NANOG: Here's the really scary question for me. Would it be possible for NSA-payload traffic that originates on our private networks that is destined for the NSA to go undetected by our IDS systems? For example tcpdump-based IDS systems like Snort has been rooted to ignore or not report packets going back to the NSA? Or netflow on Cisco devices not reporting NSA traffic? Or interface traffic counters discarding NSA-packets to report that there is no usage on the interface when in fact there is? Here's another question. What traffic do we look for on our networks that would be going to the NSA? Thoughts? (And semi-self-consciously adding myself to the NSA list of targets.) Lorell Hathcock -----Original Message----- From: Ray Soucy [mailto:rps@maine.edu] Sent: Monday, December 30, 2013 11:01 AM To: Dobbins, Roland Cc: nanog@nanog.org list Subject: Re: NSA able to compromise Cisco, Juniper, Huawei switches Looking more at the actual leaked information it seems that if the NSA is working with companies, it's not anything the companies are likely aware of. The common form of infection seems to be though software updates performed by administrators (through the NSA hijacking web traffic). They are implimented as firmware and BIOS infections that modify the OS image and persist through software upgrades to provide a persistant back door (PBD). The documents imply that a signiciant of systems deployed are already infected. So this isn't an issue of the NSA working with Cisco and Juniper to include back doors, it's an issue of the NSA modifying those releases after the fact though BIOS implants. Where exatcly the NSA is inserting these we can't be sure. They could be targeted or they could be at the assembly line. Quick Summary of Leaked Information: Source: http://www.spiegel.de/international/world/a-941262.html Firewalls: (1) Cisco PIX and ASA: Codename "JETPLOW" (2) Huawei Eudemon: Codename "HALLUXWATER" (3) Juniper Netscreen and ISG: Codename: "FEEDTROUGH" (4) Juniper SSG and Netscreen G5, 25, and 50, SSG-series: Codename: "GOURMETTROUGH" (5) Juniper SSG300 and SSG500: Codename "SOUFFLETROUGH" Routers: (1) Huawei Router: Codename "HEADWATER" (2) Juniper J-Series: Codename "SCHOOLMONTANA" (3) Juniper M-Series: Codename "SIERRAMONTANA" (4) Juniper T-Series: Codename "STUCCOMONTANA" Servers: (1) HP DL380 G5: Codename "IRONCHEF" (2) Dell PowerEdge: Codename "DEITYBOUNCE" (3) Generic PC BIOS: Codename "SWAP", able to compromise Windows, Linux, FreeBSD, or Solaris using FAT32, NTFS, EXT2, EXT3, or UFS filesystems. USB Cables and VGA Cables: Codename "COTTONMOUTH", this one is a hardware implmant hidden in a USB cable. The diagram shows it's small enough that you would never know its there. Codename "RAGEMASTER", VGA cable, mirrors VGA over the air. Many others. I'm not sure that the list is comprehensive, so I wouldn't say that since Cisco routers are not mentioned (for example) that they're any more safe than Juniper (which is listed often). On Mon, Dec 30, 2013 at 11:50 AM, Dobbins, Roland <rdobbins@arbor.net>wrote:
On Dec 30, 2013, at 11:18 PM, Sam Moats <sam@circlenet.us> wrote:
This might be an interesting example of it's (mis)use. http://en.wikipedia.org/wiki/Greek_wiretapping_case_2004%E2%80%93200 5
That's one of the cases I know about; it was utilized via Ericsson gear.
---------------------------------------------------------------------- - Roland Dobbins <rdobbins@arbor.net> // <http://www.arbornetworks.com>
Luck is the residue of opportunity and design.
-- John Milton
-- Ray Patrick Soucy Network Engineer University of Maine System T: 207-561-3526 F: 207-561-3531 MaineREN, Maine's Research and Education Network www.maineren.net