Running Head TRENDS IN CYBERSECURITY1TRENDS IN CYBERSECURITY.docx
The Surveillance Project is Real: Understanding Global Monitoring and 4 Key Ways Data is Collected
1. - 1 -
The Surveillance Project is Real
Researcher: Christos Beretas, MSc
Web: http://www.christosberetas.com
Every person who is involving in cyber security and information security arena has
been hearing about the various surveillance projects. Often in government
surveillance projects participating big companies, organizations, ISPs, etc.
Typically a surveillance project is divided by three stages data monitoring, data
collection and data analysis.
Data monitoring:
• IRC
• E-mail messages
• VOIP
• Every live online transaction
• Mobile phones live activities
Data Collection:
• Mobile phones metadata
• Keywords
• Public data
• Stored online data (cloud services)
• E-mail accounts and content
• Metadata
• Any file
• Online habits
2. - 2 -
Data Analysis:
• Who – Where – When
• Number of frequently
• Who with who
• Keyword analysis
• Special request
Surveillance projects are based on idea that the most online traffic is passing through
U.S networks, it is easy to monitor that traffic, but practically any country can monitor
the online communications. And secondly the most important role is the collaboration
between the government, companies and organizations globally. Let’s see the map
below to understand better the online traffic.
On the above map as we can see the data’s are passing through various continents, as I
said above they can be collected and analyzed by each country they are passing.
There mainly 4 surveillance ways in the picture below you can see the first option to
monitor every online communication by using the global backbone infrastructure.
3. - 3 -
As you can see on the above picture any country or collaboratively can monitor every
communication.
The second option that is easy to monitor any activity is to install special equipment
either software or hardware to Internet Service Providers (ISPs) with purpose to
collect “Special Traffic” based on specific “Keywords” ignoring the useless data, see
the picture below to understand better.
4. - 4 -
The third option is the companies who are participating in surveillance program,
usually selecting companies which they offering services to the public and they have
long customers list, for example free e-mail companies. This kind of surveillance
usually is legal because is base on “security and protection laws” and usually asking
from the company to provide non-stop information about its customers.
The forth option is something that will make you think again and again, it is called
“roving bug” this idea is not new, a part of code is embedded in smart phones (not
only in smart phones the experienced software developers they know about the
“Easter Eggs”) and is enabled when a specific action is happened, for example a
specific SMS is received, by MMS sending you a beautiful picture by “mistake” by
GPS and various other methods. The purpose is one and only one to listen what we
say and what we send. I will close here with a question, are you wondering why
people who care about privacy and security are they using NON smart phones or
customized smart phones?
Cryptography is the simple solution in surveillance threat but not the best. Some
scientists around the world they are saying “cryptography is dead”. I will disagree
with them, none service, none government in the world they know what someone else
have on his/her mind. No one can predict what the other person will design and
produce for it self or for a company. For example let’s think someone is making a
software application that is free, for companies, or private use and this application is
using the encryption algorithm AES and various other conversions, without specific
file association (For example TXT input TXT export) even the encryption keys are
embedded in the code and you just pressing one button for encryption and decryption,
or by creating a customized encryption tool and make that encryption tool part of the
encryption process by giving 200 characters key, do you believe the governments they
5. - 5 -
known what each of us think? Or they know that this file is encrypted by this custom
application? Of course NO. For example see the picture below.
It is a good simple practice to create a custom encrypted tool for personal
communication or for specific organization, hard coded keys are safe when the
application doesn’t create specific file name extensions (for example program name
and version) and is for individuals and companies for internal use to encrypt their
data.
6. - 6 -
Another one practice regarding cryptography and anti surveillance is to design your
own encryption algorithm for example Christos Beretas snapXE + algorithm to
encrypt sensitive data.
Bibliography
Nemati, Hamid. 2010. Security and Privacy Assurance in Advancing
Technologies: New Developments. IGI Global.