SlideShare a Scribd company logo

Airports redacted with_comments_from_tony_yustein

Tony Yustein
Tony Yustein

Redacted CSEC presentation with my comments. This document is technically complex and I tried to make it easier for everyone to understand its content.

News & Politics
1 of 27
Download to read offline
TOP SECRET IP Profiling Analytics & Mission Impacts I will try to explain in simpler terms about what this program tries to do. Even though I respect my friends at CSEC and their efforts to keep our country safe, I think the law which enables this to be done is simply wrong. Spying on citizens is simply wrong. The ends do not justify the means. I'm proud to be Canadian, I don't want my country Tradecraft to turn in to others which we criticize all the time. Developer CSEC – Network Analysis Centre May 10, 2012 nearly 2 years ago imagine the things happened since then Tony Yustein
TOP SECRET Example IP Profile Problem Target appears on IP address, wish to understand network context more fully Example Quova look-up & response for Lat. 60.00 Long: -95.00 (in frozen tundra W. of Hudson Bay) City: unknown Country: Canada, Operator: Bell Canada, Sympatico Issues with IP look-up data: well known Internet problem if this is fixed it will solve accountability issues but opaquewill be a problem where free speech is not available is it actually revealing, or is it is the data even current, or is it out-of-date was the data ever accurate in the first place 2
TOP SECRET Objectives Develop new analytics to provide richer contextual data about a network address Apply analytics against Tipping & Cueing objectives Build upon artefact of techniques to develop new needle-in-a-haystack analytic – contact chaining across air-gaps this looks innocent, for now... 3
TOP SECRET Analytic Concept – Start with Travel Node Begin with single seed Wi-Fi IP address of intl. airport user IDs? sniffing user IDs how? most of the services like Gmail and Facebook forces SSL connections. Does this mean that they can decrypt SSL easily? Assemble set of user IDs seen on network address over two weeks 4
TOP SECRET Profiling Travel Nodes – Next Step Follow IDs backward and forward in recent time Earlier IP clusters of: Later IP clusters of: how? decrypting SSL or recording - local hotels - other intl. airports MAC addresses in a huge database? - domestic airports - domestic airports - local transportation hubs - major intl. hotels - local internet cafes - etc. - etc. 5
TOP SECRET IP Hopping Forward in Time Follow IDs forward in time to next IP & note delta time 1 Hr. Next IP sorted by most popular: … 2 Hr. 3 Hr. 4 Hr. 5 Hr. Many clusters will resolve to other Airports! Can then take seeds from these airports and repeat to cover whole world this means that there is a huge database which records all the Internet activity Ditto for going backward in time, can uncover roaming infrastructure of host city: hotels, conference centers, Wi-Fi hotspots etc. 6 Δ time
TOP SECRET Data Reality The analytic produced excellent profiles, but was more complex than initial concept suggests really? what a surprise! Data had limited aperture – Canadian Special Source major CDN ISPs team with US email majors, losing travel coverage ah does this mean that they don't agree to use fake SSL certificates to intercept user data to Gmail etc.? Behaviour at airports little lingering on arrival; arrivals using phones, not WiFi still, some Wi-Fi use when waiting for connecting flight/baggage different terminals: domestic/international; also private lounges Very many airports and hotels served by large Boingo private network not seen in aperture; traffic seems to return via local Akamai node this means that the mobile carriers are also in bed with this system they provide the means to identify individuals based on IP but this has to be done on the Internal network. they must be matching local IPs to external IPs and activity. and they are doing this with the fees you pay on your cell bill :) 7
TOP SECRET Tradecraft Development Data Set Have two weeks worth of ID-IP data from Canadian Special Source – Rogers, Bell, Telus??? Had program access to Quova dataset connecting into Atlas database So the name of this master database is Atlas Had seed knowledge of a single Canadian Airport WiFi IP address 8
TOP SECRET Hop Geo Profile From CDN Airport Intl. Terminal Long Longitude scale is non-linear a t most far-flung sites are wireless gateways with many other wireless gateways in set where are they getting the Geo data? Some spy apps on phones? Or mobile carriers sharing this data, which is most likely... Profiled/seed IP location: Square = geographic location Hopped-to IP location: Line height = numbers of unique hopped-to IPs at location Plot of where else IDs seen at seed IP have been seen in two weeks Plot shows most hopped to IPs are nearby - confirming reported seed geo data 9
TOP SECRET Effect of Invalid Geo Information Long Longitude scale is non-linear a t Geo incongruence: displacement of seed location from distribution center strongly suggests data error Profiled/seed IP location: Square = geographic location Hopped-to IP location: Line height = numbers of unique hopped-to IPs at location this is because of the IP address Geo location accuracy problem Effect of invalid seed geo information readily apparent 10
TOP SECRET Hop-Out Destinations Seen Other domestic airports Other terminals, lounges, transport hubs Hotels in many cities Mobile gateways in many cities Etc. obviously, travelers go to other airports and hotels... 11
TOP SECRET “Discovered” Other CDN Airport IP Domestic terminal Closeness of majority of hopped-to IPs confirms geo data But, domestic airport can also look like a busy hotel ... yeah but it has to be an airport hotel right? are they talking about the Hilton at Pearson Airport??? 12
TOP SECRET Each horizontal line shows presence pattern of one ID, sorted by order of appearance IDs Presence Profile at “Discovered” Airport Time/days → Dominant pattern is each ID is seen briefly, just once – as expected 13
TOP SECRET Profiles of Discovered Hotel Many IDs present over a few days 14 Time/days →
TOP SECRET Profiles of Discovered Enterprise Time/days → Enterprises? Not fun for corporate secrets right? Regular temporal presence (M-F) with local geographic span Contrasts well against travel/roaming nodes 15
TOP SECRET Discovered Coffee Shop, Library Coffee shop so latte or cappuccino is selling more? Time/days → Library Time/days → Similar patterns of mixed temporal & local geographic presence
TOP SECRET Discovered Wireless Gateway Wireless gateway not unlike a hotel, except ... what do they mean about wireless gateways? 17 wifi access points of private homes? Time/days →
TOP SECRET Partial Range Profile of Wireless Gateway 500 Number of IDs seen on each IP 400 300 ID Total on IP Common IDs 200 100 0 1 2 3 4 5 6 7 8 Individual IP number in range of 8 For wireless gateway, range behaviour is revealing Most IDs seen on an IP are also scattered across entire range ID totals & traffic across full range is very high this means profiling with wireless gateways 18 are not efficient at this moment
TOP SECRET Mission Impact of IP Profiling Tipping and Cueing Task Force (TCTF) a 5-Eyes effort to enable the SIGINT system to provide real-time alerts of events of interest alert to: target country location changes, webmail logins with time-limited cookies etc. this means SSL is not secure anymore, for sure... Targets/Enemies still target air travel and hotels airlines: shoe/underwear/printer bombs … hotels: Mumbai, Kabul, Jakarta, Amman, Islamabad, Egyptian Sinai … Analytic can hop-sweep through IP address space to identify set of IP addresses for hotels and airports detecting target presence within set will trigger an urgent alert aim to productize analytics to reliably produce set of IPs for alerting my personal opinion is that other methods of spying are much more efficient for tracking down terrorists then this so I think this is an excuse to have a system to track everyone 19
TOP SECRET IP Profiling Summary Different categories of IP ownership/use show distinct characteristics airports, hotels, coffee shops, enterprises, wireless gateways etc. clear characteristics enable formal modeling developments clear identification of hotels and airports enables critical Tipping & Cueing tradecraft obviously... people eat, sleep and travel... Geo-hop profile can confirm/refute IP geo look-up information later could fold-in time deltas for enhanced modeling Can “sweep” a region/city for roaming access points to IP networks leads to a new needle-in-a-haystack analytic ... so another excuse to use more taxpayer money to increase computing capacity... 20
TOP SECRET Tradecraft Problem Statement A kidnapper based in a rural area travels to an urban area to make ransom calls can’t risk bringing attention to low-population rural area won’t use phone for any other comms (or uses payphones ...) Assumption: He has another device that accesses IP networks from public access points having a device isn’t necessary, could use internet cafes, libraries etc. he is also assumed to use IP access around the time of ransom calls a lot of assumptions here... Question: Knowing the time of the ransom calls can we discover the kidnapper’s IP ID/device “contact chain” across air-gap (not a correlation of selectors) wow, somebody is watching a lot of James Bond movies! this is very highly unlikely to happen... 21
TOP SECRET Solution Outline With earlier IP profiling analytics, we can “sweep” a city/region to discover and determine public accesses We can then select which IP network IDs are seen as active in all times surrounding the known ransom calls reduce set to a shortlist Then we examine the reduced set of IP network IDs and eliminate baseline heavy users in the area that fall into the set intersection just because they are always active that is, eliminate those that are highly active outside the times of the ransom calls hopefully leaves only the one needle from the haystack so much money spent, so many civil rights breached and now hopefully??? 22
TOP SECRET First Proof-of-Concept Swept a modest size city and discovered two high traffic public access ranges with >300,000 active IDs over 2 weeks used for initial expediency due to computational intensity Presumed that there were 3 ransom calls, each 50 hours apart during daytime, looked for IDs within 1 Hr of calls reduce large set to a shortlist of just 19 IP network IDs Examined activity level of 19 IP network IDs – how many presences each had in 1 Hr slots over two weeks main worry as the computation was running: there would be a lot of IDs that showed just a handful of appearances: e.g. 3, 4, 5 instances ok, big brother is watching now... 23
TOP SECRET ID Presence of Shortlist Each horizontal line shows presence of ID over time/hour-slots Time/hour-slots → Postulated presence of kidnapper/target again, lots of ifs here... Happy result: least active ID had appearances in 40 hour-slots! Thus could eliminate all, leaving just the kidnapper (if he was there) 24
TOP SECRET Big-Data Computational Challenge All the previous analytics, while successful experimentally, ran much too slowly to allow for practical productization CARE: Collaborative Analytics Research Environment a big-data system being trialed at CSEC (with NSA launch assist) simple distributed computing non-extraordinary hardware minimal impedance between memory, storage and processors highly optimized, in-memory database capabilities columnar storage, high performance vector functional runtime powerful but challenging programming language (derived from APL) Result of first experiments with CARE: game-changing run-time for hop-profiles reduced from 2+ Hrs to several seconds allows for tradecraft to be profitably productized great, near real time tracking... 25
TOP SECRET Overall Summary IP profiling showing terrific value significant analytic asset for IP networks and target mobility enables critical capability within Tipping & Cueing Task force working to productize on powerful new computational platform broader SSO accesses/apertures coming online at CSEC look to formalize models & fold-in timing deltas A new needle-in-a-haystack analytic is viable: contact chaining across air-gaps enabled by sweep capability of IP profiling should test further to understand robustness with respect to loosening assumptions of target behaviour beyond kidnapping, tradecraft could also be used for any target that makes occasional forays into other cities/regions any target? so you accept monitoring all possible targets which is the whole Canadian population... 26
TOP SECRET Tradecraft Studio Example so when China or Russia do this we call it wrong and how come we can justify doing this at home in Canada? What are our politicians doing, who are they serving? Possible route for productizing analytics comments by: Tony Yustein 27

Recommended

shubhadappt(3273)
shubhadappt(3273)shubhadappt(3273)
shubhadappt(3273)
RaniPatil11
 
Identity, Authentication, and Programmable Telecoms Session
Identity, Authentication, and Programmable Telecoms SessionIdentity, Authentication, and Programmable Telecoms Session
Identity, Authentication, and Programmable Telecoms Session
Alan Quayle
 
Dubai 1
Dubai 1Dubai 1
Dubai 1
mmavis
 
Reduce Friction and Risk with Device Authentication
Reduce Friction and Risk with Device AuthenticationReduce Friction and Risk with Device Authentication
Reduce Friction and Risk with Device Authentication
TransUnion
 
Mobile Phone Cloning
Mobile Phone Cloning Mobile Phone Cloning
Mobile Phone Cloning
Devyani Vaidya
 
NFC and Shopping
NFC and ShoppingNFC and Shopping
NFC and Shopping
BBDO
 
Ip spoofing attacks
Ip spoofing attacksIp spoofing attacks
Ip spoofing attacksApijay Kumar
 
How to know my ip address with iplogger.org
How to know my ip address with iplogger.orgHow to know my ip address with iplogger.org
How to know my ip address with iplogger.org
iploggers
 

Recommended

shubhadappt(3273)
shubhadappt(3273)shubhadappt(3273)
shubhadappt(3273)
RaniPatil11
 
Identity, Authentication, and Programmable Telecoms Session
Identity, Authentication, and Programmable Telecoms SessionIdentity, Authentication, and Programmable Telecoms Session
Identity, Authentication, and Programmable Telecoms Session
Alan Quayle
 
Dubai 1
Dubai 1Dubai 1
Dubai 1
mmavis
 
Reduce Friction and Risk with Device Authentication
Reduce Friction and Risk with Device AuthenticationReduce Friction and Risk with Device Authentication
Reduce Friction and Risk with Device Authentication
TransUnion
 
Mobile Phone Cloning
Mobile Phone Cloning Mobile Phone Cloning
Mobile Phone Cloning
Devyani Vaidya
 
NFC and Shopping
NFC and ShoppingNFC and Shopping
NFC and Shopping
BBDO
 
Ip spoofing attacks
Ip spoofing attacksIp spoofing attacks
Ip spoofing attacksApijay Kumar
 
How to know my ip address with iplogger.org
How to know my ip address with iplogger.orgHow to know my ip address with iplogger.org
How to know my ip address with iplogger.org
iploggers
 
Footprinting-and-the-basics-of-hacking
Footprinting-and-the-basics-of-hackingFootprinting-and-the-basics-of-hacking
Footprinting-and-the-basics-of-hackingSathishkumar A
 
It’s time to boost VoIP network security
It’s time to boost VoIP network securityIt’s time to boost VoIP network security
It’s time to boost VoIP network securityBev Robb
 
Cant touch this: cloning any Android HCE contactless card
Cant touch this: cloning any Android HCE contactless cardCant touch this: cloning any Android HCE contactless card
Cant touch this: cloning any Android HCE contactless card
Slawomir Jasek
 
Ferret - Data Seepage
Ferret - Data SeepageFerret - Data Seepage
Ferret - Data Seepage
amiable_indian
 
UUUU
UUUUUUUU
UUUUyonny4103
 
Ferret
FerretFerret
Ferretyonny4103
 
Customer Worthy 2012 Customer Experience Forecast
Customer Worthy 2012 Customer Experience ForecastCustomer Worthy 2012 Customer Experience Forecast
Customer Worthy 2012 Customer Experience Forecast
Client X Client
 
A modern approach to safeguarding your ICS and SCADA systems
A modern approach to safeguarding your ICS and SCADA systemsA modern approach to safeguarding your ICS and SCADA systems
A modern approach to safeguarding your ICS and SCADA systems
Alane Moran
 
Hands-On Security - Disrupting the Kill Chain
Hands-On Security - Disrupting the Kill ChainHands-On Security - Disrupting the Kill Chain
Hands-On Security - Disrupting the Kill Chain
Splunk
 
Gain visibility & real-time actionable security alerts with VPC Flow Logs & A...
Gain visibility & real-time actionable security alerts with VPC Flow Logs & A...Gain visibility & real-time actionable security alerts with VPC Flow Logs & A...
Gain visibility & real-time actionable security alerts with VPC Flow Logs & A...
Amazon Web Services
 
Situational Awareness, Botnet and Malware Detection in the Modern Era - Davi...
Situational Awareness, Botnet and Malware Detection in the Modern Era - Davi...Situational Awareness, Botnet and Malware Detection in the Modern Era - Davi...
Situational Awareness, Botnet and Malware Detection in the Modern Era - Davi...
Codemotion
 
Gain visibility and real-time security alerts with VPC Flow Logs & AWS - DEM0...
Gain visibility and real-time security alerts with VPC Flow Logs & AWS - DEM0...Gain visibility and real-time security alerts with VPC Flow Logs & AWS - DEM0...
Gain visibility and real-time security alerts with VPC Flow Logs & AWS - DEM0...
Amazon Web Services
 
Greed for Fame Benefits Large Scale Botnets
Greed for Fame Benefits Large Scale BotnetsGreed for Fame Benefits Large Scale Botnets
Greed for Fame Benefits Large Scale Botnets
mark-smith
 
Augmented reality
Augmented realityAugmented reality
Augmented reality
Abdelrahman Ali
 
VoIP Security 101 what you need to know
VoIP Security 101 what you need to knowVoIP Security 101 what you need to know
VoIP Security 101 what you need to know
Eric Klein
 
Achieving Visibility, Security and Real-Time Actionable Alerts Using VPC Flow...
Achieving Visibility, Security and Real-Time Actionable Alerts Using VPC Flow...Achieving Visibility, Security and Real-Time Actionable Alerts Using VPC Flow...
Achieving Visibility, Security and Real-Time Actionable Alerts Using VPC Flow...
Amazon Web Services
 
Ricardo Mendez, Technical Director Europe ,Samsung NEXT - Identity, Privacy a...
Ricardo Mendez, Technical Director Europe ,Samsung NEXT - Identity, Privacy a...Ricardo Mendez, Technical Director Europe ,Samsung NEXT - Identity, Privacy a...
Ricardo Mendez, Technical Director Europe ,Samsung NEXT - Identity, Privacy a...
Techsylvania
 
Pervasive nation
Pervasive nationPervasive nation
Pervasive nation
lizard4444
 
Year of pawnage - Ian trump
Year of pawnage - Ian trumpYear of pawnage - Ian trump
Year of pawnage - Ian trump
MAXfocus
 
Roelof Temmingh FIRST07 slides
Roelof Temmingh FIRST07 slidesRoelof Temmingh FIRST07 slides
Roelof Temmingh FIRST07 slides
Leon Kuunders
 
Draft-1-Resolutions-Key-Interventions-.pdf
Draft-1-Resolutions-Key-Interventions-.pdfDraft-1-Resolutions-Key-Interventions-.pdf
Draft-1-Resolutions-Key-Interventions-.pdf
bhavenpr
 
AI and Covert Influence Operations: Latest Trends
AI and Covert Influence Operations: Latest TrendsAI and Covert Influence Operations: Latest Trends
AI and Covert Influence Operations: Latest Trends
CI kumparan
 

More Related Content

Similar to Airports redacted with_comments_from_tony_yustein

Footprinting-and-the-basics-of-hacking
Footprinting-and-the-basics-of-hackingFootprinting-and-the-basics-of-hacking
Footprinting-and-the-basics-of-hackingSathishkumar A
 
It’s time to boost VoIP network security
It’s time to boost VoIP network securityIt’s time to boost VoIP network security
It’s time to boost VoIP network securityBev Robb
 
Cant touch this: cloning any Android HCE contactless card
Cant touch this: cloning any Android HCE contactless cardCant touch this: cloning any Android HCE contactless card
Cant touch this: cloning any Android HCE contactless card
Slawomir Jasek
 
Ferret - Data Seepage
Ferret - Data SeepageFerret - Data Seepage
Ferret - Data Seepage
amiable_indian
 
Customer Worthy 2012 Customer Experience Forecast
Customer Worthy 2012 Customer Experience ForecastCustomer Worthy 2012 Customer Experience Forecast
Customer Worthy 2012 Customer Experience Forecast
Client X Client
 
A modern approach to safeguarding your ICS and SCADA systems
A modern approach to safeguarding your ICS and SCADA systemsA modern approach to safeguarding your ICS and SCADA systems
A modern approach to safeguarding your ICS and SCADA systems
Alane Moran
 
Hands-On Security - Disrupting the Kill Chain
Hands-On Security - Disrupting the Kill ChainHands-On Security - Disrupting the Kill Chain
Hands-On Security - Disrupting the Kill Chain
Splunk
 
Gain visibility & real-time actionable security alerts with VPC Flow Logs & A...
Gain visibility & real-time actionable security alerts with VPC Flow Logs & A...Gain visibility & real-time actionable security alerts with VPC Flow Logs & A...
Gain visibility & real-time actionable security alerts with VPC Flow Logs & A...
Amazon Web Services
 
Situational Awareness, Botnet and Malware Detection in the Modern Era - Davi...
Situational Awareness, Botnet and Malware Detection in the Modern Era - Davi...Situational Awareness, Botnet and Malware Detection in the Modern Era - Davi...
Situational Awareness, Botnet and Malware Detection in the Modern Era - Davi...
Codemotion
 
Gain visibility and real-time security alerts with VPC Flow Logs & AWS - DEM0...
Gain visibility and real-time security alerts with VPC Flow Logs & AWS - DEM0...Gain visibility and real-time security alerts with VPC Flow Logs & AWS - DEM0...
Gain visibility and real-time security alerts with VPC Flow Logs & AWS - DEM0...
Amazon Web Services
 
Greed for Fame Benefits Large Scale Botnets
Greed for Fame Benefits Large Scale BotnetsGreed for Fame Benefits Large Scale Botnets
Greed for Fame Benefits Large Scale Botnets
mark-smith
 
Augmented reality
Augmented realityAugmented reality
Augmented reality
Abdelrahman Ali
 
VoIP Security 101 what you need to know
VoIP Security 101 what you need to knowVoIP Security 101 what you need to know
VoIP Security 101 what you need to know
Eric Klein
 
Achieving Visibility, Security and Real-Time Actionable Alerts Using VPC Flow...
Achieving Visibility, Security and Real-Time Actionable Alerts Using VPC Flow...Achieving Visibility, Security and Real-Time Actionable Alerts Using VPC Flow...
Achieving Visibility, Security and Real-Time Actionable Alerts Using VPC Flow...
Amazon Web Services
 
Ricardo Mendez, Technical Director Europe ,Samsung NEXT - Identity, Privacy a...
Ricardo Mendez, Technical Director Europe ,Samsung NEXT - Identity, Privacy a...Ricardo Mendez, Technical Director Europe ,Samsung NEXT - Identity, Privacy a...
Ricardo Mendez, Technical Director Europe ,Samsung NEXT - Identity, Privacy a...
Techsylvania
 
Pervasive nation
Pervasive nationPervasive nation
Pervasive nation
lizard4444
 
Year of pawnage - Ian trump
Year of pawnage - Ian trumpYear of pawnage - Ian trump
Year of pawnage - Ian trump
MAXfocus
 
Roelof Temmingh FIRST07 slides
Roelof Temmingh FIRST07 slidesRoelof Temmingh FIRST07 slides
Roelof Temmingh FIRST07 slides
Leon Kuunders
 

Similar to Airports redacted with_comments_from_tony_yustein (20)

Footprinting-and-the-basics-of-hacking
Footprinting-and-the-basics-of-hackingFootprinting-and-the-basics-of-hacking
Footprinting-and-the-basics-of-hacking
 
It’s time to boost VoIP network security
It’s time to boost VoIP network securityIt’s time to boost VoIP network security
It’s time to boost VoIP network security
 
Cant touch this: cloning any Android HCE contactless card
Cant touch this: cloning any Android HCE contactless cardCant touch this: cloning any Android HCE contactless card
Cant touch this: cloning any Android HCE contactless card
 
Ferret - Data Seepage
Ferret - Data SeepageFerret - Data Seepage
Ferret - Data Seepage
 
UUUU
UUUUUUUU
UUUU
 
Ferret
FerretFerret
Ferret
 
Customer Worthy 2012 Customer Experience Forecast
Customer Worthy 2012 Customer Experience ForecastCustomer Worthy 2012 Customer Experience Forecast
Customer Worthy 2012 Customer Experience Forecast
 
A modern approach to safeguarding your ICS and SCADA systems
A modern approach to safeguarding your ICS and SCADA systemsA modern approach to safeguarding your ICS and SCADA systems
A modern approach to safeguarding your ICS and SCADA systems
 
Hands-On Security - Disrupting the Kill Chain
Hands-On Security - Disrupting the Kill ChainHands-On Security - Disrupting the Kill Chain
Hands-On Security - Disrupting the Kill Chain
 
Gain visibility & real-time actionable security alerts with VPC Flow Logs & A...
Gain visibility & real-time actionable security alerts with VPC Flow Logs & A...Gain visibility & real-time actionable security alerts with VPC Flow Logs & A...
Gain visibility & real-time actionable security alerts with VPC Flow Logs & A...
 
Situational Awareness, Botnet and Malware Detection in the Modern Era - Davi...
Situational Awareness, Botnet and Malware Detection in the Modern Era - Davi...Situational Awareness, Botnet and Malware Detection in the Modern Era - Davi...
Situational Awareness, Botnet and Malware Detection in the Modern Era - Davi...
 
Gain visibility and real-time security alerts with VPC Flow Logs & AWS - DEM0...
Gain visibility and real-time security alerts with VPC Flow Logs & AWS - DEM0...Gain visibility and real-time security alerts with VPC Flow Logs & AWS - DEM0...
Gain visibility and real-time security alerts with VPC Flow Logs & AWS - DEM0...
 
Greed for Fame Benefits Large Scale Botnets
Greed for Fame Benefits Large Scale BotnetsGreed for Fame Benefits Large Scale Botnets
Greed for Fame Benefits Large Scale Botnets
 
Augmented reality
Augmented realityAugmented reality
Augmented reality
 
VoIP Security 101 what you need to know
VoIP Security 101 what you need to knowVoIP Security 101 what you need to know
VoIP Security 101 what you need to know
 
Achieving Visibility, Security and Real-Time Actionable Alerts Using VPC Flow...
Achieving Visibility, Security and Real-Time Actionable Alerts Using VPC Flow...Achieving Visibility, Security and Real-Time Actionable Alerts Using VPC Flow...
Achieving Visibility, Security and Real-Time Actionable Alerts Using VPC Flow...
 
Ricardo Mendez, Technical Director Europe ,Samsung NEXT - Identity, Privacy a...
Ricardo Mendez, Technical Director Europe ,Samsung NEXT - Identity, Privacy a...Ricardo Mendez, Technical Director Europe ,Samsung NEXT - Identity, Privacy a...
Ricardo Mendez, Technical Director Europe ,Samsung NEXT - Identity, Privacy a...
 
Pervasive nation
Pervasive nationPervasive nation
Pervasive nation
 
Year of pawnage - Ian trump
Year of pawnage - Ian trumpYear of pawnage - Ian trump
Year of pawnage - Ian trump
 
Roelof Temmingh FIRST07 slides
Roelof Temmingh FIRST07 slidesRoelof Temmingh FIRST07 slides
Roelof Temmingh FIRST07 slides
 

Recently uploaded

Draft-1-Resolutions-Key-Interventions-.pdf
Draft-1-Resolutions-Key-Interventions-.pdfDraft-1-Resolutions-Key-Interventions-.pdf
Draft-1-Resolutions-Key-Interventions-.pdf
bhavenpr
 
AI and Covert Influence Operations: Latest Trends
AI and Covert Influence Operations: Latest TrendsAI and Covert Influence Operations: Latest Trends
AI and Covert Influence Operations: Latest Trends
CI kumparan
 
Preview of Court Document for Iseyin community
Preview of Court Document for Iseyin communityPreview of Court Document for Iseyin community
Preview of Court Document for Iseyin community
contact193699
 
31052024_First India Newspaper Jaipur.pdf
31052024_First India Newspaper Jaipur.pdf31052024_First India Newspaper Jaipur.pdf
31052024_First India Newspaper Jaipur.pdf
FIRST INDIA
 
Letter-from-ECI-to-MeiTY-21st-march-2024.pdf
Letter-from-ECI-to-MeiTY-21st-march-2024.pdfLetter-from-ECI-to-MeiTY-21st-march-2024.pdf
Letter-from-ECI-to-MeiTY-21st-march-2024.pdf
bhavenpr
 
Do Linguistics Still Matter in the Age of Large Language Models.pptx
Do Linguistics Still Matter in the Age of Large Language Models.pptxDo Linguistics Still Matter in the Age of Large Language Models.pptx
Do Linguistics Still Matter in the Age of Large Language Models.pptx
Slator- Language Industry Intelligence
 
03062024_First India Newspaper Jaipur.pdf
03062024_First India Newspaper Jaipur.pdf03062024_First India Newspaper Jaipur.pdf
03062024_First India Newspaper Jaipur.pdf
FIRST INDIA
 
Sharjeel-Imam-Judgement-CRLA-215-2024_29-05-2024.pdf
Sharjeel-Imam-Judgement-CRLA-215-2024_29-05-2024.pdfSharjeel-Imam-Judgement-CRLA-215-2024_29-05-2024.pdf
Sharjeel-Imam-Judgement-CRLA-215-2024_29-05-2024.pdf
bhavenpr
 
What Ukraine Has Lost During Russia’s Invasion
What Ukraine Has Lost During Russia’s InvasionWhat Ukraine Has Lost During Russia’s Invasion
What Ukraine Has Lost During Russia’s Invasion
LUMINATIVE MEDIA/PROJECT COUNSEL MEDIA GROUP
 
Hogan Comes Home: an MIA WWII crewman is returned
Hogan Comes Home: an MIA WWII crewman is returnedHogan Comes Home: an MIA WWII crewman is returned
Hogan Comes Home: an MIA WWII crewman is returned
rbakerj2
 
Codes n Conventionss copy (1).paaaaaaptx
Codes n Conventionss copy (1).paaaaaaptxCodes n Conventionss copy (1).paaaaaaptx
Codes n Conventionss copy (1).paaaaaaptx
ZackSpencer3
 
Resolutions-Key-Interventions-28-May-2024.pdf
Resolutions-Key-Interventions-28-May-2024.pdfResolutions-Key-Interventions-28-May-2024.pdf
Resolutions-Key-Interventions-28-May-2024.pdf
bhavenpr
 
Hindustan Insider 2nd edition release now
Hindustan Insider 2nd edition release nowHindustan Insider 2nd edition release now
Hindustan Insider 2nd edition release now
hindustaninsider22
 
01062024_First India Newspaper Jaipur.pdf
01062024_First India Newspaper Jaipur.pdf01062024_First India Newspaper Jaipur.pdf
01062024_First India Newspaper Jaipur.pdf
FIRST INDIA
 
2024 is the point of certainty. Forecast of UIF experts
2024 is the point of certainty. Forecast of UIF experts2024 is the point of certainty. Forecast of UIF experts
2024 is the point of certainty. Forecast of UIF experts
olaola5673
 

Recently uploaded (15)

Draft-1-Resolutions-Key-Interventions-.pdf
Draft-1-Resolutions-Key-Interventions-.pdfDraft-1-Resolutions-Key-Interventions-.pdf
Draft-1-Resolutions-Key-Interventions-.pdf
 
AI and Covert Influence Operations: Latest Trends
AI and Covert Influence Operations: Latest TrendsAI and Covert Influence Operations: Latest Trends
AI and Covert Influence Operations: Latest Trends
 
Preview of Court Document for Iseyin community
Preview of Court Document for Iseyin communityPreview of Court Document for Iseyin community
Preview of Court Document for Iseyin community
 
31052024_First India Newspaper Jaipur.pdf
31052024_First India Newspaper Jaipur.pdf31052024_First India Newspaper Jaipur.pdf
31052024_First India Newspaper Jaipur.pdf
 
Letter-from-ECI-to-MeiTY-21st-march-2024.pdf
Letter-from-ECI-to-MeiTY-21st-march-2024.pdfLetter-from-ECI-to-MeiTY-21st-march-2024.pdf
Letter-from-ECI-to-MeiTY-21st-march-2024.pdf
 
Do Linguistics Still Matter in the Age of Large Language Models.pptx
Do Linguistics Still Matter in the Age of Large Language Models.pptxDo Linguistics Still Matter in the Age of Large Language Models.pptx
Do Linguistics Still Matter in the Age of Large Language Models.pptx
 
03062024_First India Newspaper Jaipur.pdf
03062024_First India Newspaper Jaipur.pdf03062024_First India Newspaper Jaipur.pdf
03062024_First India Newspaper Jaipur.pdf
 
Sharjeel-Imam-Judgement-CRLA-215-2024_29-05-2024.pdf
Sharjeel-Imam-Judgement-CRLA-215-2024_29-05-2024.pdfSharjeel-Imam-Judgement-CRLA-215-2024_29-05-2024.pdf
Sharjeel-Imam-Judgement-CRLA-215-2024_29-05-2024.pdf
 
What Ukraine Has Lost During Russia’s Invasion
What Ukraine Has Lost During Russia’s InvasionWhat Ukraine Has Lost During Russia’s Invasion
What Ukraine Has Lost During Russia’s Invasion
 
Hogan Comes Home: an MIA WWII crewman is returned
Hogan Comes Home: an MIA WWII crewman is returnedHogan Comes Home: an MIA WWII crewman is returned
Hogan Comes Home: an MIA WWII crewman is returned
 
Codes n Conventionss copy (1).paaaaaaptx
Codes n Conventionss copy (1).paaaaaaptxCodes n Conventionss copy (1).paaaaaaptx
Codes n Conventionss copy (1).paaaaaaptx
 
Resolutions-Key-Interventions-28-May-2024.pdf
Resolutions-Key-Interventions-28-May-2024.pdfResolutions-Key-Interventions-28-May-2024.pdf
Resolutions-Key-Interventions-28-May-2024.pdf
 
Hindustan Insider 2nd edition release now
Hindustan Insider 2nd edition release nowHindustan Insider 2nd edition release now
Hindustan Insider 2nd edition release now
 
01062024_First India Newspaper Jaipur.pdf
01062024_First India Newspaper Jaipur.pdf01062024_First India Newspaper Jaipur.pdf
01062024_First India Newspaper Jaipur.pdf
 
2024 is the point of certainty. Forecast of UIF experts
2024 is the point of certainty. Forecast of UIF experts2024 is the point of certainty. Forecast of UIF experts
2024 is the point of certainty. Forecast of UIF experts
 

Airports redacted with_comments_from_tony_yustein

  • 1. TOP SECRET IP Profiling Analytics & Mission Impacts I will try to explain in simpler terms about what this program tries to do. Even though I respect my friends at CSEC and their efforts to keep our country safe, I think the law which enables this to be done is simply wrong. Spying on citizens is simply wrong. The ends do not justify the means. I'm proud to be Canadian, I don't want my country Tradecraft to turn in to others which we criticize all the time. Developer CSEC – Network Analysis Centre May 10, 2012 nearly 2 years ago imagine the things happened since then Tony Yustein
  • 2. TOP SECRET Example IP Profile Problem Target appears on IP address, wish to understand network context more fully Example Quova look-up & response for Lat. 60.00 Long: -95.00 (in frozen tundra W. of Hudson Bay) City: unknown Country: Canada, Operator: Bell Canada, Sympatico Issues with IP look-up data: well known Internet problem if this is fixed it will solve accountability issues but opaquewill be a problem where free speech is not available is it actually revealing, or is it is the data even current, or is it out-of-date was the data ever accurate in the first place 2
  • 3. TOP SECRET Objectives Develop new analytics to provide richer contextual data about a network address Apply analytics against Tipping & Cueing objectives Build upon artefact of techniques to develop new needle-in-a-haystack analytic – contact chaining across air-gaps this looks innocent, for now... 3
  • 4. TOP SECRET Analytic Concept – Start with Travel Node Begin with single seed Wi-Fi IP address of intl. airport user IDs? sniffing user IDs how? most of the services like Gmail and Facebook forces SSL connections. Does this mean that they can decrypt SSL easily? Assemble set of user IDs seen on network address over two weeks 4
  • 5. TOP SECRET Profiling Travel Nodes – Next Step Follow IDs backward and forward in recent time Earlier IP clusters of: Later IP clusters of: how? decrypting SSL or recording - local hotels - other intl. airports MAC addresses in a huge database? - domestic airports - domestic airports - local transportation hubs - major intl. hotels - local internet cafes - etc. - etc. 5
  • 6. TOP SECRET IP Hopping Forward in Time Follow IDs forward in time to next IP & note delta time 1 Hr. Next IP sorted by most popular: … 2 Hr. 3 Hr. 4 Hr. 5 Hr. Many clusters will resolve to other Airports! Can then take seeds from these airports and repeat to cover whole world this means that there is a huge database which records all the Internet activity Ditto for going backward in time, can uncover roaming infrastructure of host city: hotels, conference centers, Wi-Fi hotspots etc. 6 Δ time
  • 7. TOP SECRET Data Reality The analytic produced excellent profiles, but was more complex than initial concept suggests really? what a surprise! Data had limited aperture – Canadian Special Source major CDN ISPs team with US email majors, losing travel coverage ah does this mean that they don't agree to use fake SSL certificates to intercept user data to Gmail etc.? Behaviour at airports little lingering on arrival; arrivals using phones, not WiFi still, some Wi-Fi use when waiting for connecting flight/baggage different terminals: domestic/international; also private lounges Very many airports and hotels served by large Boingo private network not seen in aperture; traffic seems to return via local Akamai node this means that the mobile carriers are also in bed with this system they provide the means to identify individuals based on IP but this has to be done on the Internal network. they must be matching local IPs to external IPs and activity. and they are doing this with the fees you pay on your cell bill :) 7
  • 8. TOP SECRET Tradecraft Development Data Set Have two weeks worth of ID-IP data from Canadian Special Source – Rogers, Bell, Telus??? Had program access to Quova dataset connecting into Atlas database So the name of this master database is Atlas Had seed knowledge of a single Canadian Airport WiFi IP address 8
  • 9. TOP SECRET Hop Geo Profile From CDN Airport Intl. Terminal Long Longitude scale is non-linear a t most far-flung sites are wireless gateways with many other wireless gateways in set where are they getting the Geo data? Some spy apps on phones? Or mobile carriers sharing this data, which is most likely... Profiled/seed IP location: Square = geographic location Hopped-to IP location: Line height = numbers of unique hopped-to IPs at location Plot of where else IDs seen at seed IP have been seen in two weeks Plot shows most hopped to IPs are nearby - confirming reported seed geo data 9
  • 10. TOP SECRET Effect of Invalid Geo Information Long Longitude scale is non-linear a t Geo incongruence: displacement of seed location from distribution center strongly suggests data error Profiled/seed IP location: Square = geographic location Hopped-to IP location: Line height = numbers of unique hopped-to IPs at location this is because of the IP address Geo location accuracy problem Effect of invalid seed geo information readily apparent 10
  • 11. TOP SECRET Hop-Out Destinations Seen Other domestic airports Other terminals, lounges, transport hubs Hotels in many cities Mobile gateways in many cities Etc. obviously, travelers go to other airports and hotels... 11
  • 12. TOP SECRET “Discovered” Other CDN Airport IP Domestic terminal Closeness of majority of hopped-to IPs confirms geo data But, domestic airport can also look like a busy hotel ... yeah but it has to be an airport hotel right? are they talking about the Hilton at Pearson Airport??? 12
  • 13. TOP SECRET Each horizontal line shows presence pattern of one ID, sorted by order of appearance IDs Presence Profile at “Discovered” Airport Time/days → Dominant pattern is each ID is seen briefly, just once – as expected 13
  • 14. TOP SECRET Profiles of Discovered Hotel Many IDs present over a few days 14 Time/days →
  • 15. TOP SECRET Profiles of Discovered Enterprise Time/days → Enterprises? Not fun for corporate secrets right? Regular temporal presence (M-F) with local geographic span Contrasts well against travel/roaming nodes 15
  • 16. TOP SECRET Discovered Coffee Shop, Library Coffee shop so latte or cappuccino is selling more? Time/days → Library Time/days → Similar patterns of mixed temporal & local geographic presence
  • 17. TOP SECRET Discovered Wireless Gateway Wireless gateway not unlike a hotel, except ... what do they mean about wireless gateways? 17 wifi access points of private homes? Time/days →
  • 18. TOP SECRET Partial Range Profile of Wireless Gateway 500 Number of IDs seen on each IP 400 300 ID Total on IP Common IDs 200 100 0 1 2 3 4 5 6 7 8 Individual IP number in range of 8 For wireless gateway, range behaviour is revealing Most IDs seen on an IP are also scattered across entire range ID totals & traffic across full range is very high this means profiling with wireless gateways 18 are not efficient at this moment
  • 19. TOP SECRET Mission Impact of IP Profiling Tipping and Cueing Task Force (TCTF) a 5-Eyes effort to enable the SIGINT system to provide real-time alerts of events of interest alert to: target country location changes, webmail logins with time-limited cookies etc. this means SSL is not secure anymore, for sure... Targets/Enemies still target air travel and hotels airlines: shoe/underwear/printer bombs … hotels: Mumbai, Kabul, Jakarta, Amman, Islamabad, Egyptian Sinai … Analytic can hop-sweep through IP address space to identify set of IP addresses for hotels and airports detecting target presence within set will trigger an urgent alert aim to productize analytics to reliably produce set of IPs for alerting my personal opinion is that other methods of spying are much more efficient for tracking down terrorists then this so I think this is an excuse to have a system to track everyone 19
  • 20. TOP SECRET IP Profiling Summary Different categories of IP ownership/use show distinct characteristics airports, hotels, coffee shops, enterprises, wireless gateways etc. clear characteristics enable formal modeling developments clear identification of hotels and airports enables critical Tipping & Cueing tradecraft obviously... people eat, sleep and travel... Geo-hop profile can confirm/refute IP geo look-up information later could fold-in time deltas for enhanced modeling Can “sweep” a region/city for roaming access points to IP networks leads to a new needle-in-a-haystack analytic ... so another excuse to use more taxpayer money to increase computing capacity... 20
  • 21. TOP SECRET Tradecraft Problem Statement A kidnapper based in a rural area travels to an urban area to make ransom calls can’t risk bringing attention to low-population rural area won’t use phone for any other comms (or uses payphones ...) Assumption: He has another device that accesses IP networks from public access points having a device isn’t necessary, could use internet cafes, libraries etc. he is also assumed to use IP access around the time of ransom calls a lot of assumptions here... Question: Knowing the time of the ransom calls can we discover the kidnapper’s IP ID/device “contact chain” across air-gap (not a correlation of selectors) wow, somebody is watching a lot of James Bond movies! this is very highly unlikely to happen... 21
  • 22. TOP SECRET Solution Outline With earlier IP profiling analytics, we can “sweep” a city/region to discover and determine public accesses We can then select which IP network IDs are seen as active in all times surrounding the known ransom calls reduce set to a shortlist Then we examine the reduced set of IP network IDs and eliminate baseline heavy users in the area that fall into the set intersection just because they are always active that is, eliminate those that are highly active outside the times of the ransom calls hopefully leaves only the one needle from the haystack so much money spent, so many civil rights breached and now hopefully??? 22
  • 23. TOP SECRET First Proof-of-Concept Swept a modest size city and discovered two high traffic public access ranges with >300,000 active IDs over 2 weeks used for initial expediency due to computational intensity Presumed that there were 3 ransom calls, each 50 hours apart during daytime, looked for IDs within 1 Hr of calls reduce large set to a shortlist of just 19 IP network IDs Examined activity level of 19 IP network IDs – how many presences each had in 1 Hr slots over two weeks main worry as the computation was running: there would be a lot of IDs that showed just a handful of appearances: e.g. 3, 4, 5 instances ok, big brother is watching now... 23
  • 24. TOP SECRET ID Presence of Shortlist Each horizontal line shows presence of ID over time/hour-slots Time/hour-slots → Postulated presence of kidnapper/target again, lots of ifs here... Happy result: least active ID had appearances in 40 hour-slots! Thus could eliminate all, leaving just the kidnapper (if he was there) 24
  • 25. TOP SECRET Big-Data Computational Challenge All the previous analytics, while successful experimentally, ran much too slowly to allow for practical productization CARE: Collaborative Analytics Research Environment a big-data system being trialed at CSEC (with NSA launch assist) simple distributed computing non-extraordinary hardware minimal impedance between memory, storage and processors highly optimized, in-memory database capabilities columnar storage, high performance vector functional runtime powerful but challenging programming language (derived from APL) Result of first experiments with CARE: game-changing run-time for hop-profiles reduced from 2+ Hrs to several seconds allows for tradecraft to be profitably productized great, near real time tracking... 25
  • 26. TOP SECRET Overall Summary IP profiling showing terrific value significant analytic asset for IP networks and target mobility enables critical capability within Tipping & Cueing Task force working to productize on powerful new computational platform broader SSO accesses/apertures coming online at CSEC look to formalize models & fold-in timing deltas A new needle-in-a-haystack analytic is viable: contact chaining across air-gaps enabled by sweep capability of IP profiling should test further to understand robustness with respect to loosening assumptions of target behaviour beyond kidnapping, tradecraft could also be used for any target that makes occasional forays into other cities/regions any target? so you accept monitoring all possible targets which is the whole Canadian population... 26
  • 27. TOP SECRET Tradecraft Studio Example so when China or Russia do this we call it wrong and how come we can justify doing this at home in Canada? What are our politicians doing, who are they serving? Possible route for productizing analytics comments by: Tony Yustein 27