Discussion:
If you think your router is secure, the NSA will prove otherwise
Thad Floryan
2014-01-15 23:46:38 UTC
I've written about Bruce Schneier here many times before:

http://en.wikipedia.org/wiki/Bruce_Schneier

His "CRYPTO-GRAM" newsletter has been mailed on the 15th of every month since
1998, and today's is an eye-opener and a jaw-dropper and a l-o-n-g one
that took a while to read (including all the references).

You can subscribe to the CRYPTO-GRAM here:

http://www.schneier.com/crypto-gram.html

Today's edition is available here -- it's a MUST READ:

https://www.schneier.com/crypto-gram-1401.html

One tidbit from today's CRYPTO-GRAM is that embedded Linux devices are
inherently insecure. Cisco's PIX security firewall routers are child's
play to break into, and other vendors' are even easier to penetrate.

If you don't have time to read the entire CRYPTO-GRAM, read this
portion entitled "Security Risks of Embedded Systems" here:

https://www.schneier.com/crypto-gram-1401.html#5

Thad
Igor Sviridov
2014-01-16 00:44:06 UTC
Post by Thad Floryan
One tidbit from today's CRYPTO-GRAM is that embedded Linux devices are
inherently insecure. Cisco's PIX security firewall routers are child's
play to break into, and other vendors' are even easier to penetrate.
I don't think it's Linux's fault per se; it's just what most embedded platforms run,
and updating firmware is complicated because of embedded specifics.

But yeah, I do prefer pfSense or plain *BSD-based firewalls.

With recent hardware advances you've multiple platform choices which
can run unmodified *BSD without consuming more than 10-20W.

Also, in many cases NSA exploits assume initial access to the device
to install the exploit; at least this appears to be true for Cisco/Juniper/etc.;
I agree that many consumer router vendors ship extremely insecure products.
Post by Thad Floryan
If you don't have time to read the entire CRYPTO-GRAM, read this
https://www.schneier.com/crypto-gram-1401.html#5
Thad
--igor
Thad Floryan
2014-01-16 01:51:53 UTC
Post by Igor Sviridov
Post by Thad Floryan
One tidbit from today's CRYPTO-GRAM is that embedded Linux devices are
inherently insecure. Cisco's PIX security firewall routers are child's
play to break into, and other vendors' are even easier to penetrate.
I don't think it's Linux's fault per se; it's just what most embedded platforms run,
and updating firmware is complicated because of embedded specifics.
But yeah, I do prefer pfSense or plain *BSD-based firewalls.
Hi Igor,

My preference tends towards *BSD also.
Post by Igor Sviridov
With recent hardware advances you've multiple platform choices which
can run unmodified *BSD without consuming more than 10-20W.
Can be less than half that. My SheevaPlugs run 4W to 5W measured using
a Kill-A-Watt and they are full servers on my LAN 24/7/365 but they have
only one GigE port. Another similar device from the same company is the
OpenRD client using about 5 to 6 Watts and it has two GigE ports and more
and it's about the size of a small book whereas a SheevaPlug is about the
size of my coffee cup:

http://www.globalscaletechnologies.com/t-openrdcdetails.aspx
http://www.globalscaletechnologies.com/p-35-openrd-ultimate.aspx
Post by Igor Sviridov
Also, in many cases NSA exploits assume initial access to the device
to install the exploit; at least this appears to be true for Cisco/Juniper/etc.;
I agree that many consumer router vendors ship extremely insecure products.
The contents of the NSA ANT catalog reveal devices that insinuate themselves
remotely using a variety of electromagnetic techniques -- that's scary. I
recall once some spies were caught in a van behind Tymshare tech division on
Bubb Road in Cupertino where I worked; the spies had receivers in their van
in the parking lot that were capturing the images on CRTs located inside the
building (e.g., from my and others' desks) -- apparently they could detect
the CRT's -V scanning and reconstruct whatever was being displayed on the
CRTs inside the building -- note this was in 1971.
Post by Igor Sviridov
Post by Thad Floryan
If you don't have time to read the entire CRYPTO-GRAM, read this
https://www.schneier.com/crypto-gram-1401.html#5
Here's an interesting tidbit from today's CRYPTO-GRAM:

Acoustic cryptanalysis "can extract full 4096-bit RSA decryption keys
from laptop computers (of various models), within an hour, using the
sound generated by the computer during the decryption of some chosen
ciphertexts." http://www.cs.tau.ac.il/~tromer/acoustic/

In other recent NSA-related news, air-gapped computers can no longer be
considered safe. "Air gap" means no Ethernet or other network attached
supposedly rendering the computer secure -- not any more thanks to the
NSA. :-)

Thad
