NSA able to compromise Cisco, Juniper, Huawei switches
rps at maine.edu
Mon Dec 30 18:55:24 UTC 2013
On a side note,
I've been involved with organizing the New England regional Collegiate
Cyber-Defense Competition for a while, and one of our "Red Team" members was
able to make a pretty convincing IOS rootkit using IOS TCL scripting to
mask configuration from the students. I don't think any students were able
to detect it until word got out after it was used a few years in a row.
IIRC, Cisco threatened to sue if it was ever released, so no, it's not
publicly available. It is possible, however.
Don't assume that your routers are any safer than your servers. :-)
On Mon, Dec 30, 2013 at 1:35 PM, shawn wilson <ag4ve.us at gmail.com> wrote:
> On Mon, Dec 30, 2013 at 1:17 PM, Lorell Hathcock <lorell at hathcock.org>
> > NANOG:
> > Here's the really scary question for me.
> > Would it be possible for NSA-payload traffic that originates on our
> > networks that is destined for the NSA to go undetected by our IDS
> Yup. Absolutely. Without a doubt.
> > For example tcpdump-based IDS systems like Snort has been rooted to
> > or not report packets going back to the NSA? Or netflow on Cisco devices
> > not reporting NSA traffic? Or interface traffic counters discarding
> > NSA-packets to report that there is no usage on the interface when in
> > there is?
> Do you detect 100% of malware in your IDS? Why would anyone need to do
> anything with your IDS? Craft a PDF, DOC, Java, Flash, or anything
> else that can run code that people download all the time with payload
> of unknown signature. This isn't really a network discussion. This is
> just to say - I seriously doubt there's anything wrong with your IDS -
> don't skin a cat with a flame thrower, it just doesn't need to be that
> > Here's another question. What traffic do we look for on our networks
> > would be going to the NSA?
> Standard https on port 443 maybe? That's how I'd send it. If you need
> to send something bigger than normal, maybe compromise the email
> server and have a few people send off some 5 - 10 meg messages?
> Depends on your normal user base. If you've got a big, complex user
> base, it's not hard to stay under the radar. Google 'Mandiant APT1'
> for some real good reading.
Ray Patrick Soucy
University of Maine System
MaineREN, Maine's Research and Education Network
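The config-masking rootkit described above hides lines from the operator's view of the device. One practical check, written here as an added example and not code from the thread or from the CCDC Red Team, is to compare the configuration as seen in the CLI session with the same configuration retrieved through a second path (the startup-config in NVRAM, or "copy running-config tftp:" to a collector) and to flag the statements that give Tcl code a foothold on IOS. The assumption that such a rootkit would persist through EEM Tcl policies or a "scripting tcl init" script is mine, not the post's; the two config samples below are constructed for illustration, not captured from a real device.

```python
"""Added example: detect a configuration view that has been filtered on a
Cisco IOS device by diffing two views of the same config and flagging Tcl
hooks.  Assumption (not from the thread): a Tcl-based rootkit needs an EEM
policy, applet or "scripting tcl init" line to load at boot, so those
lines are the ones worth hiding and the ones worth looking for."""
from __future__ import annotations

import re

# Constructed sample: what the operator sees in the SSH session after
# "show running-config" on a device whose output is being filtered.
CLI_VIEW = """\
version 15.2
hostname edge-rtr-1
!
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
!
line vty 0 4
 transport input ssh
!
end
"""

# Constructed sample: the same config pulled out of band (startup-config
# from NVRAM, or a TFTP copy).  A rootkit that only hooks CLI output does
# not touch this path, so the hidden statements reappear here.
OOB_VIEW = """\
version 15.2
hostname edge-rtr-1
!
scripting tcl init flash:/.hide.tcl
event manager policy hide.tcl type user
!
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
!
line vty 0 4
 transport input ssh
!
end
"""

# Global config statements that load Tcl code on IOS.  Some shops use EEM
# legitimately, so a hit means "explain this", not "compromised".
TCL_HOOK = re.compile(
    r"^\s*(event manager (policy|applet)\b"
    r"|event manager directory user policy\b"
    r"|scripting tcl\b)"
)


def normalize(config: str) -> list[str]:
    """Drop blank lines, '!' separators and trailing whitespace so that the
    comparison is not thrown off by formatting differences between paths."""
    return [ln.rstrip() for ln in config.splitlines()
            if ln.strip() and ln.strip() != "!"]


def hidden_lines(cli_view: str, oob_view: str) -> list[str]:
    """Lines present in the out-of-band copy but absent from the CLI view.
    Any non-empty result means the two paths disagree about the config."""
    seen_in_cli = set(normalize(cli_view))
    return [ln for ln in normalize(oob_view) if ln not in seen_in_cli]


def tcl_hooks(config: str) -> list[str]:
    """Statements that cause Tcl code to be loaded on the device."""
    return [ln for ln in normalize(config) if TCL_HOOK.match(ln)]


def audit(cli_view: str, oob_view: str) -> dict:
    """Combine both checks into one verdict for a device."""
    hidden = hidden_lines(cli_view, oob_view)
    hooks = tcl_hooks(oob_view)
    return {
        "hidden": hidden,
        "tcl_hooks": hooks,
        # Hidden lines that are also Tcl hooks are the strongest signal.
        "hidden_tcl_hooks": [ln for ln in hidden if TCL_HOOK.match(ln)],
        "suspicious": bool(hidden) or bool(hooks),
    }


if __name__ == "__main__":
    result = audit(CLI_VIEW, OOB_VIEW)
    for key, val in result.items():
        print(f"{key}: {val}")
```

Two caveats. A rootkit that hooks deeper than CLI output can filter the NVRAM and TFTP paths as well, so agreement between views is evidence, not proof; the check that does not depend on the running device's honesty is hashing the IOS image and the contents of flash on a known-good system and comparing against the vendor's published hashes. And EEM is a legitimate feature, so the Tcl-hook list is an inventory to be reconciled against change records rather than an alarm on its own.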