Hackin9
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 

On Saturday the New York Times reported that “senior American officials briefed on the investigation” confirmed a hack of the White House’s unclassified network last year. The breach "was far more intrusive and worrisome than has been publicly acknowledged,” officials said, telling the Times that the perpetrators were likely Russians with ties to the government, if not with direct backing from Russia.

The White House’s classified network, on which message traffic from President Obama’s Blackberry is kept, was not breached, but e-mails he sent to the unclassified network from that device (as well as e-mails sent from that network to him) were obtained.

The Times noted that many senior staffers have two computers in their offices: "one operating on a highly secure classified network and another connected to the outside world for unclassified communications.” The most highly secure material shared between "the White House, the State Department, the Pentagon, and intelligence communities" is kept on a system called Joint Worldwide Intelligence Communications System (JWICS), which was not breached. JWICS also gives access to the front-end for XKeyscore, a system that collects, manages, and processes the massive amounts of data collected by the NSA.

Read 5 remaining paragraphs | Comments

 

The Dutch company Fox-IT has revealed a detailed information about Quantum Insert Attack. HTML Redirection attack by injecting malicious content into a specific TCP session. A session is selected for injection based on selectors, such as a persistent tracking cookie that identifies a user for a longer period of time.

The attack can be done by sniffing an HTTP request then the attacker will spoofed a crafted HTTP response. In order to craft a spoofed HTTP response the attacker should know the following:

  • Source and Destination IP address
  • Source and Destination TCP port
  • Sequence and Acknowledgment Number

Once the packet is spoofed a race condition will occur, if the attacker win the race then he/she would response to the victim with malicious content instead of the legitimate one.

Performing Quantum Insert attack require that the attacker can monitor the traffic and have very fast infrastructure to win the race condition.

To detect Quantum Insert we should look for the following:

  1. Duplicate Sequence number with two different payloads, since the attacker will spoof the response ,the victim will have two packets with same sequence number but with different payload.
  2. TTL anomalies ,the spoofed packets would show a different time to live value than the real packets . TTL different might be legit due to the nature of internet traffic but since the attacker will be closer to the target to win the race condition that might give unusual different in the ttl between the legitimate packets and the spoofed one.

==========================================

http://blog.fox-it.com/2015/04/20/deep-dive-into-quantum-insert/

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Internet Storm Center Infocon Status