Redacted CSEC presentation with my comments. This document is technically complex and I tried to make it easier for everyone to understand its content.
Identity, Authentication, and Programmable Telecoms SessionAlan Quayle
Pierre Demarche, VP Product and Marketing, TeleSign
Session is divided into 3 parts, based on use cases:
Registration fraud. Identifying fake users, preventing bulk account creation, etc.
ATO (Account TakeOver). Preventing ATO fraud through phone hijacking attacks like SIM Swap, Porting attacks, call forwarding, etc.
IRSF (International Revenue Sharing Fraud) attacks on enterprises. Registration to SIP trunking.
Reduce Friction and Risk with Device AuthenticationTransUnion
To view the recorded presentation, click here: https://www.iovation.com/resources/webinars/reduce-friction-and-risk-with-device-authentication
Device-based authentication uses your customers’ own devices to verify their identity. This protects your business from identity and payment fraud schemes that lead to account takeover. It also works without adding customer friction, creating a better overall customer experience.
iovation’s authentication technology uses strong device recognition independent of cookies, across desktop and mobile devices. It can be applied at login or any point your customer interacts with your online business.
Laura Davis-Taylor, leader of BBDO and Proximity's ShopWork shopper marketing practice, examines the drivers and potential impact of the emerging technology known as Near Field Communication, or NFC. The case for...
How to know my ip address with iplogger.orgiploggers
The internet is a big phenomenon in today’s world and an IP address allows the computers to connect with other devices over the internet. Let us take an example to understand the phenomenon.
Identity, Authentication, and Programmable Telecoms SessionAlan Quayle
Pierre Demarche, VP Product and Marketing, TeleSign
Session is divided into 3 parts, based on use cases:
Registration fraud. Identifying fake users, preventing bulk account creation, etc.
ATO (Account TakeOver). Preventing ATO fraud through phone hijacking attacks like SIM Swap, Porting attacks, call forwarding, etc.
IRSF (International Revenue Sharing Fraud) attacks on enterprises. Registration to SIP trunking.
Reduce Friction and Risk with Device AuthenticationTransUnion
To view the recorded presentation, click here: https://www.iovation.com/resources/webinars/reduce-friction-and-risk-with-device-authentication
Device-based authentication uses your customers’ own devices to verify their identity. This protects your business from identity and payment fraud schemes that lead to account takeover. It also works without adding customer friction, creating a better overall customer experience.
iovation’s authentication technology uses strong device recognition independent of cookies, across desktop and mobile devices. It can be applied at login or any point your customer interacts with your online business.
Laura Davis-Taylor, leader of BBDO and Proximity's ShopWork shopper marketing practice, examines the drivers and potential impact of the emerging technology known as Near Field Communication, or NFC. The case for...
How to know my ip address with iplogger.orgiploggers
The internet is a big phenomenon in today’s world and an IP address allows the computers to connect with other devices over the internet. Let us take an example to understand the phenomenon.
Cant touch this: cloning any Android HCE contactless cardSlawomir Jasek
There is no doubt that mobile contactless payments has grown exponentially and Host Card Emulation – the possibility to emulate payment cards on a mobile device, without dependency on special Secure Element hardware, has also significantly boosted the number of applications.
HCE support for Android is usually delivered as an external, certified “black-box” library to compile in your application. Obviously vendors promise “highest level of security” – including: card data tokenization, “secure element in the cloud”, device fingerprinting, phone unlock requirement, code obfuscation, additional authorization, etc. For mobile payments, they often successfully convince implementing bank that it is technically impossible to “clone” a virtual card from owner’s device to another one.
Based on several assessments, we have noticed that even IT security representatives were surprised by the possibilities of mobile malware to attack the process. Not to mention risk departments, which took into consideration only a few limited-value fraudulent transactions made by an accidental thief using a stolen phone. Therefore, delivering the PoC demo of card cloning to a different device, every time caused confusion and uncertainty the least. Furthermore, proving that the intruder is also able to renew virtual card tokens, or make payments for higher amounts, turned out to be a shock.
With introduction of root-exploiting financial malware, they already have technical means to attack HCE. Therefore it is now crucial to understand associated risks, and properly plan mitigation ahead. This presentation will start with a short introduction on HCE – including “ISIS”‘s role in its complicated history, current coverage and growth predictions, basics of operation, typical infrastructure and differences in hardware Secure Element. We will cover several possibilities to attack HCE including a universal method of cloning any Android contactless payment (including Google’s own Android Pay) to a different device. Several layers of security mechanisms to mitigate the risk will be presented along with some statistics on methods used by current applications. The audience will leave with a deep understanding of HCE technology and its limitations, along with exemplary solutions to potential problems.
Customer Worthy 2012 Customer Experience ForecastClient X Client
Will you be customer worthy in 2012? Michael R Hoffman presentation to national customer management conference delivers insights, challenges and opportunities for 2012 customer experience management. Technology, strategy, reporting, from internet of things to occupy wall street, privacy and customer experience prediction algorithm
A modern approach to safeguarding your ICS and SCADA systemsAlane Moran
Tempered Networks' presentation at the recent Rockwell Automation Fair 2016 helps viewers understand why it's so challenging and complex to connect and secure industrial IoT and SCADA systems. The future of networking and security must be based on 'host identity' not spoofable IP addresses.
Hands-On Security - Disrupting the Kill ChainSplunk
Learn from a Splunk security expert how to use Splunk Enterprise in a live, hands-on incident investigation session. We'll use Splunk to disrupt an adversary's Kill Chain by finding the Actions on Intent, Exploitation Methods, and Reconnaissance Tactics used against a simulated organization. Data investigated will include threat list intelligence feeds, endpoint activity logs, e-mail logs, and web access logs. This session is a must for all security experts! Please bring your laptop as this is a hands-on session.
Gain visibility & real-time actionable security alerts with VPC Flow Logs & A...Amazon Web Services
The rapid adoption of cloud services and application migration has brought several challenges to network admins and security professionals, and it has made real-time visibility of the network an even more crucial priority. In this session, learn how Cisco Stealthwatch Cloud helps you leverage data you inherently create with AWS and within your network to prevent compute theft and orphaned compute, secure weak or incomplete access control lists (ACL), and enforce security policies beyond the traditional firewall while maintaining regulatory compliance by extending visibility across your entire network. This presentation is brought to you by AWS partner, Cisco Systems, Inc.
Situational Awareness, Botnet and Malware Detection in the Modern Era - Davi...Codemotion
Looking at the modern threat landscape, it is clear that a comprehensive security infrastructure cannot rely only on traditional automatic systems such as intrusion detection, or anti-virus appliances. Considering also that more than 400K new malware are discovered every day, the need for advanced techniques to isolate and identify malware is even more evident. This talk will show an overview of modern techniques developed by security researchers and practitioners, the different perspectives and approaches they take and how they evolved to take into account malware evolution.
Gain visibility and real-time security alerts with VPC Flow Logs & AWS - DEM0...Amazon Web Services
Rapid adoption of cloud services and application migration brings several challenges to network administrators and security professionals, making real-time visibility of the network even more of a priority. In this session, learn how Cisco Stealthwatch Cloud helps you leverage data that you inherently create with AWS within your network to prevent compute theft and orphaned compute, secure weak or incomplete access control lists (ACL), and enforce security policies beyond the traditional firewall while maintaining regulatory compliance by extending visibility across your entire network. This presentation is brought to you by AWS partner, Cisco Systems Inc.
Greed for Fame Benefits Large Scale Botnetsmark-smith
A criminologist and a security researcher teamed up to hunt a large-scale botnet dubbed Linux/Moose 2.0 that conducts social media fraud. The hunt was fastidious since Linux/Moose 2.0 has stealth features and runs only on embedded systems such as consumer routers or Internet of Things (IoT) devices. Using honeypots set up across the world, we managed to get virtual routers infected to learn how this botnet spread and operated.
As presented at ITExpo 2017 and the April Peerlyst Tel-Aviv security Meetup.
Can your company afford to ignore VoIP security? With the number of attacks on your telephone services and mobile devices your chance of being attacked and financial liability is at an all time high. This session offers an introductory primer to securing your VoIP PBX. This talk will include explanations about common attacks, how they can find you, and common techniques you can use to defend your company.
Achieving Visibility, Security and Real-Time Actionable Alerts Using VPC Flow...Amazon Web Services
Visibility is a must for detecting threats and compromises in the cloud, containers, and on-premises networks. In this session, we will explore how Stealthwatch Cloud uses VPC Flow logs and network telemetry combined with advanced analytics such as entity modeling and threat intelligence feeds like Cisco Talos to detect attacks, data exfiltration, unusual remote access, and traffic that is not compliant with your policies.
If last year’s presentation on the SANS 20 felt like more of a rant than a practical application of elite IT knowledge, Ian Trump’s technical track presentation is going to unleash GFI MAX as a security dashboard like nothing you have seen.
The Octopi team has leveraged network scanning and event log checks, and Ian takes the GFI MAX dashboard to a whole new level. MSP’s can take his code and research and immediately apply it to their practices to secure their customers from cyber threats. Dehydrated from the summer information security conferences, Ian will give you the threat intel you need to be on the lookout for in the months ahead.
Besides all the GFI MAX goodness, being part of a live demo to find APT, and seeing Ian link Human Rights, Market Research, Ice, Law, Iggy Azalea, War Ferrets, Christian Studies, Event Auditing, Security Tools, Taylor Swift and How we can all fix the cyber problem into one epic presentation – well, you don’t want to miss this.
हम आग्रह करते हैं कि जो भी सत्ता में आए, वह संविधान का पालन करे, उसकी रक्षा करे और उसे बनाए रखे।" प्रस्ताव में कुल तीन प्रमुख हस्तक्षेप और उनके तंत्र भी प्रस्तुत किए गए। पहला हस्तक्षेप स्वतंत्र मीडिया को प्रोत्साहित करके, वास्तविकता पर आधारित काउंटर नैरेटिव का निर्माण करके और सत्तारूढ़ सरकार द्वारा नियोजित मनोवैज्ञानिक हेरफेर की रणनीति का मुकाबला करके लोगों द्वारा निर्धारित कथा को बनाए रखना और उस पर कार्यकरना था।
Cant touch this: cloning any Android HCE contactless cardSlawomir Jasek
There is no doubt that mobile contactless payments has grown exponentially and Host Card Emulation – the possibility to emulate payment cards on a mobile device, without dependency on special Secure Element hardware, has also significantly boosted the number of applications.
HCE support for Android is usually delivered as an external, certified “black-box” library to compile in your application. Obviously vendors promise “highest level of security” – including: card data tokenization, “secure element in the cloud”, device fingerprinting, phone unlock requirement, code obfuscation, additional authorization, etc. For mobile payments, they often successfully convince implementing bank that it is technically impossible to “clone” a virtual card from owner’s device to another one.
Based on several assessments, we have noticed that even IT security representatives were surprised by the possibilities of mobile malware to attack the process. Not to mention risk departments, which took into consideration only a few limited-value fraudulent transactions made by an accidental thief using a stolen phone. Therefore, delivering the PoC demo of card cloning to a different device, every time caused confusion and uncertainty the least. Furthermore, proving that the intruder is also able to renew virtual card tokens, or make payments for higher amounts, turned out to be a shock.
With introduction of root-exploiting financial malware, they already have technical means to attack HCE. Therefore it is now crucial to understand associated risks, and properly plan mitigation ahead. This presentation will start with a short introduction on HCE – including “ISIS”‘s role in its complicated history, current coverage and growth predictions, basics of operation, typical infrastructure and differences in hardware Secure Element. We will cover several possibilities to attack HCE including a universal method of cloning any Android contactless payment (including Google’s own Android Pay) to a different device. Several layers of security mechanisms to mitigate the risk will be presented along with some statistics on methods used by current applications. The audience will leave with a deep understanding of HCE technology and its limitations, along with exemplary solutions to potential problems.
Customer Worthy 2012 Customer Experience ForecastClient X Client
Will you be customer worthy in 2012? Michael R Hoffman presentation to national customer management conference delivers insights, challenges and opportunities for 2012 customer experience management. Technology, strategy, reporting, from internet of things to occupy wall street, privacy and customer experience prediction algorithm
A modern approach to safeguarding your ICS and SCADA systemsAlane Moran
Tempered Networks' presentation at the recent Rockwell Automation Fair 2016 helps viewers understand why it's so challenging and complex to connect and secure industrial IoT and SCADA systems. The future of networking and security must be based on 'host identity' not spoofable IP addresses.
Hands-On Security - Disrupting the Kill ChainSplunk
Learn from a Splunk security expert how to use Splunk Enterprise in a live, hands-on incident investigation session. We'll use Splunk to disrupt an adversary's Kill Chain by finding the Actions on Intent, Exploitation Methods, and Reconnaissance Tactics used against a simulated organization. Data investigated will include threat list intelligence feeds, endpoint activity logs, e-mail logs, and web access logs. This session is a must for all security experts! Please bring your laptop as this is a hands-on session.
Gain visibility & real-time actionable security alerts with VPC Flow Logs & A...Amazon Web Services
The rapid adoption of cloud services and application migration has brought several challenges to network admins and security professionals, and it has made real-time visibility of the network an even more crucial priority. In this session, learn how Cisco Stealthwatch Cloud helps you leverage data you inherently create with AWS and within your network to prevent compute theft and orphaned compute, secure weak or incomplete access control lists (ACL), and enforce security policies beyond the traditional firewall while maintaining regulatory compliance by extending visibility across your entire network. This presentation is brought to you by AWS partner, Cisco Systems, Inc.
Situational Awareness, Botnet and Malware Detection in the Modern Era - Davi...Codemotion
Looking at the modern threat landscape, it is clear that a comprehensive security infrastructure cannot rely only on traditional automatic systems such as intrusion detection, or anti-virus appliances. Considering also that more than 400K new malware are discovered every day, the need for advanced techniques to isolate and identify malware is even more evident. This talk will show an overview of modern techniques developed by security researchers and practitioners, the different perspectives and approaches they take and how they evolved to take into account malware evolution.
Gain visibility and real-time security alerts with VPC Flow Logs & AWS - DEM0...Amazon Web Services
Rapid adoption of cloud services and application migration brings several challenges to network administrators and security professionals, making real-time visibility of the network even more of a priority. In this session, learn how Cisco Stealthwatch Cloud helps you leverage data that you inherently create with AWS within your network to prevent compute theft and orphaned compute, secure weak or incomplete access control lists (ACL), and enforce security policies beyond the traditional firewall while maintaining regulatory compliance by extending visibility across your entire network. This presentation is brought to you by AWS partner, Cisco Systems Inc.
Greed for Fame Benefits Large Scale Botnetsmark-smith
A criminologist and a security researcher teamed up to hunt a large-scale botnet dubbed Linux/Moose 2.0 that conducts social media fraud. The hunt was fastidious since Linux/Moose 2.0 has stealth features and runs only on embedded systems such as consumer routers or Internet of Things (IoT) devices. Using honeypots set up across the world, we managed to get virtual routers infected to learn how this botnet spread and operated.
As presented at ITExpo 2017 and the April Peerlyst Tel-Aviv security Meetup.
Can your company afford to ignore VoIP security? With the number of attacks on your telephone services and mobile devices your chance of being attacked and financial liability is at an all time high. This session offers an introductory primer to securing your VoIP PBX. This talk will include explanations about common attacks, how they can find you, and common techniques you can use to defend your company.
Achieving Visibility, Security and Real-Time Actionable Alerts Using VPC Flow...Amazon Web Services
Visibility is a must for detecting threats and compromises in the cloud, containers, and on-premises networks. In this session, we will explore how Stealthwatch Cloud uses VPC Flow logs and network telemetry combined with advanced analytics such as entity modeling and threat intelligence feeds like Cisco Talos to detect attacks, data exfiltration, unusual remote access, and traffic that is not compliant with your policies.
If last year’s presentation on the SANS 20 felt like more of a rant than a practical application of elite IT knowledge, Ian Trump’s technical track presentation is going to unleash GFI MAX as a security dashboard like nothing you have seen.
The Octopi team has leveraged network scanning and event log checks, and Ian takes the GFI MAX dashboard to a whole new level. MSP’s can take his code and research and immediately apply it to their practices to secure their customers from cyber threats. Dehydrated from the summer information security conferences, Ian will give you the threat intel you need to be on the lookout for in the months ahead.
Besides all the GFI MAX goodness, being part of a live demo to find APT, and seeing Ian link Human Rights, Market Research, Ice, Law, Iggy Azalea, War Ferrets, Christian Studies, Event Auditing, Security Tools, Taylor Swift and How we can all fix the cyber problem into one epic presentation – well, you don’t want to miss this.
हम आग्रह करते हैं कि जो भी सत्ता में आए, वह संविधान का पालन करे, उसकी रक्षा करे और उसे बनाए रखे।" प्रस्ताव में कुल तीन प्रमुख हस्तक्षेप और उनके तंत्र भी प्रस्तुत किए गए। पहला हस्तक्षेप स्वतंत्र मीडिया को प्रोत्साहित करके, वास्तविकता पर आधारित काउंटर नैरेटिव का निर्माण करके और सत्तारूढ़ सरकार द्वारा नियोजित मनोवैज्ञानिक हेरफेर की रणनीति का मुकाबला करके लोगों द्वारा निर्धारित कथा को बनाए रखना और उस पर कार्यकरना था।
31052024_First India Newspaper Jaipur.pdfFIRST INDIA
Find Latest India News and Breaking News these days from India on Politics, Business, Entertainment, Technology, Sports, Lifestyle and Coronavirus News in India and the world over that you can't miss. For real time update Visit our social media handle. Read First India NewsPaper in your morning replace. Visit First India.
CLICK:- https://firstindia.co.in/
#First_India_NewsPaper
In a May 9, 2024 paper, Juri Opitz from the University of Zurich, along with Shira Wein and Nathan Schneider form Georgetown University, discussed the importance of linguistic expertise in natural language processing (NLP) in an era dominated by large language models (LLMs).
The authors explained that while machine translation (MT) previously relied heavily on linguists, the landscape has shifted. “Linguistics is no longer front and center in the way we build NLP systems,” they said. With the emergence of LLMs, which can generate fluent text without the need for specialized modules to handle grammar or semantic coherence, the need for linguistic expertise in NLP is being questioned.
03062024_First India Newspaper Jaipur.pdfFIRST INDIA
Find Latest India News and Breaking News these days from India on Politics, Business, Entertainment, Technology, Sports, Lifestyle and Coronavirus News in India and the world over that you can't miss. For real time update Visit our social media handle. Read First India NewsPaper in your morning replace. Visit First India.
CLICK:- https://firstindia.co.in/
#First_India_NewsPaper
An astonishing, first-of-its-kind, report by the NYT assessing damage in Ukraine. Even if the war ends tomorrow, in many places there will be nothing to go back to.
‘वोटर्स विल मस्ट प्रीवेल’ (मतदाताओं को जीतना होगा) अभियान द्वारा जारी हेल्पलाइन नंबर, 4 जून को सुबह 7 बजे से दोपहर 12 बजे तक मतगणना प्रक्रिया में कहीं भी किसी भी तरह के उल्लंघन की रिपोर्ट करने के लिए खुला रहेगा।
01062024_First India Newspaper Jaipur.pdfFIRST INDIA
Find Latest India News and Breaking News these days from India on Politics, Business, Entertainment, Technology, Sports, Lifestyle and Coronavirus News in India and the world over that you can't miss. For real time update Visit our social media handle. Read First India NewsPaper in your morning replace. Visit First India.
CLICK:- https://firstindia.co.in/
#First_India_NewsPaper
2024 is the point of certainty. Forecast of UIF experts
Airports redacted with_comments_from_tony_yustein
1. TOP SECRET
IP Profiling Analytics
& Mission Impacts
I will try to explain in simpler terms about what this
program tries to do. Even though I respect my friends
at CSEC and their efforts to keep our country safe, I think
the law which enables this to be done is simply wrong.
Spying on citizens is simply wrong. The ends do not justify
the means. I'm proud to be Canadian, I don't want my country
Tradecraft to turn in to others which we criticize all the time.
Developer
CSEC – Network Analysis Centre
May 10, 2012
nearly 2 years ago
imagine the things
happened since then
Tony Yustein
2. TOP SECRET
Example IP Profile Problem
Target appears on IP address, wish to understand
network context more fully
Example Quova look-up & response for
Lat. 60.00 Long: -95.00 (in frozen tundra W. of Hudson Bay)
City: unknown
Country: Canada,
Operator: Bell Canada, Sympatico
Issues with IP look-up data:
well known Internet problem
if this is fixed it will solve
accountability issues but
opaquewill be a problem where free
speech is not available
is it actually revealing, or is it
is the data even current, or is it out-of-date
was the data ever accurate in the first place
2
3. TOP SECRET
Objectives
Develop new analytics to provide richer contextual
data about a network address
Apply analytics against Tipping & Cueing objectives
Build upon artefact of techniques to develop new
needle-in-a-haystack analytic – contact chaining
across air-gaps
this looks innocent, for now...
3
4. TOP SECRET
Analytic Concept – Start with Travel Node
Begin with single seed Wi-Fi IP address of intl. airport
user IDs? sniffing user IDs
how? most of the services
like Gmail and Facebook
forces SSL connections.
Does this mean that they
can decrypt SSL easily?
Assemble set of user IDs seen on network address
over two weeks
4
5. TOP SECRET
Profiling Travel Nodes – Next Step
Follow IDs backward and forward in recent time
Earlier IP clusters of:
Later IP clusters of:
how? decrypting SSL or recording
- local hotels
- other intl. airports
MAC addresses in a huge database?
- domestic airports
- domestic airports
- local transportation hubs
- major intl. hotels
- local internet cafes
- etc.
- etc.
5
6. TOP SECRET
IP Hopping Forward in Time
Follow IDs forward in time to
next IP & note delta time
1 Hr.
Next IP sorted
by most popular:
…
2 Hr.
3 Hr.
4 Hr.
5 Hr.
Many clusters will resolve to other Airports!
Can then take seeds from these airports and
repeat to cover whole world
this means that there is a huge database
which records all the Internet activity
Ditto for going backward in time, can uncover
roaming infrastructure of host city: hotels,
conference centers, Wi-Fi hotspots etc.
6
Δ time
7. TOP SECRET
Data Reality
The analytic produced excellent profiles, but was more
complex than initial concept suggests
really? what a surprise!
Data had limited aperture – Canadian Special Source
major CDN ISPs team with US email majors, losing travel coverage
ah does this mean that they don't agree to use fake SSL certificates
to intercept user data to Gmail etc.?
Behaviour at airports
little lingering on arrival; arrivals using phones, not WiFi
still, some Wi-Fi use when waiting for connecting flight/baggage
different terminals: domestic/international; also private lounges
Very many airports and hotels served by large Boingo
private network
not seen in aperture; traffic seems to return via local Akamai node
this means that the mobile carriers are also in bed with this system
they provide the means to identify individuals based on IP but
this has to be done on the Internal network. they must be matching
local IPs to external IPs and activity. and they are doing this with
the fees you pay on your cell bill :)
7
8. TOP SECRET
Tradecraft Development Data Set
Have two weeks worth of ID-IP data from Canadian Special
Source –
Rogers, Bell, Telus???
Had program access to Quova dataset connecting into Atlas
database
So the name of this master database is Atlas
Had seed knowledge of a single Canadian Airport WiFi IP
address
8
9. TOP SECRET
Hop Geo Profile From CDN Airport Intl. Terminal
Long Longitude scale is non-linear
a
t
most far-flung sites are wireless gateways
with many other wireless gateways in set
where are they getting the Geo data? Some spy apps on phones?
Or mobile carriers sharing this data, which is most likely...
Profiled/seed IP location: Square = geographic location
Hopped-to IP location: Line height = numbers of unique hopped-to IPs at location
Plot of where else IDs seen at seed IP have been seen in two weeks
Plot shows most hopped to IPs are nearby - confirming reported seed geo data
9
10. TOP SECRET
Effect of Invalid Geo Information
Long Longitude scale is non-linear
a
t
Geo incongruence:
displacement of seed location
from distribution center
strongly suggests data error
Profiled/seed IP location: Square = geographic location
Hopped-to IP location: Line height = numbers of unique hopped-to IPs at location
this is because of the IP address Geo
location accuracy problem
Effect of invalid seed geo information readily apparent
10
11. TOP SECRET
Hop-Out Destinations Seen
Other domestic airports
Other terminals, lounges, transport hubs
Hotels in many cities
Mobile gateways in many cities
Etc.
obviously, travelers go to other airports and hotels...
11
12. TOP SECRET
“Discovered” Other CDN Airport IP
Domestic terminal
Closeness of majority of hopped-to IPs confirms geo data
But, domestic airport can also look like a busy hotel ...
yeah but it has to be an airport hotel right?
are they talking about the Hilton at Pearson Airport???
12
13. TOP SECRET
Each horizontal line shows presence pattern of one ID, sorted by order of appearance
IDs Presence Profile at “Discovered” Airport
Time/days →
Dominant pattern is each ID is seen briefly, just once – as expected
13
15. TOP SECRET
Profiles of Discovered Enterprise
Time/days →
Enterprises? Not fun for corporate secrets right?
Regular temporal presence (M-F) with local geographic span
Contrasts well against travel/roaming nodes
15
16. TOP SECRET
Discovered Coffee Shop, Library
Coffee shop
so latte or cappuccino is selling more?
Time/days →
Library
Time/days →
Similar patterns of mixed temporal & local geographic presence
17. TOP SECRET
Discovered Wireless Gateway
Wireless gateway not unlike a hotel, except ...
what do they mean about wireless gateways?
17
wifi access points of private homes?
Time/days →
18. TOP SECRET
Partial Range Profile of Wireless Gateway
500
Number of
IDs seen
on each IP
400
300
ID Total on IP
Common IDs
200
100
0
1
2
3
4
5
6
7
8
Individual IP number in range of 8
For wireless gateway, range behaviour is revealing
Most IDs seen on an IP are also scattered across entire range
ID totals & traffic across full range is very high
this means profiling with wireless gateways
18
are not efficient at this moment
19. TOP SECRET
Mission Impact of IP Profiling
Tipping and Cueing Task Force (TCTF)
a 5-Eyes effort to enable the SIGINT system to provide real-time alerts of
events of interest
alert to: target country location changes, webmail logins with time-limited
cookies etc.
this means SSL is not secure anymore, for sure...
Targets/Enemies still target air travel and hotels
airlines: shoe/underwear/printer bombs …
hotels: Mumbai, Kabul, Jakarta, Amman, Islamabad, Egyptian Sinai …
Analytic can hop-sweep through IP address space to identify
set of IP addresses for hotels and airports
detecting target presence within set will trigger an urgent alert
aim to productize analytics to reliably produce set of IPs for alerting
my personal opinion is that other methods of spying are
much more efficient for tracking down terrorists then this
so I think this is an excuse to have a system to track everyone
19
20. TOP SECRET
IP Profiling Summary
Different categories of IP ownership/use show distinct
characteristics
airports, hotels, coffee shops, enterprises, wireless gateways etc.
clear characteristics enable formal modeling developments
clear identification of hotels and airports enables critical Tipping & Cueing
tradecraft
obviously... people eat, sleep and travel...
Geo-hop profile can confirm/refute IP geo look-up
information
later could fold-in time deltas for enhanced modeling
Can “sweep” a region/city for roaming access points to IP
networks
leads to a new needle-in-a-haystack analytic ...
so another excuse to use more taxpayer money
to increase computing capacity...
20
21. TOP SECRET
Tradecraft Problem Statement
A kidnapper based in a rural area travels to an urban area to
make ransom calls
can’t risk bringing attention to low-population rural area
won’t use phone for any other comms (or uses payphones ...)
Assumption: He has another device that accesses IP
networks from public access points
having a device isn’t necessary, could use internet cafes, libraries etc.
he is also assumed to use IP access around the time of ransom calls
a lot of assumptions here...
Question: Knowing the time of the ransom calls can we
discover the kidnapper’s IP ID/device
“contact chain” across air-gap (not a correlation of selectors)
wow, somebody is watching a lot of James Bond movies!
this is very highly unlikely to happen...
21
22. TOP SECRET
Solution Outline
With earlier IP profiling analytics, we can “sweep” a
city/region to discover and determine public accesses
We can then select which IP network IDs are seen as active
in all times surrounding the known ransom calls
reduce set to a shortlist
Then we examine the reduced set of IP network IDs and
eliminate baseline heavy users in the area that fall into the
set intersection just because they are always active
that is, eliminate those that are highly active outside the times of the ransom
calls
hopefully leaves only the one needle from the haystack
so much money spent, so many civil rights breached
and now hopefully???
22
23. TOP SECRET
First Proof-of-Concept
Swept a modest size city and discovered two high traffic
public access ranges with >300,000 active IDs over 2 weeks
used for initial expediency due to computational intensity
Presumed that there were 3 ransom calls, each 50 hours
apart during daytime, looked for IDs within 1 Hr of calls
reduce large set to a shortlist of just 19 IP network IDs
Examined activity level of 19 IP network IDs – how many
presences each had in 1 Hr slots over two weeks
main worry as the computation was running: there would be a lot of IDs that
showed just a handful of appearances: e.g. 3, 4, 5 instances
ok, big brother is watching now...
23
24. TOP SECRET
ID Presence of Shortlist
Each horizontal line shows presence of ID over time/hour-slots
Time/hour-slots →
Postulated presence of kidnapper/target
again, lots of ifs here...
Happy result: least active ID had appearances in 40 hour-slots!
Thus could eliminate all, leaving just the kidnapper (if he was there)
24
25. TOP SECRET
Big-Data Computational Challenge
All the previous analytics, while successful experimentally,
ran much too slowly to allow for practical productization
CARE: Collaborative Analytics Research Environment
a big-data system being trialed at CSEC (with NSA launch assist)
simple distributed computing
non-extraordinary hardware
minimal impedance between memory, storage and processors
highly optimized, in-memory database capabilities
columnar storage, high performance vector functional runtime
powerful but challenging programming language (derived from APL)
Result of first experiments with CARE: game-changing
run-time for hop-profiles reduced from 2+ Hrs to several seconds
allows for tradecraft to be profitably productized
great, near real time tracking...
25
26. TOP SECRET
Overall Summary
IP profiling showing terrific value
significant analytic asset for IP networks and target mobility
enables critical capability within Tipping & Cueing Task force
working to productize on powerful new computational platform
broader SSO accesses/apertures coming online at CSEC
look to formalize models & fold-in timing deltas
A new needle-in-a-haystack analytic is viable: contact
chaining across air-gaps
enabled by sweep capability of IP profiling
should test further to understand robustness with respect to loosening
assumptions of target behaviour
beyond kidnapping, tradecraft could also be used for any target that makes
occasional forays into other cities/regions
any target? so you accept monitoring
all possible targets which is the whole
Canadian population...
26
27. TOP SECRET
Tradecraft Studio Example
so when China or Russia do this we call it wrong and how come we can justify
doing this at home in Canada? What are our politicians doing, who are they serving?
Possible route for productizing analytics
comments by: Tony Yustein
27