JETPLOW: NSA Exploit of the Day

Today’s implant from the NSA’s Tailored Access Operations (TAO) group implant catalog:

JETPLOW

(TS//SI//REL) JETPLOW is a firmware persistence implant for Cisco PIX Series and ASA (Adaptive Security Appliance) firewalls. It persists DNT’s BANANAGLEE software implant. JETPLOW also has a persistent back-door capability.

(TS//SI//REL) JETPLOW is a firmware persistence implant for Cisco PIX Series and ASA (Adaptive Security Appliance) firewalls. It persists DNT’s BANANAGLEE software implant and modifies the Cisco firewall’s operating system (OS) at boot time. If BANANAGLEE support is not available for the booting operating system, it can install a Persistent Backdoor (PDB) designed to work with BANANAGLEE’S communications structure, so that full access can be reacquired at a later time. JETPLOW works on Cisco’s 500-series PIX firewalls, as well as most ASA firewalls (5505, 5510, 5520, 5540, 5550).

(TS//SI//REL) A typical JETPLOW deployment on a target firewall with an exfiltration path to the Remote Operations Center (ROC) is shown above. JETPLOW is remotely upgradable and is also remotely installable provided BANANAGLEE is already on the firewall of interest.

Status: (C//REL) Released. Has been widely deployed. Current availability restricted based on OS version (inquire for details).

Unit Cost: $0

Page, with graphics, is here. General information about TAO and the catalog is here.

In the comments, feel free to discuss how the exploit works, how we might detect it, how it has probably been improved since the catalog entry in 2008, and so on.

Posted on January 9, 2014 at 1:02 PM • 51 Comments

Comments

Bob S. January 9, 2014 1:21 PM

Re: ” a firmware persistence implant for Cisco PIX Series and ASA (Adaptive Security Appliance) firewalls.”

Maybe this is a dumb comment, but now that the cat is out of the bag, shouldn’t Cisco fix the firewall and tell people they did?

Jason January 9, 2014 1:29 PM

My guess is that Cisco doesn’t know about it. It is installed on targeted ASAs, not all ASAs. It most likely uses an exploit to get the software installed.

packetlevel January 9, 2014 1:49 PM

This is just the Chinese scenario envisioned by @JohnDVillasenor of UCLA, of hidden code from the makers of all our ASICs. The very small tip of a very large iceberg.

BlackAngel January 9, 2014 4:01 PM

Just made a post on router security (eg, cisco os and will be some of the same issues) and compromise that says my opinion there: https://www.schneier.com/blog/archives/2014/01/security_risks_9.html#c3450022

I worked at a security vendor and helped design a fw system… unfortunately, they will compromise these systems, they will find vulnerabilities. It is an extremely valuable system – obviously – to take.

One avenue of detection and correction is quite simple: ensure you have vulnerability management for your embedded devices on the network, not just end user systems. Check the file versions and size, check the hashes where possible. (Likely this can be compromised if the check is performed on a live system and file apis on the infected system are affected, though one can expect limited – to a degree – sophistication at this time against trivial checks.)

To put another way:
The bad guys have to prevent all checks and currently they have no real enemies with these systems. So they likely do not cover all their obvious detection choices. Companies will be lazy. Governments will be lazy. People do not want to go and suddenly check their infrastructure, even if they do know where everything is.

You could go further and download the binaries on the system. This would mean their trojans would have to discover download of the binaries happening and change out the binary when it happens.

Dead system analysis is always decent, of course. Have a system for connecting to a dead OS version and inspect the binaries in that way.

Kind of like lice removal. Difficult to do. But relatively cheap and mindless. (Not in man hours, at all.)

Secondary, upstream systems could potentially notice the unusual traffic. An upstream sniffer, for instance, could be combined with a temporary on-the-box sniffer, and the results combined to see if there is a rootkit which is changing what the sniffer sees.

Though, they very likely do not yet alter such traffic, which require even more changes. Though discovery of a government surveillance software by an adversary is a Very Bad Thing for those guys, especially something sophisticated. (Whereas, when they simply modify existing Bad Guy code, they have plausible deniability and little loss on discovery.)

(The US can have all their adversaries thank them for writing code they will reverse engineer and send right back at them — or reverse engineer and keep any US stamps on it and send to US enemies with a critical flaw in it… framing them for Bad Things…)

A dead box analysis, of course, would just be hooking it up as an extra drive, for instance, and examining the binaries against a known good sample for changes.

On the wire, upstream, they can have normalized traffic from these systems, (hope you tuned that before they were hacked)… or you could simply sniff everything and make sure you know what every packet is, and what every session is. An automated filter set which does this for you could leave out the needle in the haystack.

You could also test slam the firewalls and similar suspect boxes and then have an upstream sniffer see what is written out. This may help jump the logging and outbound CNC traffic to aid the needle in a haystack search.

Encrypted traffic can be detected against unencrypted traffic by entropy checks, a simple sum of the entropy between each character of data. Encrypted traffic is almost invariably used by malware and it can stand out, just as encrypted binaries can. This can be used also as a filter with a sniffer or a modified sniffer app.

Good idea to have a passive listening system on the wire, in general, whose function is simply to put everything Known in a box, so those needles stand out, wherever they may be… (though the traffic there can get heavy, and the noise from even mobile devices is strong and diverse — good news is, embedded systems will tend to have limited diversity even if there is much flood of legit traffic…)
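A concrete version of the entropy check BlackAngel describes, added here as an example and not code from the post or from any tool it mentions: per-payload Shannon entropy with a minimum-length guard, aggregated per flow so that a device whose outbound bytes are mostly opaque stands out. Thresholds, addresses and payloads are constructed for the example, and since compressed or TLS traffic scores just as high, the output is a list to review, not proof of an implant.

```python
import hashlib
import math
from collections import Counter, defaultdict

# Thresholds are assumptions for this example, not values from the post.
MIN_PAYLOAD_LEN = 256    # below this, per-byte entropy is capped by log2(len) and means little
HIGH_ENTROPY_BITS = 7.2  # per-byte entropy at or above this is treated as opaque (encrypted/compressed)


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte: 0.0 for empty or
    single-valued input, 8.0 for a perfectly uniform byte distribution."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_payload(data: bytes) -> tuple:
    """Label one payload 'too-short', 'opaque' or 'structured', returned with its entropy."""
    h = shannon_entropy(data)
    if len(data) < MIN_PAYLOAD_LEN:
        return "too-short", h
    return ("opaque" if h >= HIGH_ENTROPY_BITS else "structured"), h


def opaque_flows(records, min_opaque_ratio: float = 0.5) -> dict:
    """Aggregate (src, dst, payload) records per flow and return {(src, dst): ratio}
    for flows whose share of opaque payload bytes is at least min_opaque_ratio.
    Payloads too short to judge count toward neither side."""
    totals = defaultdict(lambda: [0, 0])  # flow -> [opaque_bytes, classified_bytes]
    for src, dst, payload in records:
        label, _ = classify_payload(payload)
        if label == "too-short":
            continue
        totals[(src, dst)][1] += len(payload)
        if label == "opaque":
            totals[(src, dst)][0] += len(payload)
    return {flow: o / t for flow, (o, t) in totals.items() if t and o / t >= min_opaque_ratio}


def constructed_opaque_bytes(n: int, seed: bytes = b"constructed-sample") -> bytes:
    """Deterministic stand-in for an encrypted blob: chained SHA-256 output.
    Constructed sample data, not captured traffic."""
    out = bytearray()
    i = 0
    while len(out) < n:
        out += hashlib.sha256(seed + i.to_bytes(4, "big")).digest()
        i += 1
    return bytes(out[:n])


# Constructed sample payloads: a plaintext HTTP request and a syslog line repeated
# to a realistic size, plus an opaque blob standing in for an encrypted beacon.
HTTP_PAYLOAD = (b"GET /index.html HTTP/1.1\r\nHost: intranet.example\r\n"
                b"User-Agent: Mozilla/5.0\r\nAccept: text/html\r\n\r\n") * 8
SYSLOG_PAYLOAD = (b"<134>Jan  9 13:02:11 fw01 built outbound TCP connection "
                  b"for outside:203.0.113.5/443 to inside:10.0.0.7/51234\n") * 6
OPAQUE_PAYLOAD = constructed_opaque_bytes(2048)

# Constructed records as an upstream sniffer might hand them over; 10.0.0.1 plays the firewall.
SAMPLE_RECORDS = [
    ("10.0.0.7", "10.0.0.20", HTTP_PAYLOAD),
    ("10.0.0.1", "10.0.0.50", SYSLOG_PAYLOAD),
    ("10.0.0.1", "198.51.100.9", OPAQUE_PAYLOAD),  # firewall talking opaque bytes to an unknown host
    ("10.0.0.1", "198.51.100.9", b"ACK"),          # too short to judge, ignored
]

if __name__ == "__main__":
    for src, dst, payload in SAMPLE_RECORDS:
        label, h = classify_payload(payload)
        print(f"{src} -> {dst}: {label} ({h:.2f} bits/byte, {len(payload)} bytes)")
    print("flows to review:", opaque_flows(SAMPLE_RECORDS))
```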

Bruce Schneier January 9, 2014 4:28 PM

“I vote “BANANAGLEE” the best codename ever.”

I want to see the random codename generation system that spits these things out.

pointless_hack January 9, 2014 4:43 PM

What’s the superficial argument for the application of this (NSA) “TAO” stuff?

Is it: Cisco sells well reputed good security routers to bad Russian, Chinese and Iranian companies, then sniffs only stolen US Corporate IP NOT foreign innovations and improvements, and prosecutes these IP theft and Copyright infringement/violations as individual incidents in World Court at the Hague?

or: are American companies supposed to get the password from NSA for use as needed?

OK. Forget the vain attempt at humor: what possible justification IS there? Gossipy old women and satanic Mafia would have more justification for such behavior.

(@James: excellent use of the passive voice)

Nick P January 9, 2014 4:52 PM

@ Bruce Schneier

Haha. From what I reverse engineered they generated the dictionary from NSA geek suggestions that Alexander personally approved. Then, each codeword is chosen via output of a Dual_EC_DRBG seeded by Intel TRNG with NSA bit set to 1 by an undocumented instruction.

pointless_hack January 9, 2014 5:14 PM

On point about installations: Maverick installs, or offline updates appear to be a limited security improvement. …not a convenience improvement.

In re firmware exploits. Have ROM’s and PROM’s gotten big enough to hold a small OS? The Atari 520ST (Ebay) and the Apple IIe both had a lot on a PROM type firmware.

Why do we upgrade firmware? Many HW installations never add functionality – P(oint)O(f)S(ale) devices and Cash registers are examples. How important is the upgrade/security trade-off?

These questions may not help Cisco Routers specifically. For these specifically, a LIVE CD of Ubuntu has a built in feature to check hashes. Given due diligence from developers, a similar check might assist the HALLUXWATER/JETPLOW problems.

I wrote these two articles outright:
http://65535sec.com/2013/04/13/antivirus-hashes-improved-a-feasible-protocol/
http://65535sec.com/2013/04/09/live-cds-can-harden-router-configuration/
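The hash check pointless_hack mentions, carried into the dead-box comparison BlackAngel described earlier in the thread, as an added example that is not code from either commenter or from Cisco: it assumes the images were read from a powered-off device or downloaded on a trusted host, uses SHA-256 rather than MD5, and the manifest, file name and image bytes are constructed for the example.

```python
import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of an image read from a powered-off device or a vendor download."""
    return hashlib.sha256(data).hexdigest()


def matches_manifest(image: bytes, manifest: dict, name: str) -> bool:
    """True if the image's hash equals the manifest entry for `name`.
    The manifest maps file name -> SHA-256 hex, built from vendor images on a trusted host."""
    expected = manifest.get(name)
    return expected is not None and hmac.compare_digest(sha256_hex(image), expected)


def differing_regions(good: bytes, suspect: bytes, chunk: int = 4096, merge_gap: int = 16) -> list:
    """Byte-compare two images and return [(offset, length), ...] for the regions where
    `suspect` departs from `good`. Identical chunks are skipped without a byte loop,
    neighbouring regions closer than merge_gap are merged, and a length mismatch is
    reported as one trailing region."""
    n = min(len(good), len(suspect))
    regions = []
    start = None
    for base in range(0, n, chunk):
        end = min(base + chunk, n)
        if good[base:end] == suspect[base:end]:  # identical chunk: close any open region
            if start is not None:
                regions.append([start, base - start])
                start = None
            continue
        for i in range(base, end):
            if good[i] != suspect[i]:
                if start is None:
                    start = i
            elif start is not None:
                regions.append([start, i - start])
                start = None
    if start is not None:
        regions.append([start, n - start])
    if len(good) != len(suspect):  # one image is truncated or padded
        regions.append([n, abs(len(good) - len(suspect))])
    merged = []
    for off, length in regions:
        if merged and off - (merged[-1][0] + merged[-1][1]) <= merge_gap:
            merged[-1][1] = off + length - merged[-1][0]
        else:
            merged.append([off, length])
    return [(off, length) for off, length in merged]


def report(good: bytes, suspect: bytes, manifest: dict, name: str) -> dict:
    """Summary a dead-box check would produce for one image: manifest match plus
    the regions to hand to a reverse engineer when it does not match."""
    return {
        "hash_ok": matches_manifest(suspect, manifest, name),
        "regions": differing_regions(good, suspect),
    }


# Constructed sample: an 8 KiB "known-good" image and a copy with two small patches.
GOOD_IMAGE = bytes(range(256)) * 32
_patched = bytearray(GOOD_IMAGE)
_patched[1000:1010] = bytes(b ^ 0xFF for b in _patched[1000:1010])
_patched[6000:6004] = bytes(b ^ 0xFF for b in _patched[6000:6004])
SUSPECT_IMAGE = bytes(_patched)
MANIFEST = {"example-image.bin": sha256_hex(GOOD_IMAGE)}  # constructed from the good copy

if __name__ == "__main__":
    print(report(GOOD_IMAGE, SUSPECT_IMAGE, MANIFEST, "example-image.bin"))
```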

A-Team January 9, 2014 5:45 PM

Bob S wonders, “now that the cat is out of the bag, shouldn’t Cisco fix the firewall and tell people they did?”

Bob, not a dumb question at all, that is one of the many great enduring mysteries in this field: the months go by but nobody reports any malware, nobody removes any state hacks, nobody fixes any vulns, nobody sues anybody, nobody has the answer even when they’re given the answer.

Now that the cat is out of the bag, shouldn’t Brazil yank the cable splitter on their sovereign ground at Fortaleza and tell users they did?
Now that the cat is out of the bag, shouldn’t Germany seize the Einstein/Castanet RF illuminators on the roofs of the US, Canadian and British embassies?
Now that the cat is out of the bag, shouldn’t Orange file their threatened lawsuit over the SEA-ME-WE4 data theft?
Now that the cat is out of the bag, shouldn’t Google give us an explanation of where and how the Level Three data theft occurred?
Now that the cat is out of the bag, shouldn’t Apple tell us all the ways TAO has been hacking the iOS and if they’re still ongoing?
Now that the cat is out of the bag, shouldn’t more than 8 of 24,000 attendees to RSA security conf be cancelling?

Many stories from Der Spiegel over the last eight months; all talkie talk, minimal docs. Suddenly the epochal batch we’re looking at now. Pointedly not attributed to Snowden. Following hard upon the German delegation getting the middle finger from Ft. Meade when they asked for Five Eyes no-spy status. Der Spiegel is, shall we say, close to the German government. So blowback maybe happening, but back channel, not how you might think.

Note here BananaGlee is not ANT 3222 code, it’s out of another office S323 (DNT, Data Network Technologies). We saw that before with FeedTrough persisting ZestyLeak, code managed by S31 CES Cryptanalysis and Exploitation Services. NSA has over 500 divisions in its organizational chart. Then there’s the FBI installing BlackHeart, the private sector selling Pwnie Express firewall penetration ‘dual purpose’ to all comers, and so forth. And how many pages from this ANT catalogue have been released: all of it, or 49 out of 490?

The holy grail of leaks would be something from the NSRL (National SIGINT Requirements List), there are some 2,000 NSRL pending, the 36,000 pages of contracts that Gen. Alexander calls the crown jewels.

NSA does not freelance. To cover their b*tts, they do nothing on their own initiative, instead responding solely to these onerous NSRL demands placed on them by customers (other agencies). Not one page has been released to date from the National SIGINT Requirements List. Unless it be JETPLOW and FeedTrough.

Brian M. January 9, 2014 5:46 PM

@Bruce Schneier:
I want to see the random codename generation system that spits these things out.

You realize it’s written in BASIC and based on a random insult generator from a book of 100 fun projects published in the late 1970s, right?

wheels.within January 9, 2014 6:02 PM

@pointless hack “what possible justification IS there?”

That’s the big question everyone wants to know the answer to.

What could motivate such an epic scale subversion of the Constitution?

That there is a deeper culture within NSA is hinted at by the requirement that access to BULLRUN required special “indoctrination”. In other words, brainwashing or some sort of religious conversion.

Secret Police January 9, 2014 7:07 PM

I would assume they have updated these backdoors to no longer manipulate the bootloader and instead live inside the proprietary NIC firmware. They would have more than ample space to launch a small dhcp client, forge packets or intercept, corrupt physical memory through DMA, and would be completely unnoticed considering OS would never see this firmware running on the NIC.

I would also assume they are fully taking advantage of modern GPU hidden backdoors, considering the following:

  • the execution of GPU code, and transfer of data between device and host do not require admin privs so it will always run regardless of what the host system privilege settings are.

  • it can be statically linked with the CUDA library in a standalone hidden file that never touches the operating system, so is invisible.

  • due to massive parallel arch of modern GPUs this allows the NSA to encrypt their malware so nobody can tell what it is even if they reverse engineer the GPU code and find it.

  • there are zero tools to detect GPU malware that I know of. GPU memory is not shared with the CPU so encrypted malware can reside there undetected.

  • run-time polymorphism: malware GPU code can be re-encrypted with a new random key causing malware to constantly mutate in completely random ways that would be difficult to detect even if you dumped the GPU memory on a regular basis.

  • GPU NSA code can easily access the screen framebuffer, and broadcast a live link of whatever somebody is doing or clandestinely take images whenever a selector is hit like an email or bank login

  • Clever GPU NSA malware could overwrite the screen output replacing your address bar with something else, or present an “enter decryption password” phony screen in order to trick you into a phishing attack or bypassing SSL/TLS yet making it appear that everything is fine.

Argh.... January 9, 2014 9:33 PM

And I was just about to pull the trigger on an order of 16 of the Cisco 5500’s this week. Now what? How the heck do I know if it is already compromised?

Clockmaker January 9, 2014 10:32 PM

@A-Team

That was one of the most fact-filled and most informative post i’ve read all week. Thanks!!

@wheels.within and others that are asking why??

Yes, we hear echoes to the Cointelpro program of the 60s and 70s … as well as King George’s General Warrants to the Colonies … and the Star Chamber of 15th century England.

Because – whatever governments may say – mass surveillance is always used to crush dissent. Spying is also aimed at keeping politicians in check. And it is clear that the government is using its massive spy programs in order to track those who question government policies. See this:

http://www.zerohedge.com/contributed/2014-01-09/500-years-history-shows-mass-spying-always-aimed-crushing-dissent

Jim K January 10, 2014 12:29 AM

I note a unit cost nil. That would imply that for some techniques they have to pay a licence fee to someone.

Wonder how that DRM system works?

P. January 10, 2014 2:31 AM

@pointless, wheels.within

The justification is very simple and straight forward… After 9/11 the US government passed the order: “never again..”. Translate this to intelligence language and you get the NSA in its current form…

Noname January 10, 2014 3:12 AM

After this, how will Cisco be able to assure customers that their firmware is non-tampered by NSA?

Cap'n O January 10, 2014 4:18 AM

@Jim K
some NSA spying things have bespoke or COTS hardware components that cost money to manufacture, hence the non-zero unit cost.

v January 10, 2014 5:30 AM

@A-Team – Exactly the questions we should all be asking. Thank you for pointing it out so succinctly.

Snarki, child of Loki January 10, 2014 6:18 AM

“why isn’t Cisco patching/fixing their compromised systems?”

WHAT? You think they want to go to all the trouble and expense of rolling out fixes to customers that will NEVER EVER buy their products AGAIN, and also to give all that sweet, secret cash BACK to the NSA?

Unpossible!

So-so January 10, 2014 6:59 AM

I can’t help but wonder at the “widely deployed” phrasing.

Given that some still claim the spying is “targeted”, and that this one single thing is already “widely deployed”, it seems that any targeting must be hunting shotgun style.

65535 January 10, 2014 7:41 AM

Given Cisco’s large market share I have to assume the NSA and other Three Letter Agencies have every communication interdiction point owned and recorded. This must be Mass Surveillance. There is no other way to describe it.

Also, I find it difficult to believe Cisco or Cisco’s top employees did not know of such exploits. Cisco’s firewalls are there to provide security – which they did not! Cisco is either extremely incompetent/negligent or extremely complicit (or both)!

On a higher level why hasn’t Obama made good on his 2008 campaign promises and curtailed the NSA’s mass spying? Is there an ulterior motive? I am very disappointed with him!

@ Bob S

“now that the cat is out of the bag, shouldn’t Cisco fix the firewall and tell people they did?”

You would think so. But, I suspect a big PR firm will handle flack.

@ James
“The fact that these details got released was used against Snowden on NPR…”

I guess the NSA’s PR firm got to NPR.

@ BlackAngel

“One avenue of detection and correction is quite simple: ensure you have vulnerability management for your embedded devices on the network..”

That was a helpful post.

What’s the cost to find the bugs? What’s the cost of wiping the bugs from the firmware after detection v. junking the equipment?

@ pointless hack

“…what possible justification IS there?”

None – except for the same old and dilapidated “National Security” tag line.

@ wheels.within

“What could motivate such an epic scale subversion of the Constitution?”

Money and power – not to mention a huge appetite for large budgets and perks.

@ Brandon Perry

“Not sure how one would dump the firmware of the PIX or ASA, but here are PIX firmware bins. Couldn’t you md5sum your firmware dump vs what is available on this page?”

That is a very good question.

@ Secret Police

“I would assume they have updated these backdoors to no longer manipulate the bootloader and instead live inside the proprietary NIC firmware… due to massive parallel arch of modern GPUs this allows the NSA to encrypt their malware so nobody can tell what it is even if they reverse engineer the GPU code and find it… GPU NSA code can easily access the screen framebuffer, and broadcast a live link of whatever somebody is doing or clandestinely take images whenever a selector is hit like an email or bank login…”

That is a good assumption.

@ Argh

“How the heck do I know if it is already compromised?”

I don’t know. I would not trust Cisco’s answer.

@ Clockmaker

“…whatever governments may say – mass surveillance is always used to crush dissent. Spying is also aimed at keeping politicians in check.”

It looks that way. I wonder how far political stuff has gone.

@ Noname

“After this, how will Cisco be able to assure customers that their firmware is non-tampered by NSA?”

Huge discounts on their new products?

@ v

“@A-Team – Exactly the questions we should all be asking. Thank you for pointing it out so succinctly.”

I agree.

Argh January 10, 2014 10:09 AM

At this point I would not know what to buy. Just because Cisco has been identified, it would be rather naive to assume that other manufacturers had not been compromised. I am starting to feel a bit like how I imagine people felt in the old Soviet Union/East Germany/Romania/… – you are being watched and there is not a thing you can do about it, so just press on with life. Every manufacturer will deny it (the reps would have no idea anyway) and you have no way to know if the hardware is compromised. Great. It’s just boring company stuff I am trying to protect – not deep dark secrets, but just the same….

Bobby January 10, 2014 10:17 AM

One curious fact is that the new ASA series – the 5500-X series – is multi-core (2-8 cores depending on model), yet a number of cores (half or more) are not available to the firewall (neither use nor inspection), but remain “reserved for IPS”. This holds regardless of whether the IPS functionality is in use or not. The same goes for memory – half is unavailable. These resources cannot be re-allocated.

herman January 10, 2014 11:25 AM

@argh: It depends on who you are representing. If you are running a mom and pop shop, then no worries, but if you are running a foreign government facility, then find a different vendor.

herman January 10, 2014 11:31 AM

@argh: “it’s just boring company stuff I am trying to protect”. In that case, I would partition and encrypt.

Encryption only protects data at rest, so you got to partition things such that only a minimum of data is live and connected.

Also, it is very easy to build your own routers and firewalls using industrial computers and Linux – they just end up a bit bigger than the ready built stuff. A combination of strange and diverse hardware with an obscure Linux distribution is sure to make life more difficult for an attacker.

David January 10, 2014 12:36 PM

“Also, it is very easy to build your own routers and firewalls using industrial computers and Linux – they just end up a bit bigger than the ready built stuff. A combination of strange and diverse hardware with an obscure Linux distribution is sure to make life more difficult for an attacker.”

(Bolding mine.)

Probably the best add-on suggestion with respect to using Open Source software there is. I notice that most of the vulnerabilities discussed so far in this series already use a form of OSS–BSD is popular–even though the companies have made the software their own.

If the vulnerabilities are geared towards specific hardware/software combinations (and they probably are), then this is a good way to raise the expense of the attack. As others have pointed out, there are only a few hardware manufacturers, and if everyone jumps on the same software bandwagon (regardless of which one), then the bad guys can put together a menu of vulnerabilities pretty quickly. That would shorten the development cycles pretty quickly.

Changing up the configuration, though, is not a long term solution. Between the economics of coming up with a “strange brew” for a firewall product and the risks of continued manufacture and support, it’s doubtful that major vendors like Cisco and Juniper will ever go along.

jMerton January 10, 2014 1:06 PM

Bad news everyone:
According to a friend in telecom, this Cisco “back door” is actually promoted as a FEATURE by Cisco. This nullifies many previous comments about Cisco being underhanded and “not protecting their customers.” The general principle probably applies to every router sold. Assume that all routers have back door chip sets. In a nut shell, what this does is packet subversion: any packet can be (1) killed (2) modified, or (3) simply sent on its way. It is “persistent” because it comes that way. It is not installed, but rather activated. Note the “cost” of the exploit: $zero and zero cents. It is called JetPlow because spooks need spook slang for chatting around the water cooler.

BlackAngel January 10, 2014 7:55 PM

@65535
“One avenue of detection and correction is quite simple: ensure you have vulnerability management for your embedded devices on the network..”
That was a helpful post.
What’s the cost to find the bugs? What’s the cost of wiping the bugs from the firmware after detection v. junking the equipment?

🙂

That is a good question!

A discovered surveillance point is a gold mine for disinformation purposes. In many cases it would be best to leave it in place and perform an extremely quiet damage assessment.

Like cockroaches, where there is one bug there will tend to be more. Evidence of such attention paid to you may mean you have other points of compromise.

Any sort of noise in this activity would ruin any disinformation efforts.

If you have no value from a disinformation effort, then you might consider destroying the system though a complete wipe (flash/format) should do the job. There is no absolute guarantee they may not get back on. It depends on the box and the vulnerability they had against it.

BlackAngel January 11, 2014 4:00 PM

@Argh
At this point I would not know what to buy. Just because Cisco has been identified, it would be rather naive to assume that other manufacturers had not been compromised. I am starting to feel a bit like how I imagine people felt in the old Soviet Union/East Germany/Romania/… – you are being watched and there is not a thing you can do about it, so just press on with life. Every manufacturer will deny it (the reps would have no idea anyway) and you have no way to know if the hardware is compromised. Great. It’s just boring company stuff I am trying to protect – not deep dark secrets, but just the same….

No small part of my job is in finding security vulnerabilities, and while that is not my primary focus at my current job it has been in the past. Likewise, I know a lot of people who find security bugs for a living.

I assure you there are almost no systems in which a security bug will not be found, and no one is more aggressive in looking than governments.

In the US, in particular, I am very aware of many jobs in this industry having cropped up where researchers are well paid just to do this, and create new tech. There is also always the ability to sell bugs to the government through a wide variety of agents, where the bug seller need not ever personally deal with the government.

A step down from the black market, but a far step up from more legitimate places of selling bugs. Which pay a pittance, if at all.

I do not think people well understand just what sort of damage a seasoned bug finder can do. And these are being effectively trained by the government.

(Granted, at least, creating undetectable malware is a different area of speciality, as is hacking. Though not so alien that they are difficult to combine.)

Almost never have I or my peers gone, “I will find a remote, exploitable bug in a product” and failed.

Jon January 12, 2014 5:18 AM

Strictly speaking, “JETPLOW” could refer to a USSR-developed gadget where to clear snow off airport runways they basically put a jet engine atop a tank chassis to make one of the kings of the snowblower world.

However, I got nothing on “BANANAGLEE” except maybe a pornographic film from the 70’s now only available on Betamax videotapes?

Jon

PS – And it’s truly lousy opsec to have your code names refer to anything. They should very much be randomly generated. J.

lorenzo January 13, 2014 5:51 AM

We do realise that a backdoor in a border router means active injection of packets, right?

For example, unless it’s SSL traffic, a router could inject 0-day code in javascript when the user is viewing certain webpages.

Of course there are ways around SSL, too, but that’s not relevant to this post.

On a side note, does this status mean “it’s installed by default in CISCO routers”? “Status: (C//REL) Released. Has been widely deployed. Current availability restricted based on OS version (inquire for details). Unit Cost: $0”

65535 January 13, 2014 6:09 AM

@ BlackAngel

“…There is no absolute guarantee they may not get back on. It depends on the box and the vulnerability they had against it.”

That doesn’t sound good. The Jetplow seems to be a hardware root kit coupled with a software virus. How do you eradicate both? If the root kit is implanted during shipping or at the factory you are hosed.

Woo January 13, 2014 6:37 AM

@David Cook: Thanks for the laugh! 🙂
“… STELLARACID, a surveillance satellite that indefinitely stores foreign embassies.”
I wonder how’d that get up there…

Steve January 13, 2014 3:34 PM

The first thing I noticed about the Der Spiegel article is that these are all OLD exploits (5+ years). Most chipsets used would be on new designs and there has been ample time for them to refine and generalize their exploits to more flexible and generic processes. If they were working directly with Intel, AMD, Broadcom, ARM, and FPGA vendors then there’s no chance that there’s a non-exploitable device remaining on the market. While most employees would probably accept compartmentalization within a large organization I think that far fewer people would willingly participate if they understood the scope. For that reason I don’t think there are probably too many people who would be aware of it if there were complicity or direct cooperation.

Using the information they have today they can probably run profiles against likely whistleblowers, potential recruits, and reduce the overall risk of someone outing information. More disturbingly they can also likely apply pressure to people they consider compromised.

Reciprocally however you could likely tell if any particular company was involved based on how highly compartmentalized internal design documentation or processes on a given product is. I think we need to find ways to encourage corporate leakers and find ways to incentivize reporting on how business is done internally.

JETPLOW reminds me of IRATEMONK in that it manipulates storage media and supplants the legitimate OS with a compromised version. What a lame and uncreative approach. If they haven’t come out with something better than this by now I would eat my white hat. The real evolution of this class of exploits would be with hypervisors and openstack. I think most of Cisco’s newer routers (NXOS) use linux, intel x86 and modular network ASICs.

Nick P January 13, 2014 3:54 PM

@ Steve

” I think we need to find ways to encourage corporate leakers and find ways to incentivize reporting on how business is done internally. ”

Tim May’s BLACKNET? 🙂

Steve January 13, 2014 4:15 PM

@ Nick P

Actually I think that’s precisely the wrong approach. We need to enable transparency and trust, not rely on financial motives.

What I’m saying is that you can trust most groups of 10k people. You don’t want to have to trust 10 individuals.

Nick P January 13, 2014 7:31 PM

@ Steve

How do you expect to enable transparency and trust here? Remember that anything you do must work with the strong market and political forces rather than against it. Here’s a few of them:

  1. Chip makers keep improving stuff but nobody sees how their processes really work. And they certainly won’t tell us and barrier to entry is astronomically high.
  2. People making commercial chips and software won’t risk losing money by openness.
  3. Businesses in general have to be opaque to maximize profits. Exception is certain information to potential investors and customers.
  4. The patent system of the US means that openness increases one’s risk of a dirty, big player (or troll) taking out/over the business. This is especially true in hardware.

Points 3 and 4 make transparency a no-go from the beginning unless it’s some small project unlikely to sell much. Part 2 is almost our entire software and systems industry. I don’t see Congress passing laws to get rid of that part of the GDP esp after consulting with their trustworthy lobbyists. And the chip makers haven’t changed a bit over time except in the amount of competition (lower).

So, the system is unlikely to change. The opposition would be huge. So, the solution would need to allow transparency and accountability in legal systems designed to allow opaque operation occupied by companies preferring opaque operation. Blacknet, joke or not, can work in such an environment. Most solutions can’t.

I’m all ears if you have an idea that fits in the constraints without requiring subterfuge or financial incentives.

Steve January 13, 2014 10:29 PM

While that may have been directed at my comments, I don’t think the best ideas around this will probably come from me. I’m curious what others here think.

The only comment I’ll make directly is that most companies are driven by profit. If corporations no longer trust that security products protect them in the ways advertised, or if individuals no longer believe that services provide security, then there will be a huge market shift in what security products are designed to do.

It’s my opinion that you have to counter or change anything. Enabling whatever motivates whistle blowers is more than sufficient because I don’t think anyone in the security industry really thinks these sorts of things make us safer.

BlackAngel January 15, 2014 8:59 PM

@65535

@ BlackAngel
“…There is no absolute guarantee they may not get back on. It depends on the box and the vulnerability they had against it.”
That doesn’t sound good. The Jetplow seems to be a hardware root kit coupled with a software virus. How do you eradicate both? If the root kit is implanted during shipping or at the factory you are hosed.

I think they are suffering quite a bit here as their primary adversaries have counterintelligence who would utilize these discovered siphons back on them for false intelligence. And would likely lead them to later technology not disclosed by Snowden.

That can sound trifling, but it is not at all difficult to get someone’s attention if you know who they are. And if they believe they are listening in secret, and having worked for that information, it is the one surveilling who is at a distinct disadvantage.

They would believe this kind of intelligence more than if someone said some false information publicly.

There is complete deniability for the party engaging in this manner of ruse, as well.

This does not work so well for individuals. Good example is an Englishman in South America in the 19th century who suspected his letters were being read. He put in some fake incriminating information and went to jail for it.

But it works great for larger entities. 🙂 :-/

JL August 18, 2016 10:07 AM

Step 1 – set a persistent presence on a security device with a Tier-1 vendor/producer, preferably a chip bakery. Maybe have a consultancy company influence to have it integrated with an AAA system so attacking specific users becomes a breeze. Even when working from home.

Step 2a – Inject partial non-functional parts of code into the products. Validate a number of discovered attack vectors are left out of scope. Later, one may deliver a puzzle-piece to the product triggering the code fragments to connect and execute. It may even be injected into a product update so nothing suspicious is happening at any time.

Step 2b – Dope that chip at a very late stage

Step 3 – dump somewhat older exploits to detract the attention

Yawn
