• Share
  • Email
  • Embed
  • Like
  • Save
  • Private Content
Ip packet staining
 

Ip packet staining

on

  • 101 views

 

Statistics

Views

Total Views
101
Views on SlideShare
101
Embed Views
0

Actions

Likes
0
Downloads
0
Comments
0

0 Embeds 0

No embeds

Accessibility

Categories

Upload Details

Uploaded via as Adobe PDF

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

    Ip packet staining Ip packet staining Document Transcript

    • Donate for the Cryptome archive of files from June 1996 to the present 5 October 2013 Packet Staining Related: NSA tracks Google ads to find Tor users: http://news.cnet.com/8301-1009_3-57606178-83/nsa-tracks-google-ads-to-find-tor-users/ GCHQ packet staining of Tor users: http://cryptome.org/2013/10/gchq-mullenize.pdf http://prezi.com/p5et9yawg2c6/ip-packet-staining/
    • http://tools.ietf.org/html/draft-macaulay-6man-packet-stain-00 Versions: 00 01 6man Working Group T. Macaulay Internet-Draft Bell Canada Intended status: Standards Track February 14, 2012 Expires: August 17, 2012 IPv6 packet staining
    • draft-macaulay-6man-packet- stain-00 Abstract This document specifies the application of security staining on an IPv6 datagrams and the minimum requirements for IPv6 nodes staining flows, IPv6 nodes forwarding stained packets and interpreting stains on flows. The usage of the packet staining destination option enables proactive delivery of security intelligence to IPv6 nodes such as firewalls and intrusion prevention systems, and end-points such servers, workstations, mobile and smart devices and an infinite array of as- yet-to-be-invented sensors and controllers. Status of this Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on August 17, 2012. Copyright Notice Copyright (c) 2012 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents Macaulay Expires August 17, 2012 [Page 1] Internet-Draft IPv6 Packet Staining February 2012
    • carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Conventions used in this document . . . . . . . . . . . . . . 3 3. Background . . . . . . . . . . . . . . . . . . . . . . . . . . 3 3.1. Packet Staining Benefits . . . . . . . . . . . . . . . . . 4 3.2. Implementation and support models . . . . . . . . . . . . 5 3.3. Use cases . . . . . . . . . . . . . . . . . . . . . . . . 5 4. Requirements for staining IPv6 packets . . . . . . . . . . . . 6 5. Packet Stain Destination Option (PSDO) . . . . . . . . . . . . 7 6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 8 7. Security Considerations . . . . . . . . . . . . . . . . . . . 8 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 9 9. Normative References . . . . . . . . . . . . . . . . . . . . . 9 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 10 Macaulay Expires August 17, 2012 [Page 2] Internet-Draft IPv6 Packet Staining February 2012
    • 1. Introduction From the viewpoint of the network layer, a flow is a sequence of packets sent from a particular source to a particular unicast, anycast, or multicast destination. From an upper layer viewpoint, a flow could consist of all packets in one direction of a specific transport connection or media stream. However, a flow is not necessarily 1:1 mapped to a transport connection. Traditionally, flow classifiers have been based on the 5-tuple of the source and destination addresses, ports, and the transport protocol type. However, as the growth of internetworked devices continues under IPv6, security issues associated with the reputation of the source of flows are becoming a critical criterion associated with the trust of the data payloads and the security of the destination end- points and the networks on which they reside. The usage of security reputational intelligence associated with the source address field and possibly the port and protocol [REF1] enables packet-by-packet IPv6 security classification, where the IPv6 header extensions in the form of Destination Options may be used to stain each packet with security reputation information such that the network routing is unaffected, but intermediate security nodes and endpoint devices can apply policy decisions about incoming information flows without the requirement to assemble and treat payloads at higher levels of the stack. IPv6 packet staining support consists of labeling datagrams with security reputation information through the addition of an IPv6 destination option in the packet header by packet manipulation devices (PMDs) in the carrier or enterprise network. This destination option may be read by in-line security nodes upstream from the packet destination, as well as by the destination nodes themselves. 2. Conventions used in this document The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119].
    • 3. Background Internet based threats in the form of both malicious software and the agents that control this software (organized crime, spys, hackitivits) have surpassed the abilities of signature-based security Macaulay Expires August 17, 2012 [Page 3] Internet-Draft IPv6 Packet Staining February 2012 systems; whether they be on the enterprise perimeter, within the corporate network, on the endpoint point or in-the-cloud (internet- based service). Additionally, the sensitivity of IP network continues to grow as new generation of smart devices is appearing on the networks in the form of broadband mobile devices, legacy industrial control devices, and very low-power sensors. This diverse collections of IP-based assets is coming to be known as the Internet of Things (IOT). In response to the accelerating threats, the security vendor community have integrated their products with proprietary forms of security reputation intelligence. This intelligence is about IP addresses and domains which have been observed engaged in attack- behaviours such as inappropriate messaging and traffic volumes, domain management, Botnet command-and-control channel exchanges and other indicators of either compromise or malicious intent. [REF 1] IP address may also end up on a security reputation list if they are identified as compromised through vendor-specific signature-based processes. Security reputation intelligence from vendors is typically made available to perimeter and end-point products through proprietary, internet-based queries to vendor information bases. This system of using proactive, security reputation intelligence has many benefits, but also several weakness and scaling challenges. Specifically, existing intelligence systems are: 1. subject to direct attack from the internet on distribution points, for instance 2. are proprietary to vendor devices 3. require fat-clients consuming both bandwidth and CPU, and 4. introduces flow latency while queries are sent, received and processed 5. introduces intelligence latency as reputation lists will be inevitably cached and only periodically refreshed given the number and range of vendor-specific processing elements 3.1. Packet Staining Benefits
    • In contrast to the challenges of current security reputation intelligence systems, packet staining has the following strengths 1. packet staining can occur transparently in the network, presenting no attack surface 2. packet staining uses standardized, public domain IPv6 capabilities 3. security rules can be easily applied in hardware or firmware 4. reading packet stains introduces little to no latency 5. near-real-time threat intelligence distribution systems can be implemented can be implemented out of band in PMDs using a standardized packet staining method allowing multiple Macaulay Expires August 17, 2012 [Page 4] Internet-Draft IPv6 Packet Staining February 2012 intelligence sources (vendor sources) to be aggregated and applied in an agnostic (cross-vendor) manner. 3.2. Implementation and support models Packet staining may be accomplished by different entities including carriers, enterprises and third-party value-added service providers. Carriers or service providers may elect to implement staining centres at strategic locations in the network to provide value-added services on a subscription basis. Under this model, subscribers to a security staining service would see their traffic directed through a staining centre where Destination Options are added to the IPv6 headers and IPv4 traffic is encapsulated within IPv6 tunnels, with stained headers. Carriers or service providers may elect to stain all IPv6 traffic entering their network, and allow subscribers to process the stains at their own discretion. If such upstream, network-based staining services are inappropriate or unavailable, Enterprise data centre managers / cloud computing service providers may elect to deploy IPv6 staining at the perimeter into the internal network, tunnelling all IPv4 traffic, and allow data centre/cloud service users to process stains at their discretion. Enterprise may wish to deploy IPv6 on internal networks, and stain all internal traffic whereby security nodes and end-points may apply corporate security policy related to reputation.
    • 3.3. Use cases The following are example use-cases for a security technique based upon a packet staining system. Organization Perimeter Use-case Traffic to a subscriber is routed through a PMD in the carrier network configured to stain (apply Destination Options extensions) all packets to the subscriber (TM)s IP-range, which have entries in the threat intelligence information base. The PMD accesses the information base from a locally cached file or other method not defined in this draft. Packets from sources not in the information base pass through the PDM unchanged. Packets from sources in the information base have a Destinations Option added to the datagram header. The Destination Options contains reputation from the information base. The format of the destination option is discussed later in this draft. IPv6 perimeter devices such as firewalls, web proxies or security routers on the perimeter of the Macaulay Expires August 17, 2012 [Page 5] Internet-Draft IPv6 Packet Staining February 2012 subscriber network look for Destination Options on incoming packets with reputation stains. If a stain is found, the perimeter device applies the organization policy associated with the reputation indicated by the stain. For instance, drop the packet, quarantine the packet, issue alarms, or pass the packets and associated flow to specially hardened extra-net authentication systems, or do nothing. IPv4 support Use-case" IPv4 header fields and options are not suitable for packet staining; however, there is a clear security benefit to supporting IPv4 flows. IPv4 traffic to a subscriber is routed through a PMD in the carrier network configured to encapsulate the IPv4 traffic in an IPv6 tunnel. The PMD applies a stain (Destination Options extension) to the IPv6 tunnel as per the Perimeter Use-case above. Subscriber perimeter devices such as firewalls, web proxies or security routers are configured to support both native IPv6 flows and IPv6 tunnels contain legacy IPv4 flows. Perimeter devices look for Destination Options on incoming IPv6 packets with reputation stains. If a stain is found, the perimeter device applies the organization policy associated with the reputation indicated by the stain to the IPv4 packet within the IPv6 tunnel. In this manner IPv4 support may be transparent to end-users and applications. IPv6 end-point use-case" IPv6 end-points may make use of reputation stains by processing Destination Options before engaging in any application level processing. In the case of certain classes of smart device, remote and mobile sensors, reputation stains may be a critical form of security when other mitigations such as signature bases and firewalls are too power and processor intensive to support.
    • URL-specific stains" it is a common occurrence to see large public content portals with millions of users sharing dozens of addresses. Frequently, malicious content will be loaded to such sites. This content represents a very small fraction of the otherwise legitimate content on the site, which may be under the direct control of entirely separate entities . Degrading the reputation of IP addresses used by these large portals based on a very small amount of content is problematic. For such sites, reputation stains should have the ability to include the URL of malicious content, such that the reputation of the only specific portions of these large portals is degraded according to threat evidence, rather than the entire IP address, CIDR block, ASN or domain name. 4. Requirements for staining IPv6 packets Macaulay Expires August 17, 2012 [Page 6] Internet-Draft IPv6 Packet Staining February 2012 1. The default behaviour of a security node MUST be to leave a packet unchanged (apply no stain). 2. Reputation stains may be inserted or overwritten by security nodes in the path. 3. Reputation stains may not be applied by the sender/source of the packet. 4. The reputation staining mechanism needs to be visible to all stain-aware nodes on the path. 5. The mechanism needs to be able to traverse nodes that do not understand the reputation stains. This is required to ensure that packet-staining can be incrementally deployed over the Internet. 6. The presence of the reputation staining mechanism should not significantly alter the processing of the packet by nodes, unless policy is explicitly configured. This is required to ensure that stained packets do not face any undue delays or drops due to a badly chosen mechanism. 7. A PMD should be able to distinguish a trusted stain from an untrusted stain, through mechanism such as digital signatures or intrinsic trust among network elements. 8. A staining node MAY apply more specific and selective staining services according to subscriptions. Staining nodes SHOULD support different reputation taxonomies to support different subscribers and/or interoperability with other staining entities,
    • and have the ability to stain flows to different subscriber sources according to different semantics. 5. Packet Stain Destination Option (PSDO) The Packet Stain Destination Option (PSDO) is a destination option that can be included in IPv6 datagrams that are inserted by PMDs in order to inform packet staining aware nodes on the path, or endpoints, that the PSDO has an alignment requirement of (none). 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Option Type | Option Length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |S|U| Stain Data | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Figure 1: Packet Stain Destination Option Layout Macaulay Expires August 17, 2012 [Page 7] Internet-Draft IPv6 Packet Staining February 2012 Option Type 8-bit identifier of the type of option. The option identifier for the reputation stain option will be allocated by the IANA. Option Length 8-bit unsigned integer. The length of the option (excluding the Option Type and Option Length fields). S Bit When this bit is set, the reputation stain option has been signed. U Bit When this bit is set, the reputation stain option contains a malicious URL.
    • Stain Data Contains the staining data. 6. Acknowledgements The author wishes to achknowledge the guidance and support of Suresh Krishnan from Ericsson's Montreal lab. The author also wishes to credit Chris Mac-Stoker from NIKSUN for his substantial contributions to the early stages of the packet staining concept. 7. Security Considerations Some implementation may elect to no apply digital signature to reputation stains in the Destination Option, in which case the stain is not protected in any way, even if IPsec authentication [RFC4302] is in use. Therefore an unsigned reputation stain can be forged by an on-path attacker. Implementers are advised that any en-route change to an unsigned security reputation stain value is undetectable. Therefore packet staining use the Destination Options extension without digital signatures requires intrinsic trust among the network elements and the PMD, and the destination node or intervening security nodes such as firewalls or IDS services. For this reason, receiving nodes MAY need to take account of the network from which the stained packet was received. For instance, a multi- homed organization may have some service providers with staining Macaulay Expires August 17, 2012 [Page 8] Internet-Draft IPv6 Packet Staining February 2012 services and others that do not. A receiving node SHOULD be able to distinguish which source from which stains are expected. A receiving node SHOULD by default ignore any reputation stains from sources (networks or devices) that have not been specifically configured as trusted. The reputation intelligence of IP source addresses, ASNs, CIDR blocks and domains is fundamental to the application of reputation stains within packet headers. Such reputation information can be seeded
    • from a variety of open and closed sources. Poorly managed or compromised intelligence information bases can result in denial of service against legitimate IP addresses, and allow malicious entities to appear trustworthy. Intelligence information bases themselves may be compromised in a variety of ways; for instance the raw information feeds may be corrupted with erroneous information, alternately the intelligence reputation algorithms could be flawed in design or corrupted such that they generate false reputation scores. Therefore seed intelligence SHOULD be sourced and monitored with demonstratable diligence. Similarly, reputation algorithms should be protected from unauthorized change with multi-layered access controls. The value of reputation stains will be directly proportional to the trustworthiness, reliability and reputation of the intelligence source itself. Operators of security nodes SHOULD have defined and auditable methods upon which they select and manage the source of reputation intelligence and the packet staining infrastructure itself. 8. IANA Considerations This document defines a new IPv6 destination option for carrying security reputation packet stains. IANA is requested to assign a new destination option type (TBA1) in the Destination Options registry maintained at http://www.iana.org/assignments/ipv6-parameters 1) Signed Security Reputation Option, 2) Unsigned Security Reputation Option 3) Signed Security Reputation Option with malicious URL 4) Unsigned Security Reputation Option with malicious URL The act bits for this option need to be 10 and the chg bit needs to be 0. 9. Normative References [REF1] Macaulay, T., "Upstream Intelligence: anatomy, architecture, case studies and use-cases.", Information Assurance Newsletter, DOD , Aug to Feburary 2010 to 2011. [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Macaulay Expires August 17, 2012 [Page 9] Internet-Draft IPv6 Packet Staining February 2012
    • Requirement Levels", BCP 14, RFC 2119, March 1997. [RFC2460] Deering, S. and R. Hinden, "Internet Protocol, Version 6 (IPv6) Specification", RFC 2460, December 1998. Author's Address Tyson Macaulay Bell Canada 160 Elgin Floor 5 Ottawa, Ontario Canada Email: tyson.macaulay@bell.ca Macaulay Expires August 17, 2012 [Page 10] Html markup produced by rfcmarkup 1.104, available from http://tools.ietf.org/tools/rfcmarkup/ Related previous work: INFORMATIONAL Network Working Group S. Bellovin Request for Comments: 3514 AT&T Labs Research Category: Informational 1 April 2003 The Security Flag in the IPv4 Header Status of this Memo This memo provides information for the Internet community. It does not specify an Internet standard of any kind. Distribution of this memo is unlimited. Copyright Notice Copyright (C) The Internet Society (2003). All Rights Reserved. Abstract
    • Firewalls, packet filters, intrusion detection systems, and the like often have difficulty distinguishing between packets that have malicious intent and those that are merely unusual. We define a security flag in the IPv4 header as a means of distinguishing the two cases. 1. Introduction Firewalls [CBR03], packet filters, intrusion detection systems, and the like often have difficulty distinguishing between packets that have malicious intent and those that are merely unusual. The problem is that making such determinations is hard. To solve this problem, we define a security flag, known as the "evil" bit, in the IPv4 [RFC791] header. Benign packets have this bit set to 0; those that are used for an attack will have the bit set to 1. 1.1. Terminology The keywords MUST, MUST NOT, REQUIRED, SHALL, SHALL NOT, SHOULD, SHOULD NOT, RECOMMENDED, MAY, and OPTIONAL, when they appear in this document, are to be interpreted as described in [RFC2119]. 2. Syntax The high-order bit of the IP fragment offset field is the only unused bit in the IP header. Accordingly, the selection of the bit position is not left to IANA. Bellovin Informational [Page 1] RFC 3514 The Security Flag in the IPv4 Header 1 April 2003 The bit field is laid out as follows: 0
    • +-+ |E| +-+ Currently-assigned values are defined as follows: 0x0 If the bit is set to 0, the packet has no evil intent. Hosts, network elements, etc., SHOULD assume that the packet is harmless, and SHOULD NOT take any defensive measures. (We note that this part of the spec is already implemented by many common desktop operating systems.) 0x1 If the bit is set to 1, the packet has evil intent. Secure systems SHOULD try to defend themselves against such packets. Insecure systems MAY chose to crash, be penetrated, etc. 3. Setting the Evil Bit There are a number of ways in which the evil bit may be set. Attack applications may use a suitable API to request that it be set. Systems that do not have other mechanisms MUST provide such an API; attack programs MUST use it. Multi-level insecure operating systems may have special levels for attack programs; the evil bit MUST be set by default on packets emanating from programs running at such levels. However, the system MAY provide an API to allow it to be cleared for non-malicious activity by users who normally engage in attack behavior. Fragments that by themselves are dangerous MUST have the evil bit set. If a packet with the evil bit set is fragmented by an intermediate router and the fragments themselves are not dangerous, the evil bit MUST be cleared in the fragments, and MUST be turned back on in the reassembled packet. Intermediate systems are sometimes used to launder attack connections. Packets to such systems that are intended to be relayed to a target SHOULD have the evil bit set. Some applications hand-craft their own packets. If these packets are part of an attack, the application MUST set the evil bit by itself. In networks protected by firewalls, it is axiomatic that all attackers are on the outside of the firewall. Therefore, hosts inside the firewall MUST NOT set the evil bit on any packets. Bellovin Informational [Page 2] RFC 3514 The Security Flag in the IPv4 Header 1 April 2003
    • Because NAT [RFC3022] boxes modify packets, they SHOULD set the evil bit on such packets. "Transparent" http and email proxies SHOULD set the evil bit on their reply packets to the innocent client host. Some hosts scan other hosts in a fashion that can alert intrusion detection systems. If the scanning is part of a benign research project, the evil bit MUST NOT be set. If the scanning per se is innocent, but the ultimate intent is evil and the destination site has such an intrusion detection system, the evil bit SHOULD be set. 4. Processing of the Evil Bit Devices such as firewalls MUST drop all inbound packets that have the evil bit set. Packets with the evil bit off MUST NOT be dropped. Dropped packets SHOULD be noted in the appropriate MIB variable. Intrusion detection systems (IDSs) have a harder problem. Because of their known propensity for false negatives and false positives, IDSs MUST apply a probabilistic correction factor when evaluating the evil bit. If the evil bit is set, a suitable random number generator [RFC1750] must be consulted to determine if the attempt should be logged. Similarly, if the bit is off, another random number generator must be consulted to determine if it should be logged despite the setting. The default probabilities for these tests depends on the type of IDS. Thus, a signature-based IDS would have a low false positive value but a high false negative value. A suitable administrative interface MUST be provided to permit operators to reset these values. Routers that are not intended as as security devices SHOULD NOT examine this bit. This will allow them to pass packets at higher speeds. As outlined earlier, host processing of evil packets is operating- system dependent; however, all hosts MUST react appropriately according to their nature. 5. Related Work Although this document only defines the IPv4 evil bit, there are complementary mechanisms for other forms of evil. We sketch some of those here.
    • For IPv6 [RFC2460], evilness is conveyed by two options. The first, a hop-by-hop option, is used for packets that damage the network, such as DDoS packets. The second, an end-to-end option, is for packets intended to damage destination hosts. In either case, the Bellovin Informational [Page 3] RFC 3514 The Security Flag in the IPv4 Header 1 April 2003 option contains a 128-bit strength indicator, which says how evil the packet is, and a 128-bit type code that describes the particular type of attack intended. Some link layers, notably those based on optical switching, may bypass routers (and hence firewalls) entirely. Accordingly, some link-layer scheme MUST be used to denote evil. This may involve evil lambdas, evil polarizations, etc. DDoS attack packets are denoted by a special diffserv code point. An application/evil MIME type is defined for Web- or email-carried mischief. Other MIME types can be embedded inside of evil sections; this permit easy encoding of word processing documents with macro viruses, etc. 6. IANA Considerations This document defines the behavior of security elements for the 0x0 and 0x1 values of this bit. Behavior for other values of the bit may be defined only by IETF consensus [RFC2434]. 7. Security Considerations Correct functioning of security mechanisms depend critically on the evil bit being set properly. If faulty components do not set the evil bit to 1 when appropriate, firewalls will not be able to do their jobs properly. Similarly, if the bit is set to 1 when it shouldn't be, a denial of service condition may occur. 8. References
    • [CBR03] W.R. Cheswick, S.M. Bellovin, and A.D. Rubin, "Firewalls and Internet Security: Repelling the Wily Hacker", Second Edition, Addison-Wesley, 2003. [RFC791] Postel, J., "Internet Protocol", STD 5, RFC 791, September 1981. [RFC1750] Eastlake, D., 3rd, Crocker, S. and J. Schiller, "Randomness Recommendations for Security", RFC 1750, December 1994. [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. [RFC2434] Narten, T. and H. Alvestrand, "Guidelines for Writing an IANA Considerations Section in RFCs", BCP 26, RFC 2434, October 1998. Bellovin Informational [Page 4] RFC 3514 The Security Flag in the IPv4 Header 1 April 2003 [RFC2460] Deering, S. and R. Hinden, "Internet Protocol, Version 6 (IPv6) Specification", RFC 2460, December 1998. [RFC3022] Srisuresh, P. and K. Egevang, "Traditional IP Network Address Translator (Traditional NAT)", RFC 3022, January 2001. 9. Author's Address Steven M. Bellovin AT&T Labs Research Shannon Laboratory 180 Park Avenue Florham Park, NJ 07932 Phone: +1 973-360-8656 EMail: bellovin@acm.org
    • Bellovin Informational [Page 5] RFC 3514 The Security Flag in the IPv4 Header 1 April 2003 10. Full Copyright Statement Copyright (C) The Internet Society (2003). All Rights Reserved. This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other than English. The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assigns.
    • This document and the information contained herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Acknowledgement Funding for the RFC Editor function is currently provided by the Internet Society. Bellovin Informational [Page 6] Html markup produced by rfcmarkup 1.104, available from http://tools.ietf.org/tools/rfcmarkup/ See also: http://en.wikipedia.org/wiki/Evercookie http://cryptome.org/2013/10/packet-stain/packet-staining.htm  CNET  Security  NSA tracks Google ads to find Tor users NSA tracks Google ads to find Tor users The National Security Agency uses a bit of jiu-jitsu to turn the structure of Web ad networks against people who run Tor to remain anonymous.  by Seth Rosenblatt @sethr  October 4, 2013 5:39 PM PDT
    • The Tor Browser anonymizes your IP address, and has been the subject of intense scrutiny by the NSA. Tor Project Just because the National Security Agency hasn't cracked the anonymizing service Tor doesn't mean that people who use the service are free from surveillance. The NSA has been able to use ad networks like Google's, and The Onion Router's own entry and exit nodes on the Internet, to follow some Tor users, according to a new report based on documents leaked by whistleblower Edward Snowden and obtained by security researcher Bruce Schneier with the Guardian. Tor is primarily funded by the US State Department and the Department of Defense, home of the NSA. Related stories  NSA sought to unmask users of Net-privacy tool Tor, says report  NSA ran secret test on tracking Americans' cell phones  NSA maps some Americans' social connections, says report  Congress unveils bill to limit NSA's powers  Past as prologue? Vietnam-era spying by NSA comes to light  NSA offers details on 'LOVEINT' (that's spying on lovers, exes)
    •  NSA disguised itself as Google to spy, say reports Tor promotes itself as helping people "defend against traffic analysis, a form of network surveillance that threatens personal freedom and privacy, confidential business activities and relationships, and state security." Robert Hansen, a browser specialist at the security firm White Hat Security, said that Tor access node tracking is not new. "A couple of years ago a hacking group published exactly 100 embassy passwords from Tor exit nodes. One hundred is too round of a number," he said. "Just logically there must be more. If you get enough exit nodes and entrance nodes, they can be correlated together." Director of National Intelligence James Clapper criticized reporters and denied that his office was doing anything illegal, citing the threat of "adversaries." The articles fail to mention that the Intelligence Community is only interested in communication related to valid foreign intelligence and counterintelligence purposes and that we operate within a strict legal framework that prohibits accessing information related to the innocent online activities of US citizens. The system that the NSA uses to locate and identify Tor users begins, at least sometimes, with the buying of ads on networks like Google's AdSense. "Just because you're using Tor doesn't mean that your browser isn't storing cookies," said Jeremiah Grossman, a colleague of Hansen's who also specializes in browser vulnerabilities. As Grossman described the procedure to CNET, the NSA is aware of Tor's entry and exit nodes because of its Internet-wide surveillance. "The very feature that makes Tor a powerful anonymity service, and the fact that all Tor users look alike on the Internet, makes it easy to differentiate Tor users from other Web users," he wrote. The NSA buys ads from ad display companies like Google and seeds them around Tor's access points.
    • "The NSA then cookies that ad, so that every time you go to a site, the cookie identifies you. Even though your IP address changed [because of Tor], the cookies gave you away," he said. This is not some complicated or even an unusual trick, Grossman said. It's how tracking ads were intended to function. "That's the Web by design, not a hack," he said. The NSA, he said, is not spending much money on it since Internet ads are so cheap. Grossman speculated that an ad campaign would only cost around $1,000 to seed ads with the NSA's cookies around the Web. "$50,000 would be overkill," he said. Because the NSA is essentially using how the Web functions to spy on its users, tools like Tortilla that take the burden of Tor usage away from Firefox wouldn't prevent the NSA's tracking ads from finding people. It wouldn't be feasible for Google to block ad buys from the NSA, and if the company did, he said, "they could just buy through a proxy." Google did not respond to a request for comment. Both Tor itself and Schneier noted that the NSA has not been able to track every Tor user this way. "They are hard for any organization other than the NSA to reliably execute, because they require the attacker to have a privileged position on the Internet backbone," Schneier said. Grossman speculated that the NSA could be using spam e-mail campaigns as it's been using display ads, though he cautioned that he didn't have evidence that this was actually happening.
    • "On the off chance that [the spam recipient] renders the HTML or clicks a link, [the NSA] can connect your e-mail address to your browser," he explained, which the NSA would have already connected to an IP address. "Using Tor or any proxy wouldn't prevent it." Not all Tor installations are created equal, added Hansen, who has an unusual pedigree in the browser vulnerability field because he's also a veteran of the ValueClick ad network, which was later bought by DoubleClick, which subsequently was purchased by Google. "It depends on whether you're using Tor Button or Tor Browser," he said. "The Tor Button tends to be more secure because as you jump in and out of the Tor Browser, it tracks cache and cookies." However, since the Tor Project now includes a patched version of Firefox, it recommends not using the Tor Button and only using the standard Tor Browser Bundle instead. More secure than either, Hansen said, was to run Tor on a virtual machine so that cookies and cache are dumped when the machine is closed, and the kind of man-in-the-middle and man-on-the-side attacks described by Schneier are avoided. "If you don't take the critical steps to protect your privacy, you will be de- cloaked if you're doing something interesting," Hansen said. Tags: Security Tech Industry Featured Video Sci-Tech
    • Google Lunar Xprize: The next great race to the moon The Google Lunar Xprize is racing ahead as 18 teams across the world compete to become the first among them to land on the moon. The payoff: a $30 million prize and international glory. Here's a preview of our upcoming coverage. / Watch Video About the author Seth Rosenblatt  twitter  facebook  googleplus Senior writer Seth Rosenblatt covers Google and security for CNET News, with occasional forays into tech and pop culture. Formerly a CNET Reviews senior editor for software, he has written about nearly every category of software and app available. See full bio You May Also Like Recommended by
    • Join the discussion 66 comments  Get Livefyre  FAQ Log in 5 people following + Follow conversation Share Post comment as... FAQs / Guidelines Newest | Oldest | Top Comments joco69 Oct 14, 2013 If only the government would use half of its efforts to spy on people to resolve the debt crisis the U.S. would be a great country to live in. FlagShare LikeReply sdbruns Nov 10, 2013 @joco69 There is NO debt crisis. The US government owes all of its debt in US dollars of which it is the sole source in the world. It doesn't need to borrow dollars in order to spend them, it only does so because the right people get rich(er) that way. FlagShare LikeReply Zorched Oct 14, 2013
    • The key phrase is "we operate within a strict legal framework that prohibits accessing information related to the innocent online activities of US citizens." In other words, you're only "innocent" until they say so-- and there's no court oversight (warrants) when they do decide to pay attention to you-- or until another corporation buys your rights away from you without your knowledge or input. Right MPAA, RIAA? FlagShare LikeReply Been_there_Saw_it_before Oct 11, 2013 When will the NSA do something productive and useful? Shutoff Ann from Account Services, stop junk Faxes, and enforce the Do Not Call list. FlagShare 1LikeReply boomslang Oct 9, 2013 Most Torons spend great gorps of time hiding their activities to only compromise and sell their identity for a couple acts of convenience. Most Torons are immensly clever, but so was Coyote... FlagShare LikeReply cityguy_usa Oct 8, 2013 What we need is someone to hack the NSA and change all their collected data so that it's wrong. FlagShare 2LikeReply jrfoleyjr Oct 14, 2013 @cityguy_usa What we need is someone to hack NSA and encrypt all their stored data with a rotating 4096 bit algorhythm.
    • FlagShare LikeReply C-Source Oct 8, 2013 Disable cookies? FlagShare LikeReply C-Source Oct 8, 2013 A friend was telling me that the maker of McAffee or what ever was producing a device that would act like a firewall I guess, as in you plug it in between your pc and router or router and cloud, and that it's purpose is to prevent the NSA from being able to track you. Any truth to this? FlagShare LikeReply bobqat Oct 7, 2013 "Because the NSA is essentially using how the Web functions to spy on its users(...)" Hmmm. "Because a peeping tom is essentially using how a window functions to spy on his victims(...)" FlagShare 5LikeReply C-Source Oct 8, 2013 @bobqat Not everyone is a perverted freak, the one who was was too stupid to even use a proxy. FlagShare LikeReply
    • techdude1541 Oct 7, 2013 wait, so we have enough money to spend on ads to track people, which is against the constitution, but we don't have enough money to keep the budget going. 'Murica! FlagShare 1LikeReply MtVernonCannibisFarms Oct 7, 2013 steganographic email embedded in encrypted goatse pics , there's an app for that FlagShare 1LikeReply C-Source Oct 8, 2013 @MtVernonCannibisFarms secret message or something, I am sure they can pick it out, research Machine Learning. 0 0 111. The NSA also has ties with companies that work with cryptography software and those companies leave weakness open disclosed to the NSA. Apparently like 90% of their intel is aquired because of this alone. Last I heard 1024 bit encryption was a minimum but that was at least a couple years ago I think. Not sure if AES is still whats being used, but I shouldn't act like I know much about anything, hopefully someone can correct me. FlagShare LikeReply ShadowITninja Oct 7, 2013 "That's the Web by design, not a hack," he said. Actually, thatt's now how the web was designed. The original specification by the W3C (that's the web standards body) said that a cookie should only be sent back to the original site. This was intended to protect privacy. The web browser developers implemented it as only allowing a cookie to go back to the same
    • server, not the same site, because that was easier to do. Then ad providers started using distributed cluster computers so that one logical server could serve ads (as one component of a site) all over the internet. One web site, you see, can be loaded from multiple servers and a server can be composed of multiple machines. This is a hack. Even though it is how the web now works routinely it's still a hack. It's not how the web was originally intended to work. FlagShare 5LikeReply Maarek Stele Oct 7, 2013 Firefox and Chrome have privacy windows that do not store cookies, cache, or history of your browsing. Tie that into Tor, and the NSA will not have anything to track. DARPA stop their funding to TOR in 2006, sure this is only on paper, but if you tie in additional VPNs or server hops, it will be harder for someone to track you. If you want to start trouble, then watch your back, otherwise use your head. There are many options out there. FlagShare 2LikeReply eswinson Oct 6, 2013 Basically, google, yahoo, ms, et al... have been compromised. Reliance on them for any service they have offered to make your life easier also makes it easier for anyone (not just your own government) to spy on you. FlagShare 3LikeReply Tui Pohutukawa Oct 6, 2013 " Tor is primarily funded by the US State Department and the Department of Defense, home of the NSA." I did not know that, but it doesn't surprise me. I've been thinking for a while that many/most so-called privacy initiatives on the net are in fact fronts for various intelligence agencies. FlagShare 4LikeReply
    • peterthompson89 Oct 7, 2013 @Tui Pohutukawa Although its never been denied that they funded it. Apparently the reason they made TOR available to the public is because the more stuff being done on it, the more it can be used to cover the government's use of it. It wouldn't surprise me if it had been cracked though. FlagShare LikeReply Renegade Knight Oct 8, 2013 @Tui Pohutukawa TOR was funded by our government to allow citizens of countires like China to surf in freedom without fear of government retalition. I can't help but smirk at the irony as I type that. FlagShare 1LikeReply globalist_agenda Oct 5, 2013 Radio Free America. Wow, it's like we've got our own Iron Curtain right here! How cool is that. I'm going to fire up the old tube shortwave radio and get fresh unfiltered propaganda from the Polish broadcast of RFA. FlagShare 1LikeReply jds4191 Oct 5, 2013 Again no surprise. The govt can see what targeted users do on the web. How many stories can CNET write on the exact same topic before people like me start considering deleting this app? FlagShare 1LikeReply hutchike Oct 5, 2013
    • What about Google Analytics? Surely that's way more widespread than AdWords ads, and easier to sniff? FlagShare 1LikeReply gidgiddonihah Oct 5, 2013 Easy: Incognito (use CCleaner to clean out your cookies after every session just to be safe) -> Ad Blocker -> HTTPS Everywhere -> VPN (128 or 256 Bit Open VPN Encryption) -> Tor Network. Good Uncle Sam will never know what your doing. FlagShare 1LikeReply Tyil Jan 8, 2014 @gidgiddonihahIf you use CCleaner you're probably using Windows. No matter what you try, you're already compromised. FlagShare LikeReply sarai1313 Oct 5, 2013 you can buy a cheep android tab for 50 dollars use it to do your thing and toss it. they are the new burner phone. FlagShare 2LikeReply eswinson Oct 6, 2013 @sarai1313 Good luck getting wireless access without identification. I guess you can use free wifi where you can find it or use a foreign sim. FlagShare LikeReply
    • sarai1313 Oct 6, 2013 @eswinsonfree wifi is evey where FlagShare LikeReply C-Source Oct 8, 2013 @sarai1313 @eswinson also insecure unless your using an encrypted remote desktop or vpn. Wireshark, tcpdump etc... FlagShare LikeReply C-Source Oct 8, 2013 @sarai1313 @eswinson remote desktop or vnc to homebase kinda defeates the purpose unless its to a rooted machine. I have tried using tor in conjunction with other proxy services, works alright if your just after text based data and don't need all the web gadgets. tor to proxy or proxy then tor, add a layer to the layers. FlagShare LikeReply C-Source Oct 8, 2013 @sarai1313 @eswinson All anyone needs is a way to get the suspects machine to ping a remote network (ie the nsa's) without using the port assigned to tor or socks. FlagShare LikeReply Nadrakas Oct 5, 2013 And now Google wants to give everyone their own "Unique" web identity...thus making it easier to be tracked by anyone, whether it's the NSA or anyone else. Welcome to "1984" on Crack.
    • ~ M FlagShare 4LikeReply trajan2 Oct 7, 2013 @Nadrakas We wanted a simple internet search engine and what we ended getting is spied on and tracked. Google is evil now. Their whole business model is based on tracking people and knowing as much about you so that they can sell you out. Whatever you thought was good about Google can now be used by crooks to ruin your life. Google now uses Android in a way that should be illegal. You should never give up your privacy in any country cause its the buffer to protect you from totalitarianism. Now simply using the internet or using your Android phone is a privacy invasion. It should not be like that but companies like Google decided to jump in bed with the corrupt NSA. FlagShare 2LikeReply C-Source Oct 8, 2013 @trajan2 @Nadrakas A mass amount of people can use that to their disadvantage, ie create fake accounts as much as possible to eventually clog their servers with useless data, it also spreads out any info collected and it doesn't get tied to your name. IP would be the only common denom aside from mac (macchanger) but there are proxies all over to use. HMA and tor are good. I wonder if there are algorithms that can identify users based on their typing habits and styles? If so, one can change that like accents of the voice. Maybe try uing payphones to varify. Really though, if your not trying to take over the world my best defense and armor has always been the Constitution, even if they id you, you can stand
    • behind that 1st amendment all day long. 3rd and 4th also. 5th aswell. "Ya can keep on knockin' but ya can't come in." in the wise words of Cheech Marin. FlagShare 1LikeReply Renegade Knight Oct 8, 2013 @Nadrakas I have to agree with Google in some of the logic here. My email is at the mercy of my host. A lot of my internet ID is subject to being lost along with a lot of the IP and work that's been put into them. Were I to lose my emails for example, updaing my online accounts that use that would be a major PITA. Worse were I to lose my email, and lose my password keeper and had to reconstruct everthing it would be very time consuming and almost impossible. That said. I also agree with being able to have a presence outside the official one to speak freely and such. FlagShare LikeReply solitare_pax Oct 5, 2013 So, in brief, the NSA is merely using proven techniques developed and refined by Microsoft, Google, Amazon and others to keep track of customers. FlagShare 6LikeReply Alex_Lehmann Oct 5, 2013 Using Tor without additional measures against tracking is silly, so it amazes me that tracking ads it working so well. There are a few tools that allow limiting the mount of tracking that happens in the browser, Tor or not. Some of these tools break web site functionality, but improve the privacy and security issues.
    • For example if you take a look at this very site with RequestPolicy, you see more than 20 external domains that could be tracking the users (ranging from ads to twitter to this comment form) that could be undermined by the NSA. FlagShare 3LikeReply faceless128 Oct 4, 2013 why would people using Tor even have ads? one would think they would use an ad blocker... FlagShare 2LikeReply solitare_pax Oct 5, 2013 @faceless128 One would also think they would be paranoid enough to use different browsers or even different boxes to divide their time between 'secure' surfing and 'personal' surfing. My expert analysis: PEOPLE ARE LAZY. See also my reviews on people clinging to older operating systems... FlagShare 3LikeReply C-Source Oct 8, 2013 @solitare_pax @faceless128 What's wrong with NetBSD? Or any BSD for that matter. Are you one of those folks that think UNIX is a four letter word? FlagShare LikeReply
    • Diplomacy42 Oct 5, 2013 @faceless128 adblocker won't work anyway. you need a script killer. FlagShare 1LikeReply lloyd1981 Oct 6, 2013 @Diplomacy42 @faceless128 For ads, as well as for purely irritable crap, Adblocker Plus filters almost anything, but you have to be careful; some "internal" items are linked in such a way that if you block the entire script, you may end up blocking portions you wish to see. Adblocker can give you at least four levels of control, plus your own custom version. When I open CNET and compare what I see with my prime browser, that has excellent cookie and script information, with the same page in Safari on the Book, its like night and day. A quick MacScan for tracking cookies may show one or two with the desktop, but dozens after a few days using one "rest" partition on the Pro Book. FlagShare 2LikeReply man_in_la2000 Oct 4, 2013 Wtf is wrong with the paychopaths working at NSA FlagShare 6LikeReply solitare_pax Oct 5, 2013 @man_in_la2000 Well, for one thing the NSA is merely following orders originally devised by paranoid sociopathic Republicans and neocons who firmly believe that their narrow views are right and the rules of the world do not apply to them.
    • FlagShare 3LikeReply protagonistic Oct 5, 2013 @solitare_pax A typical response from someone who has no knowledge of history. If you did you would know that these programs know no political boundaries. But then an informed citizen is the worst nightmare of any politician. FlagShare 5LikeReply globalist_agenda Oct 5, 2013 @solitare_pax @man_in_la2000Actually all this evil stuff goes back to The OSS which became the CIA. Specifically, Operation Paperclip and others where we resettled evil Nazis in America. Their evil has infected us from that time forward. "The Butcher of Lyon"? Oh, we gave him a nice cushy job here. Apparently we thought that Nazis were preferable to Marxists. Nikolaus 'Klaus' Barbie (25 October 1913 – 25 September 1991) was an SS- Hauptsturmführer (rank equivalent to army captain) and Gestapo member. He was known as the "Butcher of Lyon" for having personally tortured prisoners of the Gestapo while stationed in Lyon, France. After the war, United States intelligence services employed him for their anti-Marxist efforts and also helped him escape to South America. FlagShare 4LikeReply NavyFlyer1325 Oct 7, 2013 @solitare_pax @man_in_la2000 You haven't even seen or THOUGHT of the abuse that will come from the Statist-Marxist-Alinskyist-Leftist Democrats by the employment of these tools. While your bogeyman ("Republicans and Neo-Cons") is thinking of the good of the Republic and We, The People, and ferreting out Al Libi and other criminals, Those People only think of Themselves, The Party Elite, and the Power of the State to maintain their grip on and the survival of The Party. You only need to review just a little of what the survivors of the Soviet Gulag
    • have written to get an idea of what Emperor Bamma-Lamma-Ding-Dong and the rest of his Chicago Cronies, and their ilk, like Hillary, have in mind. FlagShare 2LikeReply eletain Oct 7, 2013 @NavyFlyer1325 @solitare_pax @man_in_la2000 Congratulations, you are now the poster boy for the need of an unlike button on this site FlagShare LikeReply Gadget70 Oct 4, 2013 On the Mac, I use the program "Cookie" which constantly erases cookies and erases the cache FlagShare 3LikeReply protagonistic Oct 5, 2013 @Gadget70 Take a look at an extension called disconnect. It blocks all kinds of ads from loading at all. It definitely speeds up page loading. FlagShare 2LikeReply ShadowITninja Oct 7, 2013 @protagonistic I don't like extensions that block ads. The web needs advertising to work. It doesn't need tracking. Ad blocking sends the wrong message because it's no longer just about privacy when you do that. I recommend Noscript, Beef TACO, Better Privacy and similar extensions that address the privacy issues while still allowing fair advertising that doesn't track you and doesn't cause security problems by running scripts on your machine.
    • FlagShare 1LikeReply QMT Oct 7, 2013 @ShadowITninja @protagonistic If web advertising worked the same as any other advertising, adblock and clones wouldn't block it. Pay a website twenty bucks to place an A tag and a jpeg on several pages for a couple days. It's that easy. Paying a website half a cent per click to add in obfuscated javascript that loads more javascript that loads an iframe that loads more javascript that parses several cookies (and maybe even pop up a new tab/window) is why adblockers started appearing in the first place. FlagShare 2LikeReply Show More Comments Conversation powered by Livefyre http://www.cnet.com/news/nsa-tracks-google-ads-to-find-tor-users/