Saturday, August 20, 2016

Internet God Mode

Need a Konami code for pwning the Internet? NSA has some. Well, more precisely, everyone has some of them now that they've been leaked by the Shadow Brokers.  Firewalls effectively segment your internal networks from the Internet, and remote, unauthenticated exploits against them undermine the security models of most organizations.

I've noticed a lot of people on Twitter talking about how they don't care about three year old firewall exploits.  But let's be clear that many of these exploits are still not patched today.  Some pundits have noted that many products targeted by the exploits (e.g. PIX) are not very commonly used today.  Point taken, but they were much more common three years ago when this tool cache was originally created.  How often do you change the private keys on your VPN? For compatibility reasons, did you roll your PIX private keys forward when you upgraded to an ASA?  If you aren't sure, I would recommend changing your private keys on your VPNs.  It's relatively easy in the scheme of things.

[Image: Internet God Mode for CNE operators. Need to pwn the Internet? Firewall exploits will help...]
How should your defensive strategies change when you consider your firewalls themselves to be compromised? I'll cover that in depth in a later post.  But the firewall exploits released to every attacker on the Internet are seriously disturbing.  We should not downplay the significance - even if some products targeted are no longer supported.  Many organizations run unsupported hardware and software.

Two months ago at Rendition Infosec, I worked with a well-meaning organization with 10 year old IOS on their routers and 25% of the environment still touting XP and Server 2003.  This is an extreme example, but most organizations have some percentage of unsupported software and hardware for a variety of reasons - usually involving budget.

Finally, it's worth noting that it's highly unlikely that NSA has stood still in its firewall exploit program since this tool cache was stolen in 2013.  In the last three years, it's likely that NSA has researched and acquired other firewall exploits that work against more modern platforms.  I've seen some very dense people (on Twitter and elsewhere) suggesting that if you want to be safe from NSA, just deploy Palo Alto.  They claim this is a good idea because there were no Palo Alto exploits in the dump.  This, like many other comments about the dump, is extremely myopic.  Who knows what NSA has today for firewall exploits and implants?  I certainly do not, but this release will certainly change the way I think about defense in depth.