Nicholas Weaver has a great essay explaining how the NSA’s QUANTUM packet injection system works, what we know it does, what else it can possibly do, and how to defend against it. Remember that while QUANTUM is an NSA program, other countries engage in these sorts of attacks as well. By securing the Internet against QUANTUM, we protect ourselves against any government or criminal use of these sorts of techniques.
Winter • November 18, 2013 9:54 AM
@mt
“Just curious, how do you see the situation now?”
To me, it looks like the intelligence community has decided to start their own cyber war against the the general public for lack of other enemies.
NobodySpecial • November 18, 2013 10:27 AM
This isn’t cyber-warfare, they are mostly targeting their own citizens. It’s more cyber-dictatorship
Brian M. • November 18, 2013 10:30 AM
“Cyber war” as “war” is hype. What isn’t hype are the billions of dollars/yen/euros that are sucked out of businesses and average people by criminals. That part is the real cyber-war.
After a quick perusal through the article, I can definitely say that this is all stuff I’ve seen “in the wild” about eight years ago. The only thing that’s significant is that the NSA has put their equipment on the backbone to facilitate this stuff. Other than that, the technology was being deployed to screw with people at coffee shops.
Lévesque • November 18, 2013 10:36 AM
For some “conspiracy theorists” the Iraq war was just training for urban warfare and this cyber war against the public is just an aspect of a future military state.
Lévesque • November 18, 2013 10:38 AM
…an aspect of a future military state where the “enemy” is an already chosen subgroup of the population, I might add.
Muddy Road • November 18, 2013 11:15 AM
To prevent Quantum Attacks (and many others):
Encrypt Everything (with software that has not been corrupted).
OK, I’m waiting, who will be the first to offer such a miracle?
Muddy Road • November 18, 2013 11:17 AM
To prevent Quantum Attacks, and many others:
Encrypt Everything (with software that has not been corrupted).
Who will be the first to offer such a miracle cure?
I’m waiting…..
Anura • November 18, 2013 11:36 AM
@Muddy Road
Encrypt everything is not so much a cure, as it is a matter of “Make everything significantly more difficult.”
You are always going to have a weak link; if you have every IP Addeess’s key exchange certificate signed with the ISPs intermediate certificate, then you are secure up to the point where the NSA obtains that intermediate certificate (either through theft, intimidation, court order, or just plain asking). However, instead of passively listening into traffic or injecting packets (especially difficult if you employ a scheme with perfect forward secrecy), you would need to actually perform a man in the middle attack, which is costly.
It’s something we need to do, but it’s by no means a cure-all. There are so many steps we need to take on top of encrypting everything: open hardware, open firmware, open software, open standards and open government, as well as standards and practicies at each level to minimize the possibility of subversion. I would argue we should also have regulations for protecting privacy as well as securing the storing of personal informaiton. Of course, this still isn’t a cure for violations of privacy any more than a wall is a cure for illegal immigraiton, it just makes it somewhat more difficult.
BP • November 18, 2013 11:40 AM
I’ve had a number of hard drives fail in the exact same way, with bad blocks being written to certain sectors of the drive causing it to not be able to be partitioned properly, getting a read/write error when attempting to write the table with all the inodes, etc properly. The drive often will put a file system in place, but the partition table was not written on it and a certain part of the drive seems to have been manipulated to make it unwriteable. I often wonder who is doing this, and why are they doing it? I know I have a cracker who visits often and harasses often, although so far it appears that Fedora is keeping the person out. A month or so ago I was writing about this person, which he or she did not take kindly at all and kept trying to stop me from writing about what he’s done. Even an email to my wife who sits right beside me all day -although we occasionally exchange emails regardless. You may remember the font change problem that I demonstrated by leaving the odd font change he caused while typing out a comment about him while commenting on this site.
Western Digital can’t be happy about drives being ruined and returned because of this kind of evil hack.
Nick P • November 18, 2013 11:41 AM
Repost of my previous reply to that essay:
“Excellent article and good analysis of their capabilities. The only thing I’d dispute is the conclusion you reached about encryption being the solution. The actual problem is that the protocols/libraries/standards that power most of the Internet are vulnerable to TLA’s on multiple angles. Add to that the centralization in protocols like DNS and the CA’s. Changing the situation will require dealing with all of that.
However, I’ve always advocated removing the low hanging fruit for attackers across the board as the first step to more secure computers. Better encryption and authentication of existing protocols can certainly help. Cookies are another problem that should be replaced, damage limited, or phased out. All native code executables interpreting web activity should be armored against code injection at a minimum (e.g. Native Client SFI) and at a maximum be designed for isolation of different domains/components (e.g. OP-style browsers). Application-level security in-page a la NoScript. Finally, the platforms themselves should have both a trustworthy boot process and be able to use it for recovery media in event of suspected compromise.
These are the most minimal requirements for safe[r] online activity. Not a single existing option meets all of them far as I know. Yet, without addressing their major areas of attack, all the crypto in the world won’t save you when they rootkit the computer via unsafe protocols or code in the system. “
Wael • November 18, 2013 11:53 AM
@BP,
I often wonder who is doing this, and why are they doing it?
Who is General Failure and why is he reading my hard disk? — Steven Wright
martinr • November 18, 2013 12:20 PM
The essay claims: “The only self defense from all of the above is universal encryption. Universal encryption is difficult and expensive, but unfortunately necessary.”
I believe that authentication is much more important than encryption here.
Nick P • November 18, 2013 12:52 PM
@ Martinr
“I believe that authentication is much more important than encryption here.”
I agree. Weaver worries about confidentiality a whole lot much like the Orange Book era people did in their systems. Many of them later said it was a mistake and systems integrity was more important.
I’ll also add that the reason I have such a focus on endpoints is we’ve already seen a version of Weaver’s encryption recommendation happen. And NSA subverted them to varying degrees. They were called SSL and IPSec.
Jacob • November 18, 2013 12:54 PM
Look at the bright side: with so much effort being placed by the TLA to be a man-in-the-middle, man-on-the -side, cookie stealing, malicious injections etc., does it mean that they don’t really own the Network cards/stacks and the OS?
I mean, if you do backdoor the comm devices, firewalls and OS, no need to go through all the effort as they evidently go through now…
BP • November 18, 2013 1:12 PM
Wael, if about 75% of Western Digital drives fail in the first 1 to 2000 (total approximate 8 drives) hours of use, then General Failure is who I’m looking for. If not, then I’m looking for someone else.
Muddy Road • November 18, 2013 1:22 PM
@Anura
Certainly we need to make it more difficult for our military and corporate spymasters. I would say absent perfect encryption we should all take incremental steps that are proven effective to thwart tracking.
For example, does deleting cookies help? If so what is the best method? How often? And, there should be educational programs launched to make it work.
Etc.
You mentioned key exchange and certificates. Is it not possible to issue my own certificate? Is there a law that says I can’t? I if generate it and, for example, store it offline I would think that’s pretty safe.
I think there is absolutely no chance our government or any of the five eyes will offer the citizenry any aid whatsoever. We are adversaries. They gain budget increases, profits and power over us by casting the net wider.
Personally I think the military-corporate alliance is running the USA now and likely many other countries. They have managed to make politicians work for them or irrelevant.
I would guess they arrogantly view themselves as benign tyrants. My view is less congratulatory.
Robert • November 18, 2013 1:26 PM
“…against any government or criminal use…”
You’re repeating yourself there.
Carl 'SAI' Mitchell • November 18, 2013 1:42 PM
The “cyberterrorism” phrase is fearmongering. The NSA is doing more than any other organization to change that, by making cyberterroism a reality. These practices go a long way to enabling the very things they claim they are trying to prevent.
Nicholas Weaver • November 18, 2013 2:00 PM
This is intended for a lay audience to a large degree, so “encryption” serves as a shorthand for “cryptographic authentication”: It is a poor cryptosystem that provides confidentiality without data integrity and authenticity.
In particular, DNSSEC (which I’ve grown to strongly believe in) provides no confidentiality, but does provide cryptographic data integrity. And it has a potential as a building block for even more interesting protocols, as the use of multiple names allow one to assert a value validated by multiple paths of trust.
Anura • November 18, 2013 2:01 PM
@Muddy Road
You mentioned key exchange and certificates. Is it not possible to issue my own certificate? Is there a law that says I can’t? I if generate it and, for example, store it offline I would think that’s pretty safe.
No, I have my own CA for stuff in my internal network. The pronblem is in communicating with random machines on the internet. At some point you need to have an authrotiy that you trust. If I’m connecting to http://www.giveusyourmoney.com, and there isn’t a trusted third party that says “Yep, this is them” then how do know you are really connected to them and not some attacker who’s impersonating them?
This said, with the entire CA model we have right now, there is no reason to trust them. The authority who issues a certificate should be an authority over what they are issuing the certificate for, not completely disconnected like we have now.
I think we need to have two levels: DNS and IP; IANA could issue a root certificate to sign certificates for blocks issues to regional authorities, those certificates would be used to sign certificates for blocks issued to ISPs, ISPs would issue certificates for blocks assigned to their customer’s, customer’s issue certificates for blocks assigned to devices which are then used to sign a certificate for every IP leased. A similar system could piggy back off of DNSSEC to sign domain certificates.
jackson • November 18, 2013 2:24 PM
This does not defeat the use of private keys, so who cares if they’re in the middle watching everything going back and forth. What’s different about this and classic reroute attack? I will tell you what is different, it implies the CA has been subverted. No matter how good a block cipher is and how strong private keys are, if you can’t safely use key exchange all bets are off. So, you have to find another method, or a unique channel. Besides physical conveyance, I only know one other way.
jackson • November 18, 2013 2:32 PM
Don’t waste your time generating your own public keys. Fixating on computationally-bound attackers is old school. Do you want to fix this problem or just screw around?
Alex • November 18, 2013 2:33 PM
The message which really needs to be driven home is that if the US gov’t can use these methods and backdoors, enemies of the US can also use such techniques, and possibly the very same backdoors the NSA has pushed for.
A computer doesn’t know nor care about the nationality of who operates it or where the code comes from, it’ll just do what it’s told to do.
PRAYUUP • November 18, 2013 2:54 PM
@Muddy Road “Personally I think the military-corporate alliance is running the USA now and likely many other countries. They have managed to make politicians work for them or irrelevant.”
Accurate, but don’t overlook the religion industry, an important part of the so-called “military industrial complex”.
Religions of all types have an interest in making common cause against the truth.
Which serves the intelligence community just fine, because they want a monopoly on the truth.
And there’s another tie-in: a church establishment is needed to produce Christian militants.
holden • November 18, 2013 4:57 PM
It’s interesting that they’re using HTTP “302” redirects. I wouldn’t expect that to be very stealthy, but apparently it can bypass Firefox’s redirection warning.
Bauke Jan Douma • November 18, 2013 5:36 PM
Did not YET read article.
But…
In the last sentence, is the emphasis on the word ‘any’?
Nicholas Weaver • November 18, 2013 5:51 PM
Yes, “Any”. The amount of privileged positioning needed to pull off QUANTUM style attacks is available to a huge number of governmental and non-governmental actors.
Large states with off-country wiretaps can do it NSA style (France, Russia, China). Small countries can still draw traffic to them.
Wael • November 18, 2013 6:24 PM
@ Nicholas Weaver
Don’t you see the browser itself as a weak link? The browser became an execution engine. It’s almost like an OS. And that presents a weakenss that you mentioned has been exploited. If you have your social media applications such as the linkedin example you gave that runs outside the browser (an application) and you don’t use browsers for emails. Plus using a lobotomized browser that only has one tab, accepts no cookies, etc… Something very primitive. Would that reduce the attack surface?
As to encryption:
Then, who maintains the encryption keys and manages them. Who is to be trused with them? Can’t TLEs force ISP, etc to release keys? I read the article but have a feeling I missed something.
Lévesque • November 18, 2013 6:39 PM
@PRAYUUP
And there’s another tie-in: a church establishment is needed to produce Christian militants.
Churches have historically been useful for dictatorial governments. We can see already in Nazi Germany how that government there got the churches to fly the swastika-flag. Not to mention how high church officials often dined with high-level Nazis and had nothing against supporting proper protocol such as the nazi salutes.
These sort of things helped to communicate to the general populace that those churches were 0wn3d by Der Fuhrer. So no point in trying use churches to organize against the government.
And then of course both Allied and Axis had their army chaplains, giving the blessings to Catholics/Protestants/Name-That-Faith on their way to kill Catholics/Protestants/Name-That-Faith on the other side.
Anura • November 18, 2013 6:47 PM
@Wael
Sure, software is always going to be a weak link, but if you do it right, you can have perfect forward secrecy, meaning that even if you recover private keys it at most means you can impersonate the server via a MITM attack. Take the following scheme:
Client has a certificate for an IP address containing a diffie-hellman public key
Server has a certificate for an IP address and domain name each containing a different diffie-hellman public key
Client sends the server its IP certificate chain and an ephemeral public key, generated at the point it opens the connection from a high quality (pusedo)random source
Server sends the client its IP certificate chain and an ephemeral public key, generated at the point it opens the connection from a high quality (pusedo)random source
Client and server hash their respective static private keys with the other parties ephemeral public keys, and their ephemeral private keys with the other parties static public key. They then hash these together with a key derivation function to generate a master key. They use key confirmation to verify that they have the right keys.
Over an encrypted connection, the client then requests the domain name, and over an encrypted connection the server sends the certificate chain for the requested domain. The server then sends the appropriate domain certificate chain over the encrypted connection, possibly along with additional certificates like an EV certificate if we build on DNSSEC to allow for signing domain certs (because we have to keep existing CAs in business). The encrypted data then gets signed with the certificates to verify authenticity of the domain.
Now, the ephemeral keys guarantee that you can’t eavesdrop, even if you know or later recover the static private keys, unless you perform a MITM using forged/stolen certificates for both the domain and the IP. By encrypting the domain certificates, then signing the encrypted data, the holder of the IP certificate claims that server holds the domain certificate, and by signing the encrypted data, the holder of the domain certificate claims they encrypted the data – if both of these are true, you know you are communicating with the entity that holds both the domain and IP certificates. OCSP stapling would probably be necessary to efficiently verify the validity of certificates.
Anura • November 18, 2013 6:50 PM
“Client and server hash their respective static private keys with the other parties ephemeral public keys, and their ephemeral private keys with the other parties static public key. They then hash these together with a key derivation function to generate a master key. They use key confirmation to verify that they have the right keys.”
Err… That should say “generate a shared secret with” not hash…
Tarzan • November 18, 2013 6:58 PM
This seems to be new, although according to the article it is not known whether Linus agreed to the request or not (it just says that it would be “difficult” on an open source project but I am sure NSA already knew it is an open source project).
NSA Asked Linus Torvalds To Install Backdoors Into GNU/Linux
http://falkvinge.net/2013/11/17/nsa-asked-linus-torvalds-to-install-backdoors-into-gnulinux/
From the article…
The NSA has asked Linus Torvalds to inject covert backdoors into the free and open operating system GNU/Linux. This was revealed in this week’s hearing on mass surveillance in the European Parliament. Chalk another one up of the United States NSA trying to make information technology less secure for everyone.
The father of Linus Torvalds, Nils Torvalds, is a Member of the European Parliament for Finland. This week, Nils Torvalds took part in the European Parliament’s hearing on the ongoing mass surveillance, and brought a revelation:
The United States security service NSA has contacted Linus Torvalds with a request to add backdoors into the free and open operating system GNU/Linux.
The entire inquiry is available here on YouTube (uploaded by Hax)…
Wael • November 18, 2013 7:08 PM
@ Anura,
you can have perfect forward secrecy
Is that the problem being solved?
Dirk Praet • November 18, 2013 7:12 PM
@ Anura
Client has a certificate for an IP address containing a diffie-hellman public key
How are you going to make that work with dynamic ip addresses, which is what most ordinary internet users have ?
@ Holden
I wouldn’t expect that to be very stealthy, but apparently it can bypass Firefox’s redirection warning.
Have you tried the NoRedirect add-on ?
@ Muddy Road
Personally I think the military-corporate alliance is running the USA now and likely many other countries. They have managed to make politicians work for them or irrelevant.
I assume you are not familiar with Frank Zappa’s famous quote “Politics is the entertainment branch of the military-industrial complex” ? If you’re not convinced, check out some Jon Stewart shows on YouTube.
@ Winter
To me, it looks like the intelligence community has decided to start their own cyber war against the the general public for lack of other enemies.
If cyberspace nowadays is considered a domain in its own right just like land, air and sea, then it could be argued that the NSA, as a military organisation, is prohibited from exercising any sort of powers that maintain law and order on non-federal property in the US, and as such is is in violation of Posse Comitatus when it conducts surveillance of individuals who have no plausible connection to al Qaeda or similar organisations.
Anura • November 18, 2013 7:17 PM
@Wael
Look at the attacks they have been doing:
1) Inject a packet to do a redirect to a malicious website
Fails with authenticated encryption
2) Read cookies to identify a browser/anything being sent over the wire
Fails with encryption
It doesn’t stop everything, but it stops a lot of what they are doing here, forcing them to do full-on MITM attacks, which get costly to do on a large scale. Either that or carpet bomb the internet with browser exploits instead of doing targeted attacks.
Anura • November 18, 2013 7:24 PM
@Dirk Praet
You can build it into the DHCP protocol.
Regional Authority signs certificate for each IP block assigned to an ISP
ISP signs a certificate generated on the end-user’s router for a /64, the router signs a certificate for the end user’s IP address.
Note, I’m not talking quick fixes, I’m talking about what we need to start planning for the future; all we can do now is quick fixes like BTNS IPSec and getting websites to default to HTTPS.
dumbo • November 18, 2013 7:29 PM
Can someone explain what is meant (the text as is is too dense for me to understand):
A packet injector can reveal these cookies by replying to an unnoticed web fetch (such as a small image) with a HTTP 302 redirect pointing to the target site (such as Hotmail). The browser now thinks “hey, should really go visit Hotmail and ask it for this image”. In connecting to Hotmail, it reveals all non-secure cookies to the wiretap. This both identifies the user to the wiretap, and also allows the wiretap to use these cookies
Wael • November 18, 2013 7:34 PM
@ Anura
There is a lot to go through. I am not convinced this scheme is either implementable in the near future nor do I believe its fool-proof. I’ll get back to that later, when I have the time. But for now, I see this as an HTTP / TCP/IP / protocol / browser / OS problem, and needs to be addressed at that level. Encryption schemes may add a barrier but do not address the root cause. More like a bandaid, in my opinion.
Dirk Praet • November 18, 2013 8:08 PM
@ Anura
You can build it into the DHCP protocol.
That could work, but also means that it’s going to be a long shot. If we look at things in this perspective I believe getting rid of CA’s alltogether has to be put on the same list, as are viable and more secure alternatives for DNS, a replacement for SMTP etc. etc.
In the short run, I tend to agree with @Wael that we need to address the problem in another way, and at the application level to start with. Ubiquitous HTTPS/PFS with trusted algorithms/ciphers is a step in the right direction. So is adding browser extensions such as AdBlock Plus, NoScript, NoRedirect, BetterPrivacy, Ghostery and the like, but we all know that it turns your browsing experience to sh*t because too many sites just don’t work properly without all the (exploitable) features these add-ons are blocking.
Anura • November 18, 2013 8:29 PM
@Dirk Praet
I just don’t think solving it on the browser level is realistic for a large scale, and that’s really the problem: what it takes to fix on a large scale (as I mentioned previously, open hardware, open firmware, open software, open government, open standards, a set of standards and practices for implementing said items, and regulations to protect us from the corporations) will take too long to implement, what it takes to fix it now is not something that you can actually make widespread. Most existing protocols don’t have security in mind, and most end users want more cloud and less locally installed software.
Chrome is the most popular browser, it’s (partially) closed source, IE is up there, it’s closed source, Firefox’s code is about 20 years worth of mess. The internet is moving in the direction of richer content, and there is no indication of that changing any time soon; this means browsers will get more complex.
Figureitout • November 18, 2013 9:31 PM
The internet is moving in the direction of richer content, and there is no indication of that changing any time soon; this means browsers will get more complex.
Anura
–Fck that fanboi sht. I don’t want that “rich” content w/ viruses and clogging up my computer. The only thing that gets me is youtube…probably a guilty pleasure I need to kill. Other than that, text boxes are more than plenty; I’d rather not go back in time to pure command line internet but in a police state w/ lone hackers just looking to f*ck someone all the time maybe it’s needed.
Figureitout • November 18, 2013 9:38 PM
Anura
–And reddit.com. Site makes me laugh everyday (actual laugh, not fake laugh); but I click on so many links and it’s a big clusterfack. The site usually makes my day though…
Vance • November 19, 2013 12:14 AM
@dumbo
Hope this helps.
The user opens a web page, which causes his browser to request multiple images embedded in the page. The attacker watches the user’s requests. When the attacker sees one that is likely to be for a small embedded image (named, say, “spacer.gif”), she quickly responds with a spoofed packet that appears to be from the web server.
If the real web server is slower to respond, then the browser will treat the spoofed packet as the reply to its request. Instead of including an image, the spoofed packet has a 302 redirect response which tells the browser to look elsewhere at a different URL. Normally, browsers will follow this without alerting the user. If the redirection goes to Hotmail, then along with its request for the URL it will include any cookies it is storing for the Hotmail domain.
Since the attacker can eavesdrop on the traffic, she can now see the user’s Hotmail cookies, which may directly or indirectly allow her to identify who the user is. Often, knowing the cookies allows one to impersonate the user.
I would expect that the redirection would point to some URL that doesn’t exist on the Hotmail domain. From the user’s perspective, instead of loading the spacer.gif image, the browser will display a “broken image” icon or similar, which doesn’t look all that suspicious.
This is very feasible for non-encrypted HTTP; to attack HTTPS in this way you would need to crack the encryption first.
dumbo • November 19, 2013 6:45 AM
@ Vance
Thanks, that clarifies the procedure considerably. From the sound of it, the hacker would preselect the cookie types (i.e., Google, Hotmail, whatever) that he/she wanted to intercept and then act accordingly. Seems to me that the hacker would have to be pretty alert, having templates ready at hand for the spoofed packets.
As for the use of HTTPS, from the sound of it the hacker would just revert to a man-in-the-middle attack on the certificate.
Anura • November 19, 2013 11:52 AM
@Figureitout
I figure that problem needs to be solved first at the OS level with much stronger process isolation. Processes themselves should be isolated from each other, and they should have restricted access to the filesystem. There’s so much that makes me nervous, even on Linux: any program has access to read and write to any files in the /tmp and /home directories (most could easily be limited to a program-specific subdirectory), and any program has access to read everything across most of the filesystem. Someone linked to something here before about the lack of isolation in X Server, allowing privilege escalation if you have a window running with elevated permissions. This needs to be our top priority in stopping malware.
Once the OS has the capability to restrict permissions on the process level, not just the user level, there should be a way to achieve further isolation for subroutines that have even less access, e.g. the code browsers use for rendering and processing scripts do not need direct filesystem access, or the ability to write to all of the application’s memory. You can’t change what people want, you have to work with it to design a system for better security. But, even if you do all of this, authenticated encryption of everything is still needed, along with reform in the public sector and private sector.
name.withheld.for.obvious.reasons • November 19, 2013 3:51 PM
On platfoms of performance (relative), availability, simplisity, and audit proven:
Here is my suggestion for a platform that could serve serveral purposes…
Language Support
a.) High level–bah–use masm, Ada, Pascal, Modulus II (history)
b.) Low level–masm at best
Scripting
a.) Rex, bourne, korn, maybe lisp–too heavy, forth
Figureitout • November 19, 2013 10:21 PM
There’s so much that makes me nervous
Anura
–I know how you feel…
What-IF?! • November 20, 2013 8:50 AM
Is there any evidence that they’re using a nondeterministic computer in a basement somewhere to use these techniques against HTTPS or other SSL connections as well? How long would it take to become known if they were?
Bruce Schneier • March 14, 2014 6:58 AM
“No offence Bruce, but I remember that a year or two ago you were quite strongly suggesting that cyberwarfare is a hype promoted by the defence industry, and not an actual real threat.
Just curious, how do you see the situation now? Missed the trend or was it a self-fulfilling prophecy? Or is it still your opinion?”
Cyberwar is definitely still hype. Lots of things that aren’t even remotely war are being called “cyberwar.” But the cyberwar arms race is very real, and very dangerous. QUANTUM is part of that.
Subscribe to comments on this entry
Sidebar photo of Bruce Schneier by Joe MacInnis.
mt • November 18, 2013 9:14 AM
No offence Bruce, but I remember that a year or two ago you were quite strongly suggesting that cyberwarfare is a hype promoted by the defence industry, and not an actual real threat.
Just curious, how do you see the situation now? Missed the trend or was it a self-fulfilling prophecy? Or is it still your opinion?