On Nov 12, 2013, at 8:05 AM, Phillip Hallam-Baker <[email protected]> wrote:
> The biggest weakness in Internet protocols is relying on passwords for
> authentication. What can we do to make the password mechanisms more secure
> and to wean the Internet off passwords?
>
> I don't want to start an NSA rathole here, but I need evidence to support the
> above assertion and until the GRU or MOSSAD or PLA or whatever have their
> Snowden event, I am limited to using the NSA.
>
> 1) NSA using Password sniffing in Attack:
> http://boingboing.net/2013/11/11/gchq-used-fake-slashdot-linke.html

That's false. They didn't use password sniffing in this attack. And overall reporting on that was pretty dismal.

This was targeting information for a QUANTUMINSERT attack [1], aka packet injection/Man-on-the-Side for exploitation. And there was no fake Slashdot page, just fake packets.

I wish they were just password sniffing. The goal is victim browser exploitation, using one of the two following possibilities (I'd bet the former, but both mechanisms effectively do the same thing):

a) The NSA identifies those individuals it wants to target (in this case, technical employees at telco/internet firms in allied countries.)

b) The NSA's wiretap waits for a Slashdot or LinkedIn page [2] indicating that the intended victim is logged in by examining page contents. Once it has identified an intended victim, it now has the cookies for the victim.

c) On the next fetch from the victim to the targeted site (ideally for some inconsequential element, but with some tricks you can do it for a main-page), "shoot" a packet injection attack to have some inconsequential element redirect the victim to an exploit server (NSA calls this FOXACID, we civilians can do the same thing with Metasploit's HTTP server).

OR

b) Look for DNS requests for Slashdot or LinkedIn from possible victims, and packet inject a DNS reply to your proxy server...

Packet injection in either case is used instead of a traditional MITM because it's effectively as powerful for anything w/o cryptography, yet much safer to install and use, since failures don't result in communication cuts, if you can't keep up you don't disrupt the network, it's easier to install both with and without consent (after all, it's 'just' a wiretap), etc.

The NSA has now created a world where any plaintext traffic isn't just an information leakage, but a potential vehicle for exploitation! And by attacking allies as well as enemies, using a mechanism that is available (albeit without quite as much targeting precision) to effectively any adversary with a tap (France, China, Russia, Brazil, Israel, pretty much anybody can play these games [3]), the network backbone just became an incredibly hostile place.

If you are lucky, your adversary is any country your traffic passes through other than your own. If you are lucky.

[1] QUANTUM is the code-word/program for packet injection, and this is confirmed by Schneier's analysis of Snowden documents. In Schneier's analysis he specifically linked to public speculation I made months earlier.

[2] ANY cleartext site which identifies logged in users will do, as long as the NSA has a sufficient parser to map page reply to user identification.

[3] Please contact your local Gamma International, hackingteam.it, and Vupen sales representatives for details.

--
Nicholas Weaver                it is a tale, told by an idiot,
[email protected]               full of sound and fury,
510-666-2903                   signifying nothing
PGP: http://www1.icsi.berkeley.edu/~nweaver/data/nweaver_pub.asc
_______________________________________________ perpass mailing list [email protected] https://www.ietf.org/mailman/listinfo/perpass
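An added example, not from this thread or from Weaver: the network-side check that the man-on-the-side mechanism described above leaves behind. Because the injector races the real server rather than replacing it, a passive tap sees both answers; two TCP segments in one flow with the same sequence number but different payload (and usually a different IP TTL, since they came from different boxes) are the artifact to alert on, while identical repeats are ordinary retransmissions. Addresses, ports and HTTP content below are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# One TCP segment as seen by a passive tap (only the fields the check needs).
@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    seq: int
    ttl: int
    payload: bytes

FlowKey = Tuple[str, int, str, int, int]  # src, sport, dst, dport, seq

def find_injected_segments(segments: List[Segment]) -> List[dict]:
    """Flag segments that repeat an earlier (flow, seq) with a different payload
    or IP TTL: the injected packet and the legitimate one it raced both reach
    the tap. Identical repeats (plain TCP retransmissions) are not flagged."""
    first_seen: Dict[FlowKey, Segment] = {}
    alerts: List[dict] = []
    for s in segments:
        k: FlowKey = (s.src, s.sport, s.dst, s.dport, s.seq)
        prev = first_seen.setdefault(k, s)
        if prev is s:
            continue
        reasons = []
        if prev.payload != s.payload:
            reasons.append("payload mismatch")
        if prev.ttl != s.ttl:  # a different sender usually means a different hop count
            reasons.append(f"ttl {prev.ttl} vs {s.ttl}")
        if reasons:
            alerts.append({"flow": k[:4], "seq": s.seq, "reasons": reasons,
                           "first": prev.payload[:32], "second": s.payload[:32]})
    return alerts

# Constructed sample (made-up hosts and content): the client's GET, an injected
# 302 that wins the race, the real 200 that loses it, and a benign retransmission.
SAMPLE = [
    Segment("10.0.0.5", 51000, "198.51.100.7", 80, 1000, 64,
            b"GET /img/x.png HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    Segment("198.51.100.7", 80, "10.0.0.5", 51000, 5000, 57,
            b"HTTP/1.1 302 Found\r\nLocation: http://redirect.invalid/\r\n\r\n"),
    Segment("198.51.100.7", 80, "10.0.0.5", 51000, 5000, 49,
            b"HTTP/1.1 200 OK\r\nContent-Type: image/png\r\n\r\n\x89PNG"),
    Segment("10.0.0.5", 51000, "198.51.100.7", 80, 1000, 64,
            b"GET /img/x.png HTTP/1.1\r\nHost: example.test\r\n\r\n"),
]
```

Running `find_injected_segments(SAMPLE)` yields one alert, for the server-side sequence 5000, and nothing for the repeated GET.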
