Entries Tagged "Edward Snowden"

Page 5 of 15

Detecting QUANTUMINSERT

Fox-IT has a blog post (and has published Snort rules) on how to detect man-on-the-side Internet attacks like the NSA’s QUANTUMINSERT.

From a Wired article:

But hidden within another document leaked by Snowden was a slide that provided a few hints about detecting Quantum Insert attacks, which prompted the Fox-IT researchers to test a method that ultimately proved to be successful. They set up a controlled environment and launched a number of Quantum Insert attacks against their own machines to analyze the packets and devise a detection method.

According to the Snowden document, the secret lies in analyzing the first content-carrying packets that come back to a browser in response to its GET request. One of the packets will contain content for the rogue page; the other will be content for the legitimate site sent from a legitimate server. Both packets, however, will have the same sequence number. That, it turns out, is a dead giveaway.

Here’s why: When your browser sends a GET request to pull up a web page, it sends out a packet containing a variety of information, including the source and destination IP address of the browser as well as so-called sequence and acknowledge numbers, or ACK numbers. The responding server sends back a response in the form of a series of packets, each with the same ACK number as well as a sequential number so that the series of packets can be reconstructed by the browser as each packet arrives to render the web page.

But when the NSA or another attacker launches a Quantum Insert attack, the victim’s machine receives duplicate TCP packets with the same sequence number but with a different payload. “The first TCP packet will be the ‘inserted’ one while the other is from the real server, but will be ignored by the [browser],” the researchers note in their blog post. “Of course it could also be the other way around; if the QI failed because it lost the race with the real server response.”

Although it’s possible that in some cases a browser will receive two packets with the same sequence number from a legitimate server, they will still contain the same general content; a Quantum Insert packet, however, will have content with significant differences.

It’s important we develop defenses against these attacks, because everyone is using them.

EDITED TO ADD (5/14): Detection for QI was recently released for Bro, Snort and Suricata.

Posted on May 4, 2015 at 6:17 AMView Comments

Counting the US Intelligence Community Leakers

It’s getting hard to keep track of the US intelligence community leakers without a scorecard. So here’s my attempt:

  • Leaker #1: Chelsea Manning.
  • Leaker #2: Edward Snowden.
  • Leaker #3: The person who leaked secret documents to Jake Appelbaum, Laura Poitras, and others in Germany: the Angela Merkel surveillance story, the TAO catalog, the X-KEYSCORE rules. My guess is that this is either an NSA employee or contractor working in Germany, or someone from German intelligence who has access to NSA documents. Snowden has said that he is not the source for the Merkel story, and Greenwald has confirmed that the Snowden documents are not the source for the X-KEYSCORE rules. This might be the “high-ranking NSA employee in Germany” from this story—or maybe that’s someone else entirely.
  • Leaker #4: “A source in the intelligence community,” according to the Intercept, who leaked information about the Terrorist Screening Database, the “second leaker” from the movie Citizen Four. Greenwald promises a lot from him: “Snowden, at a meeting with Greenwald in Moscow, expresses surprise at the level of information apparently coming from this new source. Greenwald, fearing he will be overheard, writes the details on scraps of paper.” We have seen nothing since, though. This is probably the leaker the FBI identified, although we have heard nothing further about that, either.
  • Leaker #5: Someone who is leaking CIA documents.
  • Leaker #6: The person who leaked secret information about WTO spying to the Intercept and the New Zealand Herald. This isn’t Snowden; the Intercept is very careful to identify him as the source when it writes about the documents he provided. Neither publication give any indication of how it was obtained. This might be Leaker #3, since it contains X-KEYSCORE rules.
  • Leaker #7: The person who just leaked secret information about the US drone program to the Intercept and Der Spiegel. This also might be Leaker #3, since there is a Germany connection. According to the Intercept: “The slides were provided by a source with knowledge of the U.S. government’s drone program who declined to be identified because of fears of retribution.” That implies someone new.

Am I missing anyone?

Harvard Law School professor Yochai Benkler has written an excellent law review article on the need for a whistleblower defense. And there’s this excellent article by David Pozen on why government leaks are, in general, a good thing. I wrote about the value of whistleblowers in Data and Goliath.

Way back in June 2013, Glenn Greenwald said that “courage is contagious.” He seems to be correct.

This post was originally published on the Lawfare blog.

EDITED TO ADD (4/22): News article.

In retrospect, I shouldn’t have included Manning in this list. I wanted it to be a list of active leaks, not historical leaks. And while Snowden is no longer leaking information, the reporters who received his documents are still releasing bits and pieces.

Posted on April 20, 2015 at 11:18 AMView Comments

Survey of Americans' Privacy Habits Post-Snowden

Pew Research has a new survey on Americans’ privacy habits in a post-Snowden world.

The 87% of those who had heard at least something about the programs were asked follow-up questions about their own behaviors and privacy strategies:

34% of those who are aware of the surveillance programs (30% of all adults) have taken at least one step to hide or shield their information from the government. For instance, 17% changed their privacy settings on social media; 15% use social media less often; 15% have avoided certain apps and 13% have uninstalled apps; 14% say they speak more in person instead of communicating online or on the phone; and 13% have avoided using certain terms in online communications.

[…]

25% of those who are aware of the surveillance programs (22% of all adults) say they have changed the patterns of their own use of various technological platforms “a great deal” or “somewhat” since the Snowden revelations. For instance, 18% say they have changed the way they use email “a great deal” or “somewhat”; 17% have changed the way they use search engines; 15% say they have changed the way they use social media sites such as Twitter and Facebook; and 15% have changed the way they use their cell phones.

Also interesting are the people who have not changed their behavior because they’re afraid that it would lead to more surveillance. From pages 22-23 of the report:

Still, others said they avoid taking more advanced privacy measures because they believe that taking such measures could make them appear suspicious:

“There’s no point in inviting scrutiny if it’s not necessary.”

“I didn’t significantly change anything. It’s more like trying to avoid anything questionable, so as not to be scrutinized unnecessarily.

“[I] don’t want them misunderstanding something and investigating me.”

There’s also data about how Americans feel about government surveillance:

This survey asked the 87% of respondents who had heard about the surveillance programs: “As you have watched the developments in news stories about government monitoring programs over recent months, would you say that you have become more confident or less confident that the programs are serving the public interest?” Some 61% of them say they have become less confident the surveillance efforts are serving the public interest after they have watched news and other developments in recent months and 37% say they have become more confident the programs serve the public interest. Republicans and those leaning Republican are more likely than Democrats and those leaning Democratic to say they are losing confidence (70% vs. 55%).

Moreover, there is a striking divide among citizens over whether the courts are doing a good job balancing the needs of law enforcement and intelligence agencies with citizens’ right to privacy: 48% say courts and judges are balancing those interests, while 49% say they are not.

At the same time, the public generally believes it is acceptable for the government to monitor many others, including foreign citizens, foreign leaders, and American leaders:

  • 82% say it is acceptable to monitor communications of suspected terrorists
  • 60% believe it is acceptable to monitor the communications of American leaders.
  • 60% think it is okay to monitor the communications of foreign leaders
  • 54% say it is acceptable to monitor communications from foreign citizens

Yet, 57% say it is unacceptable for the government to monitor the communications of U.S. citizens. At the same time, majorities support monitoring of those particular individuals who use words like “explosives” and “automatic weapons” in their search engine queries (65% say that) and those who visit anti-American websites (67% say that).

[…]

Overall, 52% describe themselves as “very concerned” or “somewhat concerned” about government surveillance of Americans’ data and electronic communications, compared with 46% who describe themselves as “not very concerned” or “not at all concerned” about the surveillance.

It’s worth reading these results in detail. Overall, these numbers are consistent with a worldwide survey from December. The press is spinning this as “Most Americans’ behavior unchanged after Snowden revelations, study finds,” but I see something very different. I see a sizable percentage of Americans not only concerned about government surveillance, but actively doing something about it. “Third of Americans shield data from government.” Edward Snowden’s goal was to start a national dialog about government surveillance, and these surveys show that he has succeeded in doing exactly that.

More news.

Posted on March 31, 2015 at 2:49 PMView Comments

New Zealand's XKEYSCORE Use

The Intercept and the New Zealand Herald have reported that New Zealand spied on communications about the World Trade Organization director-general candidates. I’m not sure why this is news; it seems like a perfectly reasonable national intelligence target. More interesting to me is that the Intercept published the XKEYSCORE rules. It’s interesting to see how primitive the keyword targeting is, and how broadly it collects e-mails.

The second really important point is that Edward Snowden’s name is mentioned nowhere in the stories. Given how scrupulous the Intercept is about identifying him as the source of his NSA documents, I have to conclude that this is from another leaker. For a while, I have believed that there are at least three leakers inside the Five Eyes intelligence community, plus another CIA leaker. What I have called Leaker #2 has previously revealed XKEYSCORE rules. Whether this new disclosure is from Leaker #2 or a new Leaker #5, I have no idea. I hope someone is keeping a list.

Posted on March 26, 2015 at 9:46 AMView Comments

New Paper on Digital Intelligence

David Omand—GCHQ director from 1996-1997, and the UK’s security and intelligence coordinator from 2000-2005—has just published a new paper: “Understanding Digital Intelligence and the Norms That Might Govern It.”

Executive Summary: This paper describes the nature of digital intelligence and provides context for the material published as a result of the actions of National Security Agency (NSA) contractor Edward Snowden. Digital intelligence is presented as enabled by the opportunities of global communications and private sector innovation and as growing in response to changing demands from government and law enforcement, in part mediated through legal, parliamentary and executive regulation. A common set of organizational and ethical norms based on human rights considerations are suggested to govern such modern intelligence activity (both domestic and external) using a three-layer model of security activity on the Internet: securing the use of the Internet for everyday economic and social life; the activity of law enforcement—both nationally and through international agreements—attempting to manage criminal threats exploiting the Internet; and the work of secret intelligence and security agencies using the Internet to gain information on their targets, including in support of law enforcement.

I don’t agree with a lot of it, but it’s worth reading.

My favorite Omand quote is this, defending the close partnership between the NSA and GCHQ in 2013: “We have the brains. They have the money. It’s a collaboration that’s worked very well.”

Posted on March 20, 2015 at 1:51 PMView Comments

NSA/GCHQ Hacks SIM Card Database and Steals Billions of Keys

The Intercept has an extraordinary story: the NSA and/or GCHQ hacked into the Dutch SIM card manufacturer Gemalto, stealing the encryption keys for billions of cell phones. People are still trying to figure out exactly what this means, but it seems to mean that the intelligence agencies have access to both voice and data from all phones using those cards.

Me in The Register: “We always knew that they would occasionally steal SIM keys. But all of them? The odds that they just attacked this one firm are extraordinarily low and we know the NSA does like to steal keys where it can.”

I think this is one of the most important Snowden stories we’ve read.

More news stories. Slashdot thread. Hacker News thread.

Posted on February 20, 2015 at 7:51 AMView Comments

1 3 4 5 6 7 15

Sidebar photo of Bruce Schneier by Joe MacInnis.