Scott,
Wouldn't that depend on what is being exported? Perhaps it is rooted to
grab the private key, and taps in the Internet intercept/decrypt.
With respect to maintaining equipment: checking image hashes and border
taps is rather routine but not always practiced.
NSA most likely isn't hunting Americans down (besides Snowden... for now),
but it is wasting tons of taxpayer and borrowed dollars to crank this
program up, all at a time when many governments have irresponsibly put
themselves at the brink of bankruptcy. We are continually selling out to
them by having less of a voice. Instances like this will hurt sales and
cost cycles to correct. Ultimately the price will be seen in the long run.
For those living high on the hog with their heads in the sand, it is OK to
ignore it if it makes you feel better. For those in the trenches, wrenching
gear and protecting networks, it is very important, and it is OK to speculate
if it makes your network safe and lets you sleep better at night.
Happy New Year to you as well!
Regards,
On Tuesday, December 31, 2013, Scott Morris wrote:
> Do ya think that you wouldn't also notice a drastic increase in outbound
> traffic to begin with? It's fun to watch all the hype and things like
> that, but to truly sit down and think about what it would actually take
> to make something like this happen, especially on a sustained and
> "unnoticed" basis, is just asinine.
>
> Perhaps more work should be spent maintaining one's own equipment and
> network than debating the chances that the sky may actually be falling or
> the NSA hunting your ass down. ;) Just my two cents for the day!
> Happy New Year!
>
> Scott Morris, CCIEx4 (R&S/ISP-Dial/Security/Service Provider) #4713, CCDE
> #2009::D,
>
> CCNP-Data Center, CCNP-Voice, JNCIE-SP #153, JNCIE-ENT #102, JNCIS-QFX,
> CISSP, et al.
>
> IPv6 Gold Certified Engineer, IPv6 Gold Certified Trainer
>
> CCSI #21903, JNCI-SP, JNCI-ENT, JNCI-QFX
>
> swm_at_emanon.com
>
> Knowledge is power.
>
> Power corrupts.
>
> Study hard and be Eeeeviiiil......
>
> On 12/31/13, 12:15 PM, marc edwards wrote:
>
> Where do you see the image requiring a proper hash to load? Is it in the
> output at boot? Might need to tftp it off and do an integrity check. Also
> worth tapping the border and looking for anomalous behavior.
>
> Irony is... as more developers/engineers ask for systems to be open
> (unrestricted BASH access), it makes hacks on gear easier.
>
> Freedom is slavery
>
> On Monday, December 30, 2013, Travis Niedens wrote:
>
> Um, to compile ASA code that doesn't fail MD5, wouldn't it need to be
> compiled the same way their dev team does? And considering that isn't out
> for the world to play with, to avoid, well, what we see here. Hmm.
>
> --- Original Message ---
>
> From: "Matthew George" < mgeorge_at_geores.net >
> Sent: December 30, 2013 8:43 PM
> To: "'groupstudy'" < ccielab_at_groupstudy.com >
> Subject: RE: JETPLOW
>
> So based on what I've been able to dig up so far, with the help of Google
> of course... It appears that JETPLOW is an implant subroutine installed in
> the firewall's EEPROM (bootrom) via a binary boot file at the point of
> interdiction (intercepting your packages between the distribution center
> and the target customer/OEM). Once the implant has been installed it is
> persistent, meaning it cannot be erased and upgrading the bootrom will not
> affect the subroutine. JETPLOW in and of itself has a persistent backdoor
> capability allowing for remote access, but it does not set up covert
> communications channels (as the NSA likes to call it); that is what
> BANANAGLEE is for.
>
> JETPLOW's sole purpose is to modify the boot process of the Linux kernel
> when the ASA boots to allow for unrestricted root access (aka backdoor),
> which in turn could give those who have the root access the ability to see
> everything, change anything and copy anything without you ever knowing,
> because when you log into the ASA you're actually logging into the LINA
> application, not the Linux CLI under the root user account.
>
> BANANAGLEE is another type of implant that, based on other documents
> released, appears to be a multi-vendor, multi-hardware firmware implant
> that works on Cisco, Juniper, Dell, HP and others for the purpose of
> establishing a communications link with the NSA ROC via ICP (Implant
> Communications Protocol, RC6-encrypted UDP). For those of you who may
> remember, RC6 was a contender for the AES standard.
>
> BANANAGLEE allows for remote updating and installation of other implants,
> including JETPLOW on Cisco, FEEDTHROUGH on Juniper and others, only if
> BANANAGLEE is already on the target firewall (PIX or ASA), which must be
> installed manually. I've not found any evidence showing that BANANAGLEE
> can be installed remotely, but this does not completely rule out the
> possibility that such execution could be done through traditional
> compromising methods. After the target firewall has been infiltrated,
> upload the .bin file to a standby ASA, reboot the standby to install the
> implant (which will delete the bin file once finished) and reboot once
> more to load the ASA software and force a failover from the active to the
> compromised firewall. (speculation)
>
> All this crazy stuff is very interesting, but someone has to be able to
> prove that such firmware implants exist by first finding an ASA that has
> the implants and dumping the EEPROM contents into a BIN file. Think of it
> like a BIOS backup :)
>
> I'm personally not 100% convinced, but if someone comes forward with such
> hard-proof evidence of an EEPROM dump showing the implants, this could
> rattle the tech industry as we know it.
>
> It also appears that these leaks are starting to hit some pretty big news
> sites now as well.
>
> Cisco has already released a statement regarding this information, which
> can be found here:
>
> http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20131229-der-spiegel
>
> -Matt
>
> -----Original Message-----
> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com]
> On Behalf Of marc edwards
> Sent: Monday, December 30, 2013 10:23 PM
> To: Adam Booth
> Cc: Carl Gosselin; Matthew George; groupstudy
> Subject: JETPLOW
>
> Adam,
>
> Nice catch on the published date and fair assessments regarding software.
> Not much out there in the public domain on ZESTYLEAK or BANANAGLEE... I
> would like to know more but am a bit wary of the price that comes with that.
>
> --
> Marc Edwards
> CCIE #38259
>
> Blogs and organic groups at http://www.ccie.net
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
>
--
Marc Edwards
CCIE #38259

Blogs and organic groups at http://www.ccie.net

Received on Tue Dec 31 2013 - 10:29:00 ART
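Marc's suggestion above to tftp the image off the box and check it on a separate host, as an added example that is not from any poster on this thread and not Cisco's tooling: a Python script that records the digests of a trusted copy of an image when it is received, then compares a copy later pulled off the device against that record on the verifying host rather than trusting a hash the device prints at boot. The file names, the filler bytes and the manifest layout are constructed for illustration. The caveat the thread itself raises still applies: this checks the image file on flash, not the bootrom/EEPROM where JETPLOW is described as living, which is why Matt asks for an EEPROM dump.

```python
import hashlib
import hmac
import os
import tempfile

CHUNK = 1 << 20  # read the image in 1 MiB pieces rather than loading it whole


def image_digests(path):
    """Stream a file once through MD5 and SHA-256 on the verifying host.

    MD5 is kept because that is what older vendor download pages list; an
    MD5 match alone is weak evidence (collisions are practical), so the
    SHA-256 value is what the comparison should really rest on.
    """
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return {
        "size": os.path.getsize(path),
        "md5": md5.hexdigest(),
        "sha256": sha256.hexdigest(),
    }


def verify_image(path, expected):
    """Compare a pulled-off image against a recorded manifest entry.

    Returns {"ok": bool, "mismatches": [...], "actual": {...}}.
    Digest strings are compared with hmac.compare_digest so comparison time
    does not depend on how many leading characters matched.
    """
    actual = image_digests(path)
    mismatches = []
    if "size" in expected and actual["size"] != expected["size"]:
        mismatches.append("size")
    for algo in ("md5", "sha256"):
        if algo in expected and not hmac.compare_digest(actual[algo], expected[algo]):
            mismatches.append(algo)
    return {"ok": not mismatches, "mismatches": mismatches, "actual": actual}


def demo():
    """Constructed scenario: a golden image recorded at receipt, then an
    identical copy and a copy with one byte patched, both 'pulled off' later."""
    with tempfile.TemporaryDirectory() as workdir:
        golden = os.path.join(workdir, "asa-golden.bin")        # hypothetical file name
        clean = os.path.join(workdir, "asa-pulled-ok.bin")      # hypothetical file name
        patched = os.path.join(workdir, "asa-pulled-bad.bin")   # hypothetical file name

        data = bytes(range(256)) * 4096  # 1 MiB of constructed filler, not a real image
        with open(golden, "wb") as fh:
            fh.write(data)
        with open(clean, "wb") as fh:
            fh.write(data)
        # Flip a single byte in the middle: a one-byte patch changes every digest
        # while leaving the size untouched, so size alone would not catch it.
        tampered = bytearray(data)
        tampered[len(tampered) // 2] ^= 0x01
        with open(patched, "wb") as fh:
            fh.write(tampered)

        # Manifest recorded on a trusted host at receipt, keyed by image name.
        manifest = {"asa-golden.bin": image_digests(golden)}
        expected = manifest["asa-golden.bin"]
        return {
            "clean": verify_image(clean, expected),
            "patched": verify_image(patched, expected),
        }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "OK" if result["ok"] else "MISMATCH " + ",".join(result["mismatches"]))
```

The point of recording the manifest on a separate host is that a device whose bootrom is suspect is also the wrong place to compute the hash you compare against; the digest in the manifest should come from the vendor's download page or from a copy hashed before the box ever saw it.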
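The border-tap idea raised by Marc and Scott (watch for anomalous or drastically increased outbound traffic from the gear itself), as an added example that is not from anyone on the thread: Python that runs two checks over flow records exported from a tap or flow collector for the firewall's own addresses. The first flags device-originated conversations to any peer not on the device's expected-service inventory; the thread describes the implant channel as RC6-encrypted UDP, so the check keys on destination, protocol and port rather than payload. The second flags a day whose outbound byte total is far above the median of a baseline window. The flow tuples, addresses, ports and byte counts are constructed, and the inventory is hypothetical. Scott's own point is the caveat: an implant paced to stay under the baseline defeats the volume check, which is why the peer inventory is the more useful of the two.

```python
from collections import defaultdict
from statistics import median

# Constructed flow records: (day, src_ip, dst_ip, proto, dst_port, bytes_out).
# Made-up samples for the firewall's outside address, not captures from any device.
FLOWS = [
    # Days 0-2: only the services the firewall is expected to talk to.
    (0, "203.0.113.10", "198.51.100.5", "udp", 123, 1200),    # NTP
    (0, "203.0.113.10", "198.51.100.9", "udp", 514, 40000),   # syslog
    (0, "203.0.113.10", "198.51.100.53", "udp", 53, 300),     # DNS
    (1, "203.0.113.10", "198.51.100.5", "udp", 123, 1200),
    (1, "203.0.113.10", "198.51.100.9", "udp", 514, 42000),
    (1, "203.0.113.10", "198.51.100.53", "udp", 53, 300),
    (2, "203.0.113.10", "198.51.100.5", "udp", 123, 1200),
    (2, "203.0.113.10", "198.51.100.9", "udp", 514, 39000),
    (2, "203.0.113.10", "198.51.100.53", "udp", 53, 300),
    # Day 3: the same, plus a large UDP stream to a host nobody configured.
    (3, "203.0.113.10", "198.51.100.5", "udp", 123, 1200),
    (3, "203.0.113.10", "198.51.100.9", "udp", 514, 41000),
    (3, "203.0.113.10", "198.51.100.53", "udp", 53, 300),
    (3, "203.0.113.10", "192.0.2.77", "udp", 9201, 900000),
    # Transit traffic from an inside host: not the device's own, so ignored below.
    (3, "10.0.0.25", "192.0.2.77", "tcp", 443, 5000000),
]

DEVICE_IPS = {"203.0.113.10"}  # hypothetical: the firewall's own interface addresses

# (dst_ip, proto, dst_port) the device is expected to originate; hypothetical inventory.
EXPECTED_PEERS = {
    ("198.51.100.5", "udp", 123),
    ("198.51.100.9", "udp", 514),
    ("198.51.100.53", "udp", 53),
}


def device_flows(flows, device_ips):
    """Only flows the device itself originated, not traffic passing through it."""
    return [f for f in flows if f[1] in device_ips]


def unexpected_peers(flows, device_ips, expected):
    """Device-originated flows whose (dst, proto, port) is not in the inventory."""
    return [f for f in device_flows(flows, device_ips) if (f[2], f[3], f[4]) not in expected]


def daily_bytes(flows, device_ips):
    """Outbound bytes per day for the device's own flows."""
    totals = defaultdict(int)
    for day, _src, _dst, _proto, _port, nbytes in device_flows(flows, device_ips):
        totals[day] += nbytes
    return dict(totals)


def volume_spikes(flows, device_ips, baseline_days, factor=3.0):
    """Days outside the baseline whose total exceeds factor x the baseline median."""
    totals = daily_bytes(flows, device_ips)
    base = [totals.get(d, 0) for d in baseline_days]
    if not base:
        return []
    threshold = factor * median(base)
    return [(d, t) for d, t in sorted(totals.items())
            if d not in baseline_days and t > threshold]


def report(flows=FLOWS, device_ips=DEVICE_IPS, expected=EXPECTED_PEERS, baseline_days=(0, 1, 2)):
    """Run both checks and return the findings for the caller to alert on."""
    return {
        "unexpected_peers": unexpected_peers(flows, device_ips, expected),
        "volume_spikes": volume_spikes(flows, device_ips, set(baseline_days)),
    }


if __name__ == "__main__":
    for kind, hits in report().items():
        for hit in hits:
            print(kind, hit)
```

Filtering on the device's own source addresses first is what keeps transit traffic (the 5 MB inside-host session to the same external host) out of both checks; a spike in user traffic through the firewall is not evidence about the firewall.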
This archive was generated by hypermail 2.2.0 : Wed Jan 01 2014 - 20:26:19 ART