[cryptography] 2010 TAO QUANTUMINSERT trial against 300 (hard) targets

grarpamp grarpamp at gmail.com
Sat Mar 15 18:25:08 EDT 2014


On Thu, Mar 13, 2014 at 11:13 AM, Jason Iannone <jason.iannone at gmail.com> wrote:
> And remain undetected?  That's a nontrivial task and one that I would
> suspect generates interesting CPU or other resource utilization anomalies.
> It's a pretty high risk activity.  The best we can hope for is someone
> discovering the exploit and publicly dissecting it.

See, the standard defense for all this is to lock down the cert fingerprints of
your real destination to prevent cert games. Then add in DNSSEC [1] and even
IPSEC [1] to make sure things all match up. That does make things much harder.
Problem still lies where your adversary has stolen or co-op'd the PK
of your dest
cert, and rigged the routing path to route-map your applicable src/dest/port IP
tuples to residing off their private port in the local (to you or your
dest) DC. Right???
>From which they proceed to bugger you through their transparent proxy
to the real
dest. It's not a bulk tool as that might tip off some non-moled-out-cert-group
network groupie at the dest site that a lot of users come from some IP. And it's
definitely for 'high value only' given the work/risk. But still...
PKI-WOT bidirectional
security between you and your dest of global bgp advert/nexthop routing
infrastructure anyone? Everyone seems to trust the network to route... and
even then [1].
[1] Similarly stolen/co-op'd as need be.


> pg
> This is relatively easy for home routers, since the self-signed certs they're
> configured with are frequently CA certs.  In other words they ship from the
> factory in a MITM-ready state.
>
>
> On Thu, Mar 13, 2014 at 8:50 AM, Greg Rose <ggr at seer-grog.net> wrote:
>>
>> You get the routers to create valid-looking certificates for the
>> endpoints, to mount man-in-the-middle attacks.
>>
>> On Mar 13, 2014, at 6:28 , Jason Iannone <jason.iannone at gmail.com> wrote:
>>
>> > The First Look article is light on details so I don't know how one gets
>> > from "infect[ing] large-scale network routers" to "perform[ing]
>> > “exploitation attacks” against data that is sent through a Virtual Private
>> > Network."  I'd like to better understand that.
>> >
>> >
>> > On Thu, Mar 13, 2014 at 7:22 AM, Jeffrey Walton <noloader at gmail.com>
>> > wrote:
>> > On Thu, Mar 13, 2014 at 9:17 AM, Jason Iannone <jason.iannone at gmail.com>
>> > wrote:
>> > > Are there details regarding Hammerstein?  Are they actually breaking
>> > > routers?
>> > Cisco makes regular appearances on Bugtraq an Full Disclosure. Pound
>> > for pound, there's probably more exploits for Cisco gear than Linux
>> > and Windows combined.
>> >
>> > Jeff
>> >
>> > > On Thu, Mar 13, 2014 at 2:40 AM, Jeffrey Walton <noloader at gmail.com>
>> > > wrote:
>> > >>
>> > >> On Thu, Mar 13, 2014 at 1:57 AM, coderman <coderman at gmail.com> wrote:
>> > >> >
>> > >> >
>> > >> > https://s3.amazonaws.com/s3.documentcloud.org/documents/1076891/there-is-more-than-one-way-to-quantum.pdf
>> > >> >
>> > >> > "TAO implants were deployed via QUANTUMINSERT to targets that were
>> > >> > un-exploitable by _any_ other means."
>> > >> >
>> > >> And Schneier's Guardian article on the Quantum and FoxAcid systems:
>> > >>
>> > >>
>> > >> http://www.theguardian.com/world/2013/oct/04/tor-attacks-nsa-users-online-anonymity.


More information about the cryptography mailing list