August 21st, 2016

Про сиськи и госдеп

Оригинал взят у scif_yar в Про сиськи и госдеп
BenignCertain's capabilities were tentatively revealed in this blog post from Thursday, and they were later confirmed to work on real-world PIX installations by three separate researchers. Before the confirmation came, Ars asked Cisco to investigate the exploit. The company declined, citing this policy for so-called end-of-life products. The exploit helps explain documents leaked by NSA contractor Edward Snowden and cited in a 2014 article that appeared in Der Spiegel. The article reported that the NSA had the ability to decrypt more than 1,000 VPN connections per hour.

"It shows that the NSA had the ability to remotely extract confidential keys from Cisco VPNs for over a decade," Mustafa Al-Bassam, a security researcher at payments processing firm Secure Trading, told Ars. "This explains how they were able to decrypt thousands of VPN connections per minute as shown in documents previously published by Der Spiegel."

The revelation is also concerning because data returned by the Shodan search engine indicate more than 15,000 networks around the world still use PIX, with the Russian Federation, the US, and Australia being the top three countries affected. Last weekend's release of BenignCertain and dozens of other NSA-connected attack tools means even relatively low-skilled hackers can now carry out the same advanced attack. Analysis of the exploit binary shows BenignCertain targeted PIX versions 5.3(9) through 6.3(4). The researchers, however, were able to make the key-extraction technique work against version 6.3(5) as well.

Мораль: ACL на входных интерфейсах VPN являются обязательными, даже если ты неуловимый Джо
Мораль2: использовать одну и ту же ASA для NAT/PAT и VPN - недопустимо. Кроме случаев неуловимых Джо, конечно.
Мораль3. S-terra конечно то еще говно. Но.

Жду комментов и главного по инфобезу.
Правда, он вроде как предпочитает продукцию на D.. но он вроде что-то слышал про деда посередине! Еще тут могла бы быть шутка про UDP, но боюсь она может не дойти.

Ролик про континент постить можно.