I Want To Be A Ninja Stealth Cyberterrorist

Simple Nomad
CanSecWest 2002
About Me/This Talk
NMRC
BindView
Skills Needed
Why This Topic?
How would terrorists do this if they had "skillz"?
How would we non-terrorists use this if we were suddenly accused of terrorism?
How you can prevent at least some of this traffic.
What the Media Says
http://www.usatoday.com/life/cyber/tech/2001-02-05-binladen.htm
“Terror groups hide behind Web” by Jack Kelley, USA TODAY 2/5/2001
WASHINGTON - Hidden in the X-rated pictures on several pornographic
Web sites and the posted comments on sports chat rooms may lie the
encrypted blueprints of the next terrorist attack against the United States
or its allies. It sounds farfetched, but U.S. officials and experts say it's the
latest method of communication being used by Osama bin Laden and his
associates to outfox law enforcement.
What the Media Says
http://www.wired.com/news/print/0,1294,41861,00.html
“Secret Messages Come in .Wavs” by Declan McCullagh
Gary Gordon, vice president of cyber-forensics technology at WetStone Technologies,
based in Freeville, New York, said that his firm has made progress in creating a tool to
detect steganography. "The goal is to develop a blind steganography detection prototype,"
Gordon said. "What we've done is gone out, using Web spiders, and downloaded pictures
from the Web and run the tool against them." Steganography, Gordon said, primarily turns
up on hacker sites. But he and his associates also found instances of steganography on
heavily traveled commercial sites such as Amazon and eBay.
Sobering Facts
http://www.citi.umich.edu/u/provos/stego/usenet.php
From “Scanning USENET for Steganography” by Niels Provos and Peter Honeyman:
Processing the one million images with stegdetect results in about 20,000 suspicious images.
We launched a dictionary attack on the JSteg and JPHide positive images. The dictionary has
a size of 1,800,000 words and phrases. The disconcert cluster used to distribute the dictionary
attack has a peak performance of roughly 87 GFLOPS. However, we have not found a single
hidden message.
Sobering Facts
Digital watermarking generates false positives
Encrypted material inside images would be encrypted
The Problem:
Packeteering Satan's Network
(Programming Satan's Computer - Ross Anderson and Roger Needham 1995)
Types of Monitoring
Invasive - Monitoring nodes are obvious. Traffic speed impacted. Usually easy to avoid.
Non-invasive - Monitoring nodes are obvious. Little to no traffic impact. Usually easy to avoid.
Stealth - Monitoring nodes are not obvious. No traffic impact. Hard to avoid.
Types of Communication
Point to point - Sender/Receiver known. Plaintext or encrypted messages.
Example: Email.
Advantages/Disadvantages: Little skill required, but sender/receiver known. If encrypted, message is hidden. Communication obvious.
Point to point - Sender/Receiver known. Plaintext or encrypted messages.
Example: USENET.
Advantages/Disadvantages: Little skill required, sender known. If encrypted, message is hidden. Communication obvious unless obscured.
Anonymous sender - Receiver known.
Example: Remailer.
Advantages/Disadvantages: Little skill required, receiver known. If encrypted, message is hidden. Communication usually obvious.
Traffic pattern masking - Sender and receiver not known.
Example: Loki.
Advantages/Disadvantages: Fairly advanced skills required. Potentially sender and/or receiver known if traffic discovered. Usually simple obfuscation as far as the covert channel goes.
To Avoid Stealth Monitoring, Stealth Communications Are Needed
Stealth Communications - Sender/receiver unknown. Message encrypted. Communication not obvious, difficult to discern from regular traffic.
What Can Satan Sniff?
"Anonymous Re-mailers as Risk-Free International Infoterrorists" presented by Paul Strassmann,
National Defense University and William Marlow, Science Applications International Corporation.
Presented at the "Information, National Policies, and International Infrastructure" conference at Harvard
Law School, Cambridge, Massachusetts, January 30, 1996.
http://www.strassmann.com/pubs/anon-remail.html
http://ksgwww.harvard.edu/iip/GIIconf/gii2age.html
http://catless.ncl.ac.uk/Risks/17.87.html#subj6
During the question and answer session, an interesting discussion ensued. Here is a quote from
conference attendee Viktor Mayer-Schoenberger:
"Both presenters explicitly acknowledged that a number of anonymous remailers in the US are run by
government agencies scanning traffic. Marlow said that the government runs at least a dozen remailers
and that the most popular remailers in France and Germany are run by the respective government
agencies in these countries. In addition they mentioned that the NSA has successfully developed systems
to break encrypted messages below 1000 bit of key length and strongly suggested to use at least 1024 bit
keys. They said that they themselves use 1024 bit keys."
What Can Satan Sniff?
From private email with a former spook:
"Disclosing the method of attacking PGP would involve disclosing classified cryptographic analysis
methods (I was taught by the government), and such a disclosure to uncleared persons would be seriously
illegal (in wartime such a disclosure carries the death penalty).
Seriously though, I would love to lay out the holes in several crypto systems, and would love to disclose
the methods for breaking PGP, DES, and a number of other civilian crypto systems I have studied (in
multiple NSA crypto schools); but will not disclose information and/or methods I know to be classified."
and
"The fact that various world governments can perform a PGP decrypt is old news, and not classified,
however; the exact method used for the decrypt is what is classified."
What Can Satan Sniff?
Other informal sources
Digital Drop Box
Steganography
Covert Channels
Scenario #1
Stealth Digital Drop Box using Holepunch
Scenario #2
Broadcast Communications using Porn
Scenario #3
Stealth Traffic Pattern Masking using Masquerade
Fin
Questions?
All questions must be in the form of an answer
See you in Las Vegas at Black Hat and Defcon
Graphics from DeadDreamer.Com