How to Make Your Own NSA Bulk Surveillance System | Wired

How to Make Your Own NSA Bulk Surveillance System; In Wired; 2016-01-27.

Mentions

  • National Security Agency (NSA)
  • XKEYSCORE
  • Nicholas Weaver, staff, International Computer Science Institute (ICSI), University of California, Berkeley (UCB)

Projects

  • Bro
  • Hadoop
  • OpenFlow
  • Vortex
    • Lockheed-Martin

Codewords

  • XKEYSCORE
  • QUANTUM

Argot

  • Intrusion Detection System (IDS)
  • Load Balancer

Referenced

In order of appearance

Mobile Ad Networks as DDoS Vectors: A Case Study | Cloudflare

Mobile Ad Networks as DDoS Vectors: A Case Study; Marek Majkowski (Cloudflare); In Their Blog; 2015-09-25.

tl;dr → Ad code uses XHR to shoot requests at the target.

Mentions

  • The JavaScript code fragment if(!+[1,]) can be used to detect Internet Explorer 9 and older.
  • JavaScript
    • new Image()
    • setInterval(callback, delay)

Referenced

Cookies Lack Integrity: Real-World Implications | Zheng, Jiang, Liang, Duan, Chen, Wan, Weaver

Zheng, et al.; Cookies Lack Integrity: Real-World Implications; In Proceedings of the 25th USENIX Security Symposium; 2015-08-13.

Authors

  • Xiaofeng Zheng, Tsinghua University and Tsinghua National Laboratory for Information Science and Technology
  • Jian Jiang, University of California, Berkeley
  • Jinjin Liang, Tsinghua University and Tsinghua National Laboratory for Information Science and Technology
  • Haixin Duan, Tsinghua University, Tsinghua National Laboratory for Information Science and Technology, and International Computer Science Institute
  • Shuo Chen, Microsoft Research Redmond
  • Tao Wan, Huawei Canada
  • Nicholas Weaver, International Computer Science Institute and University of California, Berkeley

Abstract

A cookie can contain a “secure” flag, indicating that it should be only sent over an HTTPS connection. Yet there is no corresponding flag to indicate how a cookie was set: attackers who act as a man-in-the-middle even temporarily on an HTTP session can inject cookies which will be attached to subsequent HTTPS connections. Similar attacks can also be launched by a web attacker from a related domain. Although an acknowledged threat, it has not yet been studied thoroughly. This paper aims to fill this gap with an in-depth empirical assessment of cookie injection attacks. We find that cookie-related vulnerabilities are present in important sites (such as Google and Bank of America), and can be made worse by the implementation weaknesses we discovered in major web browsers (such as Chrome, Firefox, and Safari). Our successful attacks have included privacy violation, online victimization, and even financial loss and account hijacking. We also discuss mitigation strategies such as HSTS, possible browser changes, and present a proof-of-concept browser extension to provide better cookie isolation between HTTP and HTTPS, and between related domains.

Practical Comprehensive Bounds on Surreptitious Communication over DNS | Paxson, Christodorescu, Javed, Rao, Sailer, Schales, Stoecklin, Venema, Weaver

Practical Comprehensive Bounds on Surreptitious Communication over DNS

  • Vern Paxson, University of California, Berkeley, and International Computer Science Institute
  • Mihai Christodorescu, Qualcomm Research
  • Mobin Javed, University of California, Berkeley
  • Josyula Rao, Reiner Sailer, Douglas Lee Schales, and Marc Ph. Stoecklin, IBM Research
  • Kurt Thomas, University of California, Berkeley
  • Wietse Venema, IBM Research
  • Nicholas Weaver, International Computer Science Institute and University of California, San Diego

DNS queries represent one of the most common forms of network traffic, and likely the least blocked by sites. As such, DNS provides a highly attractive channel for attackers who wish to communicate surreptitiously across a network perimeter, and indeed a variety of tunneling toolkits exist. We develop a novel measurement procedure that fundamentally limits the amount of information that a domain can receive surreptitiously through DNS queries to an upper bound specified by a site’s security policy, with the exact setting representing a tradeoff between the scope of potential leakage versus the quantity of possible detections that a site’s analysts must investigate.

Rooted in lossless compression, our measurement procedure is free from false negatives. For example, we address conventional tunnels that embed the payload in the query names, tunnels that repeatedly query a fixed alphabet of domain names or varying query types, tunnels that embed information in query timing, and communication that employs combinations of these. In an analysis of 230 billion lookups from real production networks, our procedure detected 59 confirmed tunnels. For the enterprise datasets with lookups by individual clients, detecting surreptitious communication that exceeds 4 kB/day imposes an average analyst burden of 1–2 investigations/week.
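As an added example (not code from the paper or the Wired article), here is the core idea of the abstract reduced to the query-name channel only: the compressed size of everything a client sent to a registered domain is an upper bound on the information that could have been leaked, so comparing that bound against a 4 kB/day policy cannot miss a tunnel that exceeded the policy. Assumptions: zlib as the compressor, "registered domain" approximated as the last two labels, and a constructed one-day sample log.

```python
import random
import zlib
from collections import defaultdict

# Per-client, per-domain daily budget taken from the abstract: 4 kB/day.
BUDGET_BYTES = 4 * 1024


def registered_domain(qname):
    """Last two labels of the query name (assumption: real deployments use the public suffix list)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def information_bound(qnames):
    """Upper bound, in bytes, on the information carried by a sequence of query names.

    Lossless compression can only over-estimate the true information content, so a
    key whose bound stays under the budget cannot have carried more than the budget:
    the check has no false negatives with respect to the query-name channel.
    Repeated names (a fixed alphabet of lookups) compress to almost nothing.
    """
    blob = "\n".join(qnames).encode("ascii", "replace")
    return len(zlib.compress(blob, 9))


def audit(lookups, budget=BUDGET_BYTES):
    """lookups: iterable of (client, qname). Returns {(client, domain): bound} and the flagged keys."""
    per_key = defaultdict(list)
    for client, qname in lookups:
        per_key[(client, registered_domain(qname))].append(qname)
    bounds = {key: information_bound(names) for key, names in per_key.items()}
    flagged = sorted(key for key, b in bounds.items() if b > budget)
    return bounds, flagged


def constructed_day():
    """Constructed sample: one chatty but benign client and one client with tunnel-like lookups."""
    rng = random.Random(1)
    benign = [("10.0.0.5", n) for n in ["www.example.com", "mail.example.com", "cdn.example.com"] * 200]
    alphabet = "abcdefghijklmnopqrstuvwxyz234567"  # base32-style labels carrying ~5 bits per character
    tunnel = [("10.0.0.9", "".join(rng.choice(alphabet) for _ in range(50)) + ".t.example.net")
              for _ in range(400)]
    return benign + tunnel


if __name__ == "__main__":
    bounds, flagged = audit(constructed_day())
    for key, b in sorted(bounds.items()):
        print(key, f"{b} bytes", "FLAGGED" if key in flagged else "ok")
```

The real procedure also bounds the query-type and timing channels and their combinations; this block only shows why compression gives a no-false-negative bound for the names.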