
Airports redacted with_comments_from_tony_yustein

Dec 19, 2014



Tony Yustein

Redacted CSEC presentation with my comments. This document is technically complex and I tried to make it easier for everyone to understand its content.
Transcript
Page 1: Airports redacted with_comments_from_tony_yustein

TOP SECRET

IP Profiling Analytics & Mission Impacts

Tradecraft Developer
CSEC – Network Analysis Centre

May 10, 2012

nearly 2 years ago; imagine the things that have happened since then

I will try to explain in simpler terms what this program tries to do. Even though I respect my friends at CSEC and their efforts to keep our country safe, I think the law which enables this to be done is simply wrong.

Spying on citizens is simply wrong. The ends do not justify the means. I'm proud to be Canadian; I don't want my country to turn into others which we criticize all the time.


Tony Yustein

Page 2: Airports redacted with_comments_from_tony_yustein


Example IP Profile Problem

Target appears on IP address, wish to understand network context more fully

Example Quova look-up & response for Lat. 60.00 Long: -95.00 (in frozen tundra W. of Hudson Bay)

City: unknown

Country: Canada

Operator: Bell Canada, Sympatico

Issues with IP look-up data:
- is it actually revealing, or is it opaque
- is the data even current, or is it out-of-date
- was the data ever accurate in the first place

well known Internet problem; if this is fixed it will solve accountability issues but will be a problem where free speech is not available


Page 3: Airports redacted with_comments_from_tony_yustein


Objectives

Develop new analytics to provide richer contextual data about a network address

Apply analytics against Tipping & Cueing objectives

Build upon artefact of techniques to develop new needle-in-a-haystack analytic – contact chaining across air-gaps

this looks innocent, for now...

Page 4: Airports redacted with_comments_from_tony_yustein


Analytic Concept – Start with Travel Node

Begin with single seed Wi-Fi IP address of intl. airport

Assemble set of user IDs seen on network address over two weeks

user IDs? sniffing user IDs how? most of the services like Gmail and Facebook force SSL connections. Does this mean that they can decrypt SSL easily?


Page 5: Airports redacted with_comments_from_tony_yustein


Profiling Travel Nodes – Next Step

Follow IDs backward and forward in recent time

Later IP clusters of:
- other intl. airports
- domestic airports
- major intl. hotels
- etc.

Earlier IP clusters of:
- local hotels
- domestic airports
- local transportation hubs
- local internet cafes
- etc.

how? decrypting SSL or recording MAC addresses in a huge database?

Page 6: Airports redacted with_comments_from_tony_yustein


IP Hopping Forward in Time

Follow IDs forward in time to next IP & note delta time

[Chart: Δ time (1 Hr. to 5 Hr.) against next IP, sorted by most popular]

Many clusters will resolve to other Airports!

Can then take seeds from these airports and repeat to cover whole world

Ditto for going backward in time, can uncover roaming infrastructure of host city: hotels, conference centers, Wi-Fi hotspots etc.

this means that there is a huge database which records all the Internet activity

Page 7: Airports redacted with_comments_from_tony_yustein


Data Reality

The analytic produced excellent profiles, but was more complex than initial concept suggests

Data had limited aperture – Canadian Special Source
major CDN ISPs team with US email majors, losing travel coverage

Behaviour at airports
little lingering on arrival; arrivals using phones, not WiFi

still, some Wi-Fi use when waiting for connecting flight/baggage

different terminals: domestic/international; also private lounges

Very many airports and hotels served by large Boingo private network

not seen in aperture; traffic seems to return via local Akamai node

really? what a surprise!

ah does this mean that they don't agree to use fake SSL certificates to intercept user data to Gmail etc.?

this means that the mobile carriers are also in bed with this system. They provide the means to identify individuals based on IP, but this has to be done on the internal network. They must be matching local IPs to external IPs and activity. And they are doing this with the fees you pay on your cell bill :)


Page 8: Airports redacted with_comments_from_tony_yustein


Tradecraft Development Data Set

Have two weeks worth of ID-IP data from Canadian Special Source –

Had program access to Quova dataset connecting into Atlas database

Had seed knowledge of a single Canadian Airport WiFi IP address

Rogers, Bell, Telus???

So the name of this master database is Atlas

Page 9: Airports redacted with_comments_from_tony_yustein


Hop Geo Profile From CDN Airport Intl. Terminal

[Plot axes: Lat vs. Long; longitude scale is non-linear]

Profiled/seed IP location:

Hopped-to IP location:

Square = geographic location

Line height = numbers of unique hopped-to IPs at location

Plot of where else IDs seen at seed IP have been seen in two weeks
Plot shows most hopped to IPs are nearby - confirming reported seed geo data

most far-flung sites are wireless gateways with many other wireless gateways in set

where are they getting the Geo data? Some spy apps on phones? Or mobile carriers sharing this data, which is most likely...

Page 10: Airports redacted with_comments_from_tony_yustein


Effect of Invalid Geo Information


Profiled/seed IP location:

Hopped-to IP location:

Square = geographic location

Line height = numbers of unique hopped-to IPs at location

Effect of invalid seed geo information readily apparent

Geo incongruence: displacement of seed location from distribution center strongly suggests data error

[Plot axes: Lat vs. Long; longitude scale is non-linear]

this is because of the IP address Geo location accuracy problem
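The geo-incongruence test this slide describes, as an added example that is not from the CSEC presentation or from the commenter: it takes a seed IP's reported location and a constructed set of hopped-to locations (the counts stand in for the plot's line heights), finds the distribution center with a weighted median, and flags the seed when its displacement from that center is large relative to the spread of the hops. The hop coordinates and the threshold factor are assumptions; the seed at Lat. 60 / Long. -95 is the Quova answer quoted on slide 2.

```python
import math

# Constructed sample hop profile: (lat, lon, unique hopped-to IPs at location).
# Counts play the role of the plot's line heights; these are not slide data.
HOPS = [
    (43.68, -79.63, 120),   # dense cluster near the seed's true city (constructed)
    (43.65, -79.38, 80),
    (43.60, -79.50, 45),
    (45.47, -73.74, 12),    # far-flung sites: other airports, hotels (constructed)
    (49.19, -123.18, 6),
    (51.13, -114.02, 4),
]

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two lat/lon points given in degrees."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlam = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def weighted_median(pairs):
    """Weighted median of (value, weight) pairs; robust to far-flung outliers,
    which is why it stands in for the slide's 'distribution center' here."""
    total = sum(w for _, w in pairs)
    acc = 0
    for value, weight in sorted(pairs):
        acc += weight
        if 2 * acc >= total:
            return value
    return max(pairs)[0]

def distribution_center(hops):
    """Weighted-median latitude and longitude of the hopped-to locations."""
    lat = weighted_median([(h[0], h[2]) for h in hops])
    lon = weighted_median([(h[1], h[2]) for h in hops])
    return lat, lon

def geo_incongruence(seed_lat, seed_lon, hops, factor=3.0):
    """Compare the seed's reported location with the hop distribution.
    Returns (displacement_km, spread_km, incongruent): spread is the weighted
    median hop distance from the center, and the seed is flagged as a likely
    geo data error when it sits more than `factor` spreads away (the factor is
    an assumed threshold, not one the slides give)."""
    clat, clon = distribution_center(hops)
    spread = weighted_median([(haversine_km(clat, clon, h[0], h[1]), h[2]) for h in hops])
    displacement = haversine_km(seed_lat, seed_lon, clat, clon)
    return displacement, spread, displacement > factor * max(spread, 1.0)

if __name__ == "__main__":
    # Slide 2's Quova answer (Lat. 60, Long. -95, frozen tundra) against this profile
    print(geo_incongruence(60.0, -95.0, HOPS))    # flagged: far from the cluster
    print(geo_incongruence(43.68, -79.63, HOPS))  # not flagged: inside the cluster
```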

Page 11: Airports redacted with_comments_from_tony_yustein


Hop-Out Destinations Seen

Other domestic airports

Other terminals, lounges, transport hubs

Hotels in many cities

Mobile gateways in many cities

Etc.

obviously, travelers go to other airports and hotels...

Page 12: Airports redacted with_comments_from_tony_yustein


“Discovered” Other CDN Airport IP

Domestic terminal

Closeness of majority of hopped-to IPs confirms geo data

But, domestic airport can also look like a busy hotel ...

yeah but it has to be an airport hotel right? are they talking about the Hilton at Pearson Airport???

Page 13: Airports redacted with_comments_from_tony_yustein


IDs Presence Profile at “Discovered” Airport

Dominant pattern is each ID is seen briefly, just once – as expected

[Plot: each horizontal line shows presence pattern of one ID, sorted by order of appearance; x-axis Time/days →]

Page 14: Airports redacted with_comments_from_tony_yustein


Profiles of Discovered Hotel

Many IDs present over a few days

[Plot: ID presence over Time/days →]

Page 15: Airports redacted with_comments_from_tony_yustein


Profiles of Discovered Enterprise

Regular temporal presence (M-F) with local geographic span
Contrasts well against travel/roaming nodes

[Plot: ID presence over Time/days →]

Enterprises? Not fun for corporate secrets right?

Page 16: Airports redacted with_comments_from_tony_yustein


Discovered Coffee Shop, Library

Coffee shop

Library

Similar patterns of mixed temporal & local geographic presence

[Plots: coffee shop and library ID presence over Time/days →]

so latte or cappuccino is selling more?

Page 17: Airports redacted with_comments_from_tony_yustein


Discovered Wireless Gateway

Wireless gateway not unlike a hotel, except ...

[Plot: ID presence over Time/days →]

what do they mean about wireless gateways? wifi access points of private homes?

Page 18: Airports redacted with_comments_from_tony_yustein


Partial Range Profile of Wireless Gateway

[Bar chart: Number of IDs seen on each IP (y-axis 0–500) against Individual IP number in range of 8 (x-axis 1–8); bars show ID Total on IP and Common IDs]

For wireless gateway, range behaviour is revealing
Most IDs seen on an IP are also scattered across entire range
ID totals & traffic across full range is very high

this means profiling with wireless gateways is not efficient at this moment

Page 19: Airports redacted with_comments_from_tony_yustein


Mission Impact of IP Profiling

Tipping and Cueing Task Force (TCTF)
a 5-Eyes effort to enable the SIGINT system to provide real-time alerts of events of interest

alert to: target country location changes, webmail logins with time-limited cookies etc.

Targets/Enemies still target air travel and hotels
airlines: shoe/underwear/printer bombs …

hotels: Mumbai, Kabul, Jakarta, Amman, Islamabad, Egyptian Sinai …

Analytic can hop-sweep through IP address space to identify set of IP addresses for hotels and airports

detecting target presence within set will trigger an urgent alert

aim to productize analytics to reliably produce set of IPs for alerting

this means SSL is not secure anymore, for sure...

my personal opinion is that other methods of spying are much more efficient for tracking down terrorists than this, so I think this is an excuse to have a system to track everyone


Page 20: Airports redacted with_comments_from_tony_yustein


IP Profiling Summary

Different categories of IP ownership/use show distinct characteristics

airports, hotels, coffee shops, enterprises, wireless gateways etc.

clear characteristics enable formal modeling developments

clear identification of hotels and airports enables critical Tipping & Cueing tradecraft

Geo-hop profile can confirm/refute IP geo look-up information

later could fold-in time deltas for enhanced modeling

Can “sweep” a region/city for roaming access points to IP networks

leads to a new needle-in-a-haystack analytic ...

obviously... people eat, sleep and travel...

so another excuse to use more taxpayer money to increase computing capacity...

Page 21: Airports redacted with_comments_from_tony_yustein


Tradecraft Problem Statement

A kidnapper based in a rural area travels to an urban area to make ransom calls

can’t risk bringing attention to low-population rural area

won’t use phone for any other comms (or uses payphones ...)

Assumption: He has another device that accesses IP networks from public access points

having a device isn’t necessary, could use internet cafes, libraries etc.

he is also assumed to use IP access around the time of ransom calls

Question: Knowing the time of the ransom calls can wediscover the kidnapper’s IP ID/device

“contact chain” across air-gap (not a correlation of selectors)

a lot of assumptions here...

wow, somebody is watching a lot of James Bond movies! this is very highly unlikely to happen...

Page 22: Airports redacted with_comments_from_tony_yustein


Solution Outline

With earlier IP profiling analytics, we can “sweep” a city/region to discover and determine public accesses

We can then select which IP network IDs are seen as active in all times surrounding the known ransom calls

reduce set to a shortlist

Then we examine the reduced set of IP network IDs and eliminate baseline heavy users in the area that fall into the set intersection just because they are always active

that is, eliminate those that are highly active outside the times of the ransom calls

hopefully leaves only the one needle from the haystack

so much money spent, so many civil rights breached and now hopefully???

Page 23: Airports redacted with_comments_from_tony_yustein


First Proof-of-Concept

Swept a modest size city and discovered two high traffic public access ranges with >300,000 active IDs over 2 weeks

used for initial expediency due to computational intensity

Presumed that there were 3 ransom calls, each 50 hours apart during daytime, looked for IDs within 1 Hr of calls

reduce large set to a shortlist of just 19 IP network IDs

Examined activity level of 19 IP network IDs – how many presences each had in 1 Hr slots over two weeks

main worry as the computation was running: there would be a lot of IDs that showed just a handful of appearances: e.g. 3, 4, 5 instances

ok, big brother is watching now...

Page 24: Airports redacted with_comments_from_tony_yustein


ID Presence of Shortlist

Happy result: least active ID had appearances in 40 hour-slots!
Thus could eliminate all, leaving just the kidnapper (if he was there)

Each horizontal line shows presence of ID over time/hour-slots

Postulated presence of kidnapper/target

[Plot: x-axis Time/hour-slots →]

again, lots of ifs here...

Page 25: Airports redacted with_comments_from_tony_yustein


Big-Data Computational Challenge

All the previous analytics, while successful experimentally, ran much too slowly to allow for practical productization

CARE: Collaborative Analytics Research Environment
a big-data system being trialed at CSEC (with NSA launch assist)

non-extraordinary hardware

minimal impedance between memory, storage and processors

highly optimized, in-memory database capabilities

columnar storage, high performance vector functional runtime

powerful but challenging programming language (derived from APL)

Result of first experiments with CARE: game-changing
run-time for hop-profiles reduced from 2+ Hrs to several seconds

allows for tradecraft to be profitably productized

simple distributed computing

great, near real time tracking...

Page 26: Airports redacted with_comments_from_tony_yustein


Overall Summary

IP profiling showing terrific value
significant analytic asset for IP networks and target mobility

enables critical capability within Tipping & Cueing Task force

working to productize on powerful new computational platform

broader SSO accesses/apertures coming online at CSEC

look to formalize models & fold-in timing deltas

A new needle-in-a-haystack analytic is viable: contact chaining across air-gaps

enabled by sweep capability of IP profiling

should test further to understand robustness with respect to loosening assumptions of target behaviour

beyond kidnapping, tradecraft could also be used for any target that makes occasional forays into other cities/regions

any target? so you accept monitoring all possible targets which is the whole Canadian population...


Page 27: Airports redacted with_comments_from_tony_yustein


Tradecraft Studio Example

Possible route for productizing analytics

so when China or Russia do this we call it wrong, and how come we can justify doing this at home in Canada? What are our politicians doing, who are they serving?

comments by: Tony Yustein