TIME IS POWER - QUANTUMINSERT - PowerPoint PPT Presentation

SLIDE 1

create your own exercise

TIME IS POWER - QUANTUMINSERT

Mario Silaci, Lucas Wolf

SLIDE 2

Learning Goals

The Following Learning Goals are Covered in the Lecture / PreLab / Lab

  • What are requirements to perform the QUANTUM INSERT (QI)? X X X
  • How does the QI work in general? X X X
  • Background: NSA, FISC and Snowden X X
  • Which protocols are used in the QI? X X X
  • Which tools are necessary for the QI? X X
  • How do you forge correct packets? X X
  • Related Work? X X

SLIDE 3

Connection via Internet

SLIDE 4

QUANTUMINSERT: Requirements

SLIDE 5

QUANTUMINSERT: Requirements

Ability to monitor the traffic between the victim and the responding server

SLIDE 6

QUANTUMINSERT: Requirements

[Figure: Faster connection, Slower connection, Timing Attack]

SLIDE 7

QUANTUMINSERT: Victim Requests Website

[Figure: step 1; label: GET]

SLIDE 8

QUANTUMINSERT: Shooter Gets Notified

[Figure: step 2; labels: GET, GET, !]

SLIDE 9

QUANTUMINSERT: Shooter Injects Malicious Response

[Figure: step 3; label: INJ]

SLIDE 10

QUANTUMINSERT: Server Sends Legitimate Response

[Figure: step 4; labels: INJ, RES]

SLIDE 11

QUANTUMINSERT: Result

Step 5:

  • Attack vector
  • Gets interpreted as the HTTP response
  • Injection packet (INJ)
  • Partial HTTP response (RES)

SLIDE 12

QUANTUMINSERT: Result

Step 5:

  • Attack vector
  • Gets interpreted as the HTTP response
  • Injection packet (INJ)
  • Partial HTTP response (RES)
  • First fragments get dropped (Sequence number Duplicates)

SLIDE 13

QUANTUMINSERT: Result

Step 5:

  • Attack vector
  • Gets interpreted as the HTTP response
  • Injection packet (INJ)
  • Partial HTTP response (RES)

SLIDE 14

The Responsibles: NSA and GCHQ

“The early bird catches the worm.”

[Figure: agent, victim]

[1] [2]

SLIDE 15

The Responsibles: Tailored Access Operations Division

  • NSA's hacker division
  • Implemented several QUANTUM attacks
  • Motto: "Your data is our data, your equipment is our equipment - anytime, any place, by any legal means."

[3]

SLIDE 16

The Advocates: Foreign Intelligence Surveillance Court (FISC)

  • Secret court which makes secret rulings with gag orders
  • Was empowered after the Foreign Intelligence Surveillance Act (FISA) and has been called "almost a parallel Supreme Court."
  • FISC denied 11 requests out of ~33.900 in 33 years, i.e. approved ~99,97%

[4]

SLIDE 17

[5]

SLIDE 18

Whistleblower: Edward Snowden

  • Former secret service system administrator and agent
  • Worked as contractor for NSA and CIA
  • Is against mass surveillance on the Internet
  • 2013: Leaked sensitive information (e.g. NSA's surveillance techniques) in cooperation with Glenn Greenwald and Laura Poitras

[6]

SLIDE 19

7 Layer ISO/OSI model

[Figure: two protocol stacks, each with Application Layer, Presentation Layer, Session Layer, Transport Layer, Network Layer, Data Link Layer, Physical Layer]

SLIDE 20

QUANTUMINSERT: Relevant Protocols

[Figure: two protocol stacks, each with HTTP, TCP, Network Layer, Data Link Layer, Physical Layer]

SLIDE 21

Reminder: Transmission Control Protocol (TCP) Handshake

SLIDE 22

TCP Handshake with QUANTUMINSERT

[Figure: steps 1 to 4]

SLIDE 23

TCP Handshake with QUANTUMINSERT

[Figure: steps 1 to 4]

Identical sequence and acknowledgment numbers
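A defender's view of the duplicate noted on slides 12 and 23, as an added example that is not part of the original slides: because INJ and RES carry the same sequence number but different bytes, a monitor can flag any flow in which already-seen sequence positions are re-sent with different content. The `Segment` record, addresses, numbers and payloads are constructed for illustration.

```python
from collections import defaultdict
from typing import NamedTuple

class Segment(NamedTuple):
    src: str        # sender "ip:port"
    dst: str        # receiver "ip:port"
    seq: int        # sequence number of the first payload byte
    ack: int
    payload: bytes

def find_conflicting_segments(segments):
    """Flag segments that re-send already-seen sequence positions with
    different bytes. A plain retransmission repeats the same bytes and is
    not flagged."""
    seen = defaultdict(dict)  # (src, dst) -> {seq position: (byte, segment index)}
    findings = []
    for idx, seg in enumerate(segments):
        stream = seen[(seg.src, seg.dst)]
        conflict = None
        for off, byte in enumerate(seg.payload):
            pos = (seg.seq + off) % 2**32        # sequence numbers wrap at 2^32
            prior = stream.setdefault(pos, (byte, idx))
            if prior[0] != byte and conflict is None:
                conflict = (pos, prior[1])       # first differing position
        if conflict:
            findings.append({"flow": (seg.src, seg.dst), "seq": conflict[0],
                             "first": conflict[1], "second": idx})
    return findings

# Constructed sample capture (documentation addresses, made-up numbers).
CLIENT, SERVER, OTHER = "198.51.100.7:40000", "203.0.113.10:80", "203.0.113.20:80"
GET = b"GET / HTTP/1.1\r\nHost: site.example\r\n\r\n"
ACK = 1000 + len(GET)
SAMPLE = [
    Segment(CLIENT, SERVER, 1000, 5000, GET),
    # Arrives first (INJ) and is taken as the HTTP response.
    Segment(SERVER, CLIENT, 5000, ACK,
            b"HTTP/1.1 302 Found\r\nLocation: http://other.example/\r\n\r\n"),
    # Arrives later (RES) with the same seq/ack; the receiver drops it as a duplicate.
    Segment(SERVER, CLIENT, 5000, ACK,
            b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok"),
    # Benign retransmission on another flow: same seq, same bytes.
    Segment(OTHER, "198.51.100.7:40001", 9000, 77, b"HTTP/1.1 200 OK\r\n\r\n"),
    Segment(OTHER, "198.51.100.7:40001", 9000, 77, b"HTTP/1.1 200 OK\r\n\r\n"),
]

if __name__ == "__main__":
    for finding in find_conflicting_segments(SAMPLE):
        print(finding)
```

The check reports the conflict, not which copy is forged; both segments have to be kept for analysis.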

SLIDE 24

Hypertext Transfer Protocol (HTTP)

[Figure: Client, Server]

SLIDE 25

Hypertext Transfer Protocol (HTTP)

[Figure: Client, Server; Request, Response]

SLIDE 26

Hypertext Transfer Protocol (HTTP)

[Figure: Client, Server]

Status code: Defines the functionality of the response

SLIDE 27

[7]

SLIDE 28

Teaser Practical Part: Setup

SLIDE 29

Teaser Practical Part: Intended Connection

SLIDE 30

Teaser Practical Part: Redirection Injection

SLIDE 31

Teaser Practical Part: Manipulated Connection

SLIDE 32

Teaser Practical Part: Real Life Analogy

[8]

SLIDE 33

Teaser Practical Part: Closer Look

  • Facebook headquarters
  • NSA's server (Foxacid)
  • Transatlantic wire endpoint (North America)
  • Transatlantic wire endpoint (Europe)
  • GCHQ's shooter
  • You (probably unaware)

[8]

SLIDE 34

THANKS!

Sources:

  • [1]: Seal of the United States National Security Agency, https://commons.wikimedia.org/wiki/File:Seal_of_the_United_States_National_Security_Agency.svg
  • [2]: EFF NSA-Logo Parody, https://www.flickr.com/photos/electronicfrontierfoundation/12225935484
  • [3]: Question mark head, https://commons.wikimedia.org/wiki/File:No_image.JPG
  • [4]: How the NSA collects data, http://www.theverge.com/2013/7/17/4517480/nsa-spying-prism-surveillance-cheat-sheet
  • [5]: Court house, https://upload.wikimedia.org/wikipedia/commons/b/b0/Garrett_Prettyman_district_court.jpg
  • [6]: Edward Snowden, https://upload.wikimedia.org/wikipedia/commons/6/60/Edward_Snowden-2.jpg
  • [7]: There is more than one way to QUANTUM, https://theintercept.com/document/2014/03/12/one-way-quantum/
  • [8]: World map, https://pixabay.com/de/weltkarte-global-geographie-1958134/
  • All other figures were made by ourselves