NSA able to compromise Cisco, Juniper, Huawei switches

Mon Dec 30 18:17:30 UTC 2013

NANOG:

Here's the really scary question for me.

Would it be possible for NSA-payload traffic that originates on our private
networks that is destined for the NSA to go undetected by our IDS systems?

For example tcpdump-based IDS systems like Snort has been rooted to ignore
or not report packets going back to the NSA?  Or netflow on Cisco devices
not reporting NSA traffic?  Or interface traffic counters discarding
NSA-packets to report that there is no usage on the interface when in fact
there is?

Here's another question.  What traffic do we look for on our networks that
would be going to the NSA?

Thoughts?  (And semi-self-consciously adding myself to the NSA list of
targets.)

Lorell Hathcock

-----Original Message-----
From: Ray Soucy [mailto:rps at maine.edu] 
Sent: Monday, December 30, 2013 11:01 AM
To: Dobbins, Roland
Cc: nanog at nanog.org list
Subject: Re: NSA able to compromise Cisco, Juniper, Huawei switches

Looking more at the actual leaked information it seems that if the NSA is
working with companies, it's not anything the companies are likely aware of.

The common form of infection seems to be though software updates performed
by administrators (through the NSA hijacking web traffic).  They are
implimented as firmware and BIOS infections that modify the OS image and
persist through software upgrades to provide a persistant back door (PBD).
 The documents imply that a signiciant of systems deployed are already
infected.

So this isn't an issue of the NSA working with Cisco and Juniper to include
back doors, it's an issue of the NSA modifying those releases after the fact
though BIOS implants.  Where exatcly the NSA is inserting these we can't be
sure.  They could be targeted or they could be at the assembly line.

Quick Summary of Leaked Information:
Source: http://www.spiegel.de/international/world/a-941262.html

Firewalls:

(1) Cisco PIX and ASA: Codename "JETPLOW"
(2) Huawei Eudemon: Codename "HALLUXWATER"
(3) Juniper Netscreen and ISG: Codename: "FEEDTROUGH"
(4) Juniper SSG and Netscreen G5, 25, and 50, SSG-series: Codename:
"GOURMETTROUGH"
(5) Juniper SSG300 and SSG500: Codename "SOUFFLETROUGH"

Routers:

(1) Huawei Router: Codename "HEADWATER"
(2) Juniper J-Series: Codename "SCHOOLMONTANA"
(3) Juniper M-Series: Codename "SIERRAMONTANA"
(4) Juniper T-Series: Codename "STUCCOMONTANA"

Servers:
(1) HP DL380 G5: Codename "IRONCHEF"
(2) Dell PowerEdge: Codename "DEITYBOUNCE"
(3) Generic PC BIOS: Codename "SWAP", able to compromise Windows, Linux,
FreeBSD, or Solaris using FAT32, NTFS, EXT2, EXT3, or UFS filesystems.

USB Cables and VGA Cables:

Codename "COTTONMOUTH", this one is a hardware implmant hidden in a USB
cable.  The diagram shows it's small enough that you would never know its
there.
Codename "RAGEMASTER", VGA cable, mirrors VGA over the air.

Many others.

I'm not sure that the list is comprehensive, so I wouldn't say that since
Cisco routers are not mentioned (for example) that they're any more safe
than Juniper (which is listed often).

On Mon, Dec 30, 2013 at 11:50 AM, Dobbins, Roland <rdobbins at arbor.net>wrote:

>
> On Dec 30, 2013, at 11:18 PM, Sam Moats <sam at circlenet.us> wrote:
>
> > This might be an interesting example of it's (mis)use.
> > http://en.wikipedia.org/wiki/Greek_wiretapping_case_2004%E2%80%93200
> > 5
>
> That's one of the cases I know about; it was utilized via Ericsson gear.
>
> ----------------------------------------------------------------------
> - Roland Dobbins <rdobbins at arbor.net> // 
> <http://www.arbornetworks.com>
>
>           Luck is the residue of opportunity and design.
>
>                        -- John Milton
>
>
>

--
Ray Patrick Soucy
Network Engineer
University of Maine System

T: 207-561-3526
F: 207-561-3531

MaineREN, Maine's Research and Education Network www.maineren.net