I Want To Be A Ninja Stealth Cyberterrorist Simple Nomad CanSecWest 2002

I Want To Be A Ninja Stealth Cyberterrorist

Simple Nomad, CanSecWest 2002

About Me/This Talk

NMRC

BindView

Skills Needed

Why This Topic?

How would terrorists do this if they had "skillz"?

How would we non-terrorists use this if suddenly accused of terrorism?

How you can prevent at least some of this traffic.

What the Media Says

“Terror groups hide behind Web” by Jack Kelley, USA TODAY 2/5/2001

WASHINGTON - Hidden in the X-rated pictures on several pornographic Web sites and the posted comments on sports chat rooms may lie the encrypted blueprints of the next terrorist attack against the United States or its allies. It sounds farfetched, but U.S. officials and experts say it's the latest method of communication being used by Osama bin Laden and his associates to outfox law enforcement.

http://www.usatoday.com/life/cyber/tech/2001-02-05-binladen.htm

What the Media Says

“Secret Messages Come in .Wavs” by Declan McCullagh

Gary Gordon, vice president of cyber-forensics technology at WetStone Technologies, based in Freeville, New York, said that his firm has made progress in creating a tool to detect steganography. "The goal is to develop a blind steganography detection prototype," Gordon said. "What we've done is gone out, using Web spiders, and downloaded pictures from the Web and run the tool against them." Steganography, Gordon said, primarily turns up on hacker sites. But he and his associates also found instances of steganography on heavily traveled commercial sites such as Amazon and eBay.

http://www.wired.com/news/print/0,1294,41861,00.html

Sobering Facts

From “Scanning USENET for Steganography” by Niels Provos and Peter Honeyman:

Processing the one million images with stegdetect results in about 20,000 suspicious images. We launched a dictionary attack on the JSteg and JPHide positive images. The dictionary has a size of 1,800,000 words and phrases. The disconcert cluster used to distribute the dictionary attack has a peak performance of roughly 87 GFLOPS. However, we have not found a single hidden message.

http://www.citi.umich.edu/u/provos/stego/usenet.php

Sobering Facts

Digital watermarking generates false positives

Encrypted material inside images would be encrypted
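The two points above are worth seeing in numbers. A blind steganalysis tool never reads a message; it only measures whether the least significant bits of an image are statistically "too random" for a natural cover, so an encrypted payload and a random-looking watermark score identically, and a flag is never proof of a message. The following is an added example written for this page (it is not code from the talk and not stegdetect): a pairs-of-values chi-square test in the style of Westfeld and Pfitzmann run over constructed pixel data. The cover model (an 8-bit image rescaled from a 6-bit sensor, which leaves a comb-shaped histogram), the image size and all function names are assumptions made here; the LSB embedding routine exists only to build the test inputs.

```python
"""Chi-square LSB steganalysis over constructed 8-bit grayscale pixel data.

Added example, not code from the talk or from stegdetect. Pixel arrays are
constructed inline so the script runs offline without an image library.
"""
from __future__ import annotations

import math
import random

WIDTH, HEIGHT = 200, 100          # constructed image size: 20,000 pixels
N_PIXELS = WIDTH * HEIGHT


def make_cover(seed: int = 1) -> list[int]:
    """Constructed cover: a 6-bit sensor reading rescaled to 8 bits.

    Only every fourth or fifth value is used, so in every (2k, 2k+1) pair one
    member is empty. That imbalance is exactly what the chi-square test keys on.
    """
    rng = random.Random(seed)
    return [(rng.randint(0, 63) * 255) // 63 for _ in range(N_PIXELS)]


def random_bits(n: int, seed: int) -> list[int]:
    """Constructed payload: n random-looking bits (ciphertext or a watermark)."""
    rng = random.Random(seed)
    return [rng.getrandbits(1) for _ in range(n)]


def embed_lsb(pixels: list[int], bits: list[int]) -> list[int]:
    """Overwrite each pixel's least significant bit with the next payload bit.

    Used here only to build test inputs embedded at full capacity.
    """
    if len(bits) < len(pixels):
        raise ValueError("payload shorter than full capacity")
    return [(p & ~1) | b for p, b in zip(pixels, bits)]


def chi_square_lsb(pixels: list[int]) -> tuple[float, int, float]:
    """Pairs-of-values test.

    Under the hypothesis 'the LSB plane was overwritten with random bits', each
    value pair (2k, 2k+1) should split its total count evenly. Returns
    (statistic, degrees of freedom, z-score); df counts only pairs that occur.
    """
    hist = [0] * 256
    for p in pixels:
        hist[p] += 1
    stat, df = 0.0, 0
    for k in range(128):
        even, odd = hist[2 * k], hist[2 * k + 1]
        total = even + odd
        if total == 0:
            continue
        expected = total / 2
        stat += (even - expected) ** 2 / expected + (odd - expected) ** 2 / expected
        df += 1
    # normal approximation of the chi-square distribution (fine for df >= ~30)
    z = (stat - df) / math.sqrt(2 * df) if df else float("nan")
    return stat, df, z


def lsb_plane_looks_random(pixels: list[int], z_threshold: float = 4.0) -> bool:
    """Flag an image whose LSB pairs are balanced (statistic close to df).

    A natural cover lands hundreds of sigmas above df, so a generous 4-sigma
    threshold costs nothing. The flag says only 'random-looking LSBs': a
    watermark and an encrypted message are indistinguishable here.
    """
    _, _, z = chi_square_lsb(pixels)
    return z < z_threshold


if __name__ == "__main__":
    cover = make_cover()
    samples = [
        ("cover", cover),
        ("encrypted payload", embed_lsb(cover, random_bits(N_PIXELS, seed=2))),
        ("watermark", embed_lsb(cover, random_bits(N_PIXELS, seed=3))),
    ]
    for name, img in samples:
        stat, df, z = chi_square_lsb(img)
        flagged = lsb_plane_looks_random(img)
        print(f"{name:18s} chi2={stat:9.1f} df={df:3d} z={z:8.1f} flagged={flagged}")
```

On this constructed cover the statistic equals the pixel count (each pair has one empty member), while both embedded variants sit near df and are flagged. The test cannot say which of the two carries a message, which is the false-positive problem the slide names, and a real cover with a smooth histogram can sit much closer to df than this comb-shaped one, so a flag alone is grounds for a closer look, not a conclusion.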

The Problem: Packeteering Satan's Network

(Programming Satan's Computer - Ross Anderson and Roger Needham 1995)

Types of Monitoring

Invasive - Monitoring nodes are obvious. Traffic speed impacted. Usually easy to avoid.

Non-invasive - Monitoring nodes are obvious. Little to no traffic impact. Usually easy to avoid.

Stealth - Monitoring nodes are not obvious. No traffic impact. Hard to avoid.

Types of Communication

Point to point - Sender/Receiver known. Plaintext or encrypted messages.

Example: Email.

Advantages/Disadvantages: Little skills required, but sender/receiver known. If encrypted, message is hidden. Communication obvious.

Point to point - Sender/Receiver known. Plaintext or encrypted messages.

Example: USENET.

Advantages/Disadvantages: Little skills required, sender known. If encrypted, message is hidden. Communication obvious unless obscured.

Anonymous sender - Receiver known.

Example: Remailer.

Advantages/Disadvantages: Little skills required, receiver known. If encrypted, message is hidden. Communication usually obvious.

Traffic pattern masking - Sender and receiver not known.

Example: Loki.

Advantages/Disadvantages: Fairly advanced skills required. Potentially sender and/or receiver known if traffic discovered. Usually simple obfuscation as far as covert channel goes.

To Avoid Stealth Monitoring, Stealth Communications Are Needed

Stealth Communications - Sender/receiver unknown. Message encrypted. Communication not obvious, difficult to discern from regular traffic.

What Can Satan Sniff?

During the question and answer session, an interesting discussion ensued. Here is a quote from conference attendee Viktor Mayer-Schoenberger:

"Both presenters explicitly acknowledged that a number of anonymous remailers in the US are run by government agencies scanning traffic. Marlow said that the government runs at least a dozen remailers and that the most popular remailers in France and Germany are run by the respective government agencies in these countries. In addition they mentioned that the NSA has successfully developed systems to break encrypted messages below 1000 bit of key length and strongly suggested to use at least 1024 bit keys. They said that they themselves use 1024 bit keys."

"Anonymous Re-mailers as Risk-Free International Infoterrorists" presented by Paul Strassmann, National Defense University and William Marlow, Science Applications International Corporation. Presented at the "Information, National Policies, and International Infrastructure" conference at Harvard Law School, Cambridge, Massachusetts, January 30, 1996.

http://www.strassmann.com/pubs/anon-remail.html

http://ksgwww.harvard.edu/iip/GIIconf/gii2age.html

http://catless.ncl.ac.uk/Risks/17.87.html#subj6

What Can Satan Sniff?

From private email with a former spook:

"Disclosing the method of attacking PGP would involve disclosing classified cryptographic analysis methods (I was taught by the government), and such a disclosure to uncleared persons would be seriously illegal (in wartime such a disclosure carries the death penalty).

Seriously though, I would love to lay out the holes in several crypto systems, and would love to disclose the methods for breaking PGP, DES, and a number of other civilian crypto systems I have studied (in multiple NSA crypto schools); but will not disclose information and/or methods I know to be classified."

and

"The fact that various world governments can perform a PGP decrypt is old news, and not classified, however; the exact method used for the decrypt is what is classified."

What Can Satan Sniff?

Other informal sources

Digital Drop Box

Steganography

Covert Channels

Scenario #1

Stealth Digital Drop Box using Holepunch

Scenario #2

Broadcast Communications using Porn

Scenario #3

Stealth Traffic Pattern Masking using Masquerade

Fin

Questions?

All questions must be in the form of an answer

See you in Las Vegas at Black Hat and Defcon

Graphics from DeadDreamer.Com