We are NOT Secure

Security is everything. We as beings seek to feel secure in all aspects. Safety speaks to the preservation of life, and that means survival. But, as we know, there is always someone, or someones, that seeks to change your state of security. Someone that seeks to exploit and milk you of your resources. In this modern age, information is the resource they want to steal the most. To know is to have power, and those who know the most control the most. So it is with a sense of gravity and importance that I share a paper, which was part of the DEFCON 18 conference in São Paulo, on how secure we really are. Snowden, Manning and Assange know this stuff, and this is why they are in perennial danger. WE cannot keep silent, though. Read, spread the word. Thanks to DEFCON.org and Blackhat.com for keeping the fight alive. We writers will Write your times.

The Machines that Betrayed their Masters

The mobile devices we carry betray us to those who want to invade our privacy. Other researchers [1] have suggested that there is little difference between government-mandated tracking devices and mobile phones - after all, a mobile phone is just a real-time tracking device that reports your current location to one of a few telecommunication companies that are required by law to turn that information over to the government. Combine this with data interception laws and large-scale data mining initiatives [2], and we have the commonly painted picture of the Big Brother Orwellian state. Large Internet organisations such as Google, Yahoo, Twitter, and Facebook have enough data on a large proportion of the planet's citizens to understand the relationships, tastes, and even thoughts of their users. As Moxie put forward, "Who knows more about the citizens in their own country, Kim Jong-il, or Google?" [3]

Governments with unsavory privacy policies and data-hungry social media companies aside, what degree of monitoring, interception, and profiling could the average citizen or small organization impose on their fellow man? The Snoopy project was created to explore just this, and is perhaps a warning that we should not only be cautious of the more obvious/large privacy adversary. Snoopy is a distributed tracking, data interception, and profiling framework. It was created on a shoestring budget, and has been freely released.

Distributed? Snoopy has a client/server model, with numerous 'drones' deployed in the field collecting data about the Wi-Fi signals the devices in your pockets are emitting. All of this data is uploaded to a central server for processing. A drone may be any Linux based device that has an IEEE 802.11 adapter supporting packet injection, and some form of Internet connectivity. Examples of drone devices include the Nokia N900, the SheevaPlug, and the RaspberryPi.

Tracking? If the signals your devices are emitting are unique, then we can track your movements. For example, 802.11 (Wi-Fi) or 802.15 (Bluetooth) signals would include your device's unique MAC addresses. With enough drones deployed over an area it would be possible to monitor people's movements on both a macro and micro scale. For example, deploying drones at every London underground station we could observe a device (and its master) entering the underground at Liverpool Street station each morning between 8am and 9am, and leaving at Victoria Station at 10am. At the macro scale we could observe large-scale human movement patterns [3].

Passive Data Interception? The devices we carry may emit more than just an identifying signal, as per the above point. They may also inadvertently disclose information about themselves, or their masters. For example, Snoopy monitors for 802.11 probe requests.

These requests reveal the vendor of the device (via the MAC), but of greater interest include the names of the networks the device is looking for. Alas, the default behavior of all our wireless gadgets is to constantly search for every wireless network we've ever saved. The harm in this may be subtle at first thought, but for example, we are able to determine the street address of these SSIDs if they are suitably unique.
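As an added illustration (not part of the original abstract or the Snoopy project), the following self-audit shows the two disclosures just described from the device owner's side: it takes probe-request records as a monitor-mode capture of your own phone would yield them (constructed inline here), lists which saved network names the device is broadcasting, and flags whether its source MAC is a stable vendor-assigned address or a locally administered (randomised) one. The field layout and the risk labels are this example's own assumptions.

```python
# Added example: audit what a device's own 802.11 probe requests leak.
# Records are constructed to stand in for a capture of your own device:
# (timestamp, source MAC, probed SSID). An empty SSID is a broadcast
# (wildcard) probe, which names no saved network.
SAMPLE_PROBES = [
    ("08:01:02", "00:11:22:33:44:55", "HomeWiFi-2.4"),
    ("08:01:02", "00:11:22:33:44:55", "CoffeeShop_Guest"),
    ("08:01:03", "00:11:22:33:44:55", "Office-Corp"),
    ("08:01:03", "00:11:22:33:44:55", ""),
    ("08:01:07", "da:a1:19:ab:cd:ef", ""),
    ("08:01:08", "da:a1:19:ab:cd:ef", "Office-Corp"),
]


def is_locally_administered(mac: str) -> bool:
    """True when the U/L bit (bit 1 of the first octet) is set: the address is
    locally administered, which is what OS-level MAC randomisation produces.
    A clear bit means a globally unique, vendor-assigned MAC whose OUI
    identifies the vendor and which follows the device everywhere."""
    first_octet = int(mac.split(":")[0], 16)
    return bool(first_octet & 0x02)


def audit_probes(probes):
    """Group the named (non-wildcard) SSIDs each source MAC probed for and
    flag whether the MAC itself is a stable, trackable identifier."""
    leaked = {}
    for _ts, mac, ssid in probes:
        mac = mac.lower()
        ssids = leaked.setdefault(mac, set())
        if ssid:  # directed probe: discloses a saved network name
            ssids.add(ssid)
    report = {}
    for mac, ssids in leaked.items():
        stable = not is_locally_administered(mac)
        # Assumed labels: a stable MAC plus named SSIDs is the worst case in
        # the text above (trackable device that also says where it has been).
        risk = "high" if (stable and ssids) else "medium" if ssids else "low"
        report[mac] = {
            "randomised_mac": not stable,
            "leaked_ssids": sorted(ssids),
            "risk": risk,
        }
    return report


if __name__ == "__main__":
    for mac, info in audit_probes(SAMPLE_PROBES).items():
        print(mac, info)
```

Pruning the saved-network list on the device, or enabling MAC randomisation where the platform offers it, is what turns a "high" result into "medium" or "low".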

Active Data Interception? Snoopy can create rogue access points, tricking your devices into obtaining their Internet via them. Cunningly, all data is routed through the Snoopy server - allowing traffic analysis or manipulation at a central point (which Snoopy does plenty of).

Profiling? Snoopy explores collected data with the assistance of Maltego. We have numerous transforms to explore physical world movements (e.g. who attended Black Hat Vegas, Abu Dhabi, and Amsterdam?) and Internet traffic (e.g. extracting friends from Facebook traffic). Numerous transforms have been written, but it is trivial for the end user to write their own.

Many aspects of Snoopy exist independently of other projects, but when brought together, we believe their whole is greater than the sum of their individual parts.

=================================================================

[1] Def Con 18 Changing threats to privacy - Moxie Marlinspike - https://www.youtube.com/watch?v=eG0KrT6pBPk

[2] Palantir Technologies Nabs $56M In New Funding - http://techcrunch.com/2012/05/16/palantir-new-funding/

[3] The Really Smart Phone - http://online.wsj.com/article/SB10001424052748704547604576263261679848814.html?KEYWORDS=Really+Smart

[4] https://www.blackhat.com

Presented by

Daniel Cuthbert
