*removes foil hat and places it atop ASA*
On Dec 31, 2013, at 1:09 PM, "Matthew George" <mgeorge_at_geores.net> wrote:
> This can be easily tested in QEMU but any files transferred at the root
> level would not appear in the LINA application on the ASA.
>
> You could however monitor this traffic using an IPS closer to your internet
> pipe, but at the end of the day, if the IPS is compromised, do you think that
> would really make a difference? Most small deployments I've worked with have
> the Ethernet handoffs plugged directly into the ASAs. I agree with Marc
> that the target audience is probably not American citizens, but based on the
> NSA track record, which quite frankly sucks donkey balls, it can easily be
> assumed that these implants, if they exist, will exist in firewalls on
> American soil.
>
> We're not talking about a small group of hackers, we're talking about the
> most powerful intelligence group in the world that spends billions of dollars
> of your tax money developing such intelligence technologies and no offense
> to anyone on this list but they're probably way smarter than us.
>
> Any security analyst that puts their head in the sand and brushes off the
> leaked NSA documents without scrutiny or investigation after everything
> Snowden has released thus far is extremely poor at doing their job.
>
> If these documents are proven to be factually correct and the NSA can
> execute such intrusions unnoticed, it's not going to take long before those
> with malicious intent figure out how to do the same damn thing, especially
> if they already know how the NSA is doing it based on EEPROM dumps.
>
> Let's face it, the world is full of monkeys... monkey see monkey do.
>
> -Matt
>
> -----Original Message-----
> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of marc
> edwards
> Sent: Tuesday, December 31, 2013 1:29 PM
> To: Scott Morris
> Cc: ccielab_at_groupstudy.com
> Subject: Re: JETPLOW
>
> Scott,
>
> Wouldn't that depend on what is being exported? Perhaps it is rooted to grab
> the private key and taps in the internet intercept/decrypt.
>
> With respect to maintaining equipment: checking image hashes and border taps
> is rather routine but not always practiced.
>
> NSA most likely isn't hunting Americans down (besides Snowden... for now)
> but it is wasting tons of taxpayer and borrowed dollars to crank this
> program up. All at a time when many governments have irresponsibly put
> themselves at the brink of bankruptcy. We are continually selling out to
> them by having less of a voice. Instances like this will hurt sales and cost
> cycles to correct. Ultimately the price will be seen in the long run.
>
> For those living high on the hog with head in the sand it is OK to ignore
> if it makes you feel better. For those in the trenches, wrenching gear, and
> protecting networks it is very important and OK to speculate if it makes
> your network safe and you sleep better at night.
>
> Happy New Years to you as well!
>
> Regards,
>
> On Tuesday, December 31, 2013, Scott Morris wrote:
>
>> Do ya think that you wouldn't also notice a drastic increase in
>> outbound traffic to begin with? It's fun to watch all the hype and
>> things like that, but to truly sit down and think about what it would
>> actually take to make something like this happen, especially on a
>> sustained and "unnoticed" basis, is just asinine.
>>
>> Perhaps more work should be spent maintaining ones own equipment and
>> network than debating the chances that the sky may actually be falling or
>> the NSA hunting your ass down. ;) Just my two cents for the day!
>> Happy New Year!
>>
>> Scott Morris, CCIEx4 (R&S/ISP-Dial/Security/Service Provider) #4713,
>> CCDE #2009::D,
>>
>> CCNP-Data Center, CCNP-Voice, JNCIE-SP #153, JNCIE-ENT #102,
>> JNCIS-QFX, CISSP, et al.
>>
>> IPv6 Gold Certified Engineer, IPv6 Gold Certified Trainer
>>
>> CCSI #21903, JNCI-SP, JNCI-ENT, JNCI-QFX
>>
>> swm_at_emanon.com
>>
>> Knowledge is power.
>>
>> Power corrupts.
>>
>> Study hard and be Eeeeviiiil......
>>
>> On 12/31/13, 12:15 PM, marc edwards wrote:
>>
>> Where do you see image requiring proper hash to load? Is it in output at
>> boot? Might need to tftp off and do integrity check. Also worth tapping
>> border and looking for anomalous behavior.
>>
>> Irony is... As more developers/engineers ask for systems to be open
>> (unrestricted BASH access) it makes hacks on gear easier.
>>
>> Freedom is slavery
>>
>> On Monday, December 30, 2013, Travis Niedens wrote:
>>
>> Um, to compile ASA code that doesn't fail MD5 wouldn't it need to be
>> compiled the same way their dev team does? And considering that isn't out
>> for the world to play with to avoid well what we see here. Hmm.
>>
>> --- Original Message ---
>>
>> From: "Matthew George" <mgeorge_at_geores.net>
>> Sent: December 30, 2013 8:43 PM
>> To: "'groupstudy'" <ccielab_at_groupstudy.com>
>> Subject: RE: JETPLOW
>>
>> So based on what I've been able to dig up so far with the help of Google of
>> course... It appears that JETPLOW is an implant subroutine installed in the
>> firewall's EEPROM (bootrom) via a binary boot file at the point of
>> interdiction (intercepting your packages between the distribution center
>> and the target customer/OEM). Once the implant has been installed it is
>> persistent, meaning it cannot be erased and upgrading the bootrom will not
>> affect the subroutine. JETPLOW in and of itself has a persistent backdoor
>> capability allowing for remote access but it does not set up covert
>> communications channels (as the NSA likes to call it); that is what
>> BANANAGLEE is for.
>>
>> JETPLOW's sole purpose is to modify the boot process of the Linux kernel
>> when the ASA boots to allow for unrestricted root access (aka backdoor)
>> which in turn could give those who have the root access the ability to see
>> everything, change anything and copy anything without you ever knowing,
>> because when you log into the ASA you're actually logging into the LINA
>> application, not the Linux CLI under the root user account.
>>
>> BANANAGLEE is another type of implant that, based on other documents
>> released, appears to be a multi-vendor multi-hardware firmware implant that
>> works on Cisco, Juniper, Dell, HP and others for the purpose of establishing
>> a communications link with the NSA ROC via ICP (implant communications
>> protocol, RC6 encrypted UDP). For those of you who may remember, RC6 was a
>> contender for the AES standard.
>>
>> BANANAGLEE allows for remote updating and installation of other implants
>> including JETPLOW on Cisco, FEEDTHROUGH on Juniper and others only if
>> BANANAGLEE is already on the target firewall (PIX or ASA), which must be
>> installed manually. I've not found any evidence showing that BANANAGLEE can
>> be installed remotely but this does not completely rule out the possibility
>> that such execution could be done through traditional compromising methods.
>> After the target firewall has been infiltrated, upload the .bin file to a
>> standby ASA, reboot the standby to install the implant, which will delete
>> the bin file once finished, and reboot once more to load the ASA software
>> and force a failover from the Active to the compromised firewall.
>> (speculation)
>>
>> All this crazy stuff is very interesting but someone has to be able to prove
>> that such firmware implants exist by first finding an ASA that has the
>> implants and dumping the EEPROM contents into a BIN file. Think of it like a
>> BIOS backup :)
>>
>> I'm personally not 100% convinced but if someone comes forward with such
>> hard proof evidence of an EEPROM dump showing the implants this could rattle
>> the tech industry as we know it.
>>
>> It also appears that these leaks are starting to hit some pretty big news
>> sites now as well.
>>
>> Cisco has already released a statement regarding this information which can
>> be found here:
>> http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20131229-der-spiegel
>>
>> -Matt
>>
>> -----Original Message-----
>> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of marc
>> edwards
>> Sent: Monday, December 30, 2013 10:23 PM
>> To: Adam Booth
>> Cc: Carl Gosselin; Matthew George; groupstudy
>> Subject: JETPLOW
>>
>> Adam,
>>
>> Nice catch on the published date and fair assessments regarding software.
>> Not much out there in the public domain on ZESTYLEAK or BANANAGLEE... I
>> would like to know more but a bit wary of the price that comes with that.
>>
>> --
>> Marc Edwards
>> CCIE #38259
>>
>> Blogs and organic groups at http://www.ccie.net
> _______________________________________________________________________
>> Subscription information may be found at:
>> http://www.groupstudy.com/list/CCIELab.html
>>
>
> --
> Marc Edwards
> CCIE #38259
>
Received on Tue Dec 31 2013 - 18:53:07 ART
This archive was generated by hypermail 2.2.0 : Wed Jan 01 2014 - 20:26:19 ART
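The thread's one concrete defensive suggestion is to copy the image off the ASA (via TFTP) and check its hash against what the vendor published. The script below is an added example, not code from the thread or from Cisco: it streams a copied image file through the digests a vendor typically publishes, compares each one in constant time, and reports a verdict per algorithm. The image bytes and the "published" digest table are constructed for the demo (in practice the table is copied by hand from the vendor's download page for that exact release and file name); the file name `asa-demo.bin` is a placeholder.

```python
"""Offline integrity check of a firewall image that was copied off the box.

Added example for the thread's "tftp off and do integrity check" advice; it is
not Cisco code. It assumes the image is already on the local disk and that the
vendor-published digests for that exact file name are known.
"""
import hashlib
import hmac
import os
import tempfile
from dataclasses import dataclass, field

# Digests a vendor typically publishes next to an image download.
ALGORITHMS = ("md5", "sha512")

# Constructed stand-in for an image copied off the firewall. A real file would
# be the multi-hundred-megabyte *.bin from flash, so hashing must stream it.
GOOD_IMAGE = b"ASA-DEMO-IMAGE\x00" + bytes(range(256)) * 64

# Constructed "published" digest table keyed by file name. In real use these
# strings are transcribed from the vendor download page, never computed here.
PUBLISHED = {
    "asa-demo.bin": {alg: hashlib.new(alg, GOOD_IMAGE).hexdigest()
                     for alg in ALGORITHMS},
}


@dataclass
class Verdict:
    filename: str
    ok: bool
    reason: str
    matches: dict = field(default_factory=dict)   # algorithm -> bool
    computed: dict = field(default_factory=dict)  # algorithm -> hex digest


def digest_file(path, algorithm, chunk_size=1 << 20):
    """Hash a file in 1 MiB chunks so large images are never loaded whole."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_image(path, published=PUBLISHED):
    """Compare every published digest for this file name; all must match."""
    name = os.path.basename(path)
    expected = published.get(name)
    if expected is None:
        # An image you have no reference digest for cannot be vouched for.
        return Verdict(name, False, "no published digest for this file name")
    computed = {alg: digest_file(path, alg) for alg in expected}
    # compare_digest avoids leaking match length through timing; harmless
    # offline, but it is the right primitive for comparing digests anyway.
    matches = {alg: hmac.compare_digest(computed[alg], expected[alg].lower())
               for alg in expected}
    if all(matches.values()):
        return Verdict(name, True, "all published digests match",
                       matches, computed)
    failed = ", ".join(alg for alg, ok in matches.items() if not ok)
    return Verdict(name, False, f"digest mismatch: {failed}", matches, computed)


def demo():
    """Verify a pristine copy, a copy with one flipped byte, and an unknown
    file name. Returns the three Verdicts in that order."""
    with tempfile.TemporaryDirectory() as tmp:
        good = os.path.join(tmp, "asa-demo.bin")
        with open(good, "wb") as fh:
            fh.write(GOOD_IMAGE)

        tampered_dir = os.path.join(tmp, "tampered")
        os.mkdir(tampered_dir)
        tampered = os.path.join(tampered_dir, "asa-demo.bin")
        patched = bytearray(GOOD_IMAGE)
        patched[1000] ^= 0x01  # a single-bit change anywhere must be caught
        with open(tampered, "wb") as fh:
            fh.write(bytes(patched))

        unknown = os.path.join(tmp, "mystery.bin")
        with open(unknown, "wb") as fh:
            fh.write(GOOD_IMAGE)

        return verify_image(good), verify_image(tampered), verify_image(unknown)


if __name__ == "__main__":
    for v in demo():
        print(f"{v.filename}: {'OK' if v.ok else 'FAIL'} ({v.reason})")
```

Run it against a real copy with `verify_image("/path/to/copied-image.bin", published_table)` after filling `published_table` from the vendor page. A matching hash only vouches for the image file on flash; it says nothing about the bootrom, which is exactly the component the thread says JETPLOW lives in and which survives an image upgrade. For that layer the thread's own suggestion applies: dump the EEPROM and compare the dump against one taken from a known-good unit of the same model and bootrom revision.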