Among all of the NSA hacking operations exposed by whistleblower Edward Snowden over the last two years, one in particular has stood out for its sophistication and stealthiness. Known as Quantum Insert, the man-on-the-side hacking technique has been used to great effect since 2005 by the NSA and its partner spy agency, Britain's GCHQ, to hack into high-value, hard-to-reach systems and implant malware.
Quantum Insert is useful for getting at machines that can't be reached through phishing attacks. It works by hijacking a browser as it's trying to access web pages and forcing it to visit a malicious web page, rather than the page the target intend to visit. The attackers can then surreptitiously download malware onto the target's machine from the rogue web page.
But now security researchers with Fox-IT in the Netherlands, who helped investigate that hack against Belgacom, have found a way to detect Quantum Insert attacks using common intrusion detection tools such as Snort, Bro and Suricata.
Quantum Insert requires the NSA and GCHQ to have fast-acting servers relatively near a target's machine that are capable of intercepting browser traffic swiftly in order to deliver a malicious web page to the target's machine before the legitimate web page can arrive.
To achieve this, the spy agencies use rogue systems the NSA has codenamed FoxAcid servers, as well as special high-speed servers known as "shooters," placed at key points around the internet.
The agencies then used packet-capturing tools that sniffed or sifted through internet traffic—which can occur with the cooperation of telecoms or without it—to spot footprints or other markers that identified the online traffic of these targets. Sometimes the fingerprints involved spotting persistent tracking cookies that web sites assigned to the user.
But when the NSA or another attacker launches a Quantum Insert attack, the victim's machine receives duplicate TCP packets with the same sequence number but with a different payload. "The first TCP packet will be the 'inserted' one while the other is from the real server, but will be ignored by the [browser]," the researchers note in their blog post. "Of course it could also be the other way around; if the QI failed because it lost the race with the real server response."
https://www.wired.com/2015/04/researchers-uncover-method-detect-nsa-quantum-insert-hacks/