Re: lawful intercept/IOS at BlackHat DC, bypassing and recommendations

2010-02-08 Thread Valdis . Kletnieks
On Thu, 04 Feb 2010 15:04:22 PST, andrew.wallace said:
> On Thu, Feb 4, 2010 at 8:19 PM, Gadi Evron g...@linuxbox.org wrote:
>> That peer-review is the basic purpose of my Blackhat talk and the
>> associated paper. I plan to review Cisco’s architecture for lawful
>> intercept
>
> Gadi Evron has absolutely no connection to this research whatsoever.

For the benefit of those who just fell out of a tree - anytime a conference
paper abstract says "review", it's pretty certain that the presentation won't
be cutting 0-day technical stuff, but a *review* of stuff that half of us
already know, for the benefit of getting the other half up to speed.

Also - note that the skillset needed to be a cutting-edge researcher is *very*
different from the one needed to actually present a good review talk and have
the information retained by the audience. (I've done overview presentations.
It's definitely not easy to make the points "You should be doing X, Y, and Z,
and here's why you should invest the time and effort to do so".)

> He is famous in the security community for piggybacking off other people's
> research.

You apparently fail to understand that making other people's research well
known in the community is an important role.  Would we be more secure, or
less secure, if somebody did the research, but then nobody told the owners
of all that Cisco gear about it? (Hint: "pwned router" is never a good
day for the network provider)

Or would we as a community be more safe, or less safe, if <trollbait>SANS
didn't do security training courses</trollbait>?

> Andrew
>
> Security consultant

Is that what you're calling yourself these days?


Re: lawful intercept/IOS at BlackHat DC, bypassing and recommendations

2010-02-08 Thread andrew.wallace
On Mon, Feb 8, 2010 at 6:37 PM,  valdis.kletni...@vt.edu wrote:
> You apparently fail to understand that making other people's research well
> known in the community is an important role.  Would we be more secure, or
> less secure, if somebody did the research, but then nobody told the owners
> of all that Cisco gear about it? (Hint: "pwned router" is never a good
> day for the network provider)
>
> Or would we as a community be more safe, or less safe, if <trollbait>SANS
> didn't do security training courses</trollbait>?
>
>> Andrew
>>
>> Security consultant
>
> Is that what you're calling yourself these days?

They cater mostly for the public sector. Doing a SANS course does not make you
*SAFE*; it just means you have an understanding of current trends and are able to
take mitigation. It is not a sure-shot way to be secure; you need to have years
of hands-on experience in security.

You can't walk out of SANS courses and be a security professional; you need to
have a lot more than that.

I started Cyber Security from my basement back in 1999 as an 18-year-old. I am
now 29 years old and am doing independent security consultancy work here in the
UK for multiple global vendors.

I have various titles and skills: security researcher, ethical hacker, security
consultant. Any of them can be used, as those are the qualifications I've
achieved over the years. It's not unusual in the security community for one
person to fall into more than one category or be qualified to undertake more
than one role.

Kind regards,

Andrew

Security Consultant

Re: lawful intercept/IOS at BlackHat DC, bypassing and recommendations

2010-02-05 Thread andrew.wallace
- Original Message 

From: Brian Keefer ch...@smtps.net
To: NANOG list nanog@nanog.org
Cc: a.harrow...@gmail.com; andrew.wallace andrew.wall...@rocketmail.com
Sent: Fri, 5 February, 2010 1:55:58
Subject: Re: lawful intercept/IOS at BlackHat DC, bypassing and recommendations

>>> Andrew
>>>
>>> Security consultant
>>
>> CITATION NEEDED
>
> You can go to the Full-disclosure mailing list
> http://www.grok.org.uk/full-disclosure/ ...
>
> Andrew
>
> Security consultant

For clarity and transparency you were banned from that list for trolling 
under the persona n3td3v.

--
bk

n3td3v isn't a persona; it's my username and the name of the security
intelligence group I am the founder of.

If you do think I am a troll, I will happily discuss with you off-list what part
of me you think is a troll, because I have never trolled; I am a deadly
serious person.

I will happily arrange a meeting with you so we can discuss this further.

Andrew

Security consultant


Re: lawful intercept/IOS at BlackHat DC, bypassing and recommendations

2010-02-05 Thread Mark Smith
On Thu, 4 Feb 2010 16:47:47 -0600
Jorge Amodio jmamo...@gmail.com wrote:

> I'm totally ignorant (most of the time), is anybody actually using SNMPv3 ?
>

I worked with an IPsec VPN product around 10 years ago that used SNMPv3
for automated provisioning of the tunnels.

> Regards
>



lawful intercept/IOS at BlackHat DC, bypassing and recommendations

2010-02-04 Thread Gadi Evron
That peer-review is the basic purpose of my Blackhat talk and the 
associated paper. I plan to review Cisco’s architecture for lawful 
intercept and explain the approach a bad guy would take to getting 
access without authorization. I’ll identify several aspects of the 
design and implementation of the Lawful Intercept (LI) and Simple 
Network Management Protocol Version 3 (SNMPv3) protocols that can be 
exploited to gain access to the interface, and provide recommendations 
for mitigating those vulnerabilities in design, implementation, and 
deployment.


More here:
http://blogs.iss.net/archive/blackhatlitalk.html

Gadi.



--
Gadi Evron,
g...@linuxbox.org.

Blog: http://gevron.livejournal.com/



Re: lawful intercept/IOS at BlackHat DC, bypassing and recommendations

2010-02-04 Thread Christopher Morrow
On Thu, Feb 4, 2010 at 3:19 PM, Gadi Evron g...@linuxbox.org wrote:

> That peer-review is the basic purpose of my Blackhat talk and the associated
> paper. I plan to review Cisco’s architecture for lawful intercept and explain
> the approach a bad guy would take to getting access without authorization.
> I’ll identify several aspects of the design and implementation of the Lawful
> Intercept (LI) and Simple Network Management Protocol Version 3 (SNMPv3)
> protocols that can be exploited to gain access to the interface, and provide
> recommendations for mitigating those vulnerabilities in design,
> implementation, and deployment.


this seems like much more work than matt blaze's work that said: "Just
send more than 10mbps toward what you want to sneak around... the
LEA's pipe is saturated so nothing of use gets to them"

http://www.crypto.com/blog/calea_weaknesses/

Also, cisco publishes the fact that their intercept caps out at 15kpps
per line card, so... just keep a steady 15kpps and roll on.

-chris



Re: lawful intercept/IOS at BlackHat DC, bypassing and recommendations

2010-02-04 Thread Christopher Morrow
(of course for any LEA that really cares they'll just order a physical
tap, and provision things properly)



Re: lawful intercept/IOS at BlackHat DC, bypassing and recommendations

2010-02-04 Thread Tony Varriale
Would you mind passing along a source/link on the 15kpps?  I haven't seen 
that number yet.


tv
- Original Message - 
From: Christopher Morrow morrowc.li...@gmail.com

To: Gadi Evron g...@linuxbox.org
Cc: NANOG nanog@nanog.org
Sent: Thursday, February 04, 2010 2:27 PM
Subject: Re: lawful intercept/IOS at BlackHat DC, bypassing and 
recommendations



On Thu, Feb 4, 2010 at 3:19 PM, Gadi Evron g...@linuxbox.org wrote:


That peer-review is the basic purpose of my Blackhat talk and the 
associated paper. I plan to review Cisco’s architecture for lawful 
intercept and explain the approach a bad guy would take to getting access 
without authorization. I’ll identify several aspects of the design and 
implementation of the Lawful Intercept (LI) and Simple Network Management 
Protocol Version 3 (SNMPv3) protocols that can be exploited to gain access 
to the interface, and provide recommendations for mitigating those 
vulnerabilities in design, implementation, and deployment.



this seems like much more work than matt blaze's work that said: "Just
send more than 10mbps toward what you want to sneak around... the
LEA's pipe is saturated so nothing of use gets to them"

http://www.crypto.com/blog/calea_weaknesses/

Also, cisco publishes the fact that their intercept caps out at 15kpps
per line card, so... just keep a steady 15kpps and roll on.

-chris




Re: lawful intercept/IOS at BlackHat DC, bypassing and recommendations

2010-02-04 Thread Crist Clark
> On 2/4/2010 at 12:27 PM, Christopher Morrow morrowc.li...@gmail.com wrote:
> On Thu, Feb 4, 2010 at 3:19 PM, Gadi Evron g...@linuxbox.org wrote:
>
>> That peer-review is the basic purpose of my Blackhat talk and the associated
>> paper. I plan to review Cisco’s architecture for lawful intercept and explain
>> the approach a bad guy would take to getting access without authorization.
>> I’ll identify several aspects of the design and implementation of the Lawful
>> Intercept (LI) and Simple Network Management Protocol Version 3 (SNMPv3)
>> protocols that can be exploited to gain access to the interface, and provide
>> recommendations for mitigating those vulnerabilities in design,
>> implementation, and deployment.
>
>
> this seems like much more work than matt blaze's work that said: "Just
> send more than 10mbps toward what you want to sneak around... the
> LEA's pipe is saturated so nothing of use gets to them"

The Cross/XForce/IBM talk appears more to be about unauthorized
access to communications via LI rather than evading them,

  ...there is a risk that [LI tools] could be hijacked by third
   parties and used to perform surveillance without authorization.

Of course, this has already happened,

  http://en.wikipedia.org/wiki/Greek_telephone_tapping_case_2004-2005



Re: lawful intercept/IOS at BlackHat DC, bypassing and recommendations

2010-02-04 Thread Christopher Morrow
On Thu, Feb 4, 2010 at 5:26 PM, Crist Clark crist.cl...@globalstar.com wrote:

>> this seems like much more work than matt blaze's work that said: "Just
>> send more than 10mbps toward what you want to sneak around... the
>> LEA's pipe is saturated so nothing of use gets to them"
>
> The Cross/XForce/IBM talk appears more to be about unauthorized
> access to communications via LI rather than evading them,
>
>   ...there is a risk that [LI tools] could be hijacked by third
>    parties and used to perform surveillance without authorization.
>
> Of course, this has already happened,

right... plus the management (for cisco) is via snmp(v3), from
(mostly) windows servers as the mediation devices (sad)...  and the
traffic is simply tunneled from device -> mediation -> lea, not
necessarily IPSEC'd from mediation -> LEA, and udp-encapped from
device -> mediation server.

>   http://en.wikipedia.org/wiki/Greek_telephone_tapping_case_2004-2005

yea, good times... that's really just re-use of the normal LEA hooks
in all telco phone switch gear though... not 'calea features' in
particular.

-chris



Re: lawful intercept/IOS at BlackHat DC, bypassing and recommendations

2010-02-04 Thread Jorge Amodio
I'm totally ignorant (most of the time), is anybody actually using SNMPv3 ?

Regards



Re: lawful intercept/IOS at BlackHat DC, bypassing and recommendations

2010-02-04 Thread Steven Bellovin

On Feb 4, 2010, at 5:42 PM, Christopher Morrow wrote:

> On Thu, Feb 4, 2010 at 5:26 PM, Crist Clark crist.cl...@globalstar.com
> wrote:
>
>>> this seems like much more work than matt blaze's work that said: "Just
>>> send more than 10mbps toward what you want to sneak around... the
>>> LEA's pipe is saturated so nothing of use gets to them"
>>
>> The Cross/XForce/IBM talk appears more to be about unauthorized
>> access to communications via LI rather than evading them,
>>
>>   ...there is a risk that [LI tools] could be hijacked by third
>>    parties and used to perform surveillance without authorization.
>>
>> Of course, this has already happened,
>
> right... plus the management (for cisco) is via snmp(v3), from
> (mostly) windows servers as the mediation devices (sad)...  and the
> traffic is simply tunneled from device -> mediation -> lea, not
> necessarily IPSEC'd from mediation -> LEA, and udp-encapped from
> device -> mediation server.
>
>>   http://en.wikipedia.org/wiki/Greek_telephone_tapping_case_2004-2005
>
> yea, good times... that's really just re-use of the normal LEA hooks
> in all telco phone switch gear though... not 'calea features' in
> particular.

There's a difference?  CALEA is just the US government profile of the generic
international concept of lawful intercept.

I recommend http://www.spectrum.ieee.org/jul07/5280 (linked to from the 
Wikipedia article) as a very good reference on what is and isn't known.

--Steve Bellovin, http://www.cs.columbia.edu/~smb


Re: lawful intercept/IOS at BlackHat DC, bypassing and recommendations

2010-02-04 Thread andrew.wallace
On Thu, Feb 4, 2010 at 8:19 PM, Gadi Evron g...@linuxbox.org wrote:
> That peer-review is the basic purpose of my Blackhat talk and the
> associated paper. I plan to review Cisco’s architecture for lawful intercept
> and explain the approach a bad guy would take to getting access without
> authorization. I’ll identify several aspects of the design and
> implementation of the Lawful Intercept (LI) and Simple Network Management
> Protocol Version 3 (SNMPv3) protocols that can be exploited to gain access
> to the interface, and provide recommendations for mitigating those
> vulnerabilities in design, implementation, and deployment.
>
> More here:
> http://blogs.iss.net/archive/blackhatlitalk.html
>
> Gadi.

For the sake of clarity and transparency, 

Gadi Evron has absolutely no connection to this research whatsoever. 

He is famous in the security community for piggybacking off other people's
research.

We are frustrated with him as much as we are annoyed.

Andrew

Security consultant


Re: lawful intercept/IOS at BlackHat DC, bypassing and recommendations

2010-02-04 Thread a . harrowell


-original message-
Subject: Re: lawful intercept/IOS at BlackHat DC, bypassing and recommendations
From: andrew.wallace andrew.wall...@rocketmail.com
Date: 04/02/2010 11:09 pm

On Thu, Feb 4, 2010 at 8:19 PM, Gadi Evron g...@linuxbox.org wrote:
> That peer-review is the basic purpose of my Blackhat talk and the
> associated paper. I plan to review Cisco’s architecture for lawful intercept
> and explain the approach a bad guy would take to getting access without
> authorization. I’ll identify several aspects of the design and
> implementation of the Lawful Intercept (LI) and Simple Network Management
> Protocol Version 3 (SNMPv3) protocols that can be exploited to gain access
> to the interface, and provide recommendations for mitigating those
> vulnerabilities in design, implementation, and deployment.
>
> More here:
> http://blogs.iss.net/archive/blackhatlitalk.html
>
> Gadi.

For the sake of clarity and transparency, 

Gadi Evron has absolutely no connection to this research whatsoever. 

He is famous in the security community for piggybacking off other people's
research.

We are frustrated with him as much as we are annoyed.

Andrew

Security consultant

CITATION NEEDED

Re: lawful intercept/IOS at BlackHat DC, bypassing and recommendations

2010-02-04 Thread andrew.wallace
On Thu, Feb 4, 2010 at 11:25 PM,  a.harrow...@gmail.com wrote:
> -original message-
> Subject: Re: lawful intercept/IOS at BlackHat DC, bypassing and
> recommendations
> From: andrew.wallace andrew.wall...@rocketmail.com
> Date: 04/02/2010 11:09 pm
>
> On Thu, Feb 4, 2010 at 8:19 PM, Gadi Evron g...@linuxbox.org wrote:
>> That peer-review is the basic purpose of my Blackhat talk and the
>> associated paper. I plan to review Cisco’s architecture for lawful intercept
>> and explain the approach a bad guy would take to getting access without
>> authorization. I’ll identify several aspects of the design and
>> implementation of the Lawful Intercept (LI) and Simple Network Management
>> Protocol Version 3 (SNMPv3) protocols that can be exploited to gain access
>> to the interface, and provide recommendations for mitigating those
>> vulnerabilities in design, implementation, and deployment.
>>
>> More here:
>> http://blogs.iss.net/archive/blackhatlitalk.html
>>
>> Gadi.
>
> For the sake of clarity and transparency,
>
> Gadi Evron has absolutely no connection to this research whatsoever.
>
> He is famous in the security community for piggybacking off other people's
> research.
>
> We are frustrated with him as much as we are annoyed.
>
> Andrew
>
> Security consultant
>
> CITATION NEEDED



You can go to the Full-disclosure mailing list
http://www.grok.org.uk/full-disclosure/ and ask about Gadi Evron.

There will be plenty of folks there who will tell you he is involved in
plagiarism.

Andrew

Security consultant

Re: lawful intercept/IOS at BlackHat DC, bypassing and recommendations

2010-02-04 Thread Dan White

On 04/02/10 15:58 -0800, andrew.wallace wrote:

>> CITATION NEEDED
>
> You can go to the Full-disclosure mailing list
> http://www.grok.org.uk/full-disclosure/ and ask about Gadi Evron.
>
> There will be plenty of folks there who will tell you he is involved in
> plagiarism.
>
> Andrew
>
> Security consultant


That's not a reference. And it reeks of security-consultant-gamesmanship.

If you've had a look at Gadi's paper that he intends to present, then
discuss with him where you feel he's infringing.

--
Dan White




Re: lawful intercept/IOS at BlackHat DC, bypassing and recommendations

2010-02-04 Thread Brian Keefer
>>> Andrew
>>>
>>> Security consultant
>>
>> CITATION NEEDED
>
> You can go to the Full-disclosure mailing list
> http://www.grok.org.uk/full-disclosure/ ...
>
> Andrew
>
> Security consultant

For clarity and transparency you were banned from that list for trolling 
under the persona n3td3v.

--
bk


Re: lawful intercept/IOS at BlackHat DC, bypassing and recommendations

2010-02-04 Thread Christopher Morrow
On Thu, Feb 4, 2010 at 5:47 PM, Jorge Amodio jmamo...@gmail.com wrote:
> I'm totally ignorant (most of the time), is anybody actually using SNMPv3 ?

sadly, if you are present in the US and you do ip services (public
ones) and you deployed a cisco device + calea capabilities, yes you do!
:(

-chris



Re: lawful intercept/IOS at BlackHat DC, bypassing and recommendations

2010-02-04 Thread Christopher Morrow
On Thu, Feb 4, 2010 at 5:49 PM, Steven Bellovin s...@cs.columbia.edu wrote:

> On Feb 4, 2010, at 5:42 PM, Christopher Morrow wrote:
>
>> On Thu, Feb 4, 2010 at 5:26 PM, Crist Clark crist.cl...@globalstar.com
>> wrote:
>>
>>>> this seems like much more work than matt blaze's work that said: "Just
>>>> send more than 10mbps toward what you want to sneak around... the
>>>> LEA's pipe is saturated so nothing of use gets to them"
>>>
>>> The Cross/XForce/IBM talk appears more to be about unauthorized
>>> access to communications via LI rather than evading them,
>>>
>>>   ...there is a risk that [LI tools] could be hijacked by third
>>>    parties and used to perform surveillance without authorization.
>>>
>>> Of course, this has already happened,
>>
>> right... plus the management (for cisco) is via snmp(v3), from
>> (mostly) windows servers as the mediation devices (sad)...  and the
>> traffic is simply tunneled from device -> mediation -> lea, not
>> necessarily IPSEC'd from mediation -> LEA, and udp-encapped from
>> device -> mediation server.
>>
>>>   http://en.wikipedia.org/wiki/Greek_telephone_tapping_case_2004-2005
>>
>> yea, good times... that's really just re-use of the normal LEA hooks
>> in all telco phone switch gear though... not 'calea features' in
>> particular.
>
> There's a difference?  CALEA is just the US government profile of the generic
> international concept of lawful intercept.

hrm, I always equate 'calea' with 'ip intercept', because I
(thankfully) never had to see a phone switch (dms type thingy). You
are, I believe, correct in that CALEA was first 'telephone' intercept
implemented in phone-switch-thingies in ~94?? and was later applied
(may 2007ish?) to IP things as well.

-Chris



Re: lawful intercept/IOS at BlackHat DC, bypassing and recommendations

2010-02-04 Thread Steven Bellovin

On Feb 4, 2010, at 9:26 PM, Christopher Morrow wrote:

> On Thu, Feb 4, 2010 at 5:49 PM, Steven Bellovin s...@cs.columbia.edu wrote:
>
>> On Feb 4, 2010, at 5:42 PM, Christopher Morrow wrote:
>>
>>> On Thu, Feb 4, 2010 at 5:26 PM, Crist Clark crist.cl...@globalstar.com
>>> wrote:
>>>
>>>>> this seems like much more work than matt blaze's work that said: "Just
>>>>> send more than 10mbps toward what you want to sneak around... the
>>>>> LEA's pipe is saturated so nothing of use gets to them"
>>>>
>>>> The Cross/XForce/IBM talk appears more to be about unauthorized
>>>> access to communications via LI rather than evading them,
>>>>
>>>>   ...there is a risk that [LI tools] could be hijacked by third
>>>>    parties and used to perform surveillance without authorization.
>>>>
>>>> Of course, this has already happened,
>>>
>>> right... plus the management (for cisco) is via snmp(v3), from
>>> (mostly) windows servers as the mediation devices (sad)...  and the
>>> traffic is simply tunneled from device -> mediation -> lea, not
>>> necessarily IPSEC'd from mediation -> LEA, and udp-encapped from
>>> device -> mediation server.
>>>
>>>>   http://en.wikipedia.org/wiki/Greek_telephone_tapping_case_2004-2005
>>>
>>> yea, good times... that's really just re-use of the normal LEA hooks
>>> in all telco phone switch gear though... not 'calea features' in
>>> particular.
>>
>> There's a difference?  CALEA is just the US government profile of the generic
>> international concept of lawful intercept.
>
> hrm, I always equate 'calea' with 'ip intercept', because I
> (thankfully) never had to see a phone switch (dms type thingy). You
> are, I believe, correct in that CALEA was first 'telephone' intercept
> implemented in phone-switch-thingies in ~94?? and was later applied
> (may 2007ish?) to IP things as well.

I can make a very good case that CALEA was not just originally intended for 
voice, but was sold to Congress as something that didn't apply to data 
networks.  The EFF has said it better than I could, though, so look at 
http://w2.eff.org/Privacy/Surveillance/20040413_EFF_CALEA_comments.

--Steve Bellovin, http://www.cs.columbia.edu/~smb

Re: lawful intercept/IOS at BlackHat DC, bypassing and recommendations

2010-02-04 Thread Marcus Reid
On Thu, Feb 04, 2010 at 09:42:24PM -0500, Steven Bellovin wrote:
> I can make a very good case that CALEA was not just originally intended
> for voice, but was sold to Congress as something that didn't apply to data
> networks.  The EFF has said it better than I could, though, so look at
> http://w2.eff.org/Privacy/Surveillance/20040413_EFF_CALEA_comments.

  Corrected URL:

http://w2.eff.org/Privacy/Surveillance/20040413_EFF_CALEA_comments.php