[j-nsp] juniper hack news
Hugo Slabbert
hugo at slabnet.com
Mon Dec 28 16:27:30 EST 2015
On Sun 2015-Dec-27 03:46:48 +0000, Scott Granados <scott at granados-llc.net> wrote:
>So I wonder about your statements about the governments. I would tend to
>agree and trust me there’s little about the scumbags in Washington (or
>insert your nation's capital here) that would surprise me but I’m not
>convinced. There’s been a ton of bellyaching at least in the US and
>probably globally about strong cryptography. For example here in the US
>the folks in jackboots are trying to convince us that strong cryptography
>was used in the Paris attacks and if we could only break the cyphers the
>world would be a safer place. Maybe if we send all our snail mail on post
>cards as well. But this bellyaching makes me think they aren’t nearly as
>good at this signals thing as we’re led to believe. So while I have
>heard of hacks before and it is absolutely within the realm of
>possibility the NSA or whoever has backdoors in everything but if they
>did would they cry so much about being able to get in the middle and do
>what spooks do? Or is this complaining a false cover and they are so
>intertwined and back door hacked into everything it doesn’t matter and
>they want to create a false sense to throw off potential baddies?
I think an important factor here is that the current political
"Cryptopocalypse" talk around crypto is not *just* about "strong
cryptography" but more about end-to-end encryption schemes that leverage
strong crypto. Compromising Internet infrastructure points (or appliances
that handle crypto for a large number of users, e.g. this ScreenOS issue)
results in a large amount of successfully compromised traffic per
compromised host/vector, as the traffic of dozens, thousands, or millions
of users may flow through those points. Basically: there is good ROI on
your exploit work.

The "problem" (from the perspectives of those wanting to eavesdrop) with
e2e is that getting in the middle somewhere doesn't get you the cleartext
anymore. So, rather than being able to compromise ScreenOS or Junos or
IOS/-XE/-XR and then getting a nice spigot of data from that, you need to
do any of:

1) compromise the private keys of the specific users you are targeting and
still pick up their traffic through existing taps of Internet transit
traffic
2) compromise whatever myriad software/solutions are being used for e2e
encryption by the targeted users, get the targeted users to use the
compromised version of those applications/solutions, and still pick up
their traffic through existing taps of Internet transit traffic
3) compromise the hosts/devices of the targeted users to get on-host,
cleartext copies of the data post-decryption

That's a *lot* more work than being able to tap reams of data in flight on
a specific nexus point and makes dragnet surveillance *much* less feasible
as the time and costs involved would grow significantly.

Just my 2c.
>This is something I’ve been very curious about and the Government’s
>ability to collect this intelligence fascinates me. I also wonder, if in
>fact this was in the ScreenOS source code does that mean that an agency or
>2 has plants in Juniper? I think something similar to this happened with
>a company producing SIM cards and a plant on the inside was able to gather
>information enabling the cards to be compromised by the NSA. Wonder how
>far this is spread and how many vendors.
>
>Excuse me while I go fashion a hat out of tin foil and stock up on canned
>goods.:)
>
>Thank you
>Scott
>
--
Hugo
hugo at slabnet.com: email, xmpp/jabber
PGP fingerprint (B178313E):
CF18 15FA 9FE4 0CD1 2319 1D77 9AB1 0FFD B178 313E
(also on textsecure & redphone)