So based on what I've been able to dig up so far with the help of Google, of
course... It appears that JETPLOW is an implant subroutine installed in the
firewall's EEPROM (bootrom) via a binary boot file at the point of
interdiction (intercepting your packages between the distribution center
and the target customer/OEM). Once the implant has been installed it is
persistent, meaning it cannot be erased and upgrading the bootrom will not
affect the subroutine. JETPLOW in and of itself has a persistent backdoor
capability allowing for remote access, but it does not set up covert
communications channels (as the NSA likes to call it); that is what BANANAGLEE
is for.
JETPLOW's sole purpose is to modify the boot process of the Linux kernel
when the ASA boots to allow for unrestricted root access (aka backdoor),
which in turn could give those who have the root access the ability to see
everything, change anything and copy anything without you ever knowing,
because when you log into the ASA you're actually logging into the LINA
application, not the Linux CLI under the root user account.
BANANAGLEE is another type of implant that, based on other documents
released, appears to be a multi-vendor, multi-hardware firmware implant that
works on Cisco, Juniper, Dell, HP and others for the purpose of establishing
a communications link with the NSA ROC via ICP (implant communications
protocol, RC6-encrypted UDP). For those of you who may remember, RC6 was a
contender for the AES standard.
BANANAGLEE allows for remote updating and installation of other implants,
including JETPLOW on Cisco, FEEDTHROUGH on Juniper and others, only if
BANANAGLEE is already on the target firewall (PIX or ASA), which must be
installed manually. I've not found any evidence showing that BANANAGLEE can
be installed remotely, but this does not completely rule out the possibility
that such execution could be done through traditional compromising methods.
After the target firewall has been infiltrated, upload the .bin file to a
standby ASA, reboot the standby to install the implant (which will delete the
bin file once finished), reboot once more to load the ASA software and
force a failover from the Active to the compromised firewall. (speculation)
All this crazy stuff is very interesting, but someone has to be able to prove
that such firmware implants exist by first finding an ASA that has the
implants and dumping the EEPROM contents into a BIN file. Think of it like a
BIOS backup :)
I'm personally not 100% convinced, but if someone comes forward with
hard-proof evidence of an EEPROM dump showing the implants, this could rattle
the tech industry as we know it.
It also appears that these leaks are starting to hit some pretty big news
sites now as well.
Cisco has already released a statement regarding this information which can
be found here:
http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20131229-der-spiegel
-Matt
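The "dump the EEPROM and compare it like a BIOS backup" check discussed above, as an added example that is not part of the thread or any vendor tool: it compares a dumped firmware image against a known-good reference image of the same build by SHA-256 and, on mismatch, lists the byte ranges that were altered. The sample images are constructed inline; `verify_dump` and `diff_regions` are hypothetical helper names.

```python
import hashlib
from typing import Dict, List, Tuple
# Hypothetical helper, not from the mailing-list post: compare a firmware image
# dumped from a device (the "BIN file") against a known-good reference image of
# the same build and report where the two diverge.

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def diff_regions(reference: bytes, dumped: bytes, merge_gap: int = 16) -> List[Tuple[int, int]]:
    """Return [start, end) byte ranges where the images differ. Differences
    closer than merge_gap bytes are merged so a patched block shows up as one
    range; a size mismatch is reported as a region covering the extra tail."""
    regions: List[Tuple[int, int]] = []
    common = min(len(reference), len(dumped))
    start, last = None, -1
    for i in range(common):
        if reference[i] != dumped[i]:
            if start is None:
                start = i
            last = i
        elif start is not None and i - last > merge_gap:
            regions.append((start, last + 1))
            start = None
    if start is not None:
        regions.append((start, last + 1))
    if len(reference) != len(dumped):
        regions.append((common, max(len(reference), len(dumped))))
    return regions

def verify_dump(reference: bytes, dumped: bytes) -> Dict[str, object]:
    """Fast path: compare SHA-256 digests; only on mismatch locate the changes."""
    ref_hash, dump_hash = sha256_hex(reference), sha256_hex(dumped)
    report: Dict[str, object] = {"match": ref_hash == dump_hash,
                                 "reference_sha256": ref_hash,
                                 "dump_sha256": dump_hash, "regions": []}
    if not report["match"]:
        report["regions"] = diff_regions(reference, dumped)
    return report

# Constructed sample images (not real firmware): a 4 KiB "reference bootrom" and
# a dump of it with a 24-byte block altered at 0x800 and one bit flipped at 0x900.
REFERENCE_IMAGE = bytes(range(256)) * 16
_dump = bytearray(REFERENCE_IMAGE)
_dump[0x800:0x818] = b"\xff" * 24
_dump[0x900] ^= 0x01
DUMPED_IMAGE = bytes(_dump)

if __name__ == "__main__":
    for start, end in verify_dump(REFERENCE_IMAGE, DUMPED_IMAGE)["regions"]:
        print(f"modified region 0x{start:05x}-0x{end:05x} ({end - start} bytes)")
```

A real comparison needs a reference image obtained from the vendor or from an identical unit known to be clean, and a dump taken with a hardware reader rather than through the running software.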
-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of marc edwards
Sent: Monday, December 30, 2013 10:23 PM
To: Adam Booth
Cc: Carl Gosselin; Matthew George; groupstudy
Subject: JETPLOW
Adam,
Nice catch on the published date and fair assessments regarding software.
Not much out there in the public domain on ZESTYLEAK or BANANAGLEE... I would
like to know more but a bit wary of the price that comes with that.
-- Marc Edwards CCIE #38259
Blogs and organic groups at http://www.ccie.net

Received on Mon Dec 30 2013 - 23:22:20 ART
This archive was generated by hypermail 2.2.0 : Wed Jan 01 2014 - 20:26:19 ART