Infosec bods can now sniff out the NSA's Quantum Insert hacks

Sneaky state-sponsored snoopery can be picked up by counting HTTP packets

Security researchers have developed a method for detecting NSA Quantum Insert-style hacks.

Fox-IT has published free open-source tools to detect duplicate sequence numbers of HTTP packets, with different data sizes, that are the hallmarks of Quantum Insert.

The utilities developed by Fox-IT are capable of exposing fiddling with HTTP packets but are by no means perfect and might themselves be circumvented, as a blog post by Fox-IT explains.

Quantum Insert, a favoured signals intelligence hacking technique exposed by documents leaked by Edward Snowden, is an "HTML redirection" attack that works by injecting malicious content into a specific TCP session. A session is selected for injection based on various factors or selectors, such as a persistent tracking cookie that identifies a person of interest.

When an interesting target is observed while eavesdropping on network traffic, another device – the shooter – is prompted to send a spoofed TCP packet. In order to craft and spoof this packet into the existing session, information about this session must already have been obtained. For the attack to work, the packet injected by the shooter has to arrive at the target before the "real" response of the webserver. If this is done successfully, a cyberspy or hacker can impersonate a webserver before flinging malicious traffic in the direction of targets, as explained in a video put together by Fox-IT. All this takes advantage of inherent weaknesses in TCP.

Deep dive into QUANTUMINSERT

Anyone capable of monitoring a network and sending spoofed packets can perform Quantum-like attacks, although in practice it's easier for nation states to pull off this sort of subterfuge.

It's not only the NSA and the UK's GCHQ getting up to these shenanigans. China recently pulled off this type of attack, as research by CitizenLab on China’s Great Cannon illustrated.

"Detection is possible by looking for duplicate TCP packets but with different payloads, and other anomalies in TCP streams," explained Lennart Haagsma, a network security analyst at Fox-IT, adding that various counter-measures aside from its new detection tools are already available.
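The check described above (duplicate TCP sequence numbers in one flow carrying different payloads), as an added example that is not Fox-IT's tool; the flow, addresses and HTTP responses are constructed sample data.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass(frozen=True)
class Segment:          # the fields of a captured TCP segment that matter here
    src: str
    sport: int
    dst: str
    dport: int
    seq: int
    payload: bytes

FlowKey = Tuple[str, int, str, int]

def first_line(payload: bytes) -> str:
    return payload.split(b"\r\n", 1)[0].decode("ascii", "replace")

def detect_duplicate_seq(segments: List[Segment]) -> List[dict]:
    """Alert when a sequence number reappears in the same flow with different
    data. An identical repeat is a normal TCP retransmission and is ignored."""
    seen: Dict[FlowKey, Dict[int, List[bytes]]] = defaultdict(lambda: defaultdict(list))
    alerts = []
    for seg in segments:
        if not seg.payload:          # pure ACKs carry nothing to compare
            continue
        key = (seg.src, seg.sport, seg.dst, seg.dport)
        variants = seen[key][seg.seq]
        if seg.payload in variants:  # retransmit of something already seen
            continue
        if variants:                 # same seq, new content: two "responses" raced
            alerts.append({"flow": key, "seq": seg.seq,
                           "first": first_line(variants[0]), "first_len": len(variants[0]),
                           "new": first_line(seg.payload), "new_len": len(seg.payload)})
        variants.append(seg.payload)
    return alerts

# Constructed sample: server 192.0.2.10:80 answering client 198.51.100.5:40001.
SERVER, CLIENT = ("192.0.2.10", 80), ("198.51.100.5", 40001)
REAL = b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello"
INJECTED = b"HTTP/1.1 302 Found\r\nLocation: http://203.0.113.7/\r\n\r\n"
SAMPLE = [
    Segment(*SERVER, *CLIENT, 1000, INJECTED),  # short spoofed reply wins the race
    Segment(*SERVER, *CLIENT, 1000, REAL),      # genuine reply, same seq, other data
    Segment(*SERVER, *CLIENT, 1000, REAL),      # retransmit of genuine reply: no new alert
]
BENIGN = [Segment(*SERVER, *CLIENT, 2000, REAL), Segment(*SERVER, *CLIENT, 2000, REAL)]
```

Run on a real capture, each alert is a candidate race worth pulling the full stream for; a plain retransmission never fires.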

"The usage of HTTPS in combination with HSTS can reduce the effectiveness of QI [Quantum Insert]. Also using a content delivery network (CDN) that offers low latency can make it very difficult for the QI packet to win the race with the real server," he said.

The Snowden leaks include a slide from the Communications Security Establishment Canada describing how to detect Quantum Insert attacks, a useful pointer highlighted by Fox-IT that helped the Netherlands-based firm on its way towards developing Quantum Insert-sniffing tools. ®
