Overkill

NSA decrypts VPN traffic for a decade — Cisco PIX Firewall


Just been reading this rather detailed Reuters commentary by a "connected" author for Foreign Policy magazine about current dramas in cyberspace:

http://www.reuters.com/article/us-intelligence-nsa-commentary-idUSKCN10X01P

Some backdoors/0-day exploits were sloppy C or C++ programming, but now being part of a software development team could attract entrapment/intimidation/??? by all sorts of agents to do covert implants, or source code copies, or ???.

Now retired from systems programming and system admin contracting in the 70s-90s, thankfully. So just fascinating from a distance. Be careful what you regret.


There is no support for Cisco VPN here, only OpenVPN.

No OpenVPN exploits were published in that archive - which will be a harder case to exploit than a Cisco box from 2006.

 

I thought it was a software/hardware issue, like if some provider was using Cisco firewalls. Thanks for clarifying. 


It's for that specific VPN. VPNs have been decrypted by companies for a long time: DPI, but it requires a root CA to be installed on the specific system. This root CA is self-issued by the person/entity attempting to decrypt traffic. I recommend doing a Root Certificate Scan periodically on systems to ensure you don't have any rogue RCAs.

There are more sophisticated tools like the Quantum Injection Engine the NSA uses, but they don't have the horsepower to do it on major backbones from what we can tell.

Common non-RCA methods of traffic inspection involve using things like SNI to see what domain someone is going to, as it's an unencrypted header on an SSL session. Then the block can be done with that data; for example, they can't see what you do at Pornhub, but they can see the SNI and block Pornhub as a destination without decrypting your traffic. Similar to DNS blocking without decrypting traffic.

As for UTM/NGFW appliances like Untangle, Fortinet, etc., they can all decrypt on the fly if necessary but do require an RCA in order to avoid errors. It would become 'obvious' to any observant person that someone is tampering with traffic due to page load issues, sometimes requiring a reload of pages, etc. Common indicators someone is fussing with your traffic. So most use SNI or DNS identification for blocking or observing without knowing actual content.

As for UTMs, MOST are backdoored by the CIA/NSA/DISA, etc. Some are outright owned by the CIA/NSA/DISA. Some examples:

Cisco: commonly backdoored; modification stations set up by the spooks in partnership with UPS to delay delivery by just a few hours to install hardware-level backdoors. Cisco also has a backdoor method to break any of their UTMs as long as you have PHYSICAL access to the device.

Fortinet: backdoored for decades by the NSA with a hardcoded superadmin password, which was FGTAbc11*xy+Qqz27; they claim they patched it once security researchers discovered it. Don't bet on it. That also likely means Fortinet VPNs are all compromised. Don't trust them.

Juniper: we all know they are in the tank with the spooks.

FireEye: co-funded by the CIA. Nuff said.

WatchGuard: backdoored for over a decade.

Unless you use an open-source UTM (pfSense, OPNsense, Untangle, Smoothwall, etc.), you are playing with fire. Also, I would generally avoid anything produced by US-based corporations, as they can be compelled in a dozen different ways to cooperate. Untangle is a recent victim. They were recently bought out by CIA/NSA-linked PQE, a private equity firm with strong intelligence ties. Right on the heels of the purchase they started installing spook-friendly guys at Untangle. The new executive director is a former spook; the new CEO is a well-known friend of spooks. He happened to 'brag' in an old interview about how 'inside' he is with the NSA, CIA and FBI. So the latest casualty of war appears to be Untangle. If you are currently running Untangle, then VERSION FREEZE to 12.1, turn off remote access/support, disable logging and disable firewall backups in the cloud. But realize you are probably only a few months to a year away from that product being changed to closed-source, a new privacy policy, you know, the other things that go along with this.

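The post above says a filter can read the SNI and block a destination without decrypting anything. The following is an added example (editor's code, not from the poster or from any product named in the thread) that shows exactly what such a box sees: it walks a TLS ClientHello record, pulls the host_name out of the server_name extension, and applies a domain blocklist to it. The ClientHello bytes are constructed inline as sample input, the blocklist is a made-up policy for the demo, and `build_client_hello`, `extract_sni` and `sni_policy` are names chosen here, not any library's API.

```python
import struct

SNI_EXT = 0x0000  # TLS extension type server_name


def build_client_hello(server_name=None):
    """Construct a minimal TLS ClientHello record for the demo (sample input, not a capture)."""
    body = b"\x03\x03" + bytes(32)                 # client_version TLS 1.2, zeroed random
    body += b"\x00"                                 # session_id: empty
    body += b"\x00\x02\xc0\x2f"                     # one cipher suite
    body += b"\x01\x00"                             # one compression method: null
    # supported_versions goes first so the parser has to skip an unrelated extension
    sv = b"\x02\x03\x04"
    exts = struct.pack("!HH", 0x002b, len(sv)) + sv
    if server_name is not None:
        host = server_name.encode("idna")
        entry = b"\x00" + struct.pack("!H", len(host)) + host   # name_type host_name(0)
        sni = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", SNI_EXT, len(sni)) + sni
    body += struct.pack("!H", len(exts)) + exts
    hs = b"\x01" + len(body).to_bytes(3, "big") + body          # HandshakeType client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs    # ContentType handshake(22)


def extract_sni(record):
    """Return the host_name from a ClientHello's server_name extension, or None if absent.

    Raises ValueError for anything that is not a complete, well-formed ClientHello;
    a middlebox should fail closed on garbage rather than guess a name."""
    try:
        return _parse(record)
    except (IndexError, struct.error):
        raise ValueError("malformed ClientHello")


def _parse(record):
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    (rec_len,) = struct.unpack("!H", record[3:5])
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated ClientHello")
    pos = 2 + 32                                    # client_version + random
    pos += 1 + body[pos]                            # session_id
    (cs_len,) = struct.unpack("!H", body[pos:pos + 2]); pos += 2 + cs_len
    pos += 1 + body[pos]                            # compression_methods
    if pos == len(body):
        return None                                 # legacy hello with no extensions
    (ext_len,) = struct.unpack("!H", body[pos:pos + 2]); pos += 2
    end = pos + ext_len
    if end != len(body):
        raise ValueError("extension length disagrees with ClientHello length")
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
        data = body[pos:pos + elen]; pos += elen
        if etype != SNI_EXT:
            continue
        # ServerNameList: u16 list length, then (u8 name_type, u16 length, name) entries
        (list_len,) = struct.unpack("!H", data[:2])
        q, lend = 2, 2 + list_len
        while q + 3 <= lend:
            ntype = data[q]
            (nlen,) = struct.unpack("!H", data[q + 1:q + 3])
            name = data[q + 3:q + 3 + nlen]; q += 3 + nlen
            if ntype == 0:                          # host_name; the name is plain ASCII/IDNA
                return name.decode("ascii")
    return None


def sni_policy(record, blocklist):
    """'block' or 'allow' decided from the cleartext SNI alone; the payload is never decrypted."""
    name = extract_sni(record)
    if name is None:
        return "allow"          # nothing to match on; a stricter policy might block instead
    labels = name.lower().rstrip(".").split(".")
    # check the host and every parent domain so www.pornhub.com matches pornhub.com
    return "block" if any(".".join(labels[i:]) in blocklist for i in range(len(labels))) else "allow"


if __name__ == "__main__":
    policy = {"pornhub.com"}    # constructed blocklist for the demo
    for host in ("www.pornhub.com", "www.example.com", None):
        rec = build_client_hello(host)
        print(host, "->", extract_sni(rec), sni_policy(rec, policy))
```

Two caveats a practitioner would add to the post: the name is only unencrypted in classic TLS, so a client using Encrypted Client Hello hides it from this kind of filter, and the parser here fails closed (ValueError) on a truncated or non-handshake record instead of returning a partial name, which matters if the filter's decision is the only control.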
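The same post recommends a periodic scan for rogue root CAs, since on-path decryption only works once an extra root is in the trust store. Below is an added example of how such a scan is usually done (editor's code, not the poster's and not any product's): every certificate in a PEM bundle is fingerprinted with SHA-256, the set is diffed against a known-good baseline, and the subject CN of anything unexpected is pulled out with a small DER walk for reporting. The certificates in the demo are constructed, unsigned placeholders built by `make_fake_root_pem` so the code runs offline; the function names are chosen here, and the DER walk assumes the standard tbsCertificate field order (it is a reporting aid, not a validator).

```python
import base64
import hashlib
import re

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)
CN_OID = b"\x06\x03\x55\x04\x03"      # DER-encoded OID 2.5.4.3 (commonName)


def pem_bundle_fingerprints(bundle):
    """Map SHA-256 fingerprint (hex) -> DER bytes for every certificate in a PEM bundle."""
    out = {}
    for m in PEM_RE.finditer(bundle):
        der = base64.b64decode(b"".join(m.group(1).split()))
        out[hashlib.sha256(der).hexdigest()] = der
    return out


def find_unknown_roots(bundle, baseline):
    """Fingerprints present in the trust store that are absent from the known-good baseline."""
    return sorted(set(pem_bundle_fingerprints(bundle)) - set(baseline))


def _tlv(buf, pos):
    """Parse one DER TLV at pos; return (tag, value_start, value_end)."""
    tag = buf[pos]; pos += 1
    ln = buf[pos]; pos += 1
    if ln & 0x80:                                   # long-form length
        n = ln & 0x7f
        ln = int.from_bytes(buf[pos:pos + n], "big"); pos += n
    return tag, pos, pos + ln


def subject_cn(der):
    """Best-effort commonName from the subject of a DER certificate (None if not present)."""
    _, p, _ = _tlv(der, 0)                          # Certificate SEQUENCE
    _, p, tbs_end = _tlv(der, p)                    # tbsCertificate SEQUENCE
    tag, _, ve = _tlv(der, p)
    if tag == 0xA0:                                 # optional [0] EXPLICIT version
        p = ve
    fields = []                                     # serial, sigalg, issuer, validity, subject
    while p < tbs_end and len(fields) < 5:
        _, vs, ve = _tlv(der, p)
        fields.append((vs, ve)); p = ve
    s, e = fields[4]
    idx = der.find(CN_OID, s, e)
    if idx < 0:
        return None
    _, vs, ve = _tlv(der, idx + len(CN_OID))        # the AttributeValue right after the OID
    return der[vs:ve].decode("utf-8", "replace")


def _der(tag, content):
    """Encode one DER TLV (used only to build the constructed test certificates)."""
    n = len(content)
    if n < 0x80:
        lenb = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        lenb = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + lenb + content


def make_fake_root_pem(cn):
    """Constructed, unsigned, structurally valid self-issued certificate: test data, not a real CA."""
    sha256_rsa = _der(0x30, b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b\x05\x00")
    name = _der(0x30, _der(0x31, _der(0x30, CN_OID + _der(0x0C, cn.encode()))))
    tbs = _der(0x30,
               _der(0xA0, _der(0x02, b"\x02")) +            # version v3
               _der(0x02, b"\x01") +                         # serialNumber
               sha256_rsa +                                  # signature algorithm
               name +                                        # issuer
               _der(0x30, _der(0x17, b"250101000000Z") + _der(0x17, b"350101000000Z")) +
               name +                                        # subject (self-issued)
               _der(0x30, b""))                              # subjectPublicKeyInfo placeholder
    cert = _der(0x30, tbs + sha256_rsa + _der(0x03, b"\x00"))   # empty signature BIT STRING
    return b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(cert) + b"-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    known = make_fake_root_pem("Known Good Root 1") + make_fake_root_pem("Known Good Root 2")
    baseline = set(pem_bundle_fingerprints(known))          # what you enrolled on a clean build
    store = known + make_fake_root_pem("Corporate DPI Root")  # the trust store as found today
    current = pem_bundle_fingerprints(store)
    for fp in find_unknown_roots(store, baseline):
        print("UNKNOWN ROOT", fp[:16], subject_cn(current[fp]))
```

On a Linux host the bundle to feed in is the system CA file (for example /etc/ssl/certs/ca-certificates.crt) and the baseline is the fingerprint set taken from the distribution's own ca-certificates package on a known-clean install; on Windows, `ssl.enum_certificates("ROOT")` from the standard library returns the DER blobs of the machine Root store and can be fingerprinted the same way. Comparing fingerprints rather than subject names is the point: a rogue root can copy any display name it likes, but not the hash of the certificate.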
