Date: Wed, 22 Apr 2015 18:41:07 +0000
Message-ID: <CAFN1edqPWLSm-Ru6ZcQwa741YPqXtDOQBZxBnYVmruRhN4NxuA@mail.gmail.com>
From: David Stainton <dstainton415@gmail.com>
To: tor-relays@lists.torproject.org, tor-talk@lists.torproject.org, 
 cpunks <cypherpunks@cpunks.org>, 
 NoiseBridge Discuss <noisebridge-discuss@lists.noisebridge.net>
Subject: [tor-talk] Quantum Insert detection for everyone

Greetings,

Did you all see this Wired article about Quantum Insert detection?

https://www.wired.com/2015/04/researchers-uncover-method-detect-nsa-quantum-insert-hacks

These TCP injection attacks are used by various entities around the
world (not just NSA!) to target individuals for surveillance or
perhaps to add their computers to a botnet for other purposes.

If you do not use a VPN or Tor you can run "Quantum Insert" detection
on your computer and detect when you receive an attack attempt.
However be advised that proper sandboxing is important here because
intrusion detection and protocol analysis tools are notoriously
insecure and get pwned all the time.

If you are a Tor exit relay operator you have the option of running
detection software; however you should not publish the results
publicly without mixing in some noise or your published data might
make it possible for some adversaries to deanonymize Tor users. If
your country has strict telecommunications laws then it might only be
legal for you to perform this type of detection if you do not perform
logging.

For the past several months... in my free time I've been slowly
developing a very comprehensive TCP injection attack detection tool
called HoneyBadger:

https://github.com/david415/HoneyBadger

Quantum Insert is an NSA codeword for "TCP injection attack", however
either of these terms is too vague. During my research I was able to
classify 4 different types of TCP injection attack. When I say that
HoneyBadger is comprehensive what I mean is that HoneyBadger can
detect ALL of these types of TCP injection attack... I describe
them briefly here:

https://honeybadger.readthedocs.org/en/latest/

Here's the Fox-IT blog post about their Quantum Insert detection software:
http://blog.fox-it.com/2015/04/20/deep-dive-into-quantum-insert/

I am going to work on writing a much more comprehensive blog post; it
will be filled with gory technical details AND it will include
information on how to use HoneyBadger. HoneyBadger has optional (off
by default) full-take logging which could enable you to capture a
zero-day payload from a TCP attack; you should then responsibly
disclose to the software vendor or contact a malware analyst to help
out!


Sincerely,

David Stainton
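As an added example (not HoneyBadger's code and not part of the original post), the basic check behind this kind of detection: a segment whose bytes disagree with an earlier segment covering the same TCP sequence range is flagged, while an identical retransmission is not. It assumes sequence numbers have already been unwrapped and uses constructed flow keys and payloads.

```python
# Added example, not HoneyBadger's code: flag a TCP segment whose payload
# disagrees with an earlier segment covering the same sequence range, which
# is how a racing injected response shows up beside the genuine one.
# Assumption: sequence numbers are already unwrapped (no 2^32 wraparound).
from collections import defaultdict


def overlap_conflict(old_seq, old_payload, seq, payload):
    """Return (seq, old_byte, new_byte) for the first disagreeing byte in the
    overlap of two segments, or None if they are disjoint or agree."""
    start = max(old_seq, seq)
    end = min(old_seq + len(old_payload), seq + len(payload))
    if start >= end:
        return None                       # disjoint ranges, nothing to compare
    old_part = old_payload[start - old_seq:end - old_seq]
    new_part = payload[start - seq:end - seq]
    for i, (a, b) in enumerate(zip(old_part, new_part)):
        if a != b:
            return (start + i, a, b)
    return None                           # benign retransmission


class InjectionDetector:
    """Per-flow memory of payload bytes seen at each sequence range."""

    def __init__(self):
        self._seen = defaultdict(list)    # flow key -> [(seq, payload), ...]

    def observe(self, flow, seq, payload):
        """Record one segment; return its conflicts with earlier segments."""
        conflicts = []
        for old_seq, old_payload in self._seen[flow]:
            c = overlap_conflict(old_seq, old_payload, seq, payload)
            if c is not None:
                conflicts.append(c)
        if (seq, payload) not in self._seen[flow]:
            self._seen[flow].append((seq, payload))
        return conflicts


def demo():
    """Constructed flow (TEST-NET addresses): genuine reply, its retransmit,
    then a racing segment carrying a different response at the same seq."""
    det = InjectionDetector()
    flow = ("203.0.113.7", 80, "198.51.100.5", 51234)
    det.observe(flow, 1000, b"HTTP/1.1 200 OK\r\n")
    assert det.observe(flow, 1000, b"HTTP/1.1 200 OK\r\n") == []   # retransmit
    return det.observe(flow, 1000, b"HTTP/1.1 302 Found\r\n")


if __name__ == "__main__":
    for seq, old, new in demo():
        print("injection suspected at seq %d: %r vs %r" % (seq, chr(old), chr(new)))
```

A real detector would age out stored segments once the receiver has acknowledged past them, since keeping every payload forever is unbounded.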