nanog mailing list archives
Re: NSA able to compromise Cisco, Juniper, Huawei switches
From: Ray Soucy <rps () maine edu>
Date: Mon, 30 Dec 2013 13:55:24 -0500
On a side note, I've been involved with organizing the New England regional Collegiate Cyber-Defense Competition for a while, and one of our "Red Team" members was able to make a pretty convincing IOS rootkit using IOS TCL scripting to mask configuration from the students. I don't think any students were able to detect it until word got out after it was used a few years in a row. IIRC, Cisco threatened to sue if it was ever released, so no, it's not publicly available. It is possible, however. Don't assume that your routers are any safer than your servers. :-)

On Mon, Dec 30, 2013 at 1:35 PM, shawn wilson <ag4ve.us () gmail com> wrote:
> On Mon, Dec 30, 2013 at 1:17 PM, Lorell Hathcock <lorell () hathcock org> wrote:
>> NANOG:
>>
>> Here's the really scary question for me. Would it be possible for NSA-payload traffic that originates on our private networks that is destined for the NSA to go undetected by our IDS systems?
>
> Yup. Absolutely. Without a doubt.
>
>> For example, tcpdump-based IDS systems like Snort have been rooted to ignore or not report packets going back to the NSA? Or netflow on Cisco devices not reporting NSA traffic? Or interface traffic counters discarding NSA packets to report that there is no usage on the interface when in fact there is?
>
> Do you detect 100% of malware in your IDS? Why would anyone need to do anything with your IDS? Craft a PDF, DOC, Java, Flash, or anything else that can run code that people download all the time with a payload of unknown signature. This isn't really a network discussion. This is just to say - I seriously doubt there's anything wrong with your IDS - don't skin a cat with a flame thrower, it just doesn't need to be that hard.
>
>> Here's another question. What traffic do we look for on our networks that would be going to the NSA?
>
> Standard https on port 443 maybe? That's how I'd send it. If you need to send something bigger than normal, maybe compromise the email server and have a few people send off some 5 - 10 meg messages? Depends on your normal user base. If you've got a big, complex user base, it's not hard to stay under the radar. Google 'Mandiant APT1' for some real good reading.
--
Ray Patrick Soucy
Network Engineer
University of Maine System
T: 207-561-3526 F: 207-561-3531
MaineREN, Maine's Research and Education Network
www.maineren.net
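The message above describes an on-box script that filters what "show running-config" returns to the operator. As an added example (not code from this thread, and not the red team member's rootkit), the Python below shows the check a practitioner would want against that class of trick: compare the configuration as reported in-band by the device with a copy obtained through a channel the device does not mediate, and flag any statement that grants on-box scripting or lets a script intercept operator commands. The two configuration texts, the hostname edge1 and the file name flash:/init.tcl are constructed sample data; the regular expressions cover a handful of IOS EEM and Tcl statements and are an assumed starting list, not an exhaustive one.

```python
import difflib
import re

# Constructed sample data (not from the original thread). Two views of the
# same router's configuration:
#   CLI_VIEW: what the operator sees from "show running-config" on the box,
#             i.e. output an on-box hook could have filtered.
#   OOB_VIEW: the configuration obtained through an independent channel,
#             e.g. a backup taken before the suspected compromise.
CLI_VIEW = """\
!
version 15.2
hostname edge1
!
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
!
line vty 0 4
 transport input ssh
!
end
"""

OOB_VIEW = """\
!
version 15.2
hostname edge1
!
scripting tcl init flash:/init.tcl
!
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
!
event manager applet hide_cfg
 event cli pattern "show running-config" sync yes
 action 1.0 cli command "enable"
!
line vty 0 4
 transport input ssh
!
end
"""

# Statements that give on-box code execution or let a script sit between the
# operator and a CLI command. Presence is not proof of compromise (EEM is used
# legitimately), but every instance should be accounted for. Assumed list.
SUSPICIOUS = [
    re.compile(r"^\s*event manager applet\b"),
    re.compile(r"^\s*event cli pattern\b"),
    re.compile(r"^\s*scripting tcl\b"),
    re.compile(r"^\s*kron policy-list\b"),
    re.compile(r"^\s*action \S+ tcl\b"),
]


def normalize(config: str) -> list[str]:
    """Drop blank lines and '!' separators so the diff reports only statements."""
    return [ln.rstrip() for ln in config.splitlines()
            if ln.strip() and not ln.strip().startswith("!")]


def config_diff(cli: str, oob: str) -> tuple[list[str], list[str]]:
    """Return (statements absent from the CLI view, statements only in the CLI view)."""
    missing, extra = [], []
    for tag in difflib.ndiff(normalize(cli), normalize(oob)):
        if tag.startswith("+ "):      # present in the reference copy only
            missing.append(tag[2:])
        elif tag.startswith("- "):    # present in the on-box view only
            extra.append(tag[2:])
    return missing, extra


def suspicious(lines: list[str]) -> list[str]:
    """Statements matching any of the on-box scripting patterns."""
    return [ln for ln in lines if any(p.match(ln) for p in SUSPICIOUS)]


def audit(cli: str, oob: str) -> dict:
    """Diff the two views and raise an alert on hidden or scripting statements."""
    missing, extra = config_diff(cli, oob)
    flagged = suspicious(normalize(oob))
    return {
        "hidden_from_cli": missing,
        "only_in_cli": extra,
        "suspicious_in_oob": flagged,
        "suspicious_in_cli": suspicious(normalize(cli)),
        "alert": bool(missing) or bool(flagged),
    }


if __name__ == "__main__":
    for key, val in audit(CLI_VIEW, OOB_VIEW).items():
        print(f"{key}: {val}")
```

The value of the comparison depends entirely on where the reference copy comes from. If it is produced by the device itself (a config copied to TFTP, a pull over SNMP), the same hook that filters "show" can filter it, so the reference should be a backup taken before the suspected compromise or a configuration restored onto a freshly installed, hash-verified image. Agreement between the two views also only says the configuration is consistent; a modified IOS image rather than a configuration applet would hide from both, which is the sense in which the router is no safer than a server.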