Bigzizzzle
Premium Member
join:2005-01-27
Beverly Hills, CA

[Info] Detection and Removal of TAO handiwork

Anyone work for companies suspicious of this clever handiwork?

I haven't read the book by that guy yet. Anyone? Implant a hardware mod or software?

Detectable via some traffic analyzer?

»arstechnica.com/tech-pol ··· implant/
HELLFIRE
MVM
join:2009-11-25

HELLFIRE to Bigzizzzle

Re: [Info] Detection and Removal of TAO handiwork

To some extent, I mentioned this back in this thread

Beyond "implant a beacon," there's precisely SFA information beyond that, so you could speculate till the sun goes nova and get nowhere.

My 00000010bits

Regards

Bigzizzzle
Premium Member
join:2005-01-27
Beverly Hills, CA

Guess folks are too scared to go over this one.

Odd coincidence: my HDD on the computer I wrote this on died the next day.

Conspiracy.... Booo

Feel free to lock it if you want, Forum Admin god or NSA analyst looking at my porn share.
aryoba
MVM
join:2002-08-22

aryoba to Bigzizzzle
said by Bigzizzzle:

Detectable via some traffic analyzer?

»arstechnica.com/tech-pol ··· implant/

It seemed that they injected some code into ROMMON-related firmware. I suspect this code then sends some packets out to some external IP address.

If that were the case, then simple security monitoring (IDS/IPS) and a traffic analyzer ought to be able to detect it. Any destination (and source) IP address that is considered questionable ought to be logged and then denied access as necessary.
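One way to do the kind of monitoring aryoba describes, added here as an example and not code from the thread or from any poster: a small Python script that groups outbound flows by (source, destination, port) and reports any destination not on an allowlist that a device contacts at near-constant intervals, which is what a firmware beacon looks like in flow data. The flow records, the allowlist, the router address 10.0.0.1 and the external host 203.0.113.77 are all constructed for the example.

```python
"""
Periodic-beacon detector over NetFlow-style records (added example, not from
the thread). Flows are grouped by (src, dst, dport); a group that recurs at
nearly constant intervals to a destination off the allowlist is reported.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flows: (epoch_seconds, src_ip, dst_ip, dst_port, bytes).
# 10.0.0.1 is the router's own management address; 203.0.113.77 (TEST-NET-3)
# is a made-up external host standing in for an unexplained destination.
SAMPLE_FLOWS = [
    # router -> unexpected host, every ~300 s with a few seconds of jitter
    (1000, "10.0.0.1", "203.0.113.77", 443, 1420),
    (1301, "10.0.0.1", "203.0.113.77", 443, 1418),
    (1599, "10.0.0.1", "203.0.113.77", 443, 1422),
    (1902, "10.0.0.1", "203.0.113.77", 443, 1419),
    (2200, "10.0.0.1", "203.0.113.77", 443, 1421),
    # router -> its configured NTP server: also periodic, but expected
    (1024, "10.0.0.1", "192.0.2.10", 123, 76),
    (2048, "10.0.0.1", "192.0.2.10", 123, 76),
    (3072, "10.0.0.1", "192.0.2.10", 123, 76),
    (4096, "10.0.0.1", "192.0.2.10", 123, 76),
    # a workstation browsing the same site: irregular timing, not a beacon
    (1010, "10.0.0.55", "198.51.100.20", 443, 53120),
    (1017, "10.0.0.55", "198.51.100.20", 443, 2200),
    (1190, "10.0.0.55", "198.51.100.20", 443, 80450),
    (1205, "10.0.0.55", "198.51.100.20", 443, 1300),
    (2900, "10.0.0.55", "198.51.100.20", 443, 4400),
]

# Destinations the devices are expected to talk to (assumed for this example).
ALLOWLIST = {("192.0.2.10", 123)}  # the NTP server


def find_beacons(flows, min_flows=4, max_cv=0.10, allowlist=ALLOWLIST):
    """Return [(src, dst, dport, flow_count, mean_interval)] for suspected beacons.

    A (src, dst, dport) group is reported when it has at least `min_flows`
    flows to a destination off the allowlist and its inter-arrival times are
    regular: coefficient of variation (stdev / mean) at most `max_cv`.
    """
    groups = defaultdict(list)
    for ts, src, dst, dport, _size in flows:
        if (dst, dport) in allowlist:
            continue
        groups[(src, dst, dport)].append(ts)

    findings = []
    for (src, dst, dport), stamps in groups.items():
        if len(stamps) < min_flows:
            continue
        stamps.sort()
        gaps = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            findings.append((src, dst, dport, len(stamps), avg))
    return findings


if __name__ == "__main__":
    for src, dst, dport, n, interval in find_beacons(SAMPLE_FLOWS):
        print(f"suspected beacon: {src} -> {dst}:{dport}, "
              f"{n} flows every ~{interval:.0f}s")
```

The tap has to sit on a mirror port or upstream of the device: a router whose firmware has been modified cannot be trusted to export flow records about its own traffic. The thresholds (four flows, 10% jitter) are starting points to tune against real traffic, and an allowlist that is too broad hides exactly the periodic management traffic an implant would imitate.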
aryoba to Bigzizzzle
said by Bigzizzzle:

Implant a hardware mod or software?

»arstechnica.com/tech-pol ··· implant/

If there is an additional hardware module, then visual inspection should reveal it. You can raise a TAC case to see if your hardware is per Cisco specification or not.
markysharkey
Premium Member
join:2012-12-20
united kingd

markysharkey to Bigzizzzle
Or a simpler explanation may be that Big Zizzle isn't yet finished with his downer on Cisco...
cramer
Premium Member
join:2007-04-10
Raleigh, NC

cramer to aryoba
A lot of Cisco's hardware has read-only ROMMON, with an upgrade area. They'd have to open the case to change the read-only section, and that's soldered to the board these days.

Monitoring won't catch anything if the device is the edge of your network. How many people have T1 or T3 sniffers? (very few, and they never get left in a single spot.)

A hardware alteration would go unnoticed in 99.9% of cases, as few people open the device when it arrives. Do you crack the case of every router and switch going through your multi-national corporation?
aryoba
MVM
join:2002-08-22

said by cramer:

A lot of Cisco's hardware has read-only ROMMON, with an upgrade area. They'd have to open the case to change the read-only section, and that's soldered to the board these days.

As I recall, there was a priv ROMMON command that will let you enter the privileged (R/W) mode. Though the Cisco website does not have any details of what privileged ROMMON mode can do, I'm sure hackers with an assembly language background can figure things out.
said by cramer:

Monitoring won't catch anything if the device is the edge of your network. How many people have T1 or T3 sniffers? (very few, and they never get left in a single spot.)

Due to this NSA hack incident, perhaps people should start to monitor their edge devices.
said by cramer:

A hardware alteration would go unnoticed in 99.9% of cases, as few people open the device when it arrives. Do you crack the case of every router and switch going through your multi-national corporation?

I personally have a habit of cracking open any new hardware coming in, especially those I have never dealt with, just to see what it is that is under the hood. Perhaps this habit has to become procedure due to this hack incident.
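A complementary check for the ROMMON/IOS side of the exchange above, added here as an example and not something from the thread: parse what a router reports in `show version` and `verify /md5` and compare it with an inventory baseline recorded when the device was commissioned. The output excerpts, the hostname rtr-edge-1, the version strings and the MD5 digest are all constructed for the example.

```python
"""
Baseline check of reported ROMMON version and system image hash (added
example, not from the thread). Parses constructed `show version` and
`verify /md5` output and compares it with an inventory baseline.
"""
import re

# Constructed excerpt of `show version` output; hostname and versions made up.
SHOW_VERSION = """\
Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.2(4)M3, RELEASE SOFTWARE (fc2)
ROM: System Bootstrap, Version 15.0(1r)M15, RELEASE SOFTWARE (fc1)
rtr-edge-1 uptime is 3 weeks, 2 days, 4 hours, 12 minutes
System image file is "flash0:c2900-universalk9-mz.SPA.152-4.M3.bin"
"""

# Constructed `verify /md5 flash0:...` result line; the digest is made up.
VERIFY_OUTPUT = """\
verify /md5 (flash0:c2900-universalk9-mz.SPA.152-4.M3.bin) = 0123456789abcdef0123456789abcdef
"""

# Inventory baseline captured at commissioning (assumed for this example).
BASELINE = {
    "rtr-edge-1": {
        "rommon": "15.0(1r)M15",
        "image": "flash0:c2900-universalk9-mz.SPA.152-4.M3.bin",
        "image_md5": "0123456789abcdef0123456789abcdef",
    }
}

RE_ROMMON = re.compile(r"^ROM: System Bootstrap, Version (\S+),", re.M)
RE_IMAGE = re.compile(r'^System image file is "([^"]+)"', re.M)
RE_HOST = re.compile(r"^(\S+) uptime is", re.M)
RE_MD5 = re.compile(r"^verify /md5 \(([^)]+)\) = ([0-9a-fA-F]{32})", re.M)


def parse_show_version(text):
    """Pull hostname, bootstrap (ROMMON) version and boot image path."""
    host, rommon, image = RE_HOST.search(text), RE_ROMMON.search(text), RE_IMAGE.search(text)
    return {
        "hostname": host.group(1) if host else None,
        "rommon": rommon.group(1) if rommon else None,
        "image": image.group(1) if image else None,
    }


def parse_verify_md5(text):
    """Return (file_path, lowercase_md5) from a verify /md5 result line."""
    m = RE_MD5.search(text)
    return (m.group(1), m.group(2).lower()) if m else (None, None)


def check_device(show_version_text, verify_text, baseline):
    """Return a list of discrepancies against the baseline; empty means all matched."""
    facts = parse_show_version(show_version_text)
    path, digest = parse_verify_md5(verify_text)
    expected = baseline.get(facts["hostname"])
    if expected is None:
        return [f"{facts['hostname']}: no baseline entry"]
    problems = []
    if facts["rommon"] != expected["rommon"]:
        problems.append(f"ROMMON {facts['rommon']!r} != baseline {expected['rommon']!r}")
    if facts["image"] != expected["image"]:
        problems.append(f"boot image {facts['image']!r} != baseline {expected['image']!r}")
    if path != facts["image"]:
        problems.append(f"verified file {path!r} is not the running image {facts['image']!r}")
    if digest != expected["image_md5"]:
        problems.append(f"image MD5 {digest} != baseline {expected['image_md5']}")
    return problems


if __name__ == "__main__":
    issues = check_device(SHOW_VERSION, VERIFY_OUTPUT, BASELINE)
    print("clean" if not issues else "\n".join(issues))
```

`verify /md5` hashes the file on flash, so the digest is best compared with the checksum Cisco publishes for that image rather than only with a locally recorded value. A ROMMON that has itself been altered can report whatever version string it likes, so this is a consistency check that catches clumsy changes, not proof of a clean device; that is why the hardware and traffic checks in this thread still matter.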

Bigzizzzle
Premium Member
join:2005-01-27
Beverly Hills, CA

Bigzizzzle to markysharkey

said by markysharkey:

Or a simpler explanation is may be that Big Zizzle isn't yet finished with his downer on Cisco...

You know me all too well...