
NSA and VPN



A review of the recent revelations about NSA's ability to exploit VPN services. Provided for Rochester 2600



  1. NSA and VPN
  2. NSA and VPNs
     A recent article in Der Spiegel shows lots of new attacks: SSL/TLS, PPTP, IPSEC, SSH
     vpn-ssl-tls-ssh-tor-a-1010525.html
  3. The Program
     Falls under the "Office of Target Pursuit" (OTP)
     Named OTP VPN Exploitation Team, now called OTTERCREAK
     TOYGRIPPE: repository of VPN metadata of systems of interest
       • includes machine fingerprint and the VPN service connected to (e.g. PIA)
     BLEAKINQUIRY: repository of potentially exploitable VPNs
       • unclear if this means a list of VPNs on the internet, or common configurations
     XKEYSCORE: common source of VPNs to exploit, but includes random people like you and me
       • don't use it as a primary attack source unless necessary, due to the legal hoops they have to go through
  4. The Workflow
     Analyst targets someone (e.g. me) and finds that they're using a VPN
     Analyst must come up with a way to collect inbound and outbound traffic of the target
     Calls up the OTP VPN Exploit Team
     They look at the metadata (traffic fingerprinting), define the attacks, and search through collection sources
       • TOYGRIPPE: has a list of all the VPN metadata
       • PINWALE: long-term collection of "SIGINT"
       • XKEYSCORE: raw packet captures from everyone
       • VULCANDEATHGRIP: raw packet captures for VPNs
       • FOURSCORE: repo for PPTP
       • CORALREEF: database of PSKs for VPNs
     Decrypt traffic and return the results (passive or active)
  5. TOYGRIPPE
     Lets an analyst search through tons of metadata from a variety of collection sources
       • MUSCULAR
       • UKJ-260D??
     Focused on IPSec, PPTP, and ViPNet (Vodafone)
  6. Example of using TOYGRIPPE to find VPN metadata
     IR = IRAN
     S = source port 1037
     Sites where the data was collected
  7. IPSEC Review
     IPSEC VPNs are the most common in enterprise environments
     Uses a Pre-Shared Key (PSK) or a Public Key cert (PK)
     ISAKMP/IKE packets perform a handshake for a temporary key for your session
     ESP packets are the actual encrypted data
  8. Example IPSEC: FTM 1
     "Follow the Money" FTM target 1
     Implanted keyloggers and other hardware, but it didn't work
     Called up TAO, who owned them and recovered the configuration files of the VPN, including PSKs
       • Can now "passively exploit", which should mean decrypt VPN traffic
  9. Example IPSEC: FTM 2
     TAO owns the router
     Network Security Products "implant" allows passive exploitation
       • This implies that it's a way of collecting the temporary key (IKE/ISAKMP) values
       • Maybe making them predictable or fucking up their handshake
     Results in ESP packets being decrypted raw
  10. PPTP Review
     Microsoft Point-to-Point Tunneling Protocol
     Owned years ago by Moxie and others
     Outdated but still used
     Control channel operates on 1723
     Data channel is sometimes port 47 (GRE-Next Protocol)
  11. Example PPTP: Airlines, Telcos, Governments
     The slides just list all of these sites that have been owned, implying that they have a protocol-level exploit
       Iran Air
       Royal Jordanian Air
       Transaero Airlines
       Mexican Embassy
       Pakistani General Intelligence
       Turkish Embassy
       Afghanistan Government (apparently the whole thing)
  12. More Example PPTP
       Zaad Financial bank
       Kabul Bank
       BNI Banking Indonesia
       And so on…
  13. TL;DL
     These files are from around 4-2011 and some of them are older
     Most of the exploitations are not VPN-destroying, just concerning
     The team seems mainly to implement attacks using other people's exploits
       • Decrypt TLS when TAO collects the private keys
       • Decrypt IPSEC when the PSK is discovered
       • Decrypt SSH when the private keys are found
     They (probably) can't…
       • Own all VPNs with a single click
       • Own your personal VPN
       • Own SSH and TLS automatically
  14. TL;DL: They Can…probably
     See that you are on a VPN, which VPN, and if that VPN has an exploit
     Own you completely via PPTP
     Capture your VPN traffic and try to decrypt it later
     Call up TAO or NSP to implant something on your network that would make your VPN owned
     Decrypt SSH tunnels with the help of TAO or NSP
     Decrypt SSL/TLS tunnels with the help of TAO or NSP
     Look up your router and see if there is an exploit for it
     Pay attention to large VPN providers to exploit them, including your traffic
  15. Defense
     1. Run your own private VPN on a VPS
       • Good for increasing the effort to exploit you
       • Bad because it's cloud
       • Bad because all your traffic is directly attributed to you
     2. Use a VPN service like PIA
       • Good because it's cheap and difficult (>0) to tell which is your traffic and which is someone else's
       • Good because it doesn't allow your ISP to see your traffic
       • Bad because the bigger the target, the more likely you will be "tasked"
     3. Tor
       • Good because anonymity
       • Bad because unrealistically slow
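Slides 4 to 7 and 10 describe fingerprinting VPN metadata and the protocol pieces of IPsec (IKE/ISAKMP handshake, then ESP) and PPTP (TCP 1723 control channel, GRE data channel). The following is an added example, not part of the deck: a small flow-record classifier a defender could run over their own flow export to inventory which VPN protocols cross the perimeter and to flag PPTP, which the deck calls outdated. The Flow records, RFC 5737 addresses and function names are constructed for this example.

```python
from dataclasses import dataclass
from typing import Optional
# Standard IANA protocol numbers and ports (facts, not taken from the slides).
IP_PROTO_TCP, IP_PROTO_UDP, IP_PROTO_GRE, IP_PROTO_ESP = 6, 17, 47, 50
IKE_PORTS = {500, 4500}        # ISAKMP/IKE, and IKE over NAT-T (both UDP)
PPTP_CONTROL_PORT = 1723       # PPTP control channel (TCP), as on slide 10

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: int
    sport: int
    dport: int

def classify(flow: Flow) -> Optional[str]:
    """Name the VPN component a flow belongs to, or None if it is not VPN-like."""
    ports = {flow.sport, flow.dport}
    if flow.proto == IP_PROTO_ESP:
        return "ipsec-esp"      # encrypted payload after the IKE handshake (slide 7)
    if flow.proto == IP_PROTO_UDP and ports & IKE_PORTS:
        return "ipsec-ike"      # ISAKMP/IKE handshake packets
    if flow.proto == IP_PROTO_GRE:
        return "pptp-gre"       # PPTP data channel rides GRE (IP protocol 47)
    if flow.proto == IP_PROTO_TCP and PPTP_CONTROL_PORT in ports:
        return "pptp-control"
    return None

def vpn_inventory(flows):
    """Group VPN-like flows by peer pair and mark PPTP peers as deprecated."""
    inventory = {}
    for f in flows:
        kind = classify(f)
        if kind is None:
            continue                # not VPN traffic, e.g. ordinary HTTPS
        key = tuple(sorted((f.src, f.dst)))
        entry = inventory.setdefault(key, {"components": set(), "deprecated": False})
        entry["components"].add(kind)
        if kind.startswith("pptp"):
            entry["deprecated"] = True
    return inventory

# Constructed sample flows using RFC 5737 documentation addresses.
SAMPLE_FLOWS = [
    Flow("192.0.2.10", "203.0.113.5", IP_PROTO_UDP, 500, 500),     # IKE
    Flow("192.0.2.10", "203.0.113.5", IP_PROTO_ESP, 0, 0),         # ESP
    Flow("192.0.2.20", "198.51.100.7", IP_PROTO_TCP, 1037, 1723),  # PPTP control
    Flow("192.0.2.20", "198.51.100.7", IP_PROTO_GRE, 0, 0),        # PPTP data
    Flow("192.0.2.30", "198.51.100.9", IP_PROTO_TCP, 52000, 443),  # plain HTTPS
]
```

Running `vpn_inventory(SAMPLE_FLOWS)` yields two peer pairs: one IPsec (IKE plus ESP) and one PPTP pair marked deprecated, while the HTTPS flow is ignored.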