NSA able to compromise Cisco, Juniper, Huawei switches

shawn wilson ag4ve.us at gmail.com
Mon Dec 30 18:35:15 UTC 2013


On Mon, Dec 30, 2013 at 1:17 PM, Lorell Hathcock <lorell at hathcock.org> wrote:
> NANOG:
>
> Here's the really scary question for me.
>
> Would it be possible for NSA-payload traffic that originates on our private
> networks that is destined for the NSA to go undetected by our IDS systems?
>

Yup. Absolutely. Without a doubt.

> For example, tcpdump-based IDS systems like Snort have been rooted to ignore
> or not report packets going back to the NSA?  Or netflow on Cisco devices
> not reporting NSA traffic?  Or interface traffic counters discarding
> NSA-packets to report that there is no usage on the interface when in fact
> there is?
>

Do you detect 100% of malware in your IDS? Why would anyone need to do
anything with your IDS? Craft a PDF, DOC, Java, Flash, or anything
else that can run code that people download all the time with payload
of unknown signature. This isn't really a network discussion. This is
just to say - I seriously doubt there's anything wrong with your IDS -
don't skin a cat with a flame thrower, it just doesn't need to be that
hard.

> Here's another question.  What traffic do we look for on our networks that
> would be going to the NSA?
>

Standard https on port 443 maybe? That's how I'd send it. If you need
to send something bigger than normal, maybe compromise the email
server and have a few people send off some 5 - 10 meg messages?
Depends on your normal user base. If you've got a big, complex user
base, it's not hard to stay under the radar. Google 'Mandiant APT1'
for some real good reading.
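An added example, not part of the original post: one defender-side answer to the "what traffic do we look for" question above is a per-host volume baseline for outbound port-443 traffic built from flow records, flagging hosts far above the population with a robust (median/MAD) score. The flow tuples, IPs and byte counts below are constructed sample data, and the threshold `k` is an assumed tuning value.

```python
"""Baseline outbound HTTPS volume per internal host from flow records.

Constructed example: each record is (src_ip, dst_ip, dst_port, bytes_out).
Hosts whose total bytes to port 443 sit far above the population median
are returned as candidates for a closer look.
"""
from collections import defaultdict
from statistics import median

# Constructed sample flow records (not real data): (src, dst, dport, bytes_out)
SAMPLE_FLOWS = [
    ("10.0.0.11", "203.0.113.5", 443, 120_000),
    ("10.0.0.11", "203.0.113.9", 443, 95_000),
    ("10.0.0.12", "203.0.113.5", 443, 80_000),
    ("10.0.0.13", "203.0.113.7", 443, 110_000),
    ("10.0.0.14", "203.0.113.5", 443, 130_000),
    ("10.0.0.15", "203.0.113.8", 443, 70_000),
    ("10.0.0.16", "203.0.113.5", 443, 100_000),
    ("10.0.0.16", "203.0.113.5", 25, 9_000_000),   # SMTP: outside this check
    ("10.0.0.17", "198.51.100.2", 443, 2_400_000),  # well above its peers
    ("10.0.0.17", "198.51.100.2", 443, 2_100_000),
]


def bytes_out_by_host(flows, port=443):
    """Sum outbound bytes per source host, counting only flows to `port`."""
    totals = defaultdict(int)
    for src, _dst, dport, nbytes in flows:
        if dport == port:
            totals[src] += nbytes
    return dict(totals)


def flag_outliers(totals, k=5.0):
    """Return hosts whose total exceeds median + k * MAD.

    MAD (median absolute deviation) is used instead of the standard
    deviation so that one very large host does not inflate the threshold.
    `k` is an assumed tuning constant; tune it against your own baseline.
    """
    values = list(totals.values())
    med = median(values)
    mad = median(abs(v - med) for v in values) or 1.0  # avoid divide-by-zero
    return sorted(host for host, v in totals.items() if (v - med) / mad > k)


if __name__ == "__main__":
    print(flag_outliers(bytes_out_by_host(SAMPLE_FLOWS)))  # ['10.0.0.17']
```

A pure volume baseline only catches the loud case; a host that keeps its uploads inside the normal spread, as the post describes, needs longer windows or per-destination baselines to stand out.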
