Entries Tagged "firewall"

Page 2 of 3

HALLUXWATER: NSA Exploit of the Day

Today’s implant from the NSA’s Tailored Access Operations (TAO) group implant catalog:


(TS//SI//REL) The HALLUXWATER Persistence Back Door implant is installed on a target Huawei Eudemon firewall as a boot ROM upgrade. When the target reboots, the PBD installer software will find the needed patch points and install the back door in the inbound packet processing routine.

Once installed, HALLUXWATER communicates with an NSA operator via the TURBOPANDA Insertion Tool (PIT), giving the operator covert access to read and write memory, execute an address, or execute a packet.

HALLUXWATER provides a persistence capability on the Eudemon 200, 500, and 1000 series firewalls. The HALLUXWATER back door survives OS upgrades and automatic bootROM upgrades.

Status: (U//FOUO) On the shelf, and has been deployed.

Page, with graphics, is here. General information about TAO and the catalog is here.

In the comments, feel free to discuss how the exploit works, how we might detect it, how it has probably been improved since the catalog entry in 2008, and so on.

This one is a big deal politically. For years we have been telling the Chinese not to install hardware back doors into Hauwei switches. Meanwhile, we have been doing exactly that. I wouldn’t want to have been the State Department employee to receive that phone call.

Posted on January 8, 2014 at 1:48 PMView Comments

GOURMETTROUGH: NSA Exploit of the Day

Continuing our walk through the NSA’s Tailored Access Operations (TAO) group implant catalog:


(TS//SI//REL) GOURMETTROUGH is a user configurable implant for certain Juniper firewalls. It persists DNT’s BANANAGLEE implant across reboots and OS upgrades. For some platforms, it supports a minimal implant with beaconing for OS’s unsupported by BANANAGLEE.

(TS//SI//REL) For supported platforms, DNT may configure without ANT involvement. Except for limited platforms, they may also configure PBD for minimal implant in the case where an OS unsupported by BANANAGLEE is booted.

Status: GOURMETTROUGH is on the shelf and has been deployed on many target platforms. It supports nsg5t, ns50, ns25, isg1000(limited). Soon- ssg140, ssg5, ssg20

Unit Cost: $0

Page, with graphics, is here. General information about TAO and the catalog is here.

In the comments, feel free to discuss how the exploit works, how we might detect it, how it has probably been improved since the catalog entry in 2008, and so on. It’s interesting how many of these implants are designed to allow other implants to survive attempts to remove them.

I think it’s important to discuss these implants individually. Because the whole catalog was released at once, it’s easy to focus on the catalog as a whole instead of the individual implants. Blogging them once per day brings back focus.

Posted on January 7, 2014 at 1:16 PMView Comments

FEEDTROUGH: NSA Exploit of the Day

Today’s item from the NSA’s Tailored Access Operations (TAO) group implant catalog:


(TS//SI//REL) FEEDTROUGH is a persistence technique for two software implants, DNT’s BANANAGLEE and CES’s ZESTYLEAK used against Juniper Netscreen firewalls.

(TS//SI//REL) FEEDTROUGH can be used to persist two implants, ZESTYLEAK and/or BANANAGLEE across reboots and software upgrades on known and covered OS’s for the following Netscreen firewalls, ns5xt, ns25, ns50, ns200, ns500 and ISG 1000. There is no direct communication to or from FEEDTROUGH, but if present, the BANANAGLEE implant can receive and transmit covert channel comms, and for certain platforms, BANANAGLEE can also update FEEDTROUGH. FEEDTROUGH however can only persist OS’s included in its databases. Therefore this is best employed with known OS’s and if a new OS comes out, then the customer would need to add this OS to the FEEDTROUGH database for that particular firewall.

(TS//SI//REL) FEEDTROUGH operates every time the particular Juniper firewall boots. The first hook takes it to the code which checks to see if the OS is in the database, if it is, then a chain of events ensures the installation of either one or both implants. Otherwise the firewall boots normally. If the OS is one modified by DNT, it is not recognized, which gives the customer freedom to field new software.

Status: (S//SI//REL) FEEDTROUGH has on the shelf solutions for all of the listed platforms. It has been deployed on many target platforms.

Page, with graphics, is here. General information about TAO and the catalog is here.

In the comments, feel free to discuss how the exploit works, how we might detect it, how it has probably been improved since the catalog entry in 2008, and so on.

The plan is to post one of these a day for the next couple of months.

Posted on January 6, 2014 at 1:28 PMView Comments

Skype Security Flaw

Just announced:

The researchers found several properties of Skype that can track not only users’ locations over time, but also their peer-to-peer (P2P) file-sharing activity, according to a summary of the findings on the NYU-Poly web site. Earlier this year, a German researcher found a cross-site scripting flaw in Skype that could allow someone to change an account password without the user’s consent.

“Even when a user blocks callers or connects from behind a Network Address Translation (NAT) ­– a common type of firewall ­– it does not prevent the privacy risk,” according to a release from NYU-Poly.

The research team tracked the Skype accounts of about 20 volunteers as well as 10,000 random users over a two-week period and found that callers using VoIP systems can obtain the IP address of another user when establishing a call with that person. The caller can then use commercial geo-IP mapping services to determine the other user’s location and Internet Service Provider (ISP).

The user can also initiate a Skype call, block some packets and quickly terminate the call to obtain an unsuspecting person’s IP address without alerting them with ringing or pop-up windows. Users do not need to be on a contact list, and it can be done even when a user explicitly configures Skype to block calls from non-contacts.

Posted on December 7, 2011 at 12:49 PMView Comments

Chinese National Firewall Isn't All that Effective

Interesting research:

The study, carried out by graduate student Earl Barr and colleagues in the computer science department of UC Davis and the University of New Mexico, exploited the workings of the Chinese firewall to investigate its effectiveness.

Unlike many other nations Chinese authorities do not simply block webpages that discuss banned subjects such as the Tiananmen Square massacre.

Instead the technology deployed by the Chinese government scans data flowing across its section of the net for banned words or web addresses.

When the filtering system spots a banned term it sends instructions to the source server and destination PC to stop the flow of data.

Mr Barr and colleagues manipulated this to see how far inside China’s net, messages containing banned terms could reach before the shut down instructions were sent.

The team used words taken from the Chinese version of Wikipedia to load the data streams then despatched into China’s network. If a data stream was stopped a technique known as “latent semantic analysis” was used to find related words to see if they too were blocked.

The researchers found that the blocking did not happen at the edge of China’s network but often was done when the packets of loaded data had penetrated deep inside.

Blocked were terms related to the Falun Gong movement, Tiananmen Square protest groups, Nazi Germany and democracy.

On about 28% of the paths into China’s net tested by the researchers, blocking failed altogether suggesting that web users would browse unencumbered at least some of the time.

Filtering and blocking was “particularly erratic” when lots of China’s web users were online, said the researchers.

Another article.

Posted on September 14, 2007 at 7:52 AMView Comments

U.S. Navy Patents Firewall

At least, that’s what it sounds like to me:

In a communication system having a plurality of networks, a method of achieving network separation between first and second networks is described. First and second networks with respective first and second degrees of trust are defined, the first degree of trust being higher than the second degree of trust. Communication between the first and second networks is enabled via a network interface system having a protocol stack, the protocol stack implemented by the network interface system in an application layer. Data communication from the second network to the first network is enabled while data communication from the first network to the second network is minimized.

Posted on July 7, 2006 at 7:06 AMView Comments

Ignoring the "Great Firewall of China"

Richard Clayton is presenting a paper (blog post here) that discusses how to defeat China’s national firewall:

…the keyword detection is not actually being done in large routers on the borders of the Chinese networks, but in nearby subsidiary machines. When these machines detect the keyword, they do not actually prevent the packet containing the keyword from passing through the main router (this would be horribly complicated to achieve and still allow the router to run at the necessary speed). Instead, these subsiduary machines generate a series of TCP reset packets, which are sent to each end of the connection. When the resets arrive, the end-points assume they are genuine requests from the other end to close the connection — and obey. Hence the censorship occurs.

However, because the original packets are passed through the firewall unscathed, if both of the endpoints were to completely ignore the firewall’s reset packets, then the connection will proceed unhindered! We’ve done some real experiments on this — and it works just fine!! Think of it as the Harry Potter approach to the Great Firewall — just shut your eyes and walk onto Platform 9¾.

Ignoring resets is trivial to achieve by applying simple firewall rules… and has no significant effect on ordinary working. If you want to be a little more clever you can examine the hop count (TTL) in the reset packets and determine whether the values are consistent with them arriving from the far end, or if the value indicates they have come from the intervening censorship device. We would argue that there is much to commend examining TTL values when considering defences against denial-of-service attacks using reset packets. Having operating system vendors provide this new functionality as standard would also be of practical use because Chinese citizens would not need to run special firewall-busting code (which the authorities might attempt to outlaw) but just off-the-shelf software (which they would necessarily tolerate).

Posted on June 27, 2006 at 1:13 PMView Comments

Sidebar photo of Bruce Schneier by Joe MacInnis.