"JETPLOW is a persistent implant of EPICBANANA. Digitally signed Cisco software is signed using secure asymmetrical (public-key) cryptography in newer platforms prevents these types of attacks. The purpose of digitally signed Cisco software is to increase the security posture of Cisco ASA devices by ensuring that the software running on the system has not been tampered with and originated from a trusted source as claimed."
They claim that the implant is digitally signed, then they say that it shouldn't work because Cisco software is digitally signed also, and it's verified by the Cisco Secure Boot.
Isn't that a bit contradictory? Sure, they might have had flaws in their verification process (we've seen signature verifications that were nothing more than "is this a signed message" before), but since Cisco verifies the signature properly (as you haven't been able to binary patch Cisco boot images for 5+ years), doesn't this imply that the NSA got a hold of the signing keys used by Cisco or an authorized 3rd party?
It suggests to me that the previous signature style was a symmetric type, whereas now it's asymmetric.
Where do they claim that? Both occurrences of the words "digitally signed" in the quoted section refer to the new Cisco software and not to the JETPLOW payload.
If you have SNMP listening on a public ipv4/ipv6 interface of a firewall (I don't care if it's an EOL/EOS PIX or not), you have done something fundamentally wrong from the start. As a network engineer, seeing something like this in a business customer's equipment would cause me to seriously reconsider all other decisions/security configurations made by a predecessor or third-party contractor.
Having a port listening on the internet means you've exposed (usually) tens or hundreds of thousands of lines of code to anyone with an internet connection. One vulnerable line of code or misconfiguration could be an entry point into your network for an attacker.
The key, then, is deciding what absolutely needs to be exposed. If you run a website, you're going to need to expose your web server to the internet. Need access for remote workers? You'll open up a VPN. There are a bunch of things that generally have no place being exposed to the internet: SNMP, SMB, AFP, RDP, Telnet, any admin console, etc.
A former employee who tells someone else your SNMP communities...
A current employee who in a moment of laziness, inadvertently leaves your SNMP community in a public pastebin or Github Gist...
So on and so forth.
The SNMP supported on old PIX is SNMPv1/SNMPv2, which sends the community string in plaintext, and the reply is similarly unencrypted, so it's basically the same security level as telnet or regular http (none).
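To make the plaintext-community point above concrete, and to show why SNMP belongs on the "never expose" list from the earlier comment, here is an added example (not code from any commenter or from Cisco) that decodes an SNMPv1/v2c message with a minimal BER parser and pulls the community string straight out of the bytes. The packet is constructed for the example, not captured from a real device; the field layout follows RFC 1157/1905 (a SEQUENCE holding version, community, then the PDU). It also flags messages that use a well-known default community, the kind of thing a defender would run over a mirror port or a pcap to see what is being sent over the wire.

```python
"""Decode SNMPv1/v2c messages and show the community string is plaintext.

Added example, not the page's or Cisco's code. The sample packet below is
constructed by hand for this demonstration.
"""

# Constructed SNMPv1 GetRequest for sysDescr.0 (1.3.6.1.2.1.1.1.0),
# community "public". Each line is one BER TLV (tag, length, value).
SAMPLE_GETREQUEST = bytes.fromhex("".join([
    "3026",                  # SEQUENCE, 38 bytes of message
    "020100",                # INTEGER version = 0  (SNMPv1)
    "0406" + b"public".hex(),  # OCTET STRING community = "public"
    "a019",                  # GetRequest-PDU, 25 bytes
    "020101",                # request-id = 1
    "020100",                # error-status = 0
    "020100",                # error-index = 0
    "300e",                  # VarBindList
    "300c",                  # VarBind
    "06082b06010201010100",  # OID 1.3.6.1.2.1.1.1.0
    "0500",                  # NULL (value not yet filled in)
]))

VERSION_NAMES = {0: "SNMPv1", 1: "SNMPv2c", 3: "SNMPv3"}
PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse",
             0xA3: "SetRequest", 0xA4: "Trap"}
# Widely shipped factory defaults; not page-specific values.
DEFAULT_COMMUNITIES = {"public", "private"}


def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the BER TLV starting at buf[pos]."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated TLV")
    return tag, buf[pos:pos + length], pos + length


def decode_oid(value):
    """Decode BER OID contents: first octet packs arcs 1 and 2, rest are base-128."""
    arcs = [value[0] // 40, value[0] % 40]
    sub = 0
    for b in value[1:]:
        sub = (sub << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(sub)
            sub = 0
    return ".".join(map(str, arcs))


def parse_snmp(packet):
    """Parse an SNMPv1/v2c message into a dict; rejects SNMPv3 (different layout)."""
    tag, msg, _ = read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message (outer SEQUENCE missing)")
    _, ver, pos = read_tlv(msg, 0)
    version = int.from_bytes(ver, "big", signed=True)
    if version not in (0, 1):
        # SNMPv3 carries msgGlobalData/security params here, not a community.
        raise ValueError("%s message: no community string in this format"
                         % VERSION_NAMES.get(version, "unknown-version"))
    _, community, pos = read_tlv(msg, pos)   # the plaintext community string
    pdu_tag, pdu, _ = read_tlv(msg, pos)
    _, rid, p = read_tlv(pdu, 0)             # request-id
    _, _status, p = read_tlv(pdu, p)
    _, _index, p = read_tlv(pdu, p)
    _, varbinds, _ = read_tlv(pdu, p)
    oids, p = [], 0
    while p < len(varbinds):
        _, vb, p = read_tlv(varbinds, p)
        _, oid_val, _ = read_tlv(vb, 0)
        oids.append(decode_oid(oid_val))
    return {
        "version": VERSION_NAMES[version],
        "community": community.decode("ascii", "replace"),
        "pdu": PDU_NAMES.get(pdu_tag, "pdu-0x%02x" % pdu_tag),
        "request_id": int.from_bytes(rid, "big", signed=True),
        "oids": oids,
    }


def audit_packet(packet):
    """Return findings a defender would want from one observed SNMP datagram."""
    info = parse_snmp(packet)
    findings = ["%s %s: community %r readable by anyone on the path"
                % (info["version"], info["pdu"], info["community"])]
    if info["community"] in DEFAULT_COMMUNITIES:
        findings.append("default community %r in use" % info["community"])
    return findings


if __name__ == "__main__":
    print(parse_snmp(SAMPLE_GETREQUEST))
    for line in audit_packet(SAMPLE_GETREQUEST):
        print("-", line)
```

The parser never touches a key or a cipher because there is nothing to decrypt: the community string sits in an OCTET STRING a few bytes into the datagram, which is the whole reason a community leaked through a pastebin, a former employee, or a tap on the path is equivalent to a password leak.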
I'm so damn tired of companies underfunding IT and then roasting some director or other alive when the technical debt inevitably bites them in the ass.
http://www.compliancebuilding.com/2009/08/03/compliance-van-...
The way compartments work, they are supposed to be isolated not just from lower level (secret vs top secret) but also among each other. So things would have instructions like "handle via EPICBANANA channels only". So if you are not read into EPICBANANA you don't get access to it, even though you might have TS clearance.
So programs / capabilities are referred to by those names, instead of, say, "Oh, that Cisco ASA blah model VPN MitM thing we have".
That also means that just because you have TS clearance doesn't mean you get to pick up and walk away with all the TS information you want ... oh wait, that did happen already, didn't it... oops.