Wednesday, 30 October 2019

No, NSA's use of "traffic shaping" has nothing to do with "unrestrained spying on Americans"



[Update Nov 1: Added explanation "exfil out" vs "exfil in"]

OK, the story[1] I'm covering now is more than two years old. I somehow missed it back then. But please consider that covering the Snowden saga is just a pastime for me. I don't make any money from it, and I have family, friends and last but not least a job I have to put first.

I'm writing a post now because I think it's still worth it. It's a perfect example of what happens when people who have neither a clue about intelligence nor the technical background write bombshell stories about Snowden documents. And the NSA document itself is quite interesting and, since internet routing is my daily job, quite easy for me to explain.

As so often in the Snowden reporting, the story[1] completely misrepresents what's actually in the document[2]. It claims the NSA had capabilities to reroute internet traffic, so that they would be able to move traffic e.g. from American soil (where the NSA is legally very limited) to abroad (where it is legally a lot easier to intercept lines and collect traffic). But this is simply not true. The NSA document is about something completely different. It is not about rerouting internet traffic so it can be collected; it is about exfiltration of already collected data.

First, that it is not about rerouting of internet traffic, or rather that this is not a reasonable option, is explicitly stated in the document itself. See pages 40-42:





There are two possibilities for an attacker to reroute traffic: either alter the routing tables or kill all the lines the traffic should not take. As you can see in the slides, the NSA author himself doesn't think these are reasonable options. Altering BGP routes "*could* work", as he said, but would most likely be detected by folks who observe internet BGP route changes (the Twitter account @bgpmon, which reports strange BGP changes, is an example) and by the victim itself, and killing all undesired links is even less reasonable.


What NSA's "Traffic Shaping" really is about

What you first need to understand is something about exfiltration. It is no surprise that one task of intelligence agencies is to compromise devices (computers, routers, firewalls, ...) in target networks and (ab)use them to gather data in that network. But the compromise is only one part of the job. The other -- often underestimated or even omitted -- challenge is how to send the stolen data back home without being detected (many operators monitor their networks for anomalies; hard NSA targets most likely do). This is called exfiltration and this is what the document is about, as you can clearly see here:



An analyst has access in "Yemenet" (CNE = "Computer Network Exploitation") and now wants to see the collected data. And the purpose of this document is to explain that one possibility is to send this data over a link the NSA has access to (SSO = "Special Source Operations") and can passively collect.

So the basic concept is that the analyst just has to find a good destination IP address (routing decisions are almost always based on the destination IP address only) to send the exfil to, and it will be captured. This is indeed a clever idea: because the compromised device doesn't need a connection to the outside and can even spoof its source IP address, the likelihood of being detected is much smaller.
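From the operator's side, the two properties just described (traffic that never gets an answer, and possibly a source address that does not belong to the network) are what egress monitoring can look for. The following Python code is an added example, not taken from the NSA document or from the original post; the local prefix, the flow-record layout and the byte threshold are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Assumption: the prefixes this network legitimately uses (constructed sample).
LOCAL_PREFIXES = [ipaddress.ip_network("198.51.100.0/24")]

# Constructed flow records as seen at the network edge:
# (direction, src, dst, protocol, packets, bytes)
FLOWS = [
    ("out", "198.51.100.10", "203.0.113.5", "tcp", 40, 52_000),
    ("in", "203.0.113.5", "198.51.100.10", "tcp", 38, 4_100),       # normal two-way session
    ("out", "198.51.100.77", "192.0.2.200", "udp", 900, 1_150_000),  # volume, never answered
    ("out", "10.9.8.7", "192.0.2.200", "udp", 300, 390_000),         # source is not ours
    ("out", "198.51.100.20", "203.0.113.9", "udp", 2, 140),          # one-way but tiny
]

def is_local(addr):
    """True if addr lies inside one of the network's own prefixes."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in LOCAL_PREFIXES)

def find_suspect_egress(flows, min_bytes=100_000):
    """Return {(src, dst): reason} for outbound traffic that is spoofed or one-way."""
    out_bytes = defaultdict(int)
    replied = set()
    for direction, src, dst, _proto, _pkts, nbytes in flows:
        if direction == "out":
            out_bytes[(src, dst)] += nbytes
        else:
            replied.add((dst, src))  # stored in outbound orientation
    suspects = {}
    for (src, dst), nbytes in out_bytes.items():
        if not is_local(src):
            # A packet leaving with a foreign source address should not exist;
            # egress filtering would drop it, monitoring should at least flag it.
            suspects[(src, dst)] = "spoofed-source"
        elif (src, dst) not in replied and nbytes >= min_bytes:
            # Significant volume to a destination that never sends anything back.
            suspects[(src, dst)] = "one-way-volume"
    return suspects

if __name__ == "__main__":
    for pair, reason in find_suspect_egress(FLOWS).items():
        print(pair, reason)
```
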

That no connection is needed, and that the sent packets probably "die" somewhere, is explicitly stated here:



"Exfil out" vs. "Exfil in"

What immediately makes sense is "exfil out". You have access in Yemenet and want to bring your precious collection out undetected. But why bring something in? What is "exfil in" good for?

The answer probably (this is my explanation, it is not covered in the document itself) is that it is then an exfil from another country, not Yemen. Let's for example assume the NSA has access in France, but no access to any of the internet uplinks to France. This is where "exfil in" comes into play: they send it to a link to Yemenet where it can be captured. And this has another advantage: they have good plausible deniability if their access in France is detected.


The "Infamous Collection Problem" -- no "Full Take"

An interesting side note ...

It is often claimed that when the NSA intercepts internet lines, they take everything they can get. That this is not true, and that they only collect what matches specific selectors, is something you can see in this document too:




[1] https://www.zdnet.com/article/legal-loopholes-unrestrained-nsa-surveillance-on-americans/

[2] https://www.documentcloud.org/documents/3871807-Network-Shaping-NSA-document.html
