General Discussion / Announcing: Quantum Insert detection for OPNsense via HoneyBadger
« on: February 23, 2016, 12:06:52 pm »
Dear Edward Snowden, OPNsense users, TCP abolitionists and Cypherpunks,
Comprehensive Quantum Insert detection is coming to OPNsense!
I'd like to let you all know about HoneyBadger, a passive TCP protocol analyzer I wrote to detect TCP injection attacks.
These so-called "Quantum Insert" attacks are used to deliver 0-day payloads so that various oppressive political entities worldwide can use it for targeted surveillance of real people to violate their human rights.
https://github.com/david415/HoneyBadger
https://honeybadger.readthedocs.org/
There are some other tools that also detect *some* of these Quantum Insert attacks, but I think you might be interested in using HoneyBadger instead of those other tools because:
- HoneyBadger is written in golang because langsec; language security is an important consideration and I'd like to point out that IDS software written in C has had a long history of remote code execution vulnerabilities.
- HoneyBadger is comprehensive; I've classified TCP injection attacks into 5 categories:
1. handshake hijack
2. segment veto
3. sloppy injection
4. ordered coalesce
5. censorship injection (FIN/RST injection)
Soon I will be publishing a blog post about these attacks and detection. HoneyBadger can currently detect types 1-4, though we do have an experimental dev branch that can detect type 5, censorship injection.
Currently, HoneyBadger isn't super user-friendly; it's a tool for hackers and power-users. However, I think there's lots of potential for developing a simple web UI for OPNsense users. Basically what I have in mind is two dynamic web pages:
1. a honeybadger configuration page
2. a logs and attack reporting page
Here's a funny blog post that was recently brought to my attention; it's written by someone who intentionally Quantum Inserted all his website visitors to see if anyone actually noticed:
http://www.tedunangst.com/flak/post/on-the-detection-of-quantum-insert
This begs the question:
Does anyone actually care to know if their Internet traffic has been attacked by Quantum Inserts?
Cheers from Berlin,
David Stainton
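To make the detection idea in the post concrete: a TCP injection races the legitimate response, so a passive observer on the path sees two segments that cover the same sequence-number range but carry different bytes, whereas a genuine retransmission repeats the same bytes. The following Go program is an added illustration of that core check, written for this thread; it is not HoneyBadger's code and does not reproduce its four attack classifiers. The `Segment`, `Detector` and `Alert` types, the flow key format and the sample HTTP bytes are all constructed for the example.

```go
package main

import (
	"bytes"
	"fmt"
)

// Segment is a constructed, minimal view of one TCP segment as a passive
// sniffer would hand it to an analyzer (hypothetical type, not HoneyBadger's).
type Segment struct {
	Flow    string // one direction of a connection, e.g. "10.0.0.2:443->10.0.0.9:51000"
	Seq     uint32 // sequence number of the first payload byte
	Payload []byte
}

// Alert records one injection signature: bytes already seen at Seq in this
// flow disagree with the bytes a later segment claims for the same range.
type Alert struct {
	Flow     string
	Seq      uint32 // first sequence number of the overlapping range
	Expected []byte // bytes observed first (what the victim most likely kept)
	Got      []byte // conflicting bytes from the later segment
}

// flowState remembers every payload byte seen so far, keyed by absolute
// sequence number. A production tool would prune data once it is ACKed.
type flowState struct {
	bytesAt map[uint32]byte
}

// Detector tracks all flows and collects alerts.
type Detector struct {
	flows  map[string]*flowState
	Alerts []Alert
}

func NewDetector() *Detector {
	return &Detector{flows: map[string]*flowState{}}
}

// Observe feeds one segment to the detector and reports whether it conflicts
// with previously seen data in the same sequence range. Identical
// retransmissions and non-overlapping segments are not flagged.
func (d *Detector) Observe(s Segment) bool {
	fs, ok := d.flows[s.Flow]
	if !ok {
		fs = &flowState{bytesAt: map[uint32]byte{}}
		d.flows[s.Flow] = fs
	}
	var prevOverlap, newOverlap []byte
	var overlapStart uint32
	haveOverlap := false
	for i, b := range s.Payload {
		seq := s.Seq + uint32(i) // wraps at 2^32 exactly as TCP sequence space does
		if prev, seen := fs.bytesAt[seq]; seen {
			if !haveOverlap {
				overlapStart = seq
				haveOverlap = true
			}
			prevOverlap = append(prevOverlap, prev)
			newOverlap = append(newOverlap, b)
		} else {
			fs.bytesAt[seq] = b // first sighting of this byte wins
		}
	}
	if haveOverlap && !bytes.Equal(prevOverlap, newOverlap) {
		d.Alerts = append(d.Alerts, Alert{
			Flow: s.Flow, Seq: overlapStart, Expected: prevOverlap, Got: newOverlap,
		})
		return true
	}
	return false
}

func main() {
	d := NewDetector()
	flow := "10.0.0.2:80->10.0.0.9:51000" // constructed flow key
	legit := Segment{Flow: flow, Seq: 1000, Payload: []byte("HTTP/1.1 200 OK\r\n")}
	d.Observe(legit) // first copy of the server's real response
	d.Observe(legit) // a plain retransmission: same bytes, no alert
	// A second segment claiming the same sequence range with different content.
	d.Observe(Segment{Flow: flow, Seq: 1000, Payload: []byte("HTTP/1.1 302 Found\r\n")})
	for _, a := range d.Alerts {
		fmt.Printf("injection on %s at seq %d: expected %q, got %q\n",
			a.Flow, a.Seq, a.Expected, a.Got)
	}
}
```

The check is deliberately one-directional: whichever bytes arrive first are treated as the reference, because that is also what the victim's TCP stack usually keeps, and the conflicting later copy is what gets reported. Classifying *which* of the five categories an overlap belongs to (whether it landed inside the handshake, vetoed a segment, or was coalesced in order) needs per-flow state about ACKs and the handshake that this sketch does not keep.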