Infosec bods can now sniff out the NSA's Quantum Insert hacks

Sneaky state-sponsored snoopery can be picked up by counting HTTP packets

Security researchers have developed a method for detecting NSA Quantum Insert-style hacks.

Fox-IT has published free open-source tools to detect duplicate sequence numbers of HTTP packets, with different data sizes, that are the hallmarks of Quantum Insert.

The utilities developed by Fox-IT are capable of exposing fiddling with HTTP packets but are no by no means perfect and might themselves be circumvented, as a blog post by Fox-IT explains.

Quantum Insert, a favoured signals intelligence hacking technique exposed by documents leaked by Edward Snowden, is an "HTML redirection" attack that works by injecting malicious content into a specific TCP session. A session is selected for injection based on various factors or selectors, such as a persistent tracking cookie that identifies a person of interest.

When an interesting target is observed while eavesdropping on network traffic, another device – the shooter – is prompted to send a spoofed TCP packet. In order to craft and spoof this packet into the existing session, information about this session must already have been obtained. For the attack to work, the packet injected by the shooter has to arrive at the target before the "real" response of the webserver. If this is done successfully, a cyberspy or hacker can impersonate a webserver before flinging malicious traffic in the direction of targets, as explained in a video put together by Fox-IT. All this takes advantage of inherent weaknesses in TCP.

Deep dive into QUANTUMINSERT

Anyone capable of monitoring a network and sending spoofed packets can perform Quantum-like attacks, although in practice it's easier for nation states to pull off this sort of subterfuge.

It's not only the NSA and the UK's GCHQ getting up to these shenanigans. China recently pulled off this type of attack, as research by CitizenLab on China’s Great Cannon illustrated.

"Detection is possible by looking for duplicate TCP packets but with different payloads, and other anomalies in TCP streams," explained Lennart Haagsma, a network security analyst at Fox-IT, adding that various counter-measures aside from its new detection tools are already available.

"The usage of HTTPS in combination with HSTS can reduce the effectiveness of QI [Quantum Insert]. Also using a content delivery network (CDN) that offers low latency can make it very difficult for the QI packet to win the race with the real server," he said.

The Snowden leaks include a slide from the Communications Security Establishment Canada describing how to detect Quantum Insert attacks, a useful pointer highlighted by Fox-IT that helped the Netherlands-based firm on its way towards developing Quantum Insert-sniffing tools. ®

Sponsored: The Joy and Pain of Buying IT - Have Your Say


Biting the hand that feeds IT © 1998–2017