[tor-talk] Quantum Insert detection for everyone

Chris Dagdigian dag at sonsorol.org
Wed Apr 22 19:06:42 UTC 2015


I run a US-based exit node and would be interested in a way to run this 
software without compromising the users exiting my node. Looking forward 
to your additional writeups - especially anything geared towards exit 
nodes and quantum insert detection.

-Chris


> David Stainton <dstainton415 at gmail.com>
> April 22, 2015 at 2:41 PM
> Greetings,
>
> Did you all see this Wired article about Quantum Insert detection?
>
> https://www.wired.com/2015/04/researchers-uncover-method-detect-nsa-quantum-insert-hacks
>
> These TCP injection attacks are used by various entities around the
> world (not just NSA!) to target individuals for surveillance or
> perhaps to add their computers to a botnet for other purposes.
>
> If you do not use a VPN or Tor you can run "Quantum Insert" detection
> on your computer and detect when you receive an attack attempt.
> However be advised that proper sandboxing is important here because
> intrusion detection and protocol analysis tools are notoriously
> insecure and get pwned all the time.
>
> If you are a Tor exit relay operator you have the option of running
> detection software; however, you should not publish the results
> publicly without mixing in some noise or your published data might
> make it possible for some adversaries to deanonymize Tor users. If
> your country has strict telecommunications laws then it might only be
> legal for you to perform this type of detection if you do not perform
> logging.
>
> For the past several months... in my free time I've been slowly
> developing a very comprehensive TCP injection attack detection tool
> called HoneyBadger:
>
> https://github.com/david415/HoneyBadger
>
> Quantum Insert is an NSA codeword for "TCP injection attack", however
> either of these terms is too vague. During my research I was able to
> classify 4 different types of TCP injection attack. When I say that
> HoneyBadger is comprehensive what I mean is that HoneyBadger can
> detect ALL of these types of TCP injection attack... I describe
> them briefly here:
>
> https://honeybadger.readthedocs.org/en/latest/
>
> Here's the Fox-IT blog post about their Quantum Insert detection software:
> http://blog.fox-it.com/2015/04/20/deep-dive-into-quantum-insert/
>
> I am going to work on writing a much more comprehensive blog post; it
> will be filled with gory technical details AND it will include
> information on how to use HoneyBadger. HoneyBadger has optional (off
> by default) full-take logging which could enable you to capture a
> zero-day payload from a TCP attack; you should then responsibly
> disclose to the software vendor or contact a malware analyst to help
> out!
>
>
> Sincerely,
>
> David Stainton


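The detection principle the tools mentioned in this thread rely on: an injected TCP segment has to race the genuine one, so a capture of the flow ends up holding two segments that cover the same sequence numbers but carry different bytes, whereas an honest retransmission repeats the same bytes. The following is an added Python example of that check, written for this page; it is not HoneyBadger's or Fox-IT's code. The flow tuple, addresses, timestamps and HTTP payloads are constructed sample data, MAX_HISTORY is an assumed per-flow bound, and nothing here parses pcaps (a real deployment would feed it segments from a TCP reassembler).

```python
# Added example (not HoneyBadger code): flag TCP segments whose sequence
# ranges overlap but whose overlapping bytes differ. A benign retransmission
# repeats the same bytes; a segment injected in a race with the real one
# does not. All sample data below is constructed for illustration.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SEQ_MASK = 0xFFFFFFFF
HALF = 0x80000000
MAX_HISTORY = 64  # assumption: remember this many payload segments per flow

Flow = Tuple[str, int, str, int]  # (src_ip, src_port, dst_ip, dst_port)


@dataclass(frozen=True)
class Segment:
    flow: Flow
    seq: int        # sequence number of the first payload byte
    payload: bytes
    ts: float       # capture timestamp in seconds


@dataclass(frozen=True)
class Conflict:
    flow: Flow
    seq: int        # first sequence number at which the two segments disagree
    earlier: bytes  # bytes that arrived first (the ones a receiver keeps)
    later: bytes    # bytes of the later segment for the same sequence range
    delta_ts: float # how much later the conflicting segment arrived


def overlap(a: Segment, b: Segment) -> Optional[Tuple[int, bytes, bytes]]:
    """Return (start_seq, a_bytes, b_bytes) for the sequence range that both
    segments cover, handling 32-bit wraparound; None if they are disjoint."""
    off = (b.seq - a.seq) & SEQ_MASK
    if off >= HALF:                 # b actually starts before a: swap roles
        r = overlap(b, a)
        return None if r is None else (r[0], r[2], r[1])
    if off >= len(a.payload):
        return None
    n = min(len(a.payload) - off, len(b.payload))
    if n == 0:
        return None
    return ((a.seq + off) & SEQ_MASK, a.payload[off:off + n], b.payload[:n])


class InjectionDetector:
    """Tracks payload-bearing segments per flow and reports conflicts."""

    def __init__(self) -> None:
        self._history: Dict[Flow, List[Segment]] = {}

    def observe(self, seg: Segment) -> List[Conflict]:
        """Feed one segment in capture order; return the conflicts it creates."""
        alerts: List[Conflict] = []
        if not seg.payload:         # pure ACKs carry nothing to compare
            return alerts
        hist = self._history.setdefault(seg.flow, [])
        for prev in hist:
            r = overlap(prev, seg)
            if r is None:
                continue
            start, old, new = r
            if old == new:
                continue            # ordinary retransmission, same bytes
            i = next(k for k in range(len(old)) if old[k] != new[k])
            alerts.append(Conflict(seg.flow, (start + i) & SEQ_MASK,
                                   old[i:], new[i:], seg.ts - prev.ts))
        hist.append(seg)
        if len(hist) > MAX_HISTORY:  # bound memory per flow
            del hist[0]
        return alerts


def analyse(segments: List[Segment]) -> List[Conflict]:
    det = InjectionDetector()
    alerts: List[Conflict] = []
    for seg in sorted(segments, key=lambda s: s.ts):
        alerts.extend(det.observe(seg))
    return alerts


# Constructed sample: server->client direction of one HTTP flow
# (documentation address ranges, invented timestamps and payloads).
SERVER_TO_CLIENT: Flow = ("198.51.100.10", 80, "192.0.2.7", 51234)
SAMPLE = [
    # a forged redirect wins the race and arrives first
    Segment(SERVER_TO_CLIENT, 1000,
            b"HTTP/1.1 302 Found\r\nLocation: http://example.invalid/x\r\n\r\n", 0.100),
    # the genuine response arrives 40 ms later over the same sequence range
    Segment(SERVER_TO_CLIENT, 1000,
            b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>", 0.140),
    # a later body segment and its honest retransmission: identical bytes
    Segment(SERVER_TO_CLIENT, 1200, b"<body>hello</body>", 0.200),
    Segment(SERVER_TO_CLIENT, 1200, b"<body>hello</body>", 0.450),
]

if __name__ == "__main__":
    for c in analyse(SAMPLE):
        print(f"{c.flow}: conflict at seq {c.seq} after {c.delta_ts:.3f}s: "
              f"{c.earlier[:12]!r} vs {c.later[:12]!r}")
```

Two caveats a practitioner would add: the detector cannot tell which of the two segments is forged, only that they disagree (the receiver's TCP stack has already accepted whichever arrived first), so the earlier payload and the arrival delta are what an analyst looks at; and a Conflict record carries the client address, so an exit operator who logs these is holding exactly the kind of data the post above warns against publishing without noise.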