Android IMSI Catcher detection

[coderman]

On Wed, Dec 11, 2013 at 7:17 AM, coderman <coderman at gmail.com> wrote:
> ...
> thus CNE in this case is cell MitM/WiFi pwn with a USRP rogue tower to
> get identifiers for TAO.  and TAO is where they get dirty with "remote
> exploitation" of the device itself and other targets ...


see also this section on the OPEC hacks:

http://arstechnica.com/information-technology/2013/11/quantum-of-pwnness-how-nsa-and-gchq-hacked-opec-and-others/
"""
Here’s how the NSA and GCHQ go after an organization like OPEC step by
step, based on an analysis of the NSA and GCHQ documents exposed by
Snowden:

Step 1: Identify. Using the NSA-built packet capture and inspection
system called TURMOIL, the agencies filter through Internet traffic at
a network choke point looking for specific "fingerprints" in traffic
that identify users with the organization being targeted. Data from
TURMOIL gets pulled into a number of traffic analysis tools, such as
XKeyscore and TRAFFICTHIEF, which do different sorts of packet
analysis.

XKeyscore is the NSA's distributed search engine, catching a large
chunk of international Internet traffic for analysis. It helps find
things deep in the clutter of the Internet that analysts might miss by
allowing them to use search terms to find things in both live and
cached Internet traffic.

TRAFFICTHIEF, on the other hand, is much more focused. It filters for
very "strong" indicators, like known sets of IP addresses, addresses
within e-mail traffic, or user names in logins to social networks or
other services. It provides less depth of analysis than XKeyscore, but
it can handle much larger loads of data because it is more selective
about what it processes.

Together, the tools can be used to identify the systems used by an
individual or organization, including ranges of addresses that they
may use from work or home.

Step 2: Target. Using the profiles built using the surveillance tools,
the agencies can then identify potential points of attack. XKeyscore,
for example, can be used to search for patterns that identify known
security vulnerabilities within a range of addresses. Web visit
histories, e-mail traffic, and other data are analyzed looking for the
most likely (and least detectable) approach to gain access, and a
specific attack plan is crafted, including the identification of where
to launch the attack from.

At the NSA, this sort of thing is the work of Tailored Access
Operations. In the case of OPEC, the targeting process apparently went
on for several years as the NSA sought openings for an attack.

Step 3: Attack. Depending on who the target is, the NSA and GCHQ have
a variety of options. The least costly is to use access provided by
one of the intelligence agencies' telecommunications "partners" who
own network equipment at an exchange or other choke point that the
target's Internet traffic passes through. The agency running the
attack can use that access to introduce changes to Internet routing
tables that detour the targeted individual's traffic. But in some
cases, the NSA and GCHQ may have to perform "unilateral" taps on
network backbones to gain that level of access—targeting a piece of
network hardware to take over or splicing directly into the target's
own connection to the Internet.

It's not clear which attack the NSA used to gain access to OPEC's
systems, though the GCHQ used a Quantum attack two years later to gain
its own very special access to the cartel's network. In the case of
the Belgacom hack, the GCHQ used a Quantum insert attack—routing the
Web requests for LinkedIn and Slashdot from the engineer being
targeted to a server posing as those sites. The NSA has used the same
approach to intercept traffic to sites such as Google.

The man-in-the-middle server can present content from the actual sites
the target intended to visit, but it can also add content to the
traffic, using what's called packet injection—modifying the contents
of the data as it passes through—and intercept the user's credentials.
And by using a forged certificate, the NSA can intercept encrypted
traffic intended for the destination site.

Once the user has connected to the fake server, the intelligence
agencies can use the connection to launch attacks against the target's
Web browser to install monitoring software or other malware, using
similar techniques to those used by hackers. They can also use
credentials exposed via the man-in-the-middle attack to gain access to
other accounts owned by the target and to troll through connections in
those services that might be potential targets.

Step 4: Exploit. Once the target's computer has been successfully
attacked, the effort begins to look much like that of the Chinese
cyber warriors' attack of the New York Times or what cyber criminals
typically do when they score access to high-value targets. The
agencies' hackers work to stealthily expand their level of access,
using customized remote administration tools to grab user privileges
and gain access to other network resources—mail servers, file servers,
and other network systems. They then start to "exfiltrate" data from
these systems and deliver them to analysts.
"""