lawful intercept/IOS at BlackHat DC, bypassing and recommendations

"That peer-review is the basic purpose of my Blackhat talk and the associated paper. I plan to review Cisco's architecture for lawful intercept and explain the approach a bad guy would take to getting access without authorization. I'll identify several aspects of the design and implementation of the Lawful Intercept (LI) and Simple Network Management Protocol Version 3 (SNMPv3) protocols that can be exploited to gain access to the interface, and provide recommendations for mitigating those vulnerabilities in design, implementation, and deployment."

More here:
http://blogs.iss.net/archive/blackhatlitalk.html

  Gadi.

this seems like much more work than matt blaze's work that said: "Just
send more than 10mbps toward what you want to sneak around... the
LEA's pipe is saturated so nothing of use gets to them"

<http://www.crypto.com/blog/calea_weaknesses/>

Also, cisco publishes the fact that their intercept caps out at 15kpps
per line card, so... just keep a steady 15kpps and roll on.

-chris

(of course for any LEA that really cares they'll just order a physical
tap, and provision things properly)

Would you mind passing along a source/link on the 15kpps? I haven't seen that number yet.

tv


The Cross/XForce/IBM talk appears more to be about unauthorized
access to communications via LI rather than evading them,

  "...there is a risk that [LI tools] could be hijacked by third
   parties and used to perform surveillance without authorization."

Of course, this has already happened,

  Greek wiretapping case 2004–05 - Wikipedia


right... plus the management (for cisco) is via snmp(v3), from
(mostly) windows servers as the mediation devices (sad)... and the
traffic is simply tunneled from device -> mediation -> lea .... not
necessarily IPSEC'd from mediation -> LEA, and udp-encapped from
device -> mediation server.

Greek wiretapping case 2004–05 - Wikipedia

yea, good times... that's really just re-use of the normal LEA hooks
in all telco phone switch gear though... not 'calea features' in
particular.

-chris
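The two messages above describe the management path that matters: taps are provisioned over SNMPv3 from the mediation devices, and the risk is a third party driving that same interface. The script below is an added example (not code from the thread, from Cisco or from the X-Force paper) that audits SNMPv3 access records for the tap MIBs and flags exactly the two conditions a practitioner would want caught: a write to the LI MIBs from a host that is not a known mediation device, and any LI access that is not authPriv. The OID prefixes are taken from the MIB module numbers as I recall them (CISCO-TAP2-MIB under ciscoMgmt.399, CISCO-IP-TAP-MIB under ciscoMgmt.400) and should be confirmed against the MIB files for your release; the record format, the addresses and the sample records are constructed for this example and are not a Cisco log format.

```python
"""
Audit SNMPv3 access to the Cisco lawful-intercept MIBs.

Added example, not code from the thread or from Cisco.  It checks two things
the discussion raises: taps are provisioned over SNMPv3, so every access to
the tap MIBs should (1) come from a known mediation device and (2) use the
authPriv security level.  The record format is constructed for this example;
map your own audit source (device syslog, AAA accounting, a capture) onto it.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# OID prefixes of the LI MIBs.  Assumed from the MIB module definitions
# (CISCO-TAP2-MIB = ciscoMgmt.399, CISCO-IP-TAP-MIB = ciscoMgmt.400);
# confirm against the MIB files shipped for your IOS release.
LI_MIB_PREFIXES = ("1.3.6.1.4.1.9.9.399.", "1.3.6.1.4.1.9.9.400.")

# Hosts permitted to provision taps: the mediation devices (assumed addresses).
MEDIATION_DEVICES = ["192.0.2.0/28"]

# Constructed sample records: "<timestamp> <src-ip> <op> <user> <seclevel> <oid>".
SAMPLE_RECORDS = """\
2010-02-01T10:00:01Z 192.0.2.10    SET tapuser authPriv     1.3.6.1.4.1.9.9.399.1.1.2.1.3.1
2010-02-01T10:00:02Z 192.0.2.10    GET tapuser authPriv     1.3.6.1.4.1.9.9.399.1.1.1.0
2010-02-01T10:05:13Z 198.51.100.7  SET tapuser authNoPriv   1.3.6.1.4.1.9.9.400.1.1.2.1.3.2
2010-02-01T10:06:00Z 192.0.2.10    SET tapuser noAuthNoPriv 1.3.6.1.4.1.9.9.399.1.1.2.1.3.3
2010-02-01T10:07:45Z 192.0.2.44    SET ops     authPriv     1.3.6.1.2.1.1.5.0
2010-02-01T10:08:00Z 203.0.113.9   SET tapuser authPriv     1.3.6.1.4.1.9.9.399.1.1.2.1.3.4
"""


@dataclass(frozen=True)
class Record:
    ts: str
    src: str
    op: str        # SET or GET
    user: str      # SNMPv3 securityName
    seclevel: str  # noAuthNoPriv, authNoPriv or authPriv
    oid: str


def parse_records(text):
    """Parse the whitespace-separated audit format into Record objects."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 6:
            raise ValueError(f"malformed record: {line!r}")
        records.append(Record(*parts))
    return records


def is_li_oid(oid):
    """True if the OID lies inside one of the lawful-intercept MIB subtrees."""
    return any(oid.startswith(prefix) for prefix in LI_MIB_PREFIXES)


def audit(records, mediation_nets, required_level="authPriv"):
    """Return (timestamp, finding, source, detail) tuples for suspicious LI access.

    Two rules, applied only to records that touch the LI MIBs:
      - a SET from a host outside the mediation-device networks;
      - any access (GET or SET) below the required security level, which means
        the request could have been spoofed or read on the wire.
    """
    nets = [ip_network(n) for n in mediation_nets]
    findings = []
    for rec in records:
        if not is_li_oid(rec.oid):
            continue  # ordinary SNMP traffic is out of scope here
        from_mediation = any(ip_address(rec.src) in net for net in nets)
        if rec.op == "SET" and not from_mediation:
            findings.append((rec.ts, "li-write-from-unlisted-host", rec.src, rec.oid))
        if rec.seclevel != required_level:
            findings.append((rec.ts, f"li-access-without-{required_level}",
                             rec.src, rec.seclevel))
    return findings


if __name__ == "__main__":
    for ts, finding, src, detail in audit(parse_records(SAMPLE_RECORDS), MEDIATION_DEVICES):
        print(f"{ts} {finding:32} src={src} {detail}")
```

Run as-is it reports four findings on the constructed sample: the two tap writes from hosts outside the mediation range and the two accesses that were not authPriv. The second rule is the one to keep even if you trust every source address, since the thread's point is that the MIB itself is the interface an attacker wants; a write that arrives without authentication and privacy gives you no basis for believing the source address at all.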

I'm totally ignorant (most of the time), is anybody actually using SNMPv3?

Regards

There's a difference? CALEA is just the US government profile of the generic international concept of lawful intercept.

I recommend http://www.spectrum.ieee.org/jul07/5280 (linked to from the Wikipedia article) as a very good reference on what is and isn't known.

    --Steve Bellovin, http://www.cs.columbia.edu/~smb

sadly, if you are present in the US and you do ip services (public
ones) and you deployed a cisco device + calea capabilites, yes you do!
:(

-chris

hrm, I always equate 'calea' with 'ip intercept', because I
(thankfully) never had to see a phone switch (dms type thingy). You
are, I believe, correct in that CALEA was first 'telephone' intercept
implemented in phone-switch-thingies in ~94?? and was later applied
(may 2007ish?) to IP things as well.

-Chris

I can make a very good case that CALEA was not just originally intended for voice, but was sold to Congress as something that didn't apply to data networks. The EFF has said it better than I could, though, so look at http://w2.eff.org/Privacy/Surveillance/20040413_EFF_CALEA_comments.

    --Steve Bellovin, http://www.cs.columbia.edu/~smb

Corrected URL:

    http://w2.eff.org/Privacy/Surveillance/20040413_EFF_CALEA_comments.php

I'm totally ignorant (most of the time), is anybody actually using SNMPv3?

I worked with an IPsec VPN product around 10 years ago that used SNMPv3
for automated provisioning of the tunnels.

Big Brother is watching you! so last year!

True, but lawful intercept has been around for a while: active/passive flow tap monitoring, port mirroring, caller ID spoofing ....... I also saw an update on the IOS/Junos roadmap not that long ago. The 7600 has been around for a while now, and so has the code that comes w/ that feature available .........

Let's not generate more data traffic than this ....... as in case of infringement all data is recorded, stored, used as evidence and brought to our attention by the home "team", so we know in advance ..... :)

snmp v3 has been around for a gd while .......