NS&AT&T

coderman coderman at gmail.com
Wed May 17 21:35:10 PDT 2006


On 5/17/06, Tyler Durden <camera_lumina at hotmail.com> wrote:
> ...
> Well, how out of band? Do you mean the management VPN (or whatever) doesn't
> travel with the actual grabbed traffic? (Frankly, this would be my first
> candidate.)

i was thinking three scenarios:
1. backhaul is a dedicated link (SONET?*) with encryption at this
layer and control/management out of band.

2. backhaul and control/mgmt on the dedicated link (SONET?*) with
encryption at this layer, no IPsec.

3. backhaul and control/mgmt on the dedicated link using IPsec for
both. (least likely perhaps)

the nature of SONET would make encryption at this layer tricky i think
(L2/L3?) although the NSA is fond of authentication and privacy at the
link layer.  if a desire to leverage commercial solutions (narus,
cisco, juniper, etc) won out would a strongly keyed IPsec be
sufficient?  no ISAKMP/IKE here, heh.


> Of course, they could do it via SONET overhead bytes, thus
> avoiding the flakiness and vulnerability that routers and switches still seem
> to have.

covert channels for backhaul?  nah, that would still be too visible.
especially if/when a customer puts link testing equipment on the line
and sees something funny. SONET doesn't give you a lot of play room.


> One wonders too if they do anything with SS7.

not for this.  capturing SS7 would be useful and is surely performed though...


> Of course, they could have a dedicated fiber for their management LAN, but
> due to latency issues &c I would suspect that can't be a LAN all the way
> across the country...

why not?  most of these SONET/[D]WDM links are long haul anyway.  it's
not a single repeated fiber, but hops along backbone peering points
like everything else.

also casts an interesting light on the new super NSA warehouse planned
for Denver, CO, doesn't it?  nice place to position tap aggregation...


> Anyone know what telecom vendor NSA uses?

AT&T, Verizon and Sprint for sure.  probably lease fiber (through some
obfuscated shell company / other agency configuration?) from all of
them to some degree, including the transoceanic cable oligopolies.

one way to find out:
- perform your own non-interruptive tap on the fibers exiting $telco
via infiltration of outside plant conduit.  (so easy, lol)
- using test equipment see what SONET link(s) are full of blackened
traffic. you could use AS no's or BGP/SS7 characteristics to identify
legitimate circuits and highlight the blackened ones via elimination.
- ask Sean Gorman or GeoTEL MetroFiber which provider sold out that
particular circuit/fiber/route.

something tells me this is beyond the means of your average hacker.
FOIA requests it is then...  *grin*

for the record: i'm not advocating illegal intrusions; this is a
mental exercise. :)

[ i'm not too paranoid about visits from MIBs but mapping critical
information infrastructure is definitely one way to attract attention.
maybe i'll talk more about that later... ]