TOP SECRET
IP Profiling Analytics & Mission Impacts
Tradecraft Developer, CSEC – Network Analysis Centre
May 10, 2012
Redacted CSEC presentation with my comments. This document is technically complex and I tried to make it easier for everyone to understand its content.
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it with your friends and learn new things together.
Transcript
Slide 1
IP Profiling Analytics & Mission Impacts
Tradecraft Developer, CSEC – Network Analysis Centre
May 10, 2012
Comment: nearly 2 years ago; imagine the things that have happened since then
Comment: I will try to explain in simpler terms what this program tries to do. Even though I respect my friends at CSEC and their efforts to keep our country safe, I think the law which enables this to be done is simply wrong. Spying on citizens is simply wrong. The ends do not justify the means. I'm proud to be Canadian, I don't want my country to turn into others which we criticize all the time.
Tony Yustein
Slide 2: Example IP Profile Problem
Target appears on IP address, wish to understand network context more fully
Example Quova look-up & response for Lat. 60.00 Long: -95.00 (in frozen tundra W. of Hudson Bay)
City: unknown
Country: Canada
Operator: Bell Canada, Sympatico
Issues with IP look-up data:
- is it actually revealing, or is it opaque
- is the data even current, or is it out-of-date
- was the data ever accurate in the first place
Comment: well known Internet problem; if this is fixed it will solve accountability issues but will be a problem where free speech is not available
Slide 3: Objectives
Develop new analytics to provide richer contextual data about a network address
Apply analytics against Tipping & Cueing objectives
Build upon artefact of techniques to develop new needle-in-a-haystack analytic – contact chaining across air-gaps
Comment: this looks innocent, for now...
Slide 4: Analytic Concept – Start with Travel Node
Begin with single seed Wi-Fi IP address of intl. airport
Assemble set of user IDs seen on network address over two weeks
Comment: user IDs? sniffing user IDs how? Most of the services like Gmail and Facebook force SSL connections. Does this mean that they can decrypt SSL easily?
Slide 5: Profiling Travel Nodes – Next Step
Follow IDs backward and forward in recent time
Later IP clusters of:
- other intl. airports
- domestic airports
- major intl. hotels
- etc.
Earlier IP clusters of:
- local hotels
- domestic airports
- local transportation hubs
- local internet cafes
- etc.
Comment: how? decrypting SSL or recording MAC addresses in a huge database?
Slide 6: IP Hopping Forward in Time
Follow IDs forward in time to next IP & note delta time
[Table: next IPs sorted by most popular, against Δ time columns of 1 Hr, 2 Hr, 3 Hr, 4 Hr, 5 Hr, …]
Many clusters will resolve to other Airports!
Can then take seeds from these airports and repeat to cover whole world
Ditto for going backward in time, can uncover roaming infrastructure of host city: hotels, conference centers, Wi-Fi hotspots etc.
Comment: this means that there is a huge database which records all the Internet activity
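The hop profile of slides 4 to 6 is simple enough to state as code, and doing so makes clear what the analytic needs as input: only (ID, IP, time) sightings, nothing from inside the connections themselves. The block below is an added illustration written for this page; it is not code from the CSEC deck or from the annotator. The sightings list is constructed, the addresses are RFC 5737 documentation ranges, and the hour bucketing, the 24-hour maximum delta and the sweep threshold are choices made here, not values the deck states.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta
import math

# Constructed ID-IP sightings (user_id, ip, time first seen), standing in for
# the two-week ID-IP feed the deck describes. Addresses are RFC 5737
# documentation ranges, not real hosts; 192.0.2.10 plays the seed airport IP.
SIGHTINGS = [
    ("u1", "203.0.113.5",  datetime(2012, 4, 1, 6, 0)),    # hotel, before the airport
    ("u1", "192.0.2.10",   datetime(2012, 4, 1, 9, 0)),    # seed airport
    ("u1", "198.51.100.7", datetime(2012, 4, 1, 13, 0)),   # another airport, 4 h later
    ("u2", "192.0.2.10",   datetime(2012, 4, 2, 11, 30)),
    ("u2", "198.51.100.7", datetime(2012, 4, 2, 14, 0)),
    ("u3", "192.0.2.10",   datetime(2012, 4, 3, 7, 0)),
    ("u3", "198.51.100.7", datetime(2012, 4, 3, 10, 15)),
    ("u4", "203.0.113.5",  datetime(2012, 4, 3, 20, 0)),   # same hotel as u1
    ("u4", "192.0.2.10",   datetime(2012, 4, 4, 8, 0)),
    ("u4", "203.0.113.9",  datetime(2012, 4, 4, 12, 0)),   # hotel in another city
    ("u5", "192.0.2.10",   datetime(2012, 4, 5, 16, 0)),   # seen once, never again
]
TWO_WEEKS = (datetime(2012, 4, 1), datetime(2012, 4, 15))


def ids_on_ip(sightings, ip, window):
    """Slide 4: assemble the set of IDs seen on `ip` inside the window."""
    start, end = window
    return {uid for uid, sip, ts in sightings if sip == ip and start <= ts <= end}


def hop_profile(sightings, seed_ip, window, direction="forward",
                max_delta=timedelta(hours=24)):
    """Slides 5-6: follow every ID seen on seed_ip to the next (or previous)
    distinct IP it was seen on and bucket the delta time in whole hours.
    Returns [(hopped_to_ip, Counter({hour_bucket: n_ids})), ...] with the
    most popular hop destination first."""
    seeds = ids_on_ip(sightings, seed_ip, window)
    by_id = defaultdict(list)
    for uid, ip, ts in sightings:
        if uid in seeds:
            by_id[uid].append((ts, ip))
    hops = defaultdict(Counter)
    for events in by_id.values():
        events.sort()
        for i, (ts, ip) in enumerate(events):
            if ip != seed_ip:
                continue
            rest = events[i + 1:] if direction == "forward" else events[:i][::-1]
            for ts2, ip2 in rest:
                if ip2 == seed_ip:
                    continue          # still on the seed, keep looking
                delta = abs(ts2 - ts)
                if delta <= max_delta:
                    bucket = max(1, math.ceil(delta / timedelta(hours=1)))
                    hops[ip2][bucket] += 1
                break                 # only the first distinct IP is the hop
    return sorted(hops.items(), key=lambda kv: -sum(kv[1].values()))


def sweep(sightings, seed_ip, window, min_ids=2, max_rounds=3):
    """Slide 6: take the popular hop destinations as new seeds and repeat, in
    both directions, to map the roaming infrastructure reachable from one seed."""
    discovered, frontier = {seed_ip}, [seed_ip]
    for _ in range(max_rounds):
        nxt = []
        for ip in frontier:
            for direction in ("forward", "backward"):
                for ip2, buckets in hop_profile(sightings, ip, window, direction):
                    if sum(buckets.values()) >= min_ids and ip2 not in discovered:
                        discovered.add(ip2)
                        nxt.append(ip2)
        frontier = nxt
        if not frontier:
            break
    return discovered


if __name__ == "__main__":
    for ip, buckets in hop_profile(SIGHTINGS, "192.0.2.10", TWO_WEEKS):
        print(ip, dict(sorted(buckets.items())))
    print("swept:", sorted(sweep(SIGHTINGS, "192.0.2.10", TWO_WEEKS)))
```

On the constructed data the forward profile ranks 198.51.100.7 first (three IDs, two of them in the 4-hour bucket), and the backward profile recovers the hotel 203.0.113.5; the sweep then pulls both into the discovered set while leaving the single-ID hotel 203.0.113.9 below the popularity threshold. Note what the code does not need: no packet content, only a stable per-user identifier tied to an IP and a timestamp, which is why the annotator's question about SSL is separate from whether the analytic works.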
Slide 7: Data Reality
The analytic produced excellent profiles, but was more complex than initial concept suggests
Data had limited aperture – Canadian Special Source
- major CDN ISPs team with US email majors, losing travel coverage
Behaviour at airports
- little lingering on arrival; arrivals using phones, not WiFi
- still, some Wi-Fi use when waiting for connecting flight/baggage
- different terminals: domestic/international; also private lounges
Very many airports and hotels served by large Boingo private network
- not seen in aperture; traffic seems to return via local Akamai node
Comment: really? what a surprise!
Comment: ah, does this mean that they don't agree to use fake SSL certificates to intercept user data to Gmail etc.?
Comment: this means that the mobile carriers are also in bed with this system. They provide the means to identify individuals based on IP, but this has to be done on the internal network. They must be matching local IPs to external IPs and activity. And they are doing this with the fees you pay on your cell bill :)
Slide 8: Tradecraft Development Data Set
Have two weeks' worth of ID-IP data from Canadian Special Source
Had program access to Quova dataset connecting into Atlas database
Had seed knowledge of a single Canadian Airport WiFi IP address
Comment: Rogers, Bell, Telus???
Comment: So the name of this master database is Atlas
Slide 9: Hop Geo Profile From CDN Airport Intl. Terminal
[Figure: map of the profiled/seed IP location and the hopped-to IP locations; square = geographic location, line height = number of unique hopped-to IPs at location; longitude scale is non-linear]
Plot of where else IDs seen at seed IP have been seen in two weeks
Plot shows most hopped-to IPs are nearby - confirming reported seed geo data
most far-flung sites are wireless gateways with many other wireless gateways in set
Comment: where are they getting the Geo data? Some spy apps on phones? Or mobile carriers sharing this data, which is most likely...
Slide 10: Effect of Invalid Geo Information
[Figure: same plot style; profiled/seed IP location versus hopped-to IP locations; square = geographic location, line height = number of unique hopped-to IPs at location; longitude scale is non-linear]
Effect of invalid seed geo information readily apparent
Geo incongruence: displacement of seed location from distribution center strongly suggests data error
Comment: this is because of the IP address Geo location accuracy problem
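Slides 9 and 10 use the hop distribution as an independent check on the Quova look-up: if the reported seed location sits far from the centre of where its IDs are otherwise seen, the look-up is probably wrong. The block below is an added illustration of that check, written for this page and not taken from the CSEC deck. The hop locations and counts are constructed (rough city coordinates for one seed airport, an invented overseas destination, invented counts); the 500 km displacement limit, the 200 km "nearby" radius and the 30% local-share floor are thresholds chosen here, and the deck gives none.

```python
import math

# Constructed hop-geo profile for one seed airport IP: (lat, lon, number of
# unique hopped-to IPs at that location), i.e. the "square = location,
# line height = count" data of slides 9-10. Counts are invented.
HOPS = [
    (43.65,  -79.38, 40),   # same city as the seed
    (45.47,  -73.74, 12),
    (49.19, -123.18,  8),   # far-flung wireless gateways on the other coast
    (45.32,  -75.67,  6),
    (51.47,   -0.46,  3),   # overseas airport
]
REPORTED_GOOD = (43.68, -79.63)   # look-up agrees with the hop distribution
REPORTED_BAD = (60.00, -95.00)    # the slide-2 tundra coordinates


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlam = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def distribution_center(hops):
    """Count-weighted centre of the hopped-to locations, averaged as 3-D unit
    vectors so longitude wrap-around cannot skew the result."""
    total = sum(n for _, _, n in hops)
    x = y = z = 0.0
    for lat, lon, n in hops:
        la, lo = math.radians(lat), math.radians(lon)
        x += n * math.cos(la) * math.cos(lo)
        y += n * math.cos(la) * math.sin(lo)
        z += n * math.sin(la)
    x, y, z = x / total, y / total, z / total
    return math.degrees(math.atan2(z, math.hypot(x, y))), math.degrees(math.atan2(y, x))


def local_share(reported, hops, radius_km=200.0):
    """Fraction of hop weight within radius_km of the reported seed location
    (slide 9: 'most hopped-to IPs are nearby')."""
    total = sum(n for _, _, n in hops)
    near = sum(n for lat, lon, n in hops
               if haversine_km(reported[0], reported[1], lat, lon) <= radius_km)
    return near / total


def geo_congruence(reported, hops, max_displacement_km=500.0, min_local_share=0.3):
    """Slide 10's test: displacement of the reported seed location from the
    distribution centre, plus the local share as a second signal.
    Returns (displacement_km, local_share, verdict)."""
    clat, clon = distribution_center(hops)
    d = haversine_km(reported[0], reported[1], clat, clon)
    share = local_share(reported, hops)
    ok = d <= max_displacement_km and share >= min_local_share
    return d, share, "congruent" if ok else "incongruent: suspect geo look-up"


if __name__ == "__main__":
    for label, reported in (("reported (plausible)", REPORTED_GOOD),
                            ("reported (tundra)", REPORTED_BAD)):
        d, share, verdict = geo_congruence(reported, hops=HOPS)
        print(f"{label}: displacement {d:.0f} km, local share {share:.2f}: {verdict}")
```

The far-flung gateways pull the centre a few hundred kilometres away from the seed's own city even when the look-up is right, which is why the check uses a generous displacement limit and pairs it with the local-share test; a seed placed in the tundra fails both by a wide margin.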
Slide 11: Hop-Out Destinations Seen
Other domestic airports
Other terminals, lounges, transport hubs
Hotels in many cities
Mobile gateways in many cities
Etc.
Comment: obviously, travelers go to other airports and hotels...
Slide 12: “Discovered” Other CDN Airport IP
Domestic terminal
Closeness of majority of hopped-to IPs confirms geo data
But, domestic airport can also look like a busy hotel ...
Comment: yeah, but it has to be an airport hotel, right? Are they talking about the Hilton at Pearson Airport???
Slide 13: IDs Presence Profile at “Discovered” Airport
Dominant pattern is each ID is seen briefly, just once – as expected
Regular temporal presence (M-F) with local geographic span
Contrasts well against travel/roaming nodes
[Figure: ID presence plots, time/days on the horizontal axis]
Comment: Enterprises? Not fun for corporate secrets, right?
Slide (unnumbered): Discovered Coffee Shop, Library
[Figures: presence plots for a coffee shop and a library, time/days on the horizontal axis]
Similar patterns of mixed temporal & local geographic presence
Comment: so latte or cappuccino is selling more?
Slide 17: Discovered Wireless Gateway
[Figure: presence plot, time/days on the horizontal axis]
Wireless gateway not unlike a hotel, except ...
Comment: what do they mean about wireless gateways? WiFi access points of private homes?
Slide 18: Partial Range Profile of Wireless Gateway
[Chart: number of IDs seen on each IP (0 to 500) for the 8 individual IP numbers in the range; bars for ID total on IP and for common IDs]
For wireless gateway, range behaviour is revealing
- Most IDs seen on an IP are also scattered across entire range
- ID totals & traffic across full range is very high
Comment: this means profiling with wireless gateways is not efficient at this moment
Slide 19: Mission Impact of IP Profiling
Tipping and Cueing Task Force (TCTF)
- a 5-Eyes effort to enable the SIGINT system to provide real-time alerts of events of interest
- alert to: target country location changes, webmail logins with time-limited cookies etc.
Targets/Enemies still target air travel and hotels
- airlines: shoe/underwear/printer bombs …
- hotels: Mumbai, Kabul, Jakarta, Amman, Islamabad, Egyptian Sinai …
Analytic can hop-sweep through IP address space to identify set of IP addresses for hotels and airports
- detecting target presence within set will trigger an urgent alert
- aim to productize analytics to reliably produce set of IPs for alerting
Comment: this means SSL is not secure anymore, for sure...
Comment: my personal opinion is that other methods of spying are much more efficient for tracking down terrorists than this, so I think this is an excuse to have a system to track everyone
Slide 20: IP Profiling Summary
Different categories of IP ownership/use show distinct characteristics
- airports, hotels, coffee shops, enterprises, wireless gateways etc.
- clear identification of hotels and airports enables critical Tipping & Cueing tradecraft
Geo-hop profile can confirm/refute IP geo look-up information
- later could fold-in time deltas for enhanced modeling
Can “sweep” a region/city for roaming access points to IP networks
- leads to a new needle-in-a-haystack analytic ...
Comment: obviously... people eat, sleep and travel...
Comment: so another excuse to use more taxpayer money to increase computing capacity...
Slide 21: Tradecraft Problem Statement
A kidnapper based in a rural area travels to an urban area to make ransom calls
- can’t risk bringing attention to low-population rural area
- won’t use phone for any other comms (or uses payphones ...)
Assumption: He has another device that accesses IP networks from public access points
- having a device isn’t necessary, could use internet cafes, libraries etc.
- he is also assumed to use IP access around the time of ransom calls
Question: Knowing the time of the ransom calls can we discover the kidnapper’s IP ID/device
- “contact chain” across air-gap (not a correlation of selectors)
Comment: a lot of assumptions here...
Comment: wow, somebody is watching a lot of James Bond movies! This is very highly unlikely to happen...
Slide 22: Solution Outline
With earlier IP profiling analytics, we can “sweep” a city/region to discover and determine public accesses
We can then select which IP network IDs are seen as active in all times surrounding the known ransom calls
- reduce set to a shortlist
Then we examine the reduced set of IP network IDs and eliminate baseline heavy users in the area that fall into the set intersection just because they are always active
- that is, eliminate those that are highly active outside the times of the ransom calls
- hopefully leaves only the one needle from the haystack
Comment: so much money spent, so many civil rights breached, and now hopefully???
Slide 23: First Proof-of-Concept
Swept a modest size city and discovered two high traffic public access ranges with >300,000 active IDs over 2 weeks
- used for initial expediency due to computational intensity
Presumed that there were 3 ransom calls, each 50 hours apart during daytime, looked for IDs within 1 Hr of calls
- reduce large set to a shortlist of just 19 IP network IDs
Examined activity level of 19 IP network IDs – how many presences each had in 1 Hr slots over two weeks
- main worry as the computation was running: there would be a lot of IDs that showed just a handful of appearances: e.g. 3, 4, 5 instances
Comment: ok, big brother is watching now...
Slide 24: ID Presence of Shortlist
[Figure: each horizontal line shows the presence of one ID over time/hour-slots; the postulated presence of the kidnapper/target is marked]
Happy result: least active ID had appearances in 40 hour-slots! Thus could eliminate all, leaving just the kidnapper (if he was there)
Comment: again, lots of ifs here...
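Slides 22 to 24 are a two-step filter: intersect the IDs active around every call, then throw out whoever is in that intersection only because they are always present. The block below implements exactly those two steps as an added example for this page; it is not CSEC code. The population is generated to have the shape slide 23 reports (a large always-on baseline, occasional users, one ID seen only near the calls, plus two IDs that match only two of the three windows), the addresses are RFC 5737, and the 1-hour window follows slide 23 while the five-slot "outside activity" cut-off is a choice made here, the deck only saying that heavy users were eliminated.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Two swept public-access IPs (slide 23's "two high traffic public access
# ranges"), RFC 5737 addresses. Three presumed calls 50 hours apart, daytime.
ACCESS_IPS = {"192.0.2.40", "192.0.2.41"}
CALLS = [datetime(2012, 4, 2, 10, 0),
         datetime(2012, 4, 4, 12, 0),
         datetime(2012, 4, 6, 14, 0)]
START = datetime(2012, 4, 1)


def constructed_sightings():
    """Invented (user_id, ip, time) population with the slide-23 shape."""
    s = []
    for k in range(50):                      # baseline heavy users, 08:00-18:00 daily
        ip = "192.0.2.40" if k % 2 else "192.0.2.41"
        for d in range(14):
            for h in range(8, 19):
                s.append((f"heavy{k}", ip, START + timedelta(days=d, hours=h)))
    for k in range(40):                      # occasional evening users, never near a call
        s.append((f"casual{k}", "192.0.2.40", START + timedelta(days=k % 14, hours=20)))
    s += [("near1", "192.0.2.41", CALLS[0]), ("near1", "192.0.2.41", CALLS[1]),   # 2 of 3 windows
          ("near2", "192.0.2.40", CALLS[1]), ("near2", "192.0.2.40", CALLS[2])]
    s += [("target", "192.0.2.40", datetime(2012, 4, 2, 9, 40)),                 # only near the calls
          ("target", "192.0.2.41", datetime(2012, 4, 4, 11, 30)),
          ("target", "192.0.2.40", datetime(2012, 4, 6, 14, 20))]
    return s


def to_slot(ts):
    """Truncate a timestamp to its 1-hour slot."""
    return ts.replace(minute=0, second=0, microsecond=0)


def presence_slots(sightings, access_ips):
    """ID -> set of hour slots in which it was seen on any swept public access."""
    slots = defaultdict(set)
    for uid, ip, ts in sightings:
        if ip in access_ips:
            slots[uid].add(to_slot(ts))
    return slots


def call_window(call, within=timedelta(hours=1)):
    """Hour slots within +/- `within` of a call."""
    t, end, out = to_slot(call - within), call + within, set()
    while t <= end:
        out.add(t)
        t += timedelta(hours=1)
    return out


def shortlist(slots, calls, within=timedelta(hours=1)):
    """Slide 22 step 2: IDs active in the window around every call."""
    result = None
    for call in calls:
        w = call_window(call, within)
        active = {uid for uid, s in slots.items() if s & w}
        result = active if result is None else result & active
    return result or set()


def eliminate_baseline(slots, candidates, calls, within=timedelta(hours=1), max_outside=5):
    """Slide 22 step 3: drop IDs with many presences outside the call windows.
    Returns {id: outside_slot_count} for the survivors."""
    windows = set().union(*(call_window(c, within) for c in calls))
    return {uid: len(slots[uid] - windows) for uid in candidates
            if len(slots[uid] - windows) <= max_outside}


def find_needle(sightings=None, calls=CALLS, access_ips=ACCESS_IPS):
    """Run both steps; returns (shortlist, survivors)."""
    slots = presence_slots(sightings or constructed_sightings(), access_ips)
    short = shortlist(slots, calls)
    return short, eliminate_baseline(slots, short, calls)


if __name__ == "__main__":
    short, survivors = find_needle()
    print(f"shortlist: {len(short)} IDs; survivors after baseline elimination: {survivors}")
```

On this population the intersection keeps all 50 heavy users plus the target, and the baseline step removes the heavy users because each has well over a hundred slots outside the windows; the target survives with none. The deck's "if he was there" caveat is visible in the code: an ID that used a mobile network instead of a swept access point, or that was active in only two of the three windows, never reaches the shortlist, and a target who also browses casually at other times is discarded by the baseline cut-off.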
Slide 25: Big-Data Computational Challenge
All the previous analytics, while successful experimentally, ran much too slowly to allow for practical productization
CARE: Collaborative Analytics Research Environment
- a big-data system being trialed at CSEC (with NSA launch assist)
- non-extraordinary hardware
- minimal impedance between memory, storage and processors
- highly optimized, in-memory database capabilities
- columnar storage, high performance vector functional runtime
- powerful but challenging programming language (derived from APL)
Result of first experiments with CARE: game-changing
- run-time for hop-profiles reduced from 2+ Hrs to several seconds
- allows for tradecraft to be profitably productized
Comment: great, near real time tracking...
Slide 26: Overall Summary
IP profiling showing terrific value
- significant analytic asset for IP networks and target mobility
- enables critical capability within Tipping & Cueing Task force
- working to productize on powerful new computational platform
- broader SSO accesses/apertures coming online at CSEC
- look to formalize models & fold-in timing deltas
A new needle-in-a-haystack analytic is viable: contact chaining across air-gaps
- enabled by sweep capability of IP profiling
- should test further to understand robustness with respect to loosening assumptions of target behaviour
- beyond kidnapping, tradecraft could also be used for any target that makes occasional forays into other cities/regions
Comment: any target? So you accept monitoring all possible targets, which is the whole Canadian population...
Slide 27: Tradecraft Studio Example
Possible route for productizing analytics
Comment: so when China or Russia do this we call it wrong, and how come we can justify doing this at home in Canada? What are our politicians doing, who are they serving?
comments by: Tony Yustein