrote:
>
>> you may want to read the more complete, well let's say extensive
>
> Thanks, Randy - now I see the JunOS stuff in there for J-series and M-series.
>
> ---
> Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com
>
> Luck is the residue of opportunity and design. -- John Milton
Re: NSA able to compromise Cisco, Juniper, Huawei switches
On Dec 31, 2013, at 10:16 AM, Blake Dunlap iki...@gmail.com wrote:

> The cynic in me says that cisco switch/router gear isn't part of that report on clandestine backdoors, because they don't need said clandestine backdoors to access them...

T-series is in there, too.

It's also important to keep in mind that all these purported documents refer to technologies which were supposedly available 5 years ago, based on the dates in the slides.

---
Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com

Luck is the residue of opportunity and design. -- John Milton
Re: NSA able to compromise Cisco, Juniper, Huawei switches
Hi Roland.

> I don't know much about Juniper gear, but it appears that the Juniper boxes listed are similar in nature, albeit running FreeBSD underneath (correction welcome).

With most Juniper gear, it is actually quite difficult to achieve wire-tapping on a large scale using something as simple as a backdoor in the BIOS.

Assuming M/MX/T series, you are correct that the foundation of the control plane is a FreeBSD-based kernel. However, that control plane talks to a forwarding plane (PFE). The PFE runs Juniper-designed ASICs (which differ per platform and sometimes per line card). In general, transit traffic (traffic that enters the PFE and is not destined to the router itself) will not be forwarded via the control plane. This means that whatever the backdoor is designed to do, it simply cannot touch the traffic.

There are a few exceptions, such as a carefully crafted backdoor capable of altering the next-hop database (the PFE's forwarding table) and mirroring traffic. This, however, would mean that the network would already have to be compromised. Another option would be to duplicate target traffic into a tunnel (GRE or IPIP based, for example), but that would certainly have a noticeable effect on the performance, if it is possible to perform those operations at all on the target chipset.

However, attempting any of the limited attacks that I can think of would require expert-level knowledge of not just the overall architecture, but also of the microcode that runs on the specific PFE that the attacker would target, as well as the ability to partially rewrite that. Furthermore, embedding such a sophisticated attack in a BIOS would seem impossible to me, the first reason being the limited amount of storage available on the EEPROM to store all that binary code. An attack based on corrupted firmware loaded post-manufacturing would also be difficult due to the signed binaries and microcode.

Embedding a backdoor would be extremely difficult without Juniper's cooperation. And the last time I looked at the code (I left Juniper a few months ago), I saw nothing that would indicate a backdoor of any kind.

-- Thanks, Sabri
Re: NSA able to compromise Cisco, Juniper, Huawei switches
- Original Message -
From: Ray Soucy r...@maine.edu

> I hope when [if] the truth is learned it is a lot less prevalent than it sounds, but I'm not optimistic. This is why we need all infrastructure to be implemented using open standards, open hardware designs, and open source software IMHO. I hope Cisco, Juniper, and others respond quickly with updated images for all platforms affected before the details leak.

I hate to be Even More Paranoid Than That (and if I go off-air for more than about a week, assume those Black Eyeshades types whose mention got me kicked off the list after Katrina came for me :-), but contemplate this:

===
If you were the NSA, and you had a spandy new image with lots of great backdooring and kill-switching all ready to go, and you'd plunked it in Cisco's TAC download site (with or without their knowledge)...

...what do you suppose you'd do?

Wouldn't you want some way to motivate everyone to grab that new image and plonk it on all their devices as fast as possible?

Wouldn't it be the definition of irony if the way you got everyone to install your bug on their router ... was because they were afraid you already had?

Is Ken Thompson turning over in his grave yet?
===

Cheers,
-- jra

-- Jay R. Ashworth Baylink j...@baylink.com Designer The Things I Think RFC 2100 Ashworth Associates http://baylink.pitas.com 2000 Land Rover DII St Petersburg FL USA #natog +1 727 647 1274
Re: NSA able to compromise Cisco, Juniper, Huawei switches
> Is Ken Thompson turning over in his grave yet?

I certainly hope not...
Re: NSA able to compromise Cisco, Juniper, Huawei switches
> It's also important to keep in mind that all these purported documents refer to technologies which were supposedly available 5 years ago, based on the dates in the slides.

assumptions that the TAO folk have been taking a long much-deserved sabbatical are probably naive

the shocking revelation will come tomorrow when it is announced that there is some piece of equipment or technology which has not been violated

randy
Re: NSA able to compromise Cisco, Juniper, Huawei switches
Sabri,

As I was going through reading all these replies, the one thing that continued to poke at me was the requirement of the signed binaries and microcode. The same goes for many of the Cisco binaries: without direct assistance (which is unclear at this point, through the cloud of smoke so to speak), it would be difficult to load this code post-implementation or post-manufacturing.

Then looking at things from the evil side though, if they owned the system which provides the signing then they could sign virtually anything they wish. This is similar to what happened to Red Hat a number of years ago when they had their repos owned and the packages were compromised but passed just fine because the signing server was owned as well.

Not saying this is or isn't the case, but I know from my experience where I worked in an ISP running Juniper routers (M/J series) coast to coast that, with the number of eyes watching these devices, it would have to be done at the firmware level not to be seen by the analysts. This is not out of reach either; it was roughly 5-7 years ago when Ethernet cards were owned with a firmware hack and all the traffic crossing that interface was seen and then reported back. I know that all the conversations surrounding this topic were shut down quickly and the conference talks surrounding it dried up as well; everyone I talked to was curious why the conversations of such an attack all of a sudden went silent and have yet to resurface...

I think we need to watch and listen/read over the coming weeks and months before we go assuming we have it figured out. Keep in mind the best way to cover up a covert mission is not to cover it up to start with. Put it out there, then flood the channels with false information or misinformation, until the real mission is so clouded with misinformation you can no longer see the real mission, resulting in the perfect execution of the op.

Just a few thoughts, sorry no answers...
-- Thank you, Robert Miller http://www.armoredpackets.com Twitter: @arch3angel
Re: NSA able to compromise Cisco, Juniper, Huawei switches
On Dec 31, 2013, at 10:59 AM, Randy Bush ra...@psg.com wrote:

> assumptions that the TAO folk have been taking a long much-deserved sabbatical are probably naive

Indeed; that is my point. These documents allege that the capabilities in question were present five years ago, which is an eternity in tech-time.

--- Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com
Luck is the residue of opportunity and design. -- John Milton
Re: NSA able to compromise Cisco, Juniper, Huawei switches
On Dec 31, 2013, at 10:38 AM, Sabri Berisha sa...@cluecentral.net wrote:

> Assuming M/MX/T series, you are correct that the foundation of the control-plane is a FreeBSD-based kernel.

And the management plane, too?

> However, that control-plane talks to a forwarding-plane (PFE). The PFE runs Juniper designed ASICs (which differ per platform and sometimes per line-card). In general, transit-traffic (traffic that enters the PFE and is not destined to the router itself), will not be forwarded via the control-plane.

These same concepts apply to most Cisco gear, as well.

> Another option would be to duplicate target traffic into a tunnel (GRE or IPIP based for example), but that would certainly have a noticeable effect on the performance, if it is possible to perform those operations at all on the target chipset.

Something along these lines would be a good guess, along with the ability to alter the config of the device and to mask said alteration. Other purported documents speak of tunneling duplicated traffic, and in fact we've seen tunnels on compromised routers + NAT used by spammers in conjunction with BGP hijacking in order to send out spam-bursts from allocated space (i.e., the precise opposite use-case, heh).

Assuming these alleged documents describe actual capabilities, there is some reason for having developed them in the first place.

--- Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com
Luck is the residue of opportunity and design. -- John Milton
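Sabri's message and Roland's reply above together describe the one practical way a control-plane implant could get at transit traffic on this class of box: alter the forwarding state (a mirror, a tunnel, a filter action) and then hide the change in the configuration. That suggests a check an operator can run without taking the device's word for it: pull the configuration, normalise it, hash it, diff it against a baseline whose hash was pinned out of band (change control, a ticket, a file on another host), and call out any newly added statement that can copy or divert traffic. The script below is an added example, not code from this thread or from Juniper; the statement prefixes it matches (forwarding-options port-mirroring / analyzer / sampling, gr- and ip- tunnel interfaces, firewall actions port-mirror / analyzer / sample) are real Junos hierarchies, but the configuration text is constructed and the parser only understands "set"-style lines.

```python
"""Audit a Junos-style 'set' configuration for traffic-diversion statements.

Added example, not code from the NANOG thread or from Juniper. The
configuration text is constructed; the statement prefixes matched below are
real Junos hierarchies, but the parser only understands 'set ...' lines.
"""
import hashlib
import re
from dataclasses import dataclass, field

# Statements that can copy or redirect transit traffic. All are legitimate in
# some network; what matters is whether they appear without a matching change.
DIVERSION_PATTERNS = {
    "port-mirroring": re.compile(r"^set forwarding-options port-mirroring\b"),
    "analyzer": re.compile(r"^set forwarding-options analyzer\b"),
    "sampling": re.compile(r"^set forwarding-options sampling\b"),
    "gre-tunnel": re.compile(r"^set interfaces gr-\d+/\d+/\d+\b"),
    "ipip-tunnel": re.compile(r"^set interfaces ip-\d+/\d+/\d+\b"),
    "filter-mirror-action": re.compile(r"^set firewall .+ then (port-mirror|analyzer|sample)\b"),
}


@dataclass
class AuditResult:
    running_sha256: str
    matches_baseline: bool
    new_diversions: list = field(default_factory=list)  # (category, line)
    other_added: list = field(default_factory=list)
    removed: list = field(default_factory=list)


def normalize(config_text):
    """Canonical form: comments/blank lines dropped, whitespace squeezed,
    duplicates removed, sorted. Hash this rather than the raw text."""
    lines = set()
    for raw in config_text.splitlines():
        line = " ".join(raw.split())
        if line and not line.startswith("#"):
            lines.add(line)
    return sorted(lines)


def pin_hash(config_text):
    """SHA-256 of the normalized config; record this outside the device at change time."""
    return hashlib.sha256("\n".join(normalize(config_text)).encode()).hexdigest()


def classify(line):
    for name, pattern in DIVERSION_PATTERNS.items():
        if pattern.search(line):
            return name
    return None


def audit(running_text, baseline_text, pinned_baseline_sha256):
    """Diff running config against baseline. The baseline file must itself match
    the hash pinned outside the device; otherwise a tampered baseline could
    vouch for a tampered running config."""
    if pin_hash(baseline_text) != pinned_baseline_sha256:
        raise ValueError("baseline file does not match its pinned hash; refusing to audit")
    baseline, running = normalize(baseline_text), normalize(running_text)
    running_hash = pin_hash(running_text)
    result = AuditResult(running_sha256=running_hash,
                         matches_baseline=(running_hash == pinned_baseline_sha256))
    result.removed = sorted(set(baseline) - set(running))
    for line in sorted(set(running) - set(baseline)):
        category = classify(line)
        if category:
            result.new_diversions.append((category, line))
        else:
            result.other_added.append(line)
    return result


# Constructed sample: an approved baseline, and a running config where a copy of
# transit traffic is being mirrored into a GRE tunnel. Documentation prefixes only.
BASELINE = """
# approved baseline, recorded in change control
set system host-name edge1
set interfaces ge-0/0/0 unit 0 family inet address 192.0.2.1/30
set interfaces ge-0/0/1 unit 0 family inet address 198.51.100.1/30
set protocols bgp group transit neighbor 192.0.2.2 peer-as 64496
set firewall filter protect-re term ssh from protocol tcp
set firewall filter protect-re term ssh from destination-port 22
set firewall filter protect-re term ssh then accept
"""

RUNNING = BASELINE + """
set system login message "authorized use only"
set interfaces gr-0/0/0 unit 0 tunnel source 192.0.2.1
set interfaces gr-0/0/0 unit 0 tunnel destination 203.0.113.9
set forwarding-options port-mirroring input rate 1
set forwarding-options port-mirroring family inet output interface gr-0/0/0.0
set firewall filter transit-in term all then port-mirror
"""

if __name__ == "__main__":
    res = audit(RUNNING, BASELINE, pin_hash(BASELINE))
    for category, line in res.new_diversions:
        print(f"DIVERSION [{category}]: {line}")
```

The caveat is the one Roland raises: an implant that can mask its own configuration changes will also lie to "show configuration | display set", so feed this from whatever path you trust most (console, a config archived by an external collector) and keep the pinned hash off the device. The tunnel itself is harder to hide than the config: a gr- interface carrying a steady stream to an address you never configured shows up in interface counters and NetFlow/sFlow even when the CLI says nothing.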
Re: NSA able to compromise Cisco, Juniper, Huawei switches
On Dec 31, 2013, at 11:06 AM, [AP] NANOG na...@armoredpackets.com wrote:

> Then looking at things from the evil side though, if they owned the system which provides the signing then they could sign virtually anything they wish.

Or if they owned *people* with the right level of access to do so, or if there were implementation bugs which could be utilized to bypass or obviate the signing . . .

None of the alleged capabilities described in the purported documents is really standalone; they all rely upon other methods/mechanisms in order to provide the required foundation to accomplish their stated goals.

> I think we need to watch and listen/read over the coming weeks and months before we go assuming we have it figured out.

This is the most pertinent and insightful comment made in this thread.

--- Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com
Luck is the residue of opportunity and design. -- John Milton
Re: NSA able to compromise Cisco, Juniper, Huawei switches
Roland,

I did fail to mention the HUMINT (Human Intelligence) side of things, thank you for bringing that up!

-- Thank you, Robert Miller http://www.armoredpackets.com Twitter: @arch3angel
Re: NSA able to compromise Cisco, Juniper, Huawei switches
I'm torn on this. On one hand, it seems sinister. On the other, it's not only what the NSA is tasked with doing, but it's what you'd EXPECT them to be doing in the role as the NSA. I'm not saying it's right or wrong... it creeps me out a little, though... but these are the kinds of things we have demanded that they do (via our elected representatives).

More to the point, I really doubt the NSA has any interest whatsoever in my Facebook or Twitter account. It's probably a means to an end... a transitory stop on their way to propagating more widely. They need regular folks to propagate, but in reality, they likely have zero interest in our actual accounts at the end of the day. I think of it a bit like a virus with a slightly less hysterical outcome/plan.
Re: NSA able to compromise Cisco, Juniper, Huawei switches
On 12/30/2013 11:06 PM, [AP] NANOG wrote:

> As I was going through reading all these replies, the one thing that continued to poke at me was the requirement of the signed binaries and microcode. The same goes for many of the Cisco binaries, without direct assistance, which is unclear at this point through the cloud of smoke so to speak, it would be difficult to load this code post implementation or manufacturing.

Signed binaries?? Surely you jest...

Try downloading *anything* from Cisco TAC these days with a new browser and the latest Java and see how many exceptions you have to make to get an allegedly legitimate copy of anything. If you don't like it, open a TAC case, and count the number of exceptions you have to make to get to THAT point as well. And of course they'll want you to upload a show tech first thing, and see how many MORE exceptions you have to make to get that to work. Geez, just to open ASDM today I have to honor Java exceptions.

We're all getting far too conditioned for the "click OK to proceed" overload, and the sources aren't helping.

Jeff
Re: NSA able to compromise Cisco, Juniper, Huawei switches
On Mon, Dec 30, 2013 at 10:41 PM, Blair Trosper blair.tros...@gmail.com wrote:

> I'm torn on this. On one hand, it seems sinister. On the other, it's not only what the NSA is tasked with doing, but it's what you'd EXPECT them to be doing in the role as the NSA.

[snip]

The NSA's role is not supposed to include subterfuge and undermining the integrity or security of domestic enterprise infrastructure.

With any luck, we'll hopefully find absolutely nothing, or that it was targeted backdooring against specific targets only. And people have a need to know that the security agencies haven't left a trail of artificially inserted bugs and backdoors in common IT equipment providing critical infrastructure services, and that the agencies haven't prepared a collection of instant-root 0days that are no more protected than the agencies' other poorly guarded secrets.

There would be a risk that any 'backdoors' are ready to be exploited by other unintended nefarious actors! Because the NSA are apparently great at prepping the flammables and setting fires, but totally incapable of keeping the fires contained once they (or someone else) light them.

It is not the least bit necessary for the NSA itself to be a nefarious actor exploiting things, or even complicit, for the mere presence of any backdoor or surreptitious code to eventually have the potential for serious damage. It could well be a rogue ex-employee of the NSA, such as Snowden, or others that happened to be aware of technical details, hackers, or members of a foreign nation state, who will just happen to have the time and energy to track down open doors waiting for the taking, AND figure out how to abuse them for evil purposes.

There are enough potential 0day risks, without intentional ones, waiting for bad guys to co-opt!

-- -JH
RE: NSA able to compromise Cisco, Juniper, Huawei switches
> We're all getting far too conditioned for the "click OK to proceed" overload, and the sources aren't helping.

If one embarks with deliberation upon a course of action which may entertain certain results then the intent to cause the result so obtained is, by implication, proved.
Re: NSA able to compromise Cisco, Juniper, Huawei switches
To supplement and amend what I said: These are the KINDS of things we want the NSA to do; however, the institutional oversight necessary to make sure it's Constitutional, warranted, and kept in bounds is woefully lacking (if any exists at all). Even FISA is unsatisfactory.

At any rate, I agree that the current disposition of the NSA (or, at least, what's been leaking the last few months) is simply unacceptable and cannot be allowed. I say that last part from the perspective of a US citizen, though I'd imagine most people of other nationalities would agree with me, but probably for different reasons.

On Mon, Dec 30, 2013 at 11:08 PM, Jimmy Hess mysi...@gmail.com wrote:

> The NSA's role is not supposed to include subterfuge and undermining the integrity or security of domestic enterprise infrastructure.