How to Avoid and Detect sneaky NSA ‘Quantum Insert’ attacks

Written by Shpat Ibrani

It has been well over two years since the whistleblower Edward Snowden exposed the scale of mass surveillance and made the NSA’s information-gathering tools public knowledge. Among the effective techniques deployed by the NSA is a simple but efficient one known as Quantum Insert.

This tool is useful where phishing attacks are not: instead of tricking the user, it interferes with the browser while it is loading a page and forces it to load a different page that delivers malware. To detect sneaky NSA ‘Quantum Insert’ attacks, one first has to understand how the technique works.

How sneaky NSA ‘Quantum Insert’ attacks work

There have been a few publications about Quantum Insert attacks by international blogs and newspapers, but let’s go into further detail. The NSA and GCHQ, ‘partners in crime’ so to speak, require fast-acting servers placed near the target’s machine so that they can intercept the browser’s request before it reaches the requested page and send a redirect that leads to a web page serving malware.

To achieve this, the servers, known as ‘shooters’, have to be placed strategically throughout the internet so that they cover the larger or more specific areas that are to be intercepted.

The normal flow for visiting a web page goes like this:

  • The browser sends a GET request to the server carrying the following information:
    • Source and destination IP addresses
    • Sequence and acknowledgement (ACK) numbers
  • The server responds with matching acknowledgement numbers and adds its own sequence numbers to the TCP packets it sends
  • Using the TCP packets in sequential order, the browser reconstructs the web page

In case of the QI attack:

  • The ‘shooter’ server fires the Quantum Insert so that it arrives before the real server’s reply to the GET request
  • The QI forges TCP packets with the same sequence numbers as the genuine ones but a different payload
  • The browser reads the forged TCP packets first and ignores the genuine ones that arrive afterwards
  • The forged TCP packets build a fake web page that delivers the intended malware

This method was used in the Belgacom hack: the attackers identified the profiles of employees working for the Belgian telecom and created identical copies of those profiles, for example on LinkedIn.

In this way, when an employee visited the profile, the fast-acting servers, a.k.a. ‘shooters’, would fire the forged response just before the legitimate one, sending the browser to the malware download page and installing malware on the victim’s machine.

This method, however, depends heavily on the race between the speed of the browser’s real GET request and the time it takes the ‘shooter’ to place its fake response just ahead of the real one, hence the placement of servers at strategic points of the internet.

How to detect sneaky NSA ‘Quantum Insert’ attacks

Because knowledge about Quantum Insert attacks is limited, methods of detecting them are not fully developed. Fox-IT researchers replicated the attack on their own servers to gather research data on protecting yourself against a QI attack and on learning how to detect it. The following information is available thanks to their contribution.

  • Payload inconsistency
    Analysing the payload of the first TCP packet is the first step you can take in detecting a QI. It is not a guaranteed method, however, because the first TCP packet may be the genuine one: the QI may insert the fake TCP packet at any point during the TCP session.
  • TTL anomaly
    The Time To Live values can also differ between packets; in a QI attack, the injected packet tends to have a longer TTL, since it may be sent later than the genuine packet.
  • Intrusion Detection Systems
    Although there is not enough data to tackle QI detection fully, the Fox-IT researchers have come up with a method using an Intrusion Detection System (IDS). The IDS analyses the network traffic being transmitted and compares it against the set of packet captures (pcaps) the Fox-IT team produced during their QI attack experiment. More information on the specific packets can be found here: https://github.com/fox-it/quantuminsert/tree/master/pcaps

How to avoid sneaky NSA ‘Quantum Insert’ attacks

Avoiding the attacks requires basic knowledge of online tracking and of staying anonymous online. QI attacks may be avoided through the following techniques:

  • Encrypting Data
  • Awareness of popular web services
  • VPN services
  • TOR browsing
  • Disabling Web Tracking
  • Antimalware

We will not cover these methods in this article, but the list above gives suggested techniques, and the following link helps in understanding them and how to deploy them. To better understand how to stay anonymous while browsing the internet or how to avoid online tracking, you may visit our guide “Tips and tools to protect yourself from the NSA PRISM”.

Feature Image By EFF Photos via Flickr

About the author

Shpat Ibrani

Shpat is currently pursuing his undergraduate studies with majors in IT and Management. As an experienced content writer, Shpat spends his time freelancing and managing social media writing. His former job experience in cross-cultural communication and social media marketing contributes a great deal to his online publications. Shpat aims to specialize in project management; in his free time he plays sports and writes articles.
