Re: JETPLOW

From: Scott Morris <swm_at_emanon.com>
Date: Tue, 31 Dec 2013 13:15:57 -0500

Do ya think that you wouldn't also notice a drastic increase in outbound
traffic to begin with? It's fun to watch all the hype and things like
that, but to truly sit down and think about what it would actually take
to make something like this happen, especially on a sustained and
"unnoticed" basis, is just asinine.

Perhaps more work should be spent maintaining one's own equipment and
network than debating the chances that the sky may actually be falling or
the NSA hunting your ass down. ;) Just my two cents for the day!
Happy New Year!

Scott Morris, CCIEx4 (R&S/ISP-Dial/Security/Service Provider) #4713, CCDE #2009::D,

CCNP-Data Center, CCNP-Voice, JNCIE-SP #153, JNCIE-ENT #102, JNCIS-QFX,
CISSP, et al.

IPv6 Gold Certified Engineer, IPv6 Gold Certified Trainer

CCSI #21903, JNCI-SP, JNCI-ENT, JNCI-QFX

swm_at_emanon.com

Knowledge is power.

Power corrupts.

Study hard and be Eeeeviiiil......

On 12/31/13, 12:15 PM, marc edwards wrote:

  Where do you see image requiring proper hash to load? Is it in output at
  boot? Might need to tftp off and do integrity check. Also worth tapping
  border and looking for anomalous behavior.
  
  Irony is... As more developers/engineers ask for systems to be open
  (unrestricted BASH access) it makes hacks on gear easier.
  
  Freedom is slavery
  
  On Monday, December 30, 2013, Travis Niedens wrote:

    Um to compile ASA code that doesn't fail MD5 wouldn't it need to be
    compiled the same way their dev team does? And considering that isn't out
    for the world to play with to avoid well what we see here. Hmm.
    
    --- Original Message ---
    
    From: "Matthew George" <mgeorge_at_geores.net>
    Sent: December 30, 2013 8:43 PM
    To: "'groupstudy'" <ccielab_at_groupstudy.com>
    Subject: RE: JETPLOW
    
    So based on what I've been able to dig up so far with the help of Google of
    course... It appears that JETPLOW is an implant subroutine installed in the
    firewall's EEPROM (bootrom) via a binary boot file at the point of
    interdiction (intercepting your packages between the distribution center
    and the target customer/OEM). Once the implant has been installed it is
    persistent, meaning it cannot be erased and upgrading the bootrom will not
    affect the subroutine. JETPLOW in and of itself has a persistent backdoor
    capability allowing for remote access but it does not set up covert
    communications channels (as the NSA likes to call it); that is what BANANAGLEE
    is for.
    
    JETPLOW's sole purpose is to modify the boot process of the Linux kernel
    when the ASA boots to allow for unrestricted root access (aka backdoor),
    which in turn could give those who have the root access the ability to see
    everything, change anything and copy anything without you ever knowing,
    because when you log into the ASA you're actually logging into the LINA
    application, not the Linux CLI under the root user account.
    
    BANANAGLEE is another type of implant that, based on other documents
    released, appears to be a multi-vendor multi-hardware firmware implant that
    works on Cisco, Juniper, Dell, HP and others for the purpose of establishing
    a communications link with the NSA ROC via ICP (implant communications
    protocol, RC6 encrypted UDP). For those of you who may remember, RC6 was a
    contender for the AES standard.
    
    BANANAGLEE allows for remote updating and installation of other implants
    including JETPLOW on Cisco, FEEDTHROUGH on Juniper and others only if
    BANANAGLEE is already on the target firewall (PIX or ASA), which must be
    installed manually. I've not found any evidence showing that BANANAGLEE can
    be installed remotely but this does not completely rule out the possibility
    that such execution could be done through traditional compromising methods.
    After the target firewall has been infiltrated, upload the .bin file to a
    standby ASA, reboot the standby to install the implant, which will delete the
    bin file once finished, and reboot once more to load the ASA software and
    force a failover from the Active to the compromised firewall. (speculation)
    
    All this crazy stuff is very interesting but someone has to be able to prove
    that such firmware implants exist by first finding an ASA that has the
    implants and dumping the EEPROM contents into a BIN file. Think of it like a
    BIOS backup :)
    
    I'm personally not 100% convinced but if someone comes forward with such
    hard proof evidence of an EEPROM dump showing the implants this could rattle
    the tech industry as we know it.
    
    It also appears that these leaks are starting to hit some pretty big news
    sites now as well.
    
    Cisco has already released a statement regarding this information which can
    be found here:
    http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20131229-der-spiegel

    -Matt

    -----Original Message-----
    From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of marc edwards
    Sent: Monday, December 30, 2013 10:23 PM
    To: Adam Booth
    Cc: Carl Gosselin; Matthew George; groupstudy
    Subject: JETPLOW
    
    Adam,
    
    Nice catch on the published date and fair assessments regarding software.
    Not much out there in the public domain on ZESTYLEAK or BANANAGLEE...I would
    like to know more but a bit wary of the price that comes with that.

    --
    Marc Edwards
    CCIE #38259

    Blogs and organic groups at http://www.ccie.net
    _______________________________________________________________________
    Subscription information may be found at: http://www.groupstudy.com/list/CCIELab.html
    
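Matthew's point that someone has to pull the image or EEPROM contents off a box to prove anything, and marc's "tftp off and do integrity check", both come down to comparing what is on the device with what the vendor shipped, on a machine other than the device. The following Python is an added example and not code from this thread or from Cisco: the vendor hash manifest (`build_manifest`), the image name `asa-example-image.bin` and the image bytes are all constructed in memory so it runs offline; with a real image you would read the file from disk and take the expected digests from the vendor's published hash list.

```python
"""Offline integrity check of a software image copied off a device.

Added example, not code from the thread or from Cisco. The vendor hash manifest
and all images are constructed in memory so the script runs stand-alone.
"""
import hashlib

# MD5 is listed only because vendor download pages still publish it; the
# decision should rest on the SHA-256 comparison.
ALGORITHMS = ("md5", "sha256")
CHUNK = 1 << 20


def digests(data):
    """Hash the image with every algorithm in ALGORITHMS, in 1 MiB chunks so a
    multi-hundred-MB image does not have to be fed to update() in one call."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    view = memoryview(data)
    for start in range(0, len(view), CHUNK):
        chunk = view[start:start + CHUNK]
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def build_manifest(golden_images):
    """Stand-in for the vendor's published hash list: {image name: {size, md5, sha256}}.
    In real use these values come from the vendor, never from the device being checked."""
    return {name: {"size": len(data), **digests(data)} for name, data in golden_images.items()}


def verify_image(name, data, manifest):
    """Compare an image pulled off the box with the manifest entry of the same name.
    Reports which fields disagree, so a size-only match is visibly not enough."""
    expected = manifest.get(name)
    if expected is None:
        return {"ok": False, "reason": "no manifest entry for this image", "mismatched": []}
    actual = {"size": len(data), **digests(data)}
    mismatched = [field for field in expected if actual[field] != expected[field]]
    return {"ok": not mismatched,
            "reason": "all fields match" if not mismatched else "image differs from vendor copy",
            "mismatched": mismatched}


# Constructed stand-in for the shipped image (a real one would be read from disk).
GOLDEN = {"asa-example-image.bin": bytes(range(256)) * 64}
MANIFEST = build_manifest(GOLDEN)


def altered_copies():
    """Two ways a retrieved image can differ from the shipped one: a single
    flipped bit (same size) and trailing bytes appended (size changes)."""
    good = GOLDEN["asa-example-image.bin"]
    flipped = bytearray(good)
    flipped[1000] ^= 0x01
    return {"flipped": bytes(flipped), "appended": good + b"\x00" * 16}


if __name__ == "__main__":
    name = "asa-example-image.bin"
    print("golden:", verify_image(name, GOLDEN[name], MANIFEST))
    for label, data in altered_copies().items():
        print(label + ":", verify_image(name, data, MANIFEST))
```

Two caveats follow from the thread itself. A hash the platform reports about itself is only as trustworthy as the software producing it, and the whole premise of a bootrom-level implant is that it sits beneath the OS and shapes what the OS reports, so the digest belongs on a separate host. And this check covers only the OS image that can be copied off the device; it says nothing about the bootrom/EEPROM contents Matthew wants dumped, which this script cannot reach.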
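Scott's observation that a covert channel of any use would show up as a jump in outbound traffic, and marc's suggestion to tap the border and look for anomalous behaviour, amount to baselining each device's outbound volume and alerting on departures from it. The following Python is an added example and not code from this thread: the daily flow summaries are constructed (a firewall outside address that is quiet for a week and then jumps, and a busy server that stays flat), the addresses are placeholders, and the median-ratio threshold of 5x is an assumed starting point rather than a tuned value.

```python
"""Flag devices whose outbound byte volume jumps far above their own baseline.

Added example, not code from the thread. Input is a constructed CSV of daily
per-source byte totals, as a border tap or flow exporter could summarise them.
"""
import statistics
from collections import defaultdict

# Constructed sample data: day,source,direction,bytes.
# 10.0.0.1 stands in for a firewall's outside address: quiet all week, then ~40x louder.
# 10.0.0.2 stands in for a busy server whose volume is large but steady.
SAMPLE_FLOWS = """\
2013-12-24,10.0.0.1,out,1100000
2013-12-25,10.0.0.1,out,1250000
2013-12-26,10.0.0.1,out,980000
2013-12-27,10.0.0.1,out,1300000
2013-12-28,10.0.0.1,out,1150000
2013-12-29,10.0.0.1,out,1220000
2013-12-30,10.0.0.1,out,1050000
2013-12-31,10.0.0.1,out,42000000
2013-12-24,10.0.0.2,out,50000000
2013-12-25,10.0.0.2,out,51000000
2013-12-26,10.0.0.2,out,49000000
2013-12-27,10.0.0.2,out,52000000
2013-12-28,10.0.0.2,out,50500000
2013-12-29,10.0.0.2,out,51500000
2013-12-30,10.0.0.2,out,49500000
2013-12-31,10.0.0.2,out,55000000
2013-12-31,10.0.0.2,in,9000000
"""


def parse_flows(text):
    """Parse 'day,source,direction,bytes' lines into tuples; blanks and comments are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        day, src, direction, nbytes = line.split(",")
        records.append((day, src, direction, int(nbytes)))
    return records


def daily_outbound(records):
    """Sum outbound bytes per source per day: {src: {day: bytes}}. Inbound is ignored."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, src, direction, nbytes in records:
        if direction == "out":
            totals[src][day] += nbytes
    return totals


def find_outbound_spikes(records, baseline_days=7, factor=5.0):
    """Compare each source's latest day with the median of the preceding baseline_days.

    A source is flagged when latest >= factor * median. The median is used rather
    than the mean so that one earlier busy day cannot mask a later spike.
    Returns {src: {"median": ..., "latest": ..., "ratio": ...}} for flagged sources.
    """
    flagged = {}
    for src, per_day in daily_outbound(records).items():
        days = sorted(per_day)
        if len(days) < baseline_days + 1:
            continue  # not enough history to call anything anomalous
        baseline = [per_day[d] for d in days[-baseline_days - 1:-1]]
        latest = per_day[days[-1]]
        median = statistics.median(baseline)
        if median == 0:
            ratio = float("inf") if latest > 0 else 0.0
        else:
            ratio = latest / median
        if ratio >= factor:
            flagged[src] = {"median": median, "latest": latest, "ratio": ratio}
    return flagged


if __name__ == "__main__":
    for src, info in find_outbound_spikes(parse_flows(SAMPLE_FLOWS)).items():
        print(f"{src}: {info['latest']} bytes out vs median {info['median']} ({info['ratio']:.1f}x)")
```

The comparison is per source against its own history, which is what makes a firewall's management or outside address stand out even when it is a tiny fraction of the total border traffic; a single site-wide threshold would let that volume hide behind the busy servers. Large outbound jumps have plenty of benign causes (backups, log exports, upgrades), so this is a triage list to be explained, not a verdict.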

Received on Tue Dec 31 2013 - 13:15:57 ART

This archive was generated by hypermail 2.2.0 : Wed Jan 01 2014 - 20:26:19 ART