On Thu, Mar 13, 2014 at 11:13 AM, Jason Iannone <jason.iannone@gmail.com> wrote:

And remain undetected? That's a nontrivial task and one that I would suspect generates interesting CPU or other resource utilization anomalies. It's a pretty high risk activity. The best we can hope for is someone discovering the exploit and publicly dissecting it.

See, the standard defense for all this is to lock down the cert fingerprints of your real destination to prevent cert games. Then add in DNSSEC [1] and even IPSEC [1] to make sure things all match up. That does make things much harder. Problem still lies where your adversary has stolen or co-op'd the PK of your dest cert, and rigged the routing path to route-map your applicable src/dest/port IP tuples to residing off their private port in the local (to you or your dest) DC. Right???

From which they proceed to bugger you through their transparent proxy to the real dest. It's not a bulk tool as that might tip off some non-moled-out-cert-group network groupie at the dest site that a lot of users come from some IP. And it's definitely for 'high value only' given the work/risk. But still... PKI-WOT bidirectional security between you and your dest of global bgp advert/nexthop routing infrastructure anyone? Everyone seems to trust the network to route... and even then [1]. [1] Similarly stolen/co-op'd as need be.

pg This is relatively easy for home routers, since the self-signed certs they're configured with are frequently CA certs. In other words they ship from the factory in a MITM-ready state.

On Thu, Mar 13, 2014 at 8:50 AM, Greg Rose <ggr@seer-grog.net> wrote:

...

You get the routers to create valid-looking certificates for the endpoints, to mount man-in-the-middle attacks.

On Mar 13, 2014, at 6:28 , Jason Iannone <jason.iannone@gmail.com> wrote:

...

The First Look article is light on details so I don't know how one gets from "infect[ing] large-scale network routers" to "perform[ing] “exploitation attacks” against data that is sent through a Virtual Private Network." I'd like to better understand that.

On Thu, Mar 13, 2014 at 7:22 AM, Jeffrey Walton <noloader@gmail.com> wrote: On Thu, Mar 13, 2014 at 9:17 AM, Jason Iannone <jason.iannone@gmail.com> wrote:

...

Are there details regarding Hammerstein? Are they actually breaking routers? Cisco makes regular appearances on Bugtraq an Full Disclosure. Pound for pound, there's probably more exploits for Cisco gear than Linux and Windows combined.

Jeff

...

On Thu, Mar 13, 2014 at 2:40 AM, Jeffrey Walton <noloader@gmail.com> wrote:

...

On Thu, Mar 13, 2014 at 1:57 AM, coderman <coderman@gmail.com> wrote:

...

https://s3.amazonaws.com/s3.documentcloud.org/documents/1076891/there-is-mor...

"TAO implants were deployed via QUANTUMINSERT to targets that were un-exploitable by _any_ other means."

And Schneier's Guardian article on the Quantum and FoxAcid systems:

http://www.theguardian.com/world/2013/oct/04/tor-attacks-nsa-users-online-an....