Greetings,
Did you all see this Wired article about Quantum Insert detection?
https://www.wired.com/2015/04/researchers-uncover-method-detect-nsa-quantum-...
These TCP injection attacks are used by various entities around the world (not just NSA!) to target individuals for surveillance or perhaps to add their computers to a botnet for other purposes.
If you do not use a VPN or Tor you can run "Quantum Insert" detection on your computer and detect when you receive an attack attempt. However, be advised that proper sandboxing is important here because intrusion detection and protocol analysis tools are notoriously insecure and get pwned all the time.
If you are a Tor exit relay operator you have the option of running detection software; however, you should not publish the results publicly without mixing in some noise, or your published data might make it possible for some adversaries to deanonymize Tor users. If your country has strict telecommunications laws then it might only be legal for you to perform this type of detection if you do not perform logging.
For the past several months... in my free time I've been slowly developing a very comprehensive TCP injection attack detection tool called HoneyBadger:
https://github.com/david415/HoneyBadger
Quantum Insert is an NSA codeword for "TCP injection attack"; however, both of these terms are too vague. During my research I was able to classify 4 different types of TCP injection attack. When I say that HoneyBadger is comprehensive, what I mean is that HoneyBadger can detect ALL of these types of TCP injection attack... I describe them briefly here:
https://honeybadger.readthedocs.org/en/latest/
Here's the Fox-IT blog post about their Quantum Insert detection software: http://blog.fox-it.com/2015/04/20/deep-dive-into-quantum-insert/
I am going to work on writing a much more comprehensive blog post; it will be filled with gory technical details AND it will include information on how to use HoneyBadger. HoneyBadger has optional (off by default) full-take logging which could enable you to capture a zero-day payload from a TCP attack; you should then responsibly disclose to the software vendor or contact a malware analyst to help out!
Sincerely,
David Stainton
hi,
On 22.04.2015 at 20:41, David Stainton wrote:
Did you all see this Wired article about Quantum Insert detection?
https://www.wired.com/2015/04/researchers-uncover-method-detect-nsa-quantum-...
Prove me wrong, but wouldn't the use of an HTTPS/onion address render this attack useless?
What's up with the title "researchers uncover method"? Like this would be anything new? Basically it's the concept of a MITM attack, which is a serious threat[1] as old as telecommunication itself. The only working solution is end-to-end encrypted communication. So why use inefficient and vulnerable "detection tools" to spy on Tor users?
Humble opinion of a barely frightened Tor user.
[1]: Remark: There are sufficient opportunities for MITM attacks. (There are still guys out there surfing the web via GSM (broken crypto) on their mobiles.)
Yes and no. HTTPS/Onion services prevent successful TCP injection attacks when the attacker doesn't know the key material... therefore to make this claim about HTTPS in general seems rather sketchy given that many CAs have been pwned (and subpoenaed?) in the past.
TCP injection attacks are not the same as man-in-the-middle attacks... but rather are categorized as man-on-the-side. The difference is important because MoS is *much* cheaper for these various (not just NSA) entities to execute. MoS means you do not have to pwn a route endpoint at the site of your TCP injections... you can inject from almost anywhere as long as you can win the race.
I will discuss this point in my write up... and I will write a section specifically for Tor exit relay operators who are interested in using HoneyBadger.
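As an added illustration of the race described above (example code written for this thread, not HoneyBadger's own): a man-on-the-side attacker can only inject, not suppress, so a passive observer at the endpoint or exit relay eventually sees both the injected segment and the genuine one claiming the same sequence range. The check below flags a flow when two segments overlap in sequence space with different bytes; flow keys and payloads are constructed sample data.

```go
package main

import "fmt"

// Segment holds the few TCP fields the check needs; inputs below are constructed.
type Segment struct {
	Flow    string // constructed flow key, e.g. "10.0.0.2:51000<-93.184.216.34:80"
	Seq     uint32
	Payload []byte
}

// Alert reports a segment whose bytes disagree with bytes already seen
// for the same sequence numbers in the same flow.
type Alert struct {
	Flow       string
	FirstSeq   uint32 // first sequence number whose byte differs
	Mismatches int
}

// Detector remembers every payload byte per (flow, sequence number).
type Detector struct{ seen map[string]map[uint32]byte }

func NewDetector() *Detector { return &Detector{seen: map[string]map[uint32]byte{}} }

// Observe records a segment. A plain retransmission repeats identical bytes
// and yields nil; differing bytes over the same sequence space yield an Alert.
func (d *Detector) Observe(s Segment) *Alert {
	bytesSeen, ok := d.seen[s.Flow]
	if !ok {
		bytesSeen = map[uint32]byte{}
		d.seen[s.Flow] = bytesSeen
	}
	var alert *Alert
	for i, b := range s.Payload {
		seq := s.Seq + uint32(i) // uint32 arithmetic wraps like TCP sequence space
		prev, dup := bytesSeen[seq]
		switch {
		case !dup:
			bytesSeen[seq] = b // first sighting of this byte position
		case prev != b:
			if alert == nil {
				alert = &Alert{Flow: s.Flow, FirstSeq: seq}
			}
			alert.Mismatches++
		}
	}
	return alert
}

func main() {
	d := NewDetector()
	flow := "10.0.0.2:51000<-93.184.216.34:80" // constructed flow key
	d.Observe(Segment{flow, 1000, []byte("HTTP/1.1 200 OK\r\n")})
	// Genuine retransmission: identical bytes, so no alert.
	fmt.Println(d.Observe(Segment{flow, 1000, []byte("HTTP/1.1 200 OK\r\n")}) == nil)
	// A competing segment for the same sequence range with different content.
	fmt.Printf("%+v\n", d.Observe(Segment{flow, 1000, []byte("HTTP/1.1 302 Found\r\n")}))
}
```

A real tool also has to bound the per-flow byte map and drop state at connection teardown, otherwise the detector itself becomes the easiest thing on the box to exhaust.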
On Wed, Apr 22, 2015 at 10:16 PM, janulrich andi@michlaustderaffe.de wrote:
tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
Thanks for your reply
David Stainton wrote:
Yes and no. HTTPS/Onion services prevent successful TCP injection attacks when the attacker doesn't know the key material... therefore to make this claim about HTTPS in general seems rather sketchy given that many CAs have been pwned (and subpoenaed?) in the past.
Haha, you're right! HTTPS key exchange is broke. Always a good laugh, though.
TCP injection attacks are not the same as man-in-the-middle attacks... but rather are categorized as man-on-the-side. The difference is important because MoS is *much* cheaper for these various (not just NSA) entities to execute. MoS means you do not have to pwn a route endpoint at the site of your TCP injections... you can inject from almost anywhere as long as you can win the race.
I will discuss this point in my write up... and I will write a section specifically for Tor exit relay operators who are interested in using HoneyBadger.
What about the approach of detecting/preventing those attacks at the user endpoint? Like enforcing HTTPS connections (HTTPS Everywhere) and prohibiting/announcing redirects.
Tor users will not be able to detect these attacks on their infrastructure; hence my message to Tor exit relay operators.
It is possible to add a "prevention" mechanism to HoneyBadger: an event-based firewall ruleset generator made to block TCP injection attacks as they are happening... yes, this is possible. I could write that if there was interest from enough people.
Yes... users of the Internet should give up using plain-text protocols to stay safer. HTTPS-Everywhere and the various other related efforts by the EFF are all a great help towards keeping people safer.