lawful intercept/IOS at BlackHat DC, bypassing and recommendations
"That peer-review is the basic purpose of my Blackhat talk and the associated paper. I plan to review Cisco's architecture for lawful intercept and explain the approach a bad guy would take to getting access without authorization. I'll identify several aspects of the design and implementation of the Lawful Intercept (LI) and Simple Network Management Protocol Version 3 (SNMPv3) protocols that can be exploited to gain access to the interface, and provide recommendations for mitigating those vulnerabilities in design, implementation, and deployment."

More here: http://blogs.iss.net/archive/blackhatlitalk.html

Gadi.

--
Gadi Evron, ge@linuxbox.org. Blog: http://gevron.livejournal.com/
On Thu, Feb 4, 2010 at 3:19 PM, Gadi Evron <ge@linuxbox.org> wrote:
> "That peer-review is the basic purpose of my Blackhat talk and the associated paper. I plan to review Cisco's architecture for lawful intercept and explain the approach a bad guy would take to getting access without authorization. I'll identify several aspects of the design and implementation of the Lawful Intercept (LI) and Simple Network Management Protocol Version 3 (SNMPv3) protocols that can be exploited to gain access to the interface, and provide recommendations for mitigating those vulnerabilities in design, implementation, and deployment."

this seems like much more work than matt blaze's work that said: "Just send more than 10mbps toward what you want to sneak around... the LEA's pipe is saturated so nothing of use gets to them" <http://www.crypto.com/blog/calea_weaknesses/>

Also, cisco publishes the fact that their intercept caps out at 15kpps per line card, so... just keep a steady 15kpps and roll on.

-chris

(of course for any LEA that really cares they'll just order a physical tap, and provision things properly)
Would you mind passing along a source/link on the 15kpps? I haven't seen that number yet.

tv

----- Original Message -----
From: "Christopher Morrow" <morrowc.lists@gmail.com>
To: "Gadi Evron" <ge@linuxbox.org>
Cc: "NANOG" <nanog@nanog.org>
Sent: Thursday, February 04, 2010 2:27 PM
Subject: Re: lawful intercept/IOS at BlackHat DC, bypassing and recommendations

> On Thu, Feb 4, 2010 at 3:19 PM, Gadi Evron <ge@linuxbox.org> wrote:
>> "That peer-review is the basic purpose of my Blackhat talk and the associated paper. I plan to review Cisco's architecture for lawful intercept and explain the approach a bad guy would take to getting access without authorization. I'll identify several aspects of the design and implementation of the Lawful Intercept (LI) and Simple Network Management Protocol Version 3 (SNMPv3) protocols that can be exploited to gain access to the interface, and provide recommendations for mitigating those vulnerabilities in design, implementation, and deployment."
>
> this seems like much more work than matt blaze's work that said: "Just send more than 10mbps toward what you want to sneak around... the LEA's pipe is saturated so nothing of use gets to them" <http://www.crypto.com/blog/calea_weaknesses/> Also, cisco publishes the fact that their intercept caps out at 15kpps per line card, so... just keep a steady 15kpps and roll on. -chris
On 2/4/2010 at 12:27 PM, Christopher Morrow <morrowc.lists@gmail.com> wrote:
> On Thu, Feb 4, 2010 at 3:19 PM, Gadi Evron <ge@linuxbox.org> wrote:
>> "That peer-review is the basic purpose of my Blackhat talk and the associated paper. I plan to review Cisco's architecture for lawful intercept and explain the approach a bad guy would take to getting access without authorization. I'll identify several aspects of the design and implementation of the Lawful Intercept (LI) and Simple Network Management Protocol Version 3 (SNMPv3) protocols that can be exploited to gain access to the interface, and provide recommendations for mitigating those vulnerabilities in design, implementation, and deployment."
>
> this seems like much more work than matt blaze's work that said: "Just send more than 10mbps toward what you want to sneak around... the LEA's pipe is saturated so nothing of use gets to them"
The Cross/XForce/IBM talk appears more to be about unauthorized access to communications via LI rather than evading them, "...there is a risk that [LI tools] could be hijacked by third parties and used to perform surveillance without authorization." Of course, this has already happened, http://en.wikipedia.org/wiki/Greek_telephone_tapping_case_2004-2005
On Thu, Feb 4, 2010 at 5:26 PM, Crist Clark <Crist.Clark@globalstar.com> wrote:
>> this seems like much more work than matt blaze's work that said: "Just send more than 10mbps toward what you want to sneak around... the LEA's pipe is saturated so nothing of use gets to them"
>
> The Cross/XForce/IBM talk appears more to be about unauthorized access to communications via LI rather than evading them,
> "...there is a risk that [LI tools] could be hijacked by third parties and used to perform surveillance without authorization."
> Of course, this has already happened,
right... plus the management (for cisco) is via snmp(v3), from (mostly) windows servers as the mediation devices (sad)... and the traffic is simply tunneled from device -> mediation -> lea .... not necessarily IPSEC'd from mediation -> LEA, and udp-encapped from device -> mediation server.
> http://en.wikipedia.org/wiki/Greek_telephone_tapping_case_2004-2005
yea, good times... that's really just re-use of the normal LEA hooks in all telco phone switch gear though... not 'calea features' in particular. -chris
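Chris's point above is that the router side of the Cisco LI design is reachable over SNMPv3, so the strength of the whole intercept interface rests on how the SNMPv3 groups, users and source restrictions are configured. As an added, defender-side example that is not code from this thread, from Cisco or from the Black Hat talk, here is a small Python audit of IOS-style `snmp-server` lines that flags the weak settings an operator with an LI-enabled box would want to catch: v3 groups that accept a level below `priv`, groups without a source `access` ACL, v3 users with no privacy key or DES privacy, and v1/v2c community strings left alongside the v3 configuration. The `snmp-server group` / `snmp-server user` keyword syntax is assumed from the IOS command reference as I recall it, and the sample configuration is constructed.

```python
import re
from dataclasses import dataclass

# Constructed IOS-style SNMP configuration lines (sample input, not taken from any
# real device or from the thread). The LI-GROUP/li-mediation pair is how a lawful
# intercept mediation device would typically be provisioned; the NMS-RO pair and the
# community string are the kind of weaker settings an auditor should flag.
SAMPLE_CONFIG = """\
snmp-server view LI-VIEW iso included
snmp-server group LI-GROUP v3 priv read LI-VIEW write LI-VIEW access 90
snmp-server user li-mediation LI-GROUP v3 auth sha S3cret-Auth priv aes 128 S3cret-Priv access 90
snmp-server group NMS-RO v3 auth read LI-VIEW
snmp-server user nms-poller NMS-RO v3 auth md5 pollpass
snmp-server community public RO
"""


@dataclass
class Finding:
    line: str
    reason: str


# Assumed IOS syntax (from memory of the command reference, not verified here):
#   snmp-server group <name> v3 {noauth|auth|priv} [read V] [write V] [access ACL]
#   snmp-server user <name> <group> v3 auth {md5|sha} <pw> [priv {des|aes 128|...} <pw>] [access ACL]
GROUP_RE = re.compile(r"^snmp-server group (\S+) v3 (noauth|auth|priv)(?:\s+(.*))?$")
USER_RE = re.compile(r"^snmp-server user (\S+) (\S+) v3(?:\s+(.*))?$")
COMMUNITY_RE = re.compile(r"^snmp-server community ")


def audit_snmp_config(config: str) -> list:
    """Return Findings for SNMP settings that weaken a management plane which also
    exposes a lawful-intercept (TAP MIB) interface to a mediation device."""
    findings = []
    for raw in config.splitlines():
        line = raw.strip()

        m = GROUP_RE.match(line)
        if m:
            name, level, rest = m.group(1), m.group(2), (m.group(3) or "")
            tokens = rest.split()
            if level != "priv":
                findings.append(Finding(line, f"group {name} accepts security level '{level}'; "
                                              "require priv (authentication + encryption)"))
            if "access" not in tokens:
                findings.append(Finding(line, f"group {name} has no 'access' ACL limiting "
                                              "which hosts may use it"))
            continue

        m = USER_RE.match(line)
        if m:
            name, rest = m.group(1), (m.group(3) or "")
            tokens = rest.split()
            if "auth" not in tokens:
                findings.append(Finding(line, f"user {name} has no authentication key"))
            if "priv" not in tokens:
                findings.append(Finding(line, f"user {name} has no privacy key; its SNMPv3 "
                                              "traffic will be sent unencrypted"))
            elif "des" in tokens:
                findings.append(Finding(line, f"user {name} uses DES privacy; prefer AES"))
            continue

        if COMMUNITY_RE.match(line):
            findings.append(Finding(line, "v1/v2c community string configured; community "
                                          "access bypasses the v3 user security model"))
    return findings


if __name__ == "__main__":
    for f in audit_snmp_config(SAMPLE_CONFIG):
        print(f"{f.reason}\n    {f.line}")
```

Run against the constructed sample it reports four findings, all on the `NMS-RO` group, the `nms-poller` user and the `public` community; the `LI-GROUP` / `li-mediation` pair passes because it requires `priv`, uses AES and is bound to ACL 90. A real audit would also want the ACL itself checked against the mediation device's addresses, which this script does not attempt.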
On Feb 4, 2010, at 5:42 PM, Christopher Morrow wrote:
> On Thu, Feb 4, 2010 at 5:26 PM, Crist Clark <Crist.Clark@globalstar.com> wrote:
>>> this seems like much more work than matt blaze's work that said: "Just send more than 10mbps toward what you want to sneak around... the LEA's pipe is saturated so nothing of use gets to them"
>>
>> The Cross/XForce/IBM talk appears more to be about unauthorized access to communications via LI rather than evading them,
>> "...there is a risk that [LI tools] could be hijacked by third parties and used to perform surveillance without authorization."
>> Of course, this has already happened,
>
> right... plus the management (for cisco) is via snmp(v3), from (mostly) windows servers as the mediation devices (sad)... and the traffic is simply tunneled from device -> mediation -> lea .... not necessarily IPSEC'd from mediation -> LEA, and udp-encapped from device -> mediation server.
>
>> http://en.wikipedia.org/wiki/Greek_telephone_tapping_case_2004-2005
>
> yea, good times... that's really just re-use of the normal LEA hooks in all telco phone switch gear though... not 'calea features' in particular.

There's a difference? CALEA is just the US government profile of the generic international concept of lawful intercept. I recommend http://www.spectrum.ieee.org/jul07/5280 (linked to from the Wikipedia article) as a very good reference on what is and isn't known.

--Steve Bellovin, http://www.cs.columbia.edu/~smb
On Thu, Feb 4, 2010 at 5:49 PM, Steven Bellovin <smb@cs.columbia.edu> wrote:
> On Feb 4, 2010, at 5:42 PM, Christopher Morrow wrote:
>> On Thu, Feb 4, 2010 at 5:26 PM, Crist Clark <Crist.Clark@globalstar.com> wrote:
>>>> this seems like much more work than matt blaze's work that said: "Just send more than 10mbps toward what you want to sneak around... the LEA's pipe is saturated so nothing of use gets to them"
>>>
>>> The Cross/XForce/IBM talk appears more to be about unauthorized access to communications via LI rather than evading them,
>>> "...there is a risk that [LI tools] could be hijacked by third parties and used to perform surveillance without authorization."
>>> Of course, this has already happened,
>>
>> right... plus the management (for cisco) is via snmp(v3), from (mostly) windows servers as the mediation devices (sad)... and the traffic is simply tunneled from device -> mediation -> lea .... not necessarily IPSEC'd from mediation -> LEA, and udp-encapped from device -> mediation server.
>>
>>> http://en.wikipedia.org/wiki/Greek_telephone_tapping_case_2004-2005
>>
>> yea, good times... that's really just re-use of the normal LEA hooks in all telco phone switch gear though... not 'calea features' in particular.
>
> There's a difference? CALEA is just the US government profile of the generic international concept of lawful intercept.
hrm, I always equate 'calea' with 'ip intercept', because I (thankfully) never had to see a phone switch (dms type thingy). You are, I believe, correct in that CALEA was first 'telephone' intercept implemented in phone-switch-thingies in ~94?? and was later applied (may 2007ish?) to IP things as well. -Chris
On Feb 4, 2010, at 9:26 PM, Christopher Morrow wrote:
> On Thu, Feb 4, 2010 at 5:49 PM, Steven Bellovin <smb@cs.columbia.edu> wrote:
>> On Feb 4, 2010, at 5:42 PM, Christopher Morrow wrote:
>>> On Thu, Feb 4, 2010 at 5:26 PM, Crist Clark <Crist.Clark@globalstar.com> wrote:
>>>>> this seems like much more work than matt blaze's work that said: "Just send more than 10mbps toward what you want to sneak around... the LEA's pipe is saturated so nothing of use gets to them"
>>>>
>>>> The Cross/XForce/IBM talk appears more to be about unauthorized access to communications via LI rather than evading them,
>>>> "...there is a risk that [LI tools] could be hijacked by third parties and used to perform surveillance without authorization."
>>>> Of course, this has already happened,
>>>
>>> right... plus the management (for cisco) is via snmp(v3), from (mostly) windows servers as the mediation devices (sad)... and the traffic is simply tunneled from device -> mediation -> lea .... not necessarily IPSEC'd from mediation -> LEA, and udp-encapped from device -> mediation server.
>>>
>>>> http://en.wikipedia.org/wiki/Greek_telephone_tapping_case_2004-2005
>>>
>>> yea, good times... that's really just re-use of the normal LEA hooks in all telco phone switch gear though... not 'calea features' in particular.
>>
>> There's a difference? CALEA is just the US government profile of the generic international concept of lawful intercept.
>
> hrm, I always equate 'calea' with 'ip intercept', because I (thankfully) never had to see a phone switch (dms type thingy). You are, I believe, correct in that CALEA was first 'telephone' intercept implemented in phone-switch-thingies in ~94?? and was later applied (may 2007ish?) to IP things as well.
I can make a very good case that CALEA was not just originally intended for voice, but was sold to Congress as something that didn't apply to data networks. The EFF has said it better than I could, though, so look at http://w2.eff.org/Privacy/Surveillance/20040413_EFF_CALEA_comments. --Steve Bellovin, http://www.cs.columbia.edu/~smb
On Thu, Feb 04, 2010 at 09:42:24PM -0500, Steven Bellovin wrote:
> I can make a very good case that CALEA was not just originally intended for voice, but was sold to Congress as something that didn't apply to data networks. The EFF has said it better than I could, though, so look at http://w2.eff.org/Privacy/Surveillance/20040413_EFF_CALEA_comments.
Corrected URL: http://w2.eff.org/Privacy/Surveillance/20040413_EFF_CALEA_comments.php
I'm totally ignorant (most of the time), is anybody actually using SNMPv3 ?

Regards
On Thu, Feb 4, 2010 at 5:47 PM, Jorge Amodio <jmamodio@gmail.com> wrote:
> I'm totally ignorant (most of the time), is anybody actually using SNMPv3 ?
sadly, if you are present in the US and you do ip services (public ones) and you deployed a cisco device + calea capabilites, yes you do! :( -chris
On Thu, 4 Feb 2010 16:47:47 -0600 Jorge Amodio <jmamodio@gmail.com> wrote:
> I'm totally ignorant (most of the time), is anybody actually using SNMPv3 ?
I worked with an IPsec VPN product around 10 years ago that used SNMPv3 for automated provisioning of the tunnels.
Regards
Big Brother is watching you! so last year!

True, but lawful intercept has been around for a while, active/passive flow tap monitoring, port mirroring, caller ID spoofing ....... i also saw an update on the IOS/Junos roadmap not that long ago. the 7600 has been around for a while now and so the code that comes w/ that feature available ......... let's not generate more data traffic than this ....... as in case of infringement all data is recorded, stored, used as evidence and brought to our attention by the home "team", so we know in advance .....:-) snmp v3 has been around for a gd while .......

--- On Sat, 2/6/10, Mark Smith <nanog@85d5b20a518b8f6864949bd940457dc124746ddc.nosense.org> wrote:

> From: Mark Smith <nanog@85d5b20a518b8f6864949bd940457dc124746ddc.nosense.org>
> Subject: Re: lawful intercept/IOS at BlackHat DC, bypassing and recommendations
> To: "Jorge Amodio" <jmamodio@gmail.com>
> Cc: "NANOG" <nanog@nanog.org>
> Date: Saturday, February 6, 2010, 6:45 AM
>
> On Thu, 4 Feb 2010 16:47:47 -0600 Jorge Amodio <jmamodio@gmail.com> wrote:
>> I'm totally ignorant (most of the time), is anybody actually using SNMPv3 ?
>
> I worked with an IPsec VPN product around 10 years ago that used SNMPv3 for automated provisioning of the tunnels.
>
> Regards
participants (9): Christopher Morrow, Crist Clark, Gadi Evron, isabel dias, Jorge Amodio, Marcus Reid, Mark Smith, Steven Bellovin, Tony Varriale