[Infowarrior] - How to Detect Sneaky NSA ‘Quantum Insert’ Attacks

Richard Forno rforno at infowarrior.org
Wed Apr 22 17:04:40 CDT 2015 

How to Detect Sneaky NSA ‘Quantum Insert’ Attacks

	• Kim Zetter Security
	• 04.22.15
	• 12:40 pm

Among all of the NSA hacking operations exposed by whistleblower Edward Snowden over the last two years, one in particular has stood out for its sophistication and stealthiness. Known as Quantum Insert, the man-on-the-side hacking technique has been used to great effect since 2005 by the NSA and its partner spy agency, Britain’s GCHQ, to hack into high-value, hard-to-reach systems and implant malware.

Quantum Insert is useful for getting at machines that can’t be reached through phishing attacks. It works by hijacking a browser as it’s trying to access web pages and forcing it to visit a malicious web page, rather than the page the target intend to visit. The attackers can then surreptitiously download malware onto the target’s machine from the rogue web page.

Quantum Insert has been used to hack the machines of terrorist suspects in the Middle East, but it was also used in a controversial GCHQ/NSA operation against employees of the Belgian telecom Belgacom and against workers at OPEC, the Organization of Petroleum Exporting Countries. The “highly successful” technique allowed the NSA to place 300 malicious implants on computers around the world in 2010, according to the spy agency’s own internal documents—all while remaining undetected.

But now security researchers with Fox-IT in the Netherlands, who helped investigate that hack against Belgacom, have found a way to detect Quantum Insert attacks using common intrusion detection tools such as Snort, Bro and Suricata.

The detection focuses on identifying anomalies in the data packets that get sent to a victim’s browser client when the browser attempts to access web pages. The researchers, who plan to discuss their findings at the RSA Conference in San Francisco today, have written a blog post describing the technical details and are releasing custom patches for Snort to help detect Quantum Insert attacks.

< - >

http://www.wired.com/2015/04/researchers-uncover-method-detect-nsa-quantum-insert-hacks/

--
It's better to burn out than fade away.

More information about the Infowarrior mailing list