flak

rss

random

on the detection of quantum insert

The NSA has a secret project that can redirect web browsers to sites containing more sophisticated exploits called QUANTUM INSERT. (Do I still need to say allegedly?) It works by injecting packets into the TCP stream, though overwriting the stream may be a more accurate description. Refer to Deep dive into QUANTUM INSERT for more details. At the end of that post, there’s links to some code that can help one detect QI attacks in the wild. As noted by Wired and Bruce Schneier, among dozens of others, now we can defend ourselves against this attack (well, at least detect it).

experiment

I was curious if anybody would actually bother trying to detect QI. And so I set out to build a QI detector detector. The easiest way to do that seemed to be building and deploying a QI like system and seeing how many people noticed. For the sake of clarity, I decided to call my packet front running system VAMPIRE SQUID.

VS works by modifying HTTP responses, but in order not to interfere with normal browsing activity, it simply rewrites “200 OK” responses to say “200 ok”. Browsers don’t care about this difference, but a QI detector will notice that two overlapping packets from the same TCP stream have different content. In order to maximize the chances of detection, both packets were sent to every visitor. The order of OK and ok varied. (The NSA apparently claimed a 50% success rate with QI.) An arc4randomly selected subset of visitors received a more interesting payload, but you’re unlikely to have been affected.

Alas, I didn’t have time to go full verge and install a few megabytes of tracking javascript. Maybe next time. The best I can say after some basic log analysis is that about 50000 people were affected, at least some of whom also visit sites where topics like thwarting the NSA are regularly discussed.

In two months of wanton insertion, there were zero reports of anybody detecting anything anomalous.

analysis

One possible conclusion is that people are more interested in complaining about the NSA than actually doing anything about it. That would be too cynical.

Maybe nobody cares about their browser being redirected to exploit sites. Maybe they use a vuln free browser. Maybe they haven’t done anything wrong and aren’t a target.

It’s also possible I failed to attract the right visitors. This is only a one man show, and I can only churn out so much linkbait, even for the sake of science.

Perhaps you’re all a bunch of sneaky bastards who noticed what I was up to and chose to remain silent. Joke’s on me.

Some people browse the web through transparent proxies, in which case the QI attack would be against the proxy and not detectable by the end user. Such users would be susceptible to attacks by the proxy, however. And while mundane, such NEWTONIAN INSERT attacks are no less devastating.

QI should work through most NATs, firewalls, traffic shapers, etc. The “duplicate” packet is in the window, and most routers aren’t in the habit of keeping full stream data to compare contents. They just pass along the packet. (Possibly some interesting IDS tomfoolery potential here.)

Posted 06 Aug 2015 02:24 by tedu Updated: 06 Aug 2015 02:24