Re: NSA able to compromise Cisco, Juniper, Huawei switches

[Ray Soucy <rps () maine edu>]

On a side note,

I've been involved with organizing the New England regional Collegiate
Cyber-Defense Competition for a while, and one our "Red Team" members was
able to make a pretty convincing IOS rootkit using IOS TCL scripting to
mask configuration from the students.  I don't think any students were able
to detect it until word got out after it was used a few years in a row.
 IIRC, Cisco threatened to sue if it was ever released, so no it's not
publicly available.  It is possible, however.

Don't assume that your routers are any safer than your servers. :-)



On Mon, Dec 30, 2013 at 1:35 PM, shawn wilson <ag4ve.us () gmail com> wrote:

> On Mon, Dec 30, 2013 at 1:17 PM, Lorell Hathcock <lorell () hathcock org>
> wrote:
> > NANOG:
> >
> > Here's the really scary question for me.
> >
> > Would it be possible for NSA-payload traffic that originates on our
> private
> > networks that is destined for the NSA to go undetected by our IDS
> systems?
> >
>
> Yup. Absolutely. Without a doubt.
>
> > For example tcpdump-based IDS systems like Snort has been rooted to
> ignore
> > or not report packets going back to the NSA?  Or netflow on Cisco devices
> > not reporting NSA traffic?  Or interface traffic counters discarding
> > NSA-packets to report that there is no usage on the interface when in
> fact
> > there is?
>
> Do you detect 100% of malware in your IDS? Why would anyone need to do
> anything with your IDS? Craft a PDF, DOC, Java, Flash, or anything
> else that can run code that people download all the time with payload
> of unknown signature. This isn't really a network discussion. This is
> just to say - I seriously doubt there's anything wrong with your IDS -
> don't skin a cat with a flame thrower, it just doesn't need to be that
> hard.
>
> > Here's another question.  What traffic do we look for on our networks
> that
> > would be going to the NSA?
>
> Standard https on port 443 maybe? That's how I'd send it. If you need
> to send something bigger than normal, maybe compromise the email
> server and have a few people send off some 5 - 10 meg messages?
> Depends on your normal user base. If you've got a big, complex user
> base, it's not hard to stay under the radar. Google 'Mandiant APT1'
> for some real good reading.


-- 
Ray Patrick Soucy
Network Engineer
University of Maine System

T: 207-561-3526
F: 207-561-3531

MaineREN, Maine's Research and Education Network
www.maineren.net