Airports redacted with_comments_from_tony_yustein

News & Politics

Published on February 21, 2014

Author: yustein

Source: slideshare.net

Description

Redacted CSEC presentation with my comments. This document is technically complex and I tried to make it easier for everyone to understand its content.

Slide 1 (marked TOP SECRET, as is every slide of the deck): IP Profiling Analytics & Mission Impacts
Tradecraft Developer, CSEC – Network Analysis Centre, May 10, 2012

Comment (Tony Yustein): I will try to explain in simpler terms what this program tries to do. Even though I respect my friends at CSEC and their efforts to keep our country safe, I think the law which enables this to be done is simply wrong. Spying on citizens is simply wrong. The ends do not justify the means. I'm proud to be Canadian; I don't want my country to turn into the others which we criticize all the time.
Comment (Tony Yustein): Nearly 2 years ago; imagine the things that have happened since then.

Slide 2: Example IP Profile Problem
- Target appears on IP address; wish to understand network context more fully.
- Example Quova look-up & response for Lat. 60.00, Long. -95.00 (in frozen tundra W. of Hudson Bay): City: unknown; Country: Canada; Operator: Bell Canada, Sympatico.
- Issues with IP look-up data: well-known Internet problem.
  - Is it actually revealing, or is it opaque?
  - Is the data even current, or is it out-of-date?
  - Was the data ever accurate in the first place?

Comment (Tony Yustein): If this is fixed it will solve accountability issues, but it will be a problem where free speech is not available.

Slide 3: Objectives
- Develop new analytics to provide richer contextual data about a network address.
- Apply analytics against Tipping & Cueing objectives.
- Build upon artefact of techniques to develop new needle-in-a-haystack analytic: contact chaining across air-gaps.

Comment (Tony Yustein): This looks innocent, for now...

Slide 4: Analytic Concept – Start with Travel Node
- Begin with single seed Wi-Fi IP address of an intl. airport.
- Assemble set of user IDs seen on that network address over two weeks.

Comment (Tony Yustein): User IDs? Sniffing user IDs how? Most services like Gmail and Facebook force SSL connections. Does this mean that they can decrypt SSL easily?

Slide 5: Profiling Travel Nodes – Next Step
- Follow IDs backward and forward in recent time.
- Earlier IP clusters of: local hotels, domestic airports, local transportation hubs, local internet cafes, etc.
- Later IP clusters of: other intl. airports, domestic airports, major intl. hotels, etc.

Comment (Tony Yustein): How? Decrypting SSL, or recording MAC addresses in a huge database?

Slide 6: IP Hopping Forward in Time
- Follow IDs forward in time to next IP & note delta time.
- [Figure: next IPs sorted by most popular, bucketed by Δ time: 1 Hr, 2 Hr, 3 Hr, 4 Hr, 5 Hr, ...]
- Many clusters will resolve to other airports! Can then take seeds from these airports and repeat to cover whole world.
- Ditto for going backward in time: can uncover roaming infrastructure of host city: hotels, conference centers, Wi-Fi hotspots, etc.

Comment (Tony Yustein): This means that there is a huge database which records all the Internet activity.
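The hop-profile procedure of slides 4 to 6, as an added worked example; this is not code from the CSEC deck or from Tony Yustein's commentary. It runs over a constructed handful of ID-IP sightings (documentation IP ranges, made-up IDs and timestamps). Bucketing Δ time into whole hours and the two-ID threshold used to adopt a hopped-to address as a new seed are assumptions; the deck only shows 1 to 5 Hr bins and says "repeat to cover whole world". The `sweep` function goes slightly beyond the slide by chaining the hop in both directions until no new address qualifies.

```python
import math
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample of "ID-IP data" (slide 8's term): one row per sighting of a
# user ID on an IP address. Addresses are RFC 5737 documentation ranges; nothing
# here is real data.
SEED = "198.51.100.10"          # hypothetical international-airport Wi-Fi address
T0 = datetime(2012, 5, 1, 8, 0)


def _t(hours):
    return T0 + timedelta(hours=hours)


OBSERVATIONS = [
    ("a", "203.0.113.5", _t(-3)),   # a: hotel -> airport -> second airport
    ("a", SEED, _t(0)),
    ("a", "192.0.2.40", _t(4)),
    ("b", SEED, _t(1)),             # b: airport -> second airport
    ("b", "192.0.2.40", _t(5)),
    ("c", SEED, _t(1)),             # c: airport -> hotel
    ("c", "203.0.113.5", _t(2)),
    ("d", SEED, _t(2)),             # d: only ever seen at the seed (no hop)
    ("e", "203.0.113.5", _t(-2)),   # e: hotel -> airport -> second airport, later
    ("e", SEED, _t(3)),
    ("e", "192.0.2.40", _t(6)),
]


def ids_at(observations, ip):
    """Slide 4: the set of IDs seen on one network address over the window."""
    return {uid for uid, seen_ip, _ in observations if seen_ip == ip}


def hop_profile(observations, seed_ip, forward=True, max_hours=24):
    """Slides 5-6: for every ID seen at seed_ip, find the next (forward=True)
    or previous (forward=False) IP it appears on and the time gap.
    Returns (hopped-to IPs sorted by popularity, count of IDs per whole-hour
    delta bucket). Hour bucketing is an assumption; the deck shows 1-5 Hr bins."""
    by_id = defaultdict(list)
    for uid, ip, ts in observations:
        by_id[uid].append((ts, ip))

    ip_counts, delta_counts = Counter(), Counter()
    for uid in ids_at(observations, seed_ip):
        timeline = sorted(by_id[uid])
        seed_times = [ts for ts, ip in timeline if ip == seed_ip]
        if forward:
            anchor = max(seed_times)          # last sighting at the seed
            later = [(ts, ip) for ts, ip in timeline if ts > anchor and ip != seed_ip]
            if not later:
                continue
            ts, ip = later[0]
            delta = ts - anchor
        else:
            anchor = min(seed_times)          # first sighting at the seed
            earlier = [(ts, ip) for ts, ip in timeline if ts < anchor and ip != seed_ip]
            if not earlier:
                continue
            ts, ip = earlier[-1]
            delta = anchor - ts
        bucket = max(1, math.ceil(delta.total_seconds() / 3600))
        if bucket > max_hours:
            continue
        ip_counts[ip] += 1
        delta_counts[bucket] += 1
    return ip_counts.most_common(), dict(sorted(delta_counts.items()))


def sweep(observations, seed_ip, min_ids=2):
    """Slide 6's 'take seeds from these airports and repeat': breadth-first hop
    in both directions, adopting any IP reached by at least min_ids IDs as a new
    seed. The min_ids threshold is an assumption, not a figure from the deck."""
    discovered, frontier = {seed_ip}, [seed_ip]
    while frontier:
        ip = frontier.pop()
        for forward in (True, False):
            hops, _ = hop_profile(observations, ip, forward=forward)
            for hopped_ip, n in hops:
                if n >= min_ids and hopped_ip not in discovered:
                    discovered.add(hopped_ip)
                    frontier.append(hopped_ip)
    return discovered


if __name__ == "__main__":
    print(hop_profile(OBSERVATIONS, SEED, forward=True))
    print(hop_profile(OBSERVATIONS, SEED, forward=False))
    print(sweep(OBSERVATIONS, SEED))
```

On the constructed data the forward profile from the seed ranks 192.0.2.40 first (three of the five IDs hop there, mostly 3 to 4 hours later), the backward profile finds 203.0.113.5 as the "earlier cluster", and the sweep adopts both as new seeds, which is the mechanism the deck relies on to "cover the whole world" from a single airport address.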

Slide 7: Data Reality
- The analytic produced excellent profiles, but was more complex than initial concept suggests.
Comment (Tony Yustein): Really? What a surprise!
- Data had limited aperture – Canadian Special Source; major CDN ISPs team with US email majors, losing travel coverage.
Comment (Tony Yustein): Ah, does this mean that they don't agree to use fake SSL certificates to intercept user data to Gmail etc.?
- Behaviour at airports: little lingering on arrival; arrivals using phones, not WiFi; still, some Wi-Fi use when waiting for connecting flight/baggage; different terminals (domestic/international); also private lounges.
- Very many airports and hotels served by large Boingo private network not seen in aperture; traffic seems to return via local Akamai node.
Comment (Tony Yustein): This means that the mobile carriers are also in bed with this system. They provide the means to identify individuals based on IP, but this has to be done on the internal network. They must be matching local IPs to external IPs and activity. And they are doing this with the fees you pay on your cell bill :)

Slide 8: Tradecraft Development Data Set
- Have two weeks' worth of ID-IP data from Canadian Special Source.
Comment (Tony Yustein): Rogers, Bell, Telus???
- Had program access to Quova dataset connecting into Atlas database.
Comment (Tony Yustein): So the name of this master database is Atlas.
- Had seed knowledge of a single Canadian airport WiFi IP address.

Slide 9: Hop Geo Profile From CDN Airport Intl. Terminal
- [Figure: latitude/longitude plot; longitude scale is non-linear. Profiled/seed IP location: square = geographic location. Hopped-to IP location: line height = number of unique hopped-to IPs at location.]
- Plot of where else IDs seen at seed IP have been seen in two weeks.
- Most far-flung sites are wireless gateways, with many other wireless gateways in set.
- Plot shows most hopped-to IPs are nearby, confirming reported seed geo data.

Comment (Tony Yustein): Where are they getting the geo data? Some spy apps on phones? Or mobile carriers sharing this data, which is most likely...

Slide 10: Effect of Invalid Geo Information
- [Figure: same layout as slide 9; longitude scale is non-linear; square = profiled/seed IP location; line height = number of unique hopped-to IPs at location.]
- Geo incongruence: displacement of seed location from distribution center strongly suggests data error.
- Effect of invalid seed geo information readily apparent.

Comment (Tony Yustein): This is because of the IP address geolocation accuracy problem.

Slide 11: Hop-Out Destinations Seen
- Other domestic airports
- Other terminals, lounges, transport hubs
- Hotels in many cities
- Mobile gateways in many cities
- Etc.

Comment (Tony Yustein): Obviously, travelers go to other airports and hotels...

Slide 12: "Discovered" Other CDN Airport IP
- Domestic terminal.
- Closeness of majority of hopped-to IPs confirms geo data.
- But, domestic airport can also look like a busy hotel ...

Comment (Tony Yustein): Yeah, but it has to be an airport hotel, right? Are they talking about the Hilton at Pearson Airport???

Slide 13: IDs Presence Profile at "Discovered" Airport
- [Figure: each horizontal line shows presence pattern of one ID, sorted by order of appearance; x-axis: time/days.]
- Dominant pattern is each ID is seen briefly, just once – as expected.

Slide 14: Profiles of Discovered Hotel
- [Figure: ID presence pattern; x-axis: time/days.]
- Many IDs present over a few days.

Slide 15: Profiles of Discovered Enterprise
- [Figure: ID presence pattern; x-axis: time/days.]
- Regular temporal presence (M-F) with local geographic span.
- Contrasts well against travel/roaming nodes.

Comment (Tony Yustein): Enterprises? Not fun for corporate secrets, right?

Slide 16: Discovered Coffee Shop, Library
- [Figures: ID presence patterns for a coffee shop and a library; x-axis: time/days.]
- Similar patterns of mixed temporal & local geographic presence.

Comment (Tony Yustein): So latte or cappuccino is selling more?

Slide 17: Discovered Wireless Gateway
- [Figure: ID presence pattern; x-axis: time/days.]
- Wireless gateway not unlike a hotel, except ...

Comment (Tony Yustein): What do they mean by wireless gateways? Wi-Fi access points of private homes?

Slide 18: Partial Range Profile of Wireless Gateway
- [Figure: bar chart, number of IDs seen on each IP (0–500) for individual IP numbers 1–8 in a range of 8; two series: "ID Total on IP" and "Common IDs".]
- For wireless gateway, range behaviour is revealing.
- Most IDs seen on an IP are also scattered across entire range.
- ID totals & traffic across full range are very high.

Comment (Tony Yustein): This means profiling with wireless gateways is not efficient at this moment.
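Slides 13 to 18 describe each category of address by the shape of its ID-presence plot. As an added example (not part of the deck or the commentary), the block below reduces such a plot to three numbers per address and applies rule-of-thumb labels. The presence records are constructed (made-up IDs, day 0 assumed to be a Monday) and the thresholds in `classify` are assumptions chosen to separate the three constructed cases; the deck speaks only of "formal modeling developments" and gives no numbers.

```python
from collections import defaultdict

# Constructed presence records (user_id, day_index) for three hypothetical
# addresses over a two-week window. Day 0 is taken to be a Monday, so the
# weekend days are 5, 6, 12 and 13. None of this is real data.
WEEKDAYS = [d for d in range(14) if d % 7 < 5]

PRESENCE = {
    # airport-like: 40 distinct IDs, each seen on exactly one day
    "airport": [(f"t{i}", i % 14) for i in range(40)],
    # hotel-like: 12 guests, each present on three consecutive days
    "hotel": [(f"g{i}", (i % 11) + d) for i in range(12) for d in range(3)],
    # enterprise-like: 8 staff IDs, present every weekday, never at the weekend
    "enterprise": [(f"e{i}", d) for i in range(8) for d in WEEKDAYS],
}


def presence_features(records):
    """Summarise the visual pattern of slides 13-15 as numbers per address:
    how many IDs, what share were seen on a single day only, what share were
    ever seen at a weekend, and the mean number of days an ID was present."""
    days_by_id = defaultdict(set)
    for uid, day in records:
        days_by_id[uid].add(day)
    n = len(days_by_id)
    single_day = sum(1 for s in days_by_id.values() if len(s) == 1) / n
    weekend = sum(1 for s in days_by_id.values() if any(d % 7 >= 5 for d in s)) / n
    mean_days = sum(len(s) for s in days_by_id.values()) / n
    return {"ids": n, "single_day_share": single_day,
            "weekend_share": weekend, "mean_days": mean_days}


def classify(features):
    """Rule-of-thumb labels; the thresholds are assumptions for this example."""
    if features["single_day_share"] >= 0.8:
        return "travel node"          # slide 13: each ID seen briefly, just once
    if features["weekend_share"] == 0 and features["mean_days"] >= 5:
        return "enterprise"           # slide 15: regular M-F presence
    if 2 <= features["mean_days"] <= 5:
        return "hotel"                # slide 14: many IDs present over a few days
    return "mixed"                    # slides 16-17: coffee shop, library, gateway


def classify_all(presence=PRESENCE):
    return {name: classify(presence_features(recs)) for name, recs in presence.items()}


if __name__ == "__main__":
    for name, recs in PRESENCE.items():
        print(name, presence_features(recs), "->", classify(presence_features(recs)))
```

The order of the rules matters: a travel node is recognised by single-day IDs before the weekday test runs, otherwise an airport with no weekend traffic would be mislabelled as an enterprise. Slide 12's caveat that a domestic airport "can also look like a busy hotel" is exactly the boundary between the first and third rules.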

Slide 19: Mission Impact of IP Profiling
- Tipping and Cueing Task Force (TCTF): a 5-Eyes effort to enable the SIGINT system to provide real-time alerts of events of interest; alert to: target country location changes, webmail logins with time-limited cookies, etc.
Comment (Tony Yustein): This means SSL is not secure anymore, for sure...
- Targets/enemies still target air travel and hotels: airlines: shoe/underwear/printer bombs …; hotels: Mumbai, Kabul, Jakarta, Amman, Islamabad, Egyptian Sinai …
- Analytic can hop-sweep through IP address space to identify set of IP addresses for hotels and airports; detecting target presence within set will trigger an urgent alert.
- Aim to productize analytics to reliably produce set of IPs for alerting.
Comment (Tony Yustein): My personal opinion is that other methods of spying are much more efficient for tracking down terrorists than this, so I think this is an excuse to have a system to track everyone.

Slide 20: IP Profiling Summary
- Different categories of IP ownership/use show distinct characteristics: airports, hotels, coffee shops, enterprises, wireless gateways, etc.
- Clear characteristics enable formal modeling developments.
- Clear identification of hotels and airports enables critical Tipping & Cueing tradecraft.
Comment (Tony Yustein): Obviously... people eat, sleep and travel...
- Geo-hop profile can confirm/refute IP geo look-up information; later could fold in time deltas for enhanced modeling.
- Can "sweep" a region/city for roaming access points to IP networks; leads to a new needle-in-a-haystack analytic ...
Comment (Tony Yustein): So, another excuse to use more taxpayer money to increase computing capacity...

Slide 21: Tradecraft Problem Statement
- A kidnapper based in a rural area travels to an urban area to make ransom calls: can't risk bringing attention to low-population rural area; won't use phone for any other comms (or uses payphones ...).
- Assumption: he has another device that accesses IP networks from public access points.
Comment (Tony Yustein): Having a device isn't necessary; he could use internet cafes, libraries, etc.
- He is also assumed to use IP access around the time of the ransom calls.
Comment (Tony Yustein): A lot of assumptions here...
- Question: knowing the time of the ransom calls, can we discover the kidnapper's IP ID/device? A "contact chain" across an air-gap (not a correlation of selectors).
Comment (Tony Yustein): Wow, somebody is watching a lot of James Bond movies! This is very highly unlikely to happen...

Slide 22: Solution Outline
- With earlier IP profiling analytics, we can "sweep" a city/region to discover and determine public accesses.
- We can then select which IP network IDs are seen as active in all times surrounding the known ransom calls: reduce set to a shortlist.
- Then we examine the reduced set of IP network IDs and eliminate baseline heavy users in the area that fall into the set intersection just because they are always active; that is, eliminate those that are highly active outside the times of the ransom calls.
- Hopefully leaves only the one needle from the haystack.
Comment (Tony Yustein): So much money spent, so many civil rights breached, and now "hopefully"???

Slide 23: First Proof-of-Concept
- Swept a modest-size city and discovered two high-traffic public access ranges with >300,000 active IDs over 2 weeks; used for initial expediency due to computational intensity.
- Presumed that there were 3 ransom calls, each 50 hours apart during daytime; looked for IDs within 1 Hr of calls; reduced large set to a shortlist of just 19 IP network IDs.
- Examined activity level of 19 IP network IDs: how many presences each had in 1 Hr slots over two weeks.
- Main worry as the computation was running: there would be a lot of IDs that showed just a handful of appearances, e.g. 3, 4, 5 instances.
Comment (Tony Yustein): OK, Big Brother is watching now...

Slide 24: ID Presence of Shortlist
- [Figure: each horizontal line shows presence of one ID over time/hour-slots; one row marks the postulated presence of the kidnapper/target.]
- Happy result: least active ID had appearances in 40 hour-slots! Thus could eliminate all, leaving just the kidnapper (if he was there).
Comment (Tony Yustein): Again, lots of ifs here...
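The "contact chain across an air-gap" of slides 21 to 24, as an added worked example; this is not CSEC code and not part of Tony Yustein's commentary. It uses the deck's own scenario parameters (three calls 50 hours apart during daytime, a 1-hour window, 1-hour presence slots over two weeks) on a constructed set of ID presences in two hypothetical access ranges. The IDs and their activity are made up, and the cut-off for a "baseline heavy user" (`max_outside`) is an assumption, since the deck only reports that every shortlisted ID in its run had at least 40 presences. The sweep step of slide 22 is taken as already done: the records are assumed to come from the two public access ranges it found.

```python
from collections import Counter

# Constructed ID-IP presence records (user_id, access_range, hour_slot) over a
# two-week window of 336 hour-slots, where hour_slot = day * 24 + hour. The two
# ranges stand for slide 23's public access ranges; none of this is real data.
HOURS = 14 * 24
# Slide 23's scenario: three ransom calls, 50 hours apart, during daytime.
CALL_SLOTS = [10, 60, 110]          # day 0 10:00, day 2 12:00, day 4 14:00


def _daily(start_hour, end_hour, days=14):
    return [d * 24 + h for d in range(days) for h in range(start_hour, end_hour)]


OBSERVATIONS = (
    [("heavy-1", "range-A", s) for s in _daily(8, 18)]       # office-hours regular, 140 slots
    + [("heavy-2", "range-B", s) for s in _daily(9, 17)]     # another regular, 112 slots
    + [("needle", "range-A", s) for s in (9, 61, 110, 200)]  # near each call, otherwise rare
    + [("partial", "range-A", s) for s in (10, 59)]          # near two calls, misses the third
    + [("visitor", "range-B", s) for s in (30, 31, 32)]      # unrelated short visit
)


def ids_present(observations, lo, hi):
    return {uid for uid, _, slot in observations if lo <= slot <= hi}


def shortlist(observations, call_slots, window=1):
    """Slide 22 step 2: IDs active within `window` hours of every call."""
    sets = [ids_present(observations, c - window, c + window) for c in call_slots]
    return set.intersection(*sets)


def presences_outside_calls(observations, ids, call_slots, window=1):
    """Slide 23's activity check: number of hour-slots in which each
    shortlisted ID was seen, excluding the call windows themselves."""
    def in_window(slot):
        return any(abs(slot - c) <= window for c in call_slots)

    counts = Counter({uid: 0 for uid in ids})
    for uid, _, slot in observations:
        if uid in ids and not in_window(slot):
            counts[uid] += 1
    return counts


def contact_chain(observations, call_slots, window=1, max_outside=10):
    """Slide 22 steps 2-3: shortlist by intersection, then drop baseline heavy
    users. max_outside is an assumed cut-off; the deck gives no number."""
    candidates = shortlist(observations, call_slots, window)
    outside = presences_outside_calls(observations, candidates, call_slots, window)
    survivors = {uid for uid in candidates if outside[uid] <= max_outside}
    return candidates, survivors


if __name__ == "__main__":
    print(contact_chain(OBSERVATIONS, CALL_SLOTS))             # ({'heavy-1','heavy-2','needle'}, {'needle'})
    print(contact_chain(OBSERVATIONS, CALL_SLOTS, window=0))   # needle lost: ({'heavy-1','heavy-2'}, set())
```

Two things the run makes visible. First, the intersection step alone keeps every office-hours regular, because anyone present all day is trivially present at all three daytime calls; it is the second step, the count of presences outside the call windows, that removes them. Second, the `window=0` call shows the fragility the deck's "if he was there" and "loosening assumptions of target behaviour" allude to: shrinking the window by one hour drops the constructed target from the shortlist entirely, and nothing in the method signals that the needle was missed.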

Slide 25: Big-Data Computational Challenge
- All the previous analytics, while successful experimentally, ran much too slowly to allow for practical productization.
- CARE: Collaborative Analytics Research Environment, a big-data system being trialed at CSEC (with NSA launch assist): simple distributed computing; non-extraordinary hardware; minimal impedance between memory, storage and processors; highly optimized, in-memory database capabilities; columnar storage, high-performance vector functional runtime; powerful but challenging programming language (derived from APL).
- Result of first experiments with CARE: game-changing; run-time for hop-profiles reduced from 2+ Hrs to several seconds; allows for tradecraft to be profitably productized.
Comment (Tony Yustein): Great, near-real-time tracking...

Slide 26: Overall Summary
- IP profiling showing terrific value: significant analytic asset for IP networks and target mobility; enables critical capability within Tipping & Cueing Task Force; working to productize on powerful new computational platform; broader SSO accesses/apertures coming online at CSEC; look to formalize models & fold in timing deltas.
- A new needle-in-a-haystack analytic is viable: contact chaining across air-gaps, enabled by sweep capability of IP profiling; should test further to understand robustness with respect to loosening assumptions of target behaviour; beyond kidnapping, tradecraft could also be used for any target that makes occasional forays into other cities/regions.
Comment (Tony Yustein): Any target? So you accept monitoring all possible targets, which is the whole Canadian population...

Slide 27: Tradecraft Studio Example
- Possible route for productizing analytics.
- Comments by: Tony Yustein

Comment (Tony Yustein): So when China or Russia do this we call it wrong; how come we can justify doing this at home in Canada? What are our politicians doing, who are they serving?
