A basic example: say you visit an Al Qaeda website. Monitoring major Internet backbones would allow the NSA to detect that visit. It begins with the browser requesting information and the server responding. Once the attacker (in this case, the NSA) sees that request go by, it forges a reply that includes an exploit kit.
In other words, virtually anyone using the Internet could be targeted by the NSA.
Nicholas Weaver, writing at Wired, describes some of the more interesting forms of attack.
collection of FOXACID servers, designed to exploit visitors. Conceptually similar to Metasploit’s WebServer browser autopwn mode, these FOXACID servers probe any visiting browser for weaknesses to exploit.
All it takes is a single request from a victim passing a wiretap for exploitation to occur. Once the QUANTUM wiretap identifies the victim, it simply packet injects a 302 redirect to a FOXACID server. Now the victim’s browser starts talking to the FOXACID server, which quickly takes over the victim’s computer. The NSA calls this QUANTUMINSERT.
The NSA and GCHQ used this technique not only to target Tor users who read Inspire (reported to be an Al-Qaeda propaganda magazine in the English language) but also to gain a foothold within the Belgium telecommunication firm Belgacom, as a prelude to wiretapping Belgium phones...
HTTP cache poisoning. Web browsers often cache critical scripts, such as the ubiquitous Google Analytics script ‘ga.js’. The packet injector can see a request for one of these scripts and instead respond with a malicious version, which will now run on numerous web pages. Since such scripts rarely change, the victim will continue to use the attacker’s script until either the server changes the original script or the browser clears its cache.
Zero-Exploit Exploitation. The FinFly “remote monitoring” hacking tool sold to governments includes exploit-free exploitation, where it modifies software downloads and updates to contain a copy of the FinFisher Spyware. Although Gamma International’s tool operates as a full man-in-the-middle, packet injection can reproduce the effect. The injector simply waits for the victim to attempt a file download, and replies with a 302 redirect to a new server. This new server fetches the original file, modifies it, and passes it on to the victim. When the victim runs the executable, they are now exploited — without the need for any actual exploits.
Mobile Phone Applications. Numerous Android and iOS applications fetch data through simple HTTP. In particular, the “Vulna” Android advertisement library was an easy target, simply waiting for a request from the library and responding with an attack that can effectively completely control the victim’s phone. Although Google removed applications using this particular library, other advertisement libraries and applications can present similar vulnerabilities.
DNS-Derived Man-in-the-Middle. Some attacks, such as intercepting HTTPS traffic with a forged certificate, require a full man in the middle rather than a simple eavesdropper. Since every communication starts with a DNS request, and it is only a rare DNS resolver that cryptographically validates the reply with DNSSEC, a packet injector can simply see the DNS request and inject its own reply. This represents a capability upgrade, turning a man-on-the-side into a man-in-the-middle.
One possible use is to intercept HTTPS connections if the attacker has a certificate that the victim will accept, by simply redirecting the victim to the attacker’s server. Now the attacker’s server can complete the HTTPS connection. Another potential use involves intercepting and modifying email. The attacker simply packet-injects replies for the MX (Mailserver) entries corresponding to the target’s email. Now the target’s email will first pass through the attacker’s email server. This server could do more than just read the target’s incoming mail, it could also modify it to contain exploits.
Amplifying Reach. Large countries don’t need to worry about seeing an individual victim: odds are that a victim’s traffic will pass one wiretap in a short period of time. But smaller countries that wish to utilize the QUANTUMINSERT technique need to force victims traffic past their wiretaps. It’s simply a matter of buying the traffic: Simply ensure that local companies (such as the national airline) both advertise heavily and utilize in-country servers for hosting their ads. Then when a desired target views the advertisement, use packet injection to redirect them to the exploit server; just observe which IP a potential victim arrived from before deciding whether to attack. It’s like a watering hole attack where the attacker doesn’t need to corrupt the watering hole.
Is someone providing oversight over the NSA's operation?
Is the Director of National Intelligence James Clapper going to be penalized for lying to Congress?
Is the NSA using the capability to attack the computers of U.S. citizens without warrants?
If we still lived in a Constitutional Republic -- and our leaders had any virtue whatsoever -- we'd have answers to these critical questions.
Hat tip: ZeroHedge.