Where do you see the image requiring a proper hash to load? Is it in the output at
boot? Might need to tftp it off and do an integrity check. Also worth tapping the
border and looking for anomalous behavior.
The irony is... as more developers/engineers ask for systems to be open (unrestricted
BASH access), it makes hacks on gear easier.
Freedom is slavery
On Monday, December 30, 2013, Travis Niedens wrote:
> Um, to compile ASA code that doesn't fail MD5, wouldn't it need to be
> compiled the same way their dev team does? And considering that isn't out
> for the world to play with, to avoid, well, what we see here. Hmm.
>
> --- Original Message ---
>
> From: "Matthew George" <mgeorge_at_geores.net>
> Sent: December 30, 2013 8:43 PM
> To: "'groupstudy'" <ccielab_at_groupstudy.com>
> Subject: RE: JETPLOW
>
> So based on what I've been able to dig up so far with the help of Google, of
> course... It appears that JETPLOW is an implant subroutine installed in the
> firewall's EEPROM (bootrom) via a binary boot file at the point of
> interdiction (intercepting your packages between the distribution center
> and the target customer/OEM). Once the implant has been installed it is
> persistent, meaning it cannot be erased and upgrading the bootrom will not
> affect the subroutine. JETPLOW in and of itself has a persistent backdoor
> capability allowing for remote access, but it does not set up covert
> communications channels (as the NSA likes to call it); that is what BANANAGLEE
> is for.
>
> JETPLOW's sole purpose is to modify the boot process of the Linux kernel
> when the ASA boots to allow for unrestricted root access (aka backdoor),
> which in turn could give those who have the root access the ability to see
> everything, change anything and copy anything without you ever knowing,
> because when you log into the ASA you're actually logging into the LINA
> application, not the Linux CLI under the root user account.
>
> BANANAGLEE is another type of implant that, based on other documents
> released, appears to be a multi-vendor, multi-hardware firmware implant that
> works on Cisco, Juniper, Dell, HP and others for the purpose of establishing
> a communications link with the NSA ROC via ICP (implant communications
> protocol, RC6-encrypted UDP). For those of you who may remember, RC6 was a
> contender for the AES standard.
>
> BANANAGLEE allows for remote updating and installation of other implants,
> including JETPLOW on Cisco, FEEDTHROUGH on Juniper and others, only if
> BANANAGLEE is already on the target firewall (PIX or ASA), which must be
> installed manually. I've not found any evidence showing that BANANAGLEE can
> be installed remotely, but this does not completely rule out the possibility
> that such execution could be done through traditional compromise methods.
> After the target firewall has been infiltrated, upload the .bin file to a
> standby ASA, reboot the standby to install the implant (which will delete the
> bin file once finished), reboot once more to load the ASA software, and
> force a failover from the Active to the compromised firewall. (speculation)
>
> All this crazy stuff is very interesting, but someone has to be able to prove
> that such firmware implants exist by first finding an ASA that has the
> implants and dumping the EEPROM contents into a BIN file. Think of it like a
> BIOS backup :)
>
> I'm personally not 100% convinced, but if someone comes forward with such
> hard proof, evidence of an EEPROM dump showing the implants, this could rattle
> the tech industry as we know it.
>
> It also appears that these leaks are starting to hit some pretty big news
> sites now as well.
>
> Cisco has already released a statement regarding this information which can
> be found here:
>
> http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20131229-der-spiegel
>
>
> -Matt
>
>
> -----Original Message-----
> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com]
> On Behalf Of Marc Edwards
> Sent: Monday, December 30, 2013 10:23 PM
> To: Adam Booth
> Cc: Carl Gosselin; Matthew George; groupstudy
> Subject: JETPLOW
>
> Adam,
>
> Nice catch on the published date and fair assessments regarding software.
> Not much out there in the public domain on ZESTYLEAK or BANANAGLEE... I would
> like to know more, but a bit wary of the price that comes with that.
>
>
> --
> Marc Edwards
> CCIE #38259
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html

--
Marc Edwards
CCIE #38259

Blogs and organic groups at http://www.ccie.net

Received on Tue Dec 31 2013 - 09:15:11 ART
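Two things this thread asks for are an integrity check of an image pulled off the box (Marc's "tftp off and do integrity check") and a comparison of a suspect bootrom/EEPROM dump against a clean one (Matthew's "dumping the EEPROM contents into a BIN file"). The script below is an added example for both; it is not code from any list member, from Cisco, or from the leaked documents. It assumes the file (an ASA software image, or a bootrom dump taken out of band) has already been copied to the analysis host, and that either a vendor-published digest or a dump from a known-clean unit of the same model and version is available to compare against. The sample data in the `__main__` block is constructed, not a real image.

```python
"""Off-box integrity check for a firewall image or bootrom dump.

Added example for this thread; not code from any list member, from Cisco, or
from the leaked documents. Assumes the file has already been copied off the
device and that a vendor-published digest, or a dump from a known-clean unit
of the same model and version, is available to compare against.
"""
import hashlib
import hmac
from typing import Dict, Iterable, List, Tuple

DEFAULT_ALGOS: Tuple[str, ...] = ("md5", "sha512")


def digest_stream(chunks: Iterable[bytes], algorithms: Tuple[str, ...] = DEFAULT_ALGOS) -> Dict[str, str]:
    """Run every requested hash over the same byte stream in a single pass."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for chunk in chunks:
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def digest_bytes(data: bytes, algorithms: Tuple[str, ...] = DEFAULT_ALGOS) -> Dict[str, str]:
    """Convenience wrapper for in-memory data (used for small dumps and tests)."""
    return digest_stream([data], algorithms)


def digest_file(path: str, algorithms: Tuple[str, ...] = DEFAULT_ALGOS, chunk_size: int = 1 << 20) -> Dict[str, str]:
    """Hash a file without reading it fully into memory (images run to hundreds of MB)."""
    with open(path, "rb") as fh:
        return digest_stream(iter(lambda: fh.read(chunk_size), b""), algorithms)


def digests_match(actual: Dict[str, str], expected: Dict[str, str]) -> bool:
    """True only if every published digest matches (case-insensitive).
    An empty or unverifiable expectation is a failure, never a pass."""
    if not expected:
        return False
    for name, want in expected.items():
        have = actual.get(name)
        if have is None or not hmac.compare_digest(have.lower(), want.strip().lower()):
            return False
    return True


def diff_regions(baseline: bytes, suspect: bytes) -> List[Tuple[int, int]]:
    """Byte ranges [start, end) where a suspect dump differs from a known-clean one.
    A length difference is reported as (or merged into) a trailing region."""
    regions: List[Tuple[int, int]] = []
    n = min(len(baseline), len(suspect))
    i = 0
    while i < n:
        if baseline[i] == suspect[i]:
            i += 1
            continue
        start = i
        while i < n and baseline[i] != suspect[i]:
            i += 1
        regions.append((start, i))
    longest = max(len(baseline), len(suspect))
    if longest != n:
        if regions and regions[-1][1] == n:
            regions[-1] = (regions[-1][0], longest)
        else:
            regions.append((n, longest))
    return regions


if __name__ == "__main__":
    # Constructed sample data standing in for a clean dump and a modified one.
    clean = bytes(range(256)) * 4
    expected = digest_bytes(clean)          # stands in for the vendor-published digests
    tampered = bytearray(clean)
    tampered[0x100:0x110] = b"\x90" * 16    # constructed 16-byte patch in the "bootrom"
    print("clean image verifies:   ", digests_match(digest_bytes(clean), expected))
    print("tampered image verifies:", digests_match(digest_bytes(bytes(tampered)), expected))
    for start, end in diff_regions(clean, bytes(tampered)):
        print(f"differs at 0x{start:x}-0x{end:x} ({end - start} bytes)")
```

Two caveats worth keeping in mind when using this. A matching digest only proves that the file you copied off equals what the vendor published; if the thread's description is right and the implant lives below the OS, the running device can hand you a clean image while booting something else, so the dump you compare against must be obtained out of band rather than through the device's own CLI. And MD5 should not be the only digest checked where a stronger one is published, since MD5 collisions are practical.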
This archive was generated by hypermail 2.2.0 : Wed Jan 01 2014 - 20:26:19 ART