<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Michael N. Dundas &#187; Privacy and Anonymity</title>
	<atom:link href="http://michaeldundas.com/category/privacy-anonymity/feed/" rel="self" type="application/rss+xml" />
	<link>http://michaeldundas.com</link>
	<description>Precision, Integrity, Communication</description>
	<lastBuildDate>Sat, 04 Feb 2012 18:58:14 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3</generator>
		<item>
		<title>Money always trumps security when they are in opposition</title>
		<link>http://michaeldundas.com/2010/08/09/money-always-trumps-security-when-they-are-in-opposition/</link>
		<comments>http://michaeldundas.com/2010/08/09/money-always-trumps-security-when-they-are-in-opposition/#comments</comments>
		<pubDate>Tue, 10 Aug 2010 03:35:57 +0000</pubDate>
		<dc:creator>Clear2Go</dc:creator>
				<category><![CDATA[Encryption]]></category>
		<category><![CDATA[Privacy and Anonymity]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Surveillance]]></category>

		<guid isPermaLink="false">http://michaeldundas.com/?p=1977</guid>
		<description><![CDATA[I have been following the RIM security saga with India and Saudi Arabia.  I have previously mentioned, I have been in the U.A.E. in the past performing security consulting.  A few facts I know: All HTTP goes through a proxy. If you connect to a service provider, all your flows go through an HTTP proxy [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://michaeldundas.com/wp-content/uploads/2010/08/Flag_of_the_United_Arab_Emirates.png"><img class="alignright size-full wp-image-1995" title="Flag_of_the_United_Arab_Emirates" src="http://michaeldundas.com/wp-content/uploads/2010/08/Flag_of_the_United_Arab_Emirates.png" alt="" width="200" height="100" /></a>I have been following the <a href="http://www.rim.net">RIM</a> security saga with India and Saudi Arabia.  I have previously mentioned, I have been in the <a href="http://en.wikipedia.org/wiki/United_Arab_Emirates">U.A.E.</a> in the past performing security consulting.  A few facts I know:</p>
<p><strong>All HTTP goes through a proxy. </strong>If you connect to a service provider, all your flows go through an HTTP proxy system.  The proxy system scans requests and compares them to a database of categorized sites.   The government provides policies to the service providers, and it is required by law they are enforced.  They are enforced in real time.  Attempting to visit an unauthorized site you will be re-directed to a page in Arabic explaining that it is not permitted.  I actually kept a screen capture of the page and was going to post it, but I can&#8217;t find it.  However, if you are in Dubai, just try to go to a site that has questionable material.  You will be re-directed.  Anyone can do it, it is not a secret.</p>
<p><strong>HTTPS was ready to be implemented. </strong>Approximately 2 years ago, they were testing the ability to decrypt SSL on the fly so that they could perform analysis on the requests and grant or deny access as with HTTP traffic.  I am sure this is deployed by now.</p>
<p><strong>Voice Over IP, Instant messaging and other protocols had specific policies.</strong> I won&#8217;t go into the details here, as I don&#8217;t know how public this information is, but there were active policies deployed around these and other protocols.</p>
<p><strong>Privacy is not the same as in North America.</strong> In North America, many of us feel that privacy is slowly being eroded.  In comparison to Dubai, our policies with respect to privacy are impressive.  The ISP has the right to watch what you are doing and actively grant, block, and log your activities.  It is actually a requirement in order to get a license to be an ISP from the Government.</p>
<p>When Saudi Arabia indicated they were going to ban Research In Motion devices due to the fact the government was unable to decrypt communications as needed, I was hopeful that RIM would say too bad.  Of course that was the idealist in me, hoping that RIM, a Canadian company that markets BlackBerry security as one of its key features, would not be compromised.  The realist in me understands that the Middle East is a growing market and from a business perspective RIM has no choice but to be a part of it.  If you want to do business in Canada you have to play by our rules, so it only makes sense that if you want to do business in the U.A.E., you have to play by their rules.  As expected, RIM <a href="http://www.thestar.com/business/companies/rim/article/845265--rim-reaches-deal-with-saudi-arabia-dodging-blackberry-ban">reached a deal with Saudi Arabia</a>.  They also <a href="http://www.reuters.com/article/idUSTRE6720A320100803">reached a deal with India</a> earlier this week.</p>
<p>What I find amusing is the <a href="http://www.reuters.com/article/idUSTRE67151F20100802">latest spin they have put on security</a> given the situation.</p>
<blockquote><p>RIM made no direct comment on any discussions  with the UAE or others, but it sought to reassure customers about the  security of their data on BlackBerry networks.  &#8220;While  RIM does not disclose confidential regulatory discussions that take  place with any government, RIM assures its customers that it is  committed to continue delivering highly secure and innovative products  that satisfy the needs of both customers and governments,&#8221; the company  said in a statement to customers.</p>
<p>A RIM spokeswoman could not be reached for comment.</p>
<p>RIM  said in its statement that under its security system customers have  their own encryption key and &#8220;only the customer ever possesses a copy&#8221;  of that key.</p></blockquote>
<p>While I am sure they have not lied, you can&#8217;t have it both ways.  Either you comply with the government request that they can decrypt messages and data as they require, or you don&#8217;t.  Any other suggestion implies that the laws within the UAE have changed.  I am not a lawyer, but I haven&#8217;t seen any news about new laws protecting UAE citizens&#8217; privacy.  The best part is the last statement, how the customers have their own encryption key that only they possess.  I am sure that statement is true.   But it is what is not said that is telling.  Are there any more encryption keys other than the one the customer possesses with respect to the customer&#8217;s messages?   Companies that deploy encryption and decryption of email, files, and data in general give each employee a copy of their own key that only they possess.  When encrypting data, the system creates some sort of a unique key (let&#8217;s call it E) that is actually used to encrypt or decrypt the data.  The E key is then encrypted with the customer&#8217;s encryption key (let&#8217;s call that key Ec).  The trick with businesses is that the E key is also encrypted with their own key (let&#8217;s call it Eb).  If you lose your key (Ec) or refuse to give it when asked, they can use their key Eb to decrypt and obtain the E key.  Once they have the E key, they can then decrypt the message.  There are several variations to this, but the basic premise from a recovery perspective is the same.</p>
<p style="text-align: center;"><a href="http://michaeldundas.com/wp-content/uploads/2010/08/emailEncRecovProcessHighLevel2.png"><img class="size-full wp-image-1987 aligncenter" title="emailEncRecovProcessHighLevel2" src="http://michaeldundas.com/wp-content/uploads/2010/08/emailEncRecovProcessHighLevel2.png" alt="" width="508" height="311" /></a></p>
<p>This is not the first time this has happened either.  Not sure how many people remember <a href="http://www.hushmail.com/">Hushmail</a>.  I wrote about them <a href="http://michaeldundas.com/2009/06/20/outsourcing-i-t-to-google-part-i-the-concerns/">here</a>.  Hushmail marketing was based on the fact that if you used them for email, no one but you could retrieve your email stored on their servers.  Even Hushmail staff was not able to retrieve the email if they wanted to as they did not have the keys.  (Sound familiar to the RIM article above?).  Yet, when U.S. law enforcement contacted them about an individual they were investigating, Hushmail was able to <a href="http://www.wired.com/threatlevel/2007/11/hushmail-to-war/">provide them with 12 CDs filled with unencrypted emails of the individual under investigation</a>.</p>
<p>While I don&#8217;t blame RIM for their bowing to the governments of India and Saudi Arabia if they wish to do business in their countries, I dislike the spin they are placing on security.   They are misleading the public and playing on the fact that many people do not understand the intricacies of security.  While they are not lying, I strongly suspect they are not being forthright.</p>
<p>When all the dust settles, it is important that people realize that money is what drives business.  You can claim all the morals, goals, and visions you want.  But if at some point these come into conflict and enough money is at stake, compromises will be made.  Security unfortunately is no different.</p>
]]></content:encoded>
			<wfw:commentRss>http://michaeldundas.com/2010/08/09/money-always-trumps-security-when-they-are-in-opposition/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>SSL Decryption is becoming the norm</title>
		<link>http://michaeldundas.com/2010/06/22/ssl-decryption-is-becoming-the-norm/</link>
		<comments>http://michaeldundas.com/2010/06/22/ssl-decryption-is-becoming-the-norm/#comments</comments>
		<pubDate>Tue, 22 Jun 2010 15:23:20 +0000</pubDate>
		<dc:creator>Clear2Go</dc:creator>
				<category><![CDATA[Forensics]]></category>
		<category><![CDATA[Privacy and Anonymity]]></category>
		<category><![CDATA[Surveillance]]></category>

		<guid isPermaLink="false">http://michaeldundas.com/?p=1838</guid>
		<description><![CDATA[A couple of years ago I was at a client&#8217;s site in Dubai.  The client was a telco, and I was doing some security consulting for them.   Like many countries in the Middle East, Dubai actively monitors data entering and leaving the country.  Privacy laws as far as I could determine do not exist.  All [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://michaeldundas.com/wp-content/uploads/2010/06/eavesdroppingOnApartmentDoor.png"><img class="alignright size-full wp-image-1860" title="eavesdroppingOnApartmentDoor" src="http://michaeldundas.com/wp-content/uploads/2010/06/eavesdroppingOnApartmentDoor.png" alt="" width="211" height="320" /></a>A couple of years ago I was at a client&#8217;s site in Dubai.  The client was a telco, and I was doing some security consulting for them.   Like many countries in the Middle East, Dubai actively monitors data entering and leaving the country.  Privacy laws as far as I could determine do not exist.  All internet communications are actively monitored.  It is quite common to suddenly see a web page pop up explaining in Arabic that the site you are trying to view is not authorized and you have been denied.  Telcos there have spent millions of dollars on infrastructure in order to enforce these requirements.  The design is not as complex as one might think, just resource intensive.  Resources are required to process the data in real time, and staff are required to maintain the infrastructure, look into events and perform other tasks.  Telcos do this because it is required by law.  You cannot obtain a license as a Telco unless you have monitoring capabilities deployed.</p>
<p>My first day in Dubai, I went to lunch with one of the executives of the Telco.  During our lunch, I asked him how they manage encrypted connections.  He explained that they were currently getting ready to deploy a solution to solve that.  The infrastructure was being upgraded to decrypt all SSL sessions and parse the data as required.   Aside from opening my eyes to the difference in privacy between North America and the Middle East, I found it interesting that SSL decryption was so easily available.   Previously, I had seen software that law enforcement used for this purpose.  I myself had done it for clients using available tools during an engagement.  But these tools were designed more for targeted surveillance, not mass scale.  Like all technology, it improves and gets less expensive over time, I guess.</p>
<p>Today, there are many more companies in North America and abroad that either have deployed SSL decrypting capabilities or are in the process of doing so.  Security, diagnostics, audit and legal requirements to know what is coming and leaving their networks and being able to log and trace back data transmissions to the originator are some of the reasons.  One driver is Data Leakage Protection (DLP), currently a very &#8216;hot&#8217; topic with many new vendors jumping on the opportunity with solutions.  In order to look for data leakage, you need to see past any encryption that might be present.  <a href="http://cisco.com/">Cisco</a>, <a href="http://www.bluecoat.com/">Bluecoat</a>, <a href="http://www.paloaltonetworks.com/">PaloAlto</a>, <a href="http://www.fortinet.com/">Fortinet</a> are just a few companies that offer products for SSL decryption.</p>
<p>With Google deploying encryption for <a href="https://gmail.com">Gmail</a> and more recently <a href="https://www.google.com/">searching</a>, and plug-ins such as the <a href="http://www.eff.org/deeplinks/2010/06/encrypt-web-https-everywhere-firefox-extension">EFF Firefox plug-in</a> to help secure your communications, companies are feeling more and more concerned about what data is coming and going.  What worries me is that all these security, legal and audit requirements companies face are actually not helping them in the long run.   If these companies are decrypting SSL sessions that egress and ingress their network, you can be sure that other companies are doing the same to theirs.  The net result is that everything is decrypted and no one has any privacy.</p>
<p>Next time you connect to your bank, doctor&#8217;s office, insurance company, Gmail or any site and see secure indications from your browser similar to these<a href="http://michaeldundas.com/wp-content/uploads/2010/06/httpsGmailURL.png"><img class="aligncenter size-full wp-image-1856" title="httpsGmailURL" src="http://michaeldundas.com/wp-content/uploads/2010/06/httpsGmailURL.png" alt="" width="284" height="27" /></a><a href="http://michaeldundas.com/wp-content/uploads/2010/06/firefoxSSLLock.png"><img class="aligncenter size-full wp-image-1857" title="firefoxSSLLock" src="http://michaeldundas.com/wp-content/uploads/2010/06/firefoxSSLLock.png" alt="" width="110" height="22" /></a></p>
<p>along with the company&#8217;s reassurances that the site is secure, keep in mind things may not be as they appear &#8211; today even more so than yesterday.</p>
<p>Do you deploy any type of decryption on your network?  If it is deployed are you aware of it?</p>
<p style="text-align: right;"><a href="http://www.flickr.com/photos/joehowell/2314400543/"><em>photo credit</em></a></p>
]]></content:encoded>
			<wfw:commentRss>http://michaeldundas.com/2010/06/22/ssl-decryption-is-becoming-the-norm/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>Information leakage and privacy</title>
		<link>http://michaeldundas.com/2010/03/01/information-leakage-and-privacy/</link>
		<comments>http://michaeldundas.com/2010/03/01/information-leakage-and-privacy/#comments</comments>
		<pubDate>Mon, 01 Mar 2010 21:29:57 +0000</pubDate>
		<dc:creator>Clear2Go</dc:creator>
				<category><![CDATA[Forensics]]></category>
		<category><![CDATA[Privacy and Anonymity]]></category>

		<guid isPermaLink="false">http://michaeldundas.com/?p=1622</guid>
		<description><![CDATA[Have you ever sent an email from a personal email account at work such as Hotmail, Gmail, or your personal account at your service provider?  When you do that you might assume that since you are sending the email from a central system it would not be possible for the recipient to obtain information about [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://michaeldundas.com/wp-content/uploads/2010/03/drainPipeWithLeak.png"><img class="alignright size-full wp-image-1638" title="drainPipeWithLeak" src="http://michaeldundas.com/wp-content/uploads/2010/03/drainPipeWithLeak.png" alt="" width="315" height="210" /></a>Have you ever sent an email from a personal email account at work such as Hotmail, Gmail, or your personal account at your service provider?  When you do that you might assume that since you are sending the email from a central system it would not be possible for the recipient to obtain information about you beyond what you give them and an email address.  Unfortunately this is not true.  Information is leaked in many ways.  SMTP, DNS, HTTP all can leak information about a particular individual or organization.  In my experience, most people know this is possible, but fail to grasp the ease with which information about a person or company can be discovered.</p>
<p>Here is a simple example to illustrate.  I have found when speaking to many users of email, they feel that their location could not be determined by the recipient of an email unless they specifically give it, or that it would at least be difficult to find out.  They feel even more comfortable with this statement when they are using their personal email from a terminal at work or an Internet cafe via a browser.</p>
<p>I was recently corresponding with a friend of mine.  She has a Rogers email account that she uses for her personal email.  She sent me a response to an email.  By looking at the email itself, there is no information that would give away where she was located.  However, if I look at the email headers a wealth of information is available.  Let&#8217;s focus on one piece.</p>
<p><a href="http://michaeldundas.com/wp-content/uploads/2010/03/emailHeaderWebLeak1Highlight.png"><img class="alignnone size-full wp-image-1627" title="emailHeaderWebLeak1Highlight" src="http://michaeldundas.com/wp-content/uploads/2010/03/emailHeaderWebLeak1Highlight.png" alt="" width="828" height="290" /></a></p>
<p style="text-align: center;"><strong><em>* headers not required for purposes of entry have been removed and others edited as required to protect identities</em></strong></p>
<p style="text-align: left;">The &#8216;Received:&#8217; header above displays an IP address.  Taking that IP address and doing a &#8216;whois&#8217; (shown below) reveals the company name where the email originated.</p>
<p style="text-align: center;"><a href="http://michaeldundas.com/wp-content/uploads/2010/03/emailHeaderWebLeakWhois1.png"><img class="size-full wp-image-1630 aligncenter" title="emailHeaderWebLeakWhois1" src="http://michaeldundas.com/wp-content/uploads/2010/03/emailHeaderWebLeakWhois1.png" alt="" width="641" height="350" /></a></p>
<p style="text-align: center;"><em><strong>* removed ISP information and edited company info to ensure privacy</strong></em></p>
<p style="text-align: left;">How could this information be used?  If someone wanted to surreptitiously gather intelligence on a target, one could send an email to a target asking an innocuous question.  By responding, the target has unknowingly revealed their place of employment.  A few searches on Google, a picture on Facebook of yourself and family members &#8230; you get the idea.</p>
<p style="text-align: left;">This type of information gathering has valid uses.  Determining a time-line of a target and their actions from a corporate or legal investigation, determining if your spouse is cheating on you, or your teenage child is lying are some examples.</p>
<p style="text-align: left;">I am not suggesting that you should try to hide this or not use the Internet.  I am also not suggesting it will be fixed anytime soon, if ever.  I am suggesting to be aware.  Be aware that in today&#8217;s world, data about yourself is being leaked all the time and any determined individual or group can find out what you are up to with minimal effort.  Be aware that even the most common activity leaks data.</p>
<p style="text-align: left;">How secure or anonymous do you feel when using the Internet?</p>
<p style="text-align: right;"><a href="http://www.flickr.com/photos/cjsutton/427610103/"><em>photo credit</em></a></p>
]]></content:encoded>
			<wfw:commentRss>http://michaeldundas.com/2010/03/01/information-leakage-and-privacy/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Identifying the anonymous in today&#8217;s digital world</title>
		<link>http://michaeldundas.com/2010/01/28/identifying-the-anonymous-in-todays-digital-world/</link>
		<comments>http://michaeldundas.com/2010/01/28/identifying-the-anonymous-in-todays-digital-world/#comments</comments>
		<pubDate>Thu, 28 Jan 2010 16:29:09 +0000</pubDate>
		<dc:creator>Clear2Go</dc:creator>
				<category><![CDATA[Privacy and Anonymity]]></category>
		<category><![CDATA[Profiling]]></category>

		<guid isPermaLink="false">http://michaeldundas.com/?p=1475</guid>
		<description><![CDATA[A few years ago, I was having a discussion with an acquaintance who was involved in an investigation.  One individual they were tracking kept changing his mobile phone every few days.  Each new mobile was typically pay as you go or stolen and personal information connected to the mobile was either false or not available.  [...]]]></description>
			<content:encoded><![CDATA[<div id="attachment_1478" class="wp-caption alignright" style="width: 224px"><a href="http://michaeldundas.com/wp-content/uploads/2010/01/anonymousTimesThree.png"><img class="size-full wp-image-1478" title="anonymousTimesThree" src="http://michaeldundas.com/wp-content/uploads/2010/01/anonymousTimesThree.png" alt="" width="214" height="179" /></a><p class="wp-caption-text">http://www.flickr.com/photos/solarider/2255744829/</p></div>
<p>A few years ago, I was having a discussion with an acquaintance who was involved in an investigation.  One individual they were tracking kept changing his mobile phone every few days.  Each new mobile was typically pay as you go or stolen and personal information connected to the mobile was either false or not available.  Yet the investigators were able to very quickly determine the new number of the individual each time they switched mobile numbers.    How they did this at the time impressed me, and I use the logic to this day.</p>
<p>Throughout the course of the investigation they were able to determine who this individual contacted.  A few of the mobiles that the individual contacted did not routinely change their mobile number.  As a result, by watching the calling patterns of the mobile phones where the numbers did not change, the investigators could quickly determine a new number that suddenly was calling each of the static numbers in a similar pattern.  This of course requires access to mobile network data, but it worked.  Even though this individual thought they were not being tracked, their efforts to remain anonymous were, unknown to them, ineffective.   As a side note, there is software that will search for and detect these types of calling patterns automatically.  The same logic here can easily be applied to an Internet connection.</p>
<p>A more common example is when you are pulled over by a police officer and you don&#8217;t have your license.  Aside from them giving you a ticket for not having your license on your person, they will most likely ask you for your full name and birth date.  The reason for the birth date is to help assure them that when they go back to the cruiser to search on their laptop, the records they obtain are actually yours and not someone else with the same name.   How many Michael Dundas&#8217; are there in Canada?  Not sure, but the number of Michael Dundas&#8217; with the exact same birth date really lowers the probability of a false positive.  This same logic can be applied to social networking and there is interesting <a href="http://33bits.org/2009/05/13/your-morning-commute-is-unique-on-the-anonymity-of-homework-location-pairs/">research</a> in this <a href="http://news.bbc.co.uk/2/hi/technology/7967648.stm">area</a> including <a href="http://arstechnica.com/tech-policy/news/2009/03/pulling-back-the-curtain-on-anonymous-twitterers.ars">twitter</a>.</p>
<p>The EFF recently published a post on <a href="http://www.eff.org/deeplinks/2010/01/primer-information-theory-and-privacy">information theory and privacy</a>.  In it they discuss the concept of Entropy and how it applies to information and privacy.  It touches a bit on some of the math behind it, but if you are interested it is a good explanation of why when you think you are anonymous you may not be, even when you take precautions.  If you skip the math, their example of how a &#8216;user-agent&#8217; header transmitted by your browser can narrow you down to one of 1500 people can start to give people that are new to information and anonymity a good perspective.</p>
]]></content:encoded>
			<wfw:commentRss>http://michaeldundas.com/2010/01/28/identifying-the-anonymous-in-todays-digital-world/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>You can still be detected if using a proxy</title>
		<link>http://michaeldundas.com/2009/11/02/you-can-still-be-detected-if-using-a-proxy/</link>
		<comments>http://michaeldundas.com/2009/11/02/you-can-still-be-detected-if-using-a-proxy/#comments</comments>
		<pubDate>Mon, 02 Nov 2009 22:44:36 +0000</pubDate>
		<dc:creator>Clear2Go</dc:creator>
				<category><![CDATA[Privacy and Anonymity]]></category>

		<guid isPermaLink="false">http://michaeldundas.com/?p=1052</guid>
		<description><![CDATA[Setting your proxy settings in Firefox or Internet Explorer does not mean that you are undetectable.  In fact, with most websites today embedding  applications that provide video, audio, gaming and other services, it is more common than ever before to find evidence in logs and databases that can reveal who you are.  Most involved with [...]]]></description>
			<content:encoded><![CDATA[<p><img class="alignleft size-full wp-image-1054" title="Britney Spears 3 Video - thumb Picture" src="http://michaeldundas.com/wp-content/uploads/2009/11/bs3VideoThumb1.png" alt="Britney Spears 3 Video - thumb Picture" width="180" height="113" />Setting your proxy settings in Firefox or Internet Explorer does not mean that you are undetectable.  In fact, with most websites today embedding applications that provide video, audio, gaming and other services, it is more common than ever before to find evidence in logs and databases that can reveal who you are.  Most involved with network security already know this, but if you are not, you may think you are anonymous when in fact you are not.</p>
<p>I was talking to an individual recently who was involved in an investigation.  They assumed that by using a proxy, the target site would not have an IP address or any other data logged that could link them to the target site.  I explained this is a false assumption and why, but it got me thinking about others that may be in law enforcement or corporate security conducting investigations and feel comfortable they are hidden via a proxy service when they are actually exposed.</p>
<p>If a target site wants to detect you, there are many ways it can accomplish this easily, and often they obtain identifying information unintentionally.  Here is a quick and simple example I put together.  First, I shut down all the servers and clients on my home network except a single computer and the gateway.  On the gateway, I captured all the traffic entering and leaving the network. Next, I configured Firefox to use an SSH proxy.  SSH has the ability to emulate a SOCKS4 or SOCKS5 proxy.  A side note to using SOCKS4 or SOCKS5 is that DNS is not proxied.  This is not a concern for this particular investigative scenario, but could be a concern for other investigations, so it is important to be aware of that issue should it become a concern during an investigation.</p>
<p>Firefox was configured to proxy via Socks 5:</p>
<p><img class="alignnone size-full wp-image-1063" title="sshProxyConfigExample1" src="http://michaeldundas.com/wp-content/uploads/2009/11/sshProxyConfig1.png" alt="sshProxyConfigExample1" width="504" height="552" /></p>
<p>Next, I visited a site that hosted the latest <a href="http://www.hollywoodtuna.com/britneyspears3.html">Britney Spears video entitled &#8216;3&#8217;</a>.  The page load is shown below.</p>
<p><img class="alignnone size-full wp-image-1060" title="britneySpears3Video" src="http://michaeldundas.com/wp-content/uploads/2009/11/britneySpears3Video.png" alt="britneySpears3Video" width="762" height="752" /></p>
<p>The initial page loads along with the embedded video player.  Up to this point, the logs show that the packets are ingressing and egressing via the configured proxy server only, which is our desired behaviour.</p>
<p><img class="alignnone size-full wp-image-1067" title="initalHTTPLoadViaProxyCleansed" src="http://michaeldundas.com/wp-content/uploads/2009/11/initalHTTPLoadViaProxyCleansed.png" alt="initalHTTPLoadViaProxyCleansed" width="935" height="254" /></p>
<p style="text-align: left;">The communication as shown above between the proxy server and the client continues until the video player application loads.  Once the player loads, it first does a DNS request for the video service.</p>
<p style="text-align: left;"><img class="alignnone size-full wp-image-1081" title="bsVideoPlayerDNSQueryCleansed" src="http://michaeldundas.com/wp-content/uploads/2009/11/bsVideoPlayerDNSQueryCleansed.png" alt="bsVideoPlayerDNSQueryCleansed" width="942" height="60" /></p>
<p style="text-align: left;">The player then connects directly to the video service, bypassing the proxy.  At this point you have been identified.   This continues as the audio and video is streamed to the client.</p>
<p style="text-align: left;"><img class="alignnone size-full wp-image-1074" title="bsRTMPStream1Cleansed" src="http://michaeldundas.com/wp-content/uploads/2009/11/bsRTMPStream1Cleansed.png" alt="bsRTMPStream1Cleansed" width="943" height="227" /></p>
<p>Keep in mind that you may already have been identified through the proxy itself.  It is entirely possible and likely that the website or player has transmitted other information about your system within the RTMP stream itself or even HTTP.  The problem stems from the fact that these embedded objects are in fact executable programs that can bypass the browser and other system settings.</p>
<p>If you are involved in an investigation where you don&#8217;t want to be detected by the target, do not assume that by using a proxy you are safe from detection.  There are ways to avoid detection in this way, but they require more sophisticated network and client configuration.  Regardless of your setup and configuration I would suggest always capturing the data transmitted and received.  Even if you don&#8217;t analyze every packet, it provides a detailed log of what actually was transmitted and received allowing you to go back and verify if necessary.</p>
]]></content:encoded>
			<wfw:commentRss>http://michaeldundas.com/2009/11/02/you-can-still-be-detected-if-using-a-proxy/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Tracking with Local Shared Objects (LSO)</title>
		<link>http://michaeldundas.com/2009/09/15/tracking-with-local-shared-objects-lso/</link>
		<comments>http://michaeldundas.com/2009/09/15/tracking-with-local-shared-objects-lso/#comments</comments>
		<pubDate>Wed, 16 Sep 2009 02:44:32 +0000</pubDate>
		<dc:creator>Clear2Go</dc:creator>
				<category><![CDATA[Encryption]]></category>
		<category><![CDATA[Privacy and Anonymity]]></category>
		<category><![CDATA[Surveillance]]></category>

		<guid isPermaLink="false">http://michaeldundas.com/?p=926</guid>
		<description><![CDATA[There has been lots of discussion lately about Flash websites using Local Shared Objects (LSO) to track users selections, browsing habits, and other information.  One of the advantages for websites has been that until now they have not been well known.  From my basic searching they have been around since at least 2004 and probably [...]]]></description>
			<content:encoded><![CDATA[<p><img class="alignleft size-full wp-image-927" title="Adobe Flash Logo" src="http://michaeldundas.com/wp-content/uploads/2009/09/flashLogo1.png" alt="Adobe Flash Logo" width="63" height="63" /></p>
<p>There has been lots of discussion lately about <a href="http://www.adobe.com/products/flashplayer/">Flash</a> websites using Local Shared Objects (LSO) to track users&#8217; selections, browsing habits, and other information.  One of the advantages for websites has been that until now they have not been well known.  From my basic searching they have been around since at least 2004 and probably earlier.  A user may configure their browser to remove or delete all &#8216;cookies&#8217;, but LSOs stay.  According to some, many of the top websites use them.</p>
<p>I tried a little experiment to see how LSOs are stored.  The directory in which they are stored varies depending upon your operating system.  I use Linux as my primary O/S.  The default directory for LSOs is ~/.macromedia/Flash_Player.</p>
<p><img class="aligncenter size-full wp-image-929" title="Clean Macromedia directory" src="http://michaeldundas.com/wp-content/uploads/2009/09/cleanMacroMediaDirectory1.png" alt="Clean Macromedia directory" width="745" height="321" /></p>
<p>Under the &#8216;Flash_Player&#8217; directory there are two directories, and under each of these directories are the security configuration and the binary installer for the Flash Air application.  Nothing interesting.  Next, I started Firefox and went to youtube.com and selected a video.  After the video completed, I took another look at the ~/.macromedia/Flash_Player directory.</p>
<p><img class="aligncenter size-full wp-image-931" title="macroMediaDirAfterYouTube1" src="http://michaeldundas.com/wp-content/uploads/2009/09/macroMediaDirAfterYouTube1.png" alt="macroMediaDirAfterYouTube1" width="1055" height="796" /></p>
<p>Under ~/.macromedia/Flash_Player we now have two new directories, macromedia.com and #SharedObjects.  If we descend into the macromedia.com directory, we find 3 nested single directories called support, flashplayer, and sys respectively.  Under the &#8216;sys&#8217; directory we find a binary file called settings.sol and a subdirectory called #s.ytimg.com, a domain owned by <a href="http://google.ca">Google</a>.  The #s.ytimg.com directory contains a separate settings.sol which is binary.</p>
<p><img class="aligncenter size-full wp-image-935" title="macroMediaDirAfterYouTube2" src="http://michaeldundas.com/wp-content/uploads/2009/09/macroMediaDirAfterYouTube2.png" alt="macroMediaDirAfterYouTube2" width="1055" height="511" /></p>
<p>Under the #SharedObjects directory, there is a single oddly named directory &#8216;3BJH4AW6&#8217;, then a directory for the website &#8216;s.ytimg.com&#8217;, a domain owned by Google.  Below this are two files entitled videostats.sol and soundData.sol, both containing binary data.</p>
<p>I haven&#8217;t investigated the format or contents of the .sol files, but it is obviously where the metadata is stored.  I may try to investigate the format or see if anyone else has already figured it out as I am curious.  The bigger question in my mind is how does one properly erase this data.  There is a Firefox add-on called <a href="https://addons.mozilla.org/en-US/firefox/addon/6623">BetterPrivacy</a> which will do just that. It can be configured to delete LSOs on request or remove all the LSOs when you shut down Firefox.  I installed BetterPrivacy and tried it.  Sure enough, upon shutting down Firefox I was greeted with this window:</p>
<p><img class="aligncenter size-full wp-image-937" title="betterPrivacyConfirm1" src="http://michaeldundas.com/wp-content/uploads/2009/09/betterPrivacyConfirm1.png" alt="betterPrivacyConfirm1" width="519" height="160" /></p>
<p>Selecting OK put my ~/.macromedia/Flash_Player directory back to its original state with no LSOs or website directories present.  For the normal user that should suffice.  However, these are files and they have been deleted.  Most people should know that files that are deleted these days are typically still recoverable.   Files deleted on file systems such as NTFS (Windows) and ext2/ext3 (*nix) can all be recovered.  In the case of ext3, it is a journaling file system and the default file system installed on most *nix platforms today.  Without getting into the details in this post, this effectively means that even if you wipe a file it can potentially still be recovered.</p>
<p>If you carry around sensitive information on your laptop, I recommend you create an encrypted volume on your hard drive using a package such as <a href="http://www.truecrypt.org/">TrueCrypt</a> or <a href="http://www.pgp.com/">PGP</a>.  In the case of my system, I formatted the encrypted file system to be ext2.  This means there is no journaling.  This has the disadvantage of being less &#8216;recoverable&#8217; but it has the advantage that if you wipe a file with &#8216;wipe&#8217;, &#8216;shred&#8217; or some other wiping software it is unlikely to be recovered.  Next, I point my ~/.macromedia directory to the encrypted file system.</p>
<p><img class="aligncenter size-full wp-image-939" title="dirsToEncryptedFS1" src="http://michaeldundas.com/wp-content/uploads/2009/09/dirsToEncryptedFS1.png" alt="dirsToEncryptedFS1" width="1055" height="302" />You can see the ~/mndData file which is the truecrypt filesystem.  ~/.macromedia is symbolically linked to the encrypted filesystem.  For those interested, you can see that my Evolution (~/.evolution), Google Desktop (~/.google), Firefox Cache and bookmarks (~/.mozilla), IM client (~/.purple) and Skype (~/.Skype) all write to the encrypted file system.  You have to be able to mount the ~/mndData to get at any of the email, browser cache, bookmarks, IM conversations and now LSOs.  It isn&#8217;t foolproof, but it offers another layer of protection so that client data remains unviewable in the event of my laptop being stolen.</p>
]]></content:encoded>
			<wfw:commentRss>http://michaeldundas.com/2009/09/15/tracking-with-local-shared-objects-lso/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>No covert pictures please &#8211; removing sound from your PDA when you take a picture</title>
		<link>http://michaeldundas.com/2009/07/03/no-covert-pictures-please-removing-sound-from-your-pda-when-you-take-a-picture/</link>
		<comments>http://michaeldundas.com/2009/07/03/no-covert-pictures-please-removing-sound-from-your-pda-when-you-take-a-picture/#comments</comments>
		<pubDate>Fri, 03 Jul 2009 14:10:34 +0000</pubDate>
		<dc:creator>Clear2Go</dc:creator>
				<category><![CDATA[Privacy and Anonymity]]></category>

		<guid isPermaLink="false">http://michaeldundas.com/?p=661</guid>
		<description><![CDATA[At work we have this white board which has a up-to-date list of a particular project my team is working on.  It is nice in that you can just look up at it while in the office or anyone can walk over and get current information.  One of the guys on the team likes to [...]]]></description>
			<content:encoded><![CDATA[<div id="attachment_665" class="wp-caption alignleft" style="width: 310px"><img class="size-full wp-image-665" title="nocameraLogo1" src="http://michaeldundas.com/wp-content/uploads/2009/07/nocameraLogo1.jpg" alt="http://www.flickr.com/photos/lwr/3318166499/" width="300" height="300" /><p class="wp-caption-text">http://www.flickr.com/photos/lwr/3318166499/</p></div>
<p>At work we have this white board which has an up-to-date list of a particular project my team is working on.  It is nice in that you can just look up at it while in the office or anyone can walk over and get current information.  One of the guys on the team likes to see the list get shorter.  For these reasons we keep it on the white board.  The problem is when you are working remotely, as I often do, how do you obtain the current status?  My solution is to take a picture of it with my PDA before I leave at the end of each day.  Besides keeping a time chronology of the project with the pictures, it allows me to pull it up on my laptop when I am not in the office and work.</p>
<p>This morning, I am sitting in Starbucks working away and I get my PDA out to download the latest task list picture to my laptop.  In the process of getting to the application, I accidentally took a picture of my table.  The mouse was on the &#8216;take a picture&#8217; selection by default and I must have pressed the enter key.   Two people heard the &#8216;click&#8217; noise and immediately looked over.  No big deal, but I found their reactions interesting and amusing.  The next thought was to ask myself the question how does one disable the sound?  Turns out you cannot.</p>
<p>A quick look around the web and I discovered a few things on the topic of PDAs and the sound of the picture taking.  RIM, the makers of Blackberry, do not provide the option to disable the noise.  Some speculate this is because RIM doesn&#8217;t want you covertly taking pictures, but maybe they just forgot or dropped it from the design due to time pressures.  Regardless it seemed kind of silly.</p>
<p>It is well accepted nowadays that there is no expectation of privacy in public.  Stores, businesses, and places of employment have cameras both overt and covert that constantly record and store the people and activities.  Street cameras downtown constantly record and store traffic and the movements of people.  If this is acceptable, why is it not acceptable for an individual to take a picture?  I find the assumption that there is more risk to individuals taking pictures or video than a registered business or government entity very naive.  Turns out there is even an attempt somewhere in the world to <a href="http://www.berryreview.com/2009/01/28/camera-phone-predator-alert-act-wants-to-force-clicking-sound-for-cellphone-cameras/">put a law in place that</a> would &#8216;require&#8217; the noise on all digital devices.</p>
<p>No matter, like all things there are ways around it.  A quick search led me to <a href="http://software.crackberry.com/product.asp?id=19977&amp;n=BerryAnnoying">this application.</a> Downloaded it to my blackberry and problem solved.  No technical wizardry required.  I can now take silent pictures of my table and I won&#8217;t disturb the people sitting over on the couch.  These laws are just silly.  If someone really wants to take covert pictures they will always be able to do it and regulating the technology will not help.</p>
<p>The question is not about technology; it is about the expectation of privacy.  If there is an expectation of privacy in public, then change the laws to support that and enforce it.  However, based on the court decisions I have read over the years, there is never an expectation of privacy in public.  I am not a lawyer, but I believe that precedent has been set.   If you query most people on this topic,  they will assume they are being photographed and recorded on video regularly, and they would be silly not to.</p>
]]></content:encoded>
			<wfw:commentRss>http://michaeldundas.com/2009/07/03/no-covert-pictures-please-removing-sound-from-your-pda-when-you-take-a-picture/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Using DNS to determine when someone is home &#8212; DNS analysis, Part II</title>
		<link>http://michaeldundas.com/2009/04/12/using-dns-to-determine-when-someone-is-home-dns-analysis-part-ii/</link>
		<comments>http://michaeldundas.com/2009/04/12/using-dns-to-determine-when-someone-is-home-dns-analysis-part-ii/#comments</comments>
		<pubDate>Mon, 13 Apr 2009 02:28:18 +0000</pubDate>
		<dc:creator>Clear2Go</dc:creator>
				<category><![CDATA[Forensics]]></category>
		<category><![CDATA[Privacy and Anonymity]]></category>

		<guid isPermaLink="false">http://kaizen.michaeldundas.com/?p=280</guid>
		<description><![CDATA[Last month, I did a quick write up on a DNS trace that I had extracted.  The trace was all the DNS queries that left my house over a few days.  Using that same trace, I noticed that there were many queries to the domain of my employer.   This in itself was not unusual, but [...]]]></description>
			<content:encoded><![CDATA[<p>Last month, I did a <a href="http://kaizen.michaeldundas.com/2009/02/15/dns-analysis-part-i/">quick write up on a DNS trace</a> that I had extracted.  The trace was all the DNS queries that left my house over a few days.  Using that same trace, I noticed that there were many queries to the domain of my employer.   This in itself was not unusual, but one particular query caught my eye:</p>
<p>2009-02-08 05:34:02.680383 IP 216.240.7.12.58684 &gt; 208.67.222.222.53: 30554+ A? ap-1.sandvine.com. (35)<br />
2009-02-08 05:34:03.037603 IP 208.67.222.222.53 &gt; 216.240.7.12.58684: 30554 1/0/0 A 216.16.234.191 (51)</p>
<p>This query happened every 10-20 minutes.  Tracing it back I realized it was coming from my mobile phone.  This got me to thinking, could one determine when I was or was not home with just access to a DNS trace?  To answer that I did a bit of investigation of the address ap-1.sandvine.com.</p>
<p style="text-indent:0;margin:0;">mike@Janel:~/investigation/homeDns$ dig @ns1.domainmonger.com ap-1.sandvine.com</p>
<p style="text-indent:0;margin:0;">
<p style="text-indent:0;margin:0;">
<p style="text-indent:0;margin:0;">; &lt;&lt;&gt;&gt; DiG 9.5.0-P2 &lt;&lt;&gt;&gt; @ns1.domainmonger.com ap-1.sandvine.com</p>
<p style="text-indent:0;margin:0;">; (1 server found)</p>
<p style="text-indent:0;margin:0;">;; global options:  printcmd</p>
<p style="text-indent:0;margin:0;">;; Got answer:</p>
<p style="text-indent:0;margin:0;">;; -&gt;&gt;HEADER&lt;&lt;- opcode: QUERY, status: NOERROR, id: 36335</p>
<p style="text-indent:0;margin:0;">;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0</p>
<p style="text-indent:0;margin:0;">;; WARNING: recursion requested but not available</p>
<p style="text-indent:0;margin:0;">
<p style="text-indent:0;margin:0;">;; QUESTION SECTION:</p>
<p style="text-indent:0;margin:0;">;ap-1.sandvine.com.		IN	A</p>
<p style="text-indent:0;margin:0;">
<p style="text-indent:0;margin:0;">;; ANSWER SECTION:</p>
<p style="text-indent:0;margin:0;">ap-1.sandvine.com.	60	IN	A	216.16.234.191</p>
<p style="text-indent:0;margin:0;">
<p style="text-indent:0;margin:0;">;; AUTHORITY SECTION:</p>
<p style="text-indent:0;margin:0;">sandvine.com.		60	IN	NS	ns1.domainmonger.com.</p>
<p style="text-indent:0;margin:0;">sandvine.com.		60	IN	NS	ns2.domainmonger.com.</p>
<p style="text-indent:0;margin:0;">
<p style="text-indent:0;margin:0;">;; Query time: 92 msec</p>
<p style="text-indent:0;margin:0;">;; SERVER: 216.98.150.33#53(216.98.150.33)</p>
<p style="text-indent:0;margin:0;">;; WHEN: Sun Apr 12 12:29:19 2009</p>
<p style="text-indent:0;margin:0;">;; MSG SIZE  rcvd: 100</p>
<p style="text-indent:0;margin:0;">
<p style="text-indent:0;margin:0;">mike@Janel:~/investigation/homeDns$</p>
<p>From the above, the record for ap-1.sandvine.com refreshes every 60 seconds.  That means that my mobile ignores the refresh request from the DNS.  While interesting to know, it doesn&#8217;t help answer my question.</p>
<p>I extracted all queries to ap-1.sandvine.com, the timestamp for each and quickly plotted them with gnuplot.  Next, I pulled my calendar and daily logs and added notes to the graph. The y-axis is irrelevant.  The red dots show when the queries were made and the green arrows and notes are my comments based on my calendar and logs.</p>
<p><img class="alignleft" src="http://michaeldundas.com/images/blog/mikeAtHomeDNSGraph.png" alt="" width="2037" height="564" /></p>
<p>A third party could easily determine when I was or was not home with a high degree of certainty.    With mobile phones now having wi-fi capabilities and connecting to the local wireless network it becomes trivial to use them as a vector to determine when someone is home or not.  I ran the same analysis on my wife&#8217;s mobile and got similar results (I didn&#8217;t add them to the chart here).</p>
<p>Obviously you could use other protocols and do a much more detailed analysis and correlation (or just execute standard physical surveillance), but DNS is good in that it is required for the Internet, a standard, and is not encrypted.  This was a relatively simple exercise and reasonably cost effective.   I am not a lawyer, but I suspect based on the <a href="http://www.schneier.com/blog/archives/2009/03/privacy_and_the_1.html">ongoing privacy</a> debate and  some recent <a href="http://www.michaelgeist.ca/content/view/3757/135/">court</a> <a href="http://www.privacylawyer.ca/blog/2008/09/more-from-ontario-courts-on-warrantless.html">decisions</a> that DNS queries executed by an individual or a business might be considered &#8216;public&#8217; with no expectation of privacy.  I&#8217;d argue that with access to DNS information from a particular entity, one could glean interesting information from a competitive company.</p>
]]></content:encoded>
			<wfw:commentRss>http://michaeldundas.com/2009/04/12/using-dns-to-determine-when-someone-is-home-dns-analysis-part-ii/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Centralization of data and privacy</title>
		<link>http://michaeldundas.com/2009/03/07/centralization-of-data-and-privacy/</link>
		<comments>http://michaeldundas.com/2009/03/07/centralization-of-data-and-privacy/#comments</comments>
		<pubDate>Sat, 07 Mar 2009 14:17:31 +0000</pubDate>
		<dc:creator>Clear2Go</dc:creator>
				<category><![CDATA[Data Management]]></category>
		<category><![CDATA[External Services]]></category>
		<category><![CDATA[Information]]></category>
		<category><![CDATA[Privacy and Anonymity]]></category>

		<guid isPermaLink="false">http://kaizen.michaeldundas.com/?p=225</guid>
		<description><![CDATA[&#8220;There is a distinct difference between secrecy and privacy.&#8221; &#8211; Alanis Morissette, Interview I heard that quote a few years ago, it is one that has always stuck with me.  Personally, I am a big proponent of respecting privacy, but secrecy is an entirely different thing.  Where the line is drawn depends on each individual [...]]]></description>
			<content:encoded><![CDATA[<p><em>&#8220;There is a distinct difference between secrecy and privacy.&#8221; &#8211; Alanis Morissette, Interview</em></p>
<p>I heard that quote a few years ago; it is one that has always stuck with me.  Personally, I am a big proponent of respecting privacy, but secrecy is an entirely different thing.  Where the line is drawn depends on each individual unfortunately.</p>
<p>Previously, when doing security consulting for businesses, one of the common themes was the employer&#8217;s ability to access email, files, voice mail and even phone conversations of an employee if they felt it was necessary.   Taking email for example, most employers feel they have a right to read any email that enters or leaves their company network, regardless of whether it is private in nature or not.  I have been given arguments that the employer owns the equipment and the network, is ultimately responsible, and must have the ability to do these types of activities if they feel it necessary.   I had a discussion with an individual who was a senior executive and who felt very strongly in favour of this opinion.  I then gave him a scenario where he was collaborating with another company in a different province and the conversations were around some trade secrets or business that was sensitive in nature.  I asked him if it would be okay if his upstream ISP or one of the ISPs along the path captured and read his email correspondence with this company.  His response was an absolute &#8216;no&#8217;, it would not be okay.  I then stated that it is the ISP&#8217;s network and they are ultimately responsible for the security and integrity of it.  Two things happened.  First, he didn&#8217;t like the conversation anymore; that became very obvious.  Second, he made some statement about it being &#8216;different&#8217; and changed the topic.  This made me realize that everyone wants secrecy for themselves, but does not want anyone to keep secrets from them.  Yes, a very obvious statement, but I think it also comes down to that simple concept which drives all these debates, discussions, and laws or lack of laws.</p>
<p>So why am I bringing this up?   Michael Hyatt has a blog that I read regularly.  I don&#8217;t know him personally, but he seems like a good guy and has some insightful entries.  <a href="http://michaelhyatt.com/2009/02/8-reasons-i-love-gmail.html">He recently commented on the idea</a> of <a href="http://www.google.com/apps/intl/en/business/messaging.html">using Gmail for his business email.</a> I completely understand why he is considering it, and would argue that if you are a small or medium size business it could make complete sense financially and logistically.   What about the privacy implications?  What if Google has a security breach and data is lost or stolen?  What if <a href="http://kaizen.michaeldundas.com/2009/01/04/144/">Google is late to apply a security patch?</a> What if there is a security hole that Google isn&#8217;t aware of but a criminal is?   If there is a legal issue with a company in Germany that is using a cloud computing application, whose laws apply for data access?  Suppose you accept the terms of service and policies around Gmail and choose to use their service for email.  A year later, you change your mind and wish to have all your email transferred to a different server or service.  Can you do this?  Will all your data be erased from Gmail servers and their backup systems so they could never retrieve it again?  Do you care?</p>
<p>I think technology, innovation, and the internet are awesome.  But I also think it is very important that individuals and businesses realize and think seriously about the privacy implications.  Some suggest this is pointless.   With <a href="http://docs.google.com">GoogleDocs</a>, <a href="http://gmail.com">Gmail</a>, <a href="http://www.reallysimplesystems.com/">online</a> <a href="http://www.salesforce.com">CRM</a> <a href="http://www.circle-interactive.co.uk/solutions/crm">systems</a>, and the multitude of other cloud computing applications available and in use, we have already made this decision even if it is somewhat unconsciously as a society.   I feel this statement may be right, and that makes me sad.</p>
]]></content:encoded>
			<wfw:commentRss>http://michaeldundas.com/2009/03/07/centralization-of-data-and-privacy/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>TLS/SSL data leakage</title>
		<link>http://michaeldundas.com/2009/02/05/tlsssl-data-leakage/</link>
		<comments>http://michaeldundas.com/2009/02/05/tlsssl-data-leakage/#comments</comments>
		<pubDate>Fri, 06 Feb 2009 02:03:02 +0000</pubDate>
		<dc:creator>Clear2Go</dc:creator>
				<category><![CDATA[Forensics]]></category>
		<category><![CDATA[Privacy and Anonymity]]></category>

		<guid isPermaLink="false">http://kaizen.michaeldundas.com/?p=197</guid>
		<description><![CDATA[If you ask most people about TLS or SSL, they understand that it has something to do with &#8216;securing&#8217; information that is on the Internet.  People with a networking background will understand it as an encrypted session which encrypts everything above layer 5, effectively user data.  In the case of HTTP, this would include the [...]]]></description>
			<content:encoded><![CDATA[<p><img class="alignleft" src="http://michaeldundas.com/images/blog/padlock1.jpg" alt="" width="16" height="18" /> If you ask most people about TLS or SSL, they understand that it has something to do with &#8216;securing&#8217; information that is on the Internet.  People with a networking background will understand it as an encrypted session which encrypts everything above layer 5, effectively user data.  In the case of HTTP, this would include the URL that a user was requesting such as https://www.tdcanadatrust.com.   I was looking at a network capture file recently, and was shocked to find at the start of the session the server that I was accessing in the initial client hello packet of the SSL session, specifically http://www.tdcanadatrust.com.</p>
<p><img class="aligncenter" title="Network Capture of ssl hello" src="http://michaeldundas.com/images/blog/clientHelloWithServerName1.png" alt="" width="616" height="269" /></p>
<p>You can see the server name in the SSL client hello packet.  The hello packet is the first part of the initial SSL handshake sequence when an application attempts to establish an SSL session.</p>
<p>Using Wireshark, and digging a little deeper, I found it is classified as an &#8216;Extension&#8217; labeled &#8216;server_name&#8217;.</p>
<p><img class="aligncenter" title="Network Details of client hello packet server name" src="http://michaeldundas.com/images/blog/clientHelloWithServerNameDetails2b.png" alt="" width="598" height="705" /></p>
<p>It appears to be one of the acceptable extensions for SSL.  A quick check of the RFC revealed that it is an optional addition that applications such as a browser can add to the SSL negotiation process.</p>
<p>&lt;snip&gt;<br />
.2. Extended Server Hello</p>
<p>The extended server hello message format MAY be sent in place of the<br />
server hello message when the client has requested extended<br />
functionality via the extended client hello message specified in<br />
Section 2.1.</p>
<p>&#8230;&#8230;</p>
<p>In order to provide the server name, clients MAY include an extension<br />
of type &#8220;server_name&#8221; in the (extended) client hello.  The<br />
&#8220;extension_data&#8221; field of this extension SHALL contain<br />
&#8220;ServerNameList&#8221; where:</p>
<p>struct {<br />
NameType name_type;<br />
select (name_type) {<br />
&lt;/snip&gt;</p>
<p>As it turns out, this functionality was added to permit virtual hosting of SSL/TLS enabled sites.  Without it, every site requires a unique IP address.  With that reasoning, I expect it to become commonplace in the future.  One can argue that by having the destination IP address (which is not encrypted) of a network flow, determining which site a user is visiting when each IP address is mapped to a single SSL application is trivial.  Therefore adding this extended server_name option is no different and hence there are no added privacy concerns.   While I agree with this, it makes it much easier for the automation of statistics and monitoring of network flows.</p>
<p>The main point to keep in mind is that although your data is still encrypted, TLS/SSL still reveals the sites you visit.</p>
]]></content:encoded>
			<wfw:commentRss>http://michaeldundas.com/2009/02/05/tlsssl-data-leakage/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
	</channel>
</rss>

