This can be easily tested in QEMU but any files transferred at the root
level would not appear in the LINA application on the ASA.
You could however monitor this traffic using an IPS closer to your internet
pipe, but at the end of the day, if the IPS is compromised, do you think that
would really make a difference? Most small deployments I've worked with have
the Ethernet handoffs plugged directly into the ASAs. I agree with Marc
that the target audience is probably not American citizens, but based on the
NSA track record, which quite frankly sucks donkey balls, it can easily be
assumed that these implants, if they exist, will exist in firewalls on
American soil.
We're not talking about a small group of hackers; we're talking about the
most powerful intelligence group in the world, which spends billions of dollars
of your tax money developing such intelligence technologies, and no offense
to anyone on this list, but they're probably way smarter than us.
Any security analyst that puts their head in the sand and brushes off the
leaked NSA documents without scrutiny or investigation after everything
Snowden has released thus far is extremely poor at doing their job.
If these documents are proven to be factually correct and the NSA can
execute such intrusions unnoticed, it's not going to take long before those
with malicious intent figure out how to do the same damn thing, especially
if they already know how the NSA is doing it based on EEPROM dumps.
Let's face it, the world is full of monkeys... monkey see, monkey do.
-Matt
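Several posts in this thread point at the same defensive check: watch what the firewall itself sends out (Scott's "drastic increase in outbound traffic", Marc's border taps, Matt's IPS near the internet pipe). The script below is an added example, not from the thread or any Cisco or NSA material; it runs over constructed NetFlow-style records and the addresses, peer list and volumes are all assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed NetFlow-style records (hour, src, dst, proto, dst_port, bytes).
# 203.0.113.1 stands in for the ASA's outside interface; 198.51.100.x are
# its legitimate NTP and syslog peers. Nothing here comes from the thread.
FLOWS = [
    (0, "203.0.113.1", "198.51.100.10", "udp", 123, 152),
    (0, "203.0.113.1", "198.51.100.20", "udp", 514, 4096),
    (1, "203.0.113.1", "198.51.100.10", "udp", 123, 152),
    (1, "203.0.113.1", "198.51.100.20", "udp", 514, 4200),
    (2, "203.0.113.1", "198.51.100.10", "udp", 123, 152),
    (2, "203.0.113.1", "198.51.100.20", "udp", 514, 3900),
    (3, "203.0.113.1", "198.51.100.10", "udp", 123, 152),
    (3, "203.0.113.1", "198.51.100.20", "udp", 514, 4100),
    (4, "203.0.113.1", "198.51.100.20", "udp", 514, 4000),
    (4, "203.0.113.1", "192.0.2.77", "udp", 40000, 2_500_000),  # unknown peer
    (4, "10.0.0.5", "192.0.2.80", "tcp", 443, 900_000),  # inside host, not the ASA
]
FIREWALL_IPS = {"203.0.113.1"}  # assumption: the firewall's own addresses
ALLOWED_PEERS = {"198.51.100.10", "198.51.100.20"}  # assumption: NTP, syslog, AAA

def firewall_sourced(flows, fw_ips=FIREWALL_IPS):
    """Only flows the firewall itself initiates; transit traffic is ignored."""
    return [f for f in flows if f[1] in fw_ips]

def unexpected_peers(flows, fw_ips=FIREWALL_IPS, allowed=ALLOWED_PEERS):
    """Firewall-initiated flows to destinations that are not known peers."""
    return [f for f in firewall_sourced(flows, fw_ips) if f[2] not in allowed]

def hourly_bytes(flows, fw_ips=FIREWALL_IPS):
    """Bytes the firewall itself sent, bucketed by hour."""
    totals = defaultdict(int)
    for hour, _src, _dst, _proto, _port, nbytes in firewall_sourced(flows, fw_ips):
        totals[hour] += nbytes
    return dict(sorted(totals.items()))

def spike_hours(totals, baseline_hours, z=3.0):
    """Hours outside the baseline whose volume exceeds mean + z * stdev of it."""
    base = [totals.get(h, 0) for h in baseline_hours]
    threshold = mean(base) + z * pstdev(base)
    return [h for h, b in totals.items() if h not in baseline_hours and b > threshold]

if __name__ == "__main__":
    by_hour = hourly_bytes(FLOWS)
    print("unexpected peers:", unexpected_peers(FLOWS))
    print("spike hours:", spike_hours(by_hour, baseline_hours=range(4)))
```

Real deployments would feed this from a tap or flow exporter upstream of the firewall, since, as the thread notes, a compromised device cannot be trusted to report on itself.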
-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of Marc Edwards
Sent: Tuesday, December 31, 2013 1:29 PM
To: Scott Morris
Cc: ccielab_at_groupstudy.com
Subject: Re: JETPLOW
Scott,
Wouldn't that depend on what is being exported? Perhaps it is rooted to grab
the private key and taps in the internet intercept/decrypt.
With respect to maintaining equipment: checking image hashes and border taps
is rather routine but not always practiced.
NSA most likely isn't hunting Americans down (besides Snowden... for now),
but it is wasting tons of taxpayer and borrowed dollars to crank this
program up, all at a time when many governments have irresponsibly put
themselves at the brink of bankruptcy. We are continually selling out to
them by having less of a voice. Instances like this will hurt sales and cost
cycles to correct. Ultimately the price will be seen in the long run.
For those living high on the hog with their heads in the sand, it is OK to ignore
if it makes you feel better. For those in the trenches, wrenching gear, and
protecting networks, it is very important and OK to speculate if it makes
your network safer and helps you sleep better at night.
Happy New Years to you as well!
Regards,
On Tuesday, December 31, 2013, Scott Morris wrote:
> Do ya think that you wouldn't also notice a drastic increase in
> outbound traffic to begin with? It's fun to watch all the hype and
> things like that, but to truly sit down and think about what it would
> actually take to make something like this happen, especially on a
> sustained and "unnoticed" basis, is just asinine.
>
> Perhaps more work should be spent maintaining one's own equipment and
> network than debating the chances that the sky may actually be falling or
> the NSA hunting your ass down. ;) Just my two cents for the day!
> Happy New Year!
>
> Scott Morris, CCIEx4 (R&S/ISP-Dial/Security/Service Provider) #4713,
> CCDE #2009::D,
>
> CCNP-Data Center, CCNP-Voice, JNCIE-SP #153, JNCIE-ENT #102,
> JNCIS-QFX, CISSP, et al.
>
> IPv6 Gold Certified Engineer, IPv6 Gold Certified Trainer
>
> CCSI #21903, JNCI-SP, JNCI-ENT, JNCI-QFX
>
> swm_at_emanon.com
>
> Knowledge is power.
>
> Power corrupts.
>
> Study hard and be Eeeeviiiil......
>
> On 12/31/13, 12:15 PM, marc edwards wrote:
>
> Where do you see image requiring proper hash to load? Is it in output at
> boot? Might need to tftp off and do integrity check. Also worth tapping
> border and looking for anomalous behavior.
>
> Irony is... as more developers/engineers ask for systems to be open
> (unrestricted BASH access), it makes hacks on gear easier.
>
> Freedom is slavery
>
> On Monday, December 30, 2013, Travis Niedens wrote:
>
> Um, to compile ASA code that doesn't fail MD5, wouldn't it need to be
> compiled the same way their dev team does? And considering that isn't out
> for the world to play with, to avoid, well, what we see here. Hmm.
>
> --- Original Message ---
>
> From: "Matthew George" <mgeorge_at_geores.net>
> Sent: December 30, 2013 8:43 PM
> To: "'groupstudy'" <ccielab_at_groupstudy.com>
> Subject: RE: JETPLOW
>
> So based on what I've been able to dig up so far with the help of Google,
> of course... It appears that JETPLOW is an implant subroutine installed in
> the firewall's EEPROM (bootrom) via a binary boot file at the point of
> interdiction (intercepting your packages between the distribution center
> and the target customer/OEM). Once the implant has been installed it is
> persistent, meaning it cannot be erased, and upgrading the bootrom will not
> affect the subroutine. JETPLOW in and of itself has a persistent backdoor
> capability allowing for remote access, but it does not set up covert
> communications channels (as the NSA likes to call it); that is what
> BANANAGLEE is for.
>
> JETPLOW's sole purpose is to modify the boot process of the Linux kernel
> when the ASA boots to allow for unrestricted root access (aka backdoor),
> which in turn could give those who have the root access the ability to see
> everything, change anything and copy anything without you ever knowing,
> because when you log into the ASA you're actually logging into the LINA
> application, not the Linux CLI under the root user account.
>
> BANANAGLEE is another type of implant that, based on other documents
> released, appears to be a multi-vendor, multi-hardware firmware implant that
> works on Cisco, Juniper, Dell, HP and others for the purpose of establishing
> a communications link with the NSA ROC via ICP (implant communications
> protocol, RC6-encrypted UDP). For those of you who may remember, RC6 was a
> contender for the AES standard.
>
> BANANAGLEE allows for remote updating and installation of other implants,
> including JETPLOW on Cisco, FEEDTHROUGH on Juniper and others, only if
> BANANAGLEE is already on the target firewall (PIX or ASA), which must be
> installed manually. I've not found any evidence showing that BANANAGLEE can
> be installed remotely, but this does not completely rule out the possibility
> that such execution could be done through traditional compromising methods.
> After the target firewall has been infiltrated, upload the .bin file to a
> standby ASA, reboot the standby to install the implant, which will delete
> the bin file once finished, and reboot once more to load the ASA software
> and force a failover from the Active to the compromised firewall.
> (speculation)
>
> All this crazy stuff is very interesting, but someone has to be able to
> prove that such firmware implants exist by first finding an ASA that has the
> implants and dumping the EEPROM contents into a BIN file. Think of it like
> a BIOS backup :)
>
> I'm personally not 100% convinced, but if someone comes forward with such
> hard proof evidence of an EEPROM dump showing the implants, this could
> rattle the tech industry as we know it.
>
> It also appears that these leaks are starting to hit some pretty big news
> sites now as well.
>
> Cisco has already released a statement regarding this information, which
> can be found here:
>
> http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20131229-der-spiegel
>
> -Matt
>
> -----Original Message-----
> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com]
> On Behalf Of Marc Edwards
> Sent: Monday, December 30, 2013 10:23 PM
> To: Adam Booth
> Cc: Carl Gosselin; Matthew George; groupstudy
> Subject: JETPLOW
>
> Adam,
>
> Nice catch on the published date and fair assessments regarding software.
> Not much out there in the public domain on ZESTYLEAK or BANANAGLEE... I
> would like to know more but am a bit wary of the price that comes with that.
>
> --
> Marc Edwards
> CCIE #38259
>
> Blogs and organic groups at http://www.ccie.net
>
Received on Tue Dec 31 2013 - 14:07:00 ART
This archive was generated by hypermail 2.2.0 : Wed Jan 01 2014 - 20:26:19 ART