surveillance & anonymity cs642 computer security adam everspaugh

Size: px

Start display at page:

Download "surveillance & anonymity cs642 computer security adam everspaugh"

Geraldine Merritt
6 years ago
Views:

2 surveillance & anonymity cs642 computer security adam everspaugh

3 today Internet-wide scanning, zmap Massive surveillance, packet inspection Anonymous browsing, TOR

4 TCP handshake Client SYN seqc,0 SYN/ACK seqs,seqc+1 Server ACK seqc+1,seqs+1 TCP connection established SYN = syn flag set ACK = ack flag set x,y = x is sequence #, y is acknowledge #

5 mass scanning What if we want to scan the "whole internet"? Why? / Find all the unsecured webcams [shodani.io] / Find all the broken webservers How would we do this? / nmap -p /32 / IPv4: 32-bits - 14% IANA reserved addresses How long would this take? / Assume mean round-trip time = 100ms think-pair-share

6 zmap [zmap, Durumeric et al.] ZMap paper: 1300x faster than nmap How?

7 fast scanning Client Record responses SYN SYN SYN SYN SYN SYN SYN SYN SYN/ACK SYN/ACK SYN/ACK SYN/ACK RST RST RST

8 zmap Can't scan at high-speed in-order Why? a a 8 a 9 a 1 a a 7 a 3 ZMap uses a permutation over the address space a 6 a 5 a 4 Random ordering, but don't have to track list of scanned addresses

9 dual ec Investigating "rigged" random number generator (RNG) called "dual elliptic curve" (dual EC) RNG that could be used in setting up TLS connections Q: How many web servers support this RNG in real life? Scanned IPv4 with ZMap / 39M servers responding on port 443 / Took 48 hours from CSL@UW Probed each web server with instrumented OpenSSL client (recorded TLS handshake) / 22M TLS (half-)handshakes; took 4 weeks [On the Practical Exploitability of Dual-EC, Checkoway et al.]

10 AT&T Wiretap case Mark Klein discloses potential wiretapping activities by NSA at San Francisco AT&T office Fiber optic splitter on major trunk line for Internet communications Electronic voice and data communications copied to secret room Narus STA 6400 device

Interception technology From Narus website [http://narus.com/index.

11 Interception technology From Narus website [ Target by phone number, URI, account, user name, keyword, protocol, application and more, Service- and network agnostic, IPV 6 ready Collects at wire speeds beyond 10 Gbps

12 Wiretap surveillance Interception gear Other major backbone AT&T network Other major backbone MAE-West (Metropolitan Area Exchange, West) Large amounts of Internet traffic cross relatively few key points

13 Types of packet inspection IP datagram IP header TCP header Appl header user data Internet service providers need only look at IP headers to perform routing Shallow packet inspection investigates lower level headers such as TCP/UDP Which inspection is most powerful? What are the technology challenges? Deep packet inspection (DPI) analyzes application headers and data

14 Intrusion Detection Systems (IDS) Web server Internet Customer databases Inner firewall IDS Outer firewall What can an IDS do that a router cannot? Store information for forensics Match known attack patterns (malware, XSS, SQL injection)

15 Preventing intercept End-to-end encryption (TLS, SSH) Interception gear IP: Other major backbone AT&T network IP: What does this protect? What does it leak? What can go wrong? think-pair-share

16 End-run around HTTPS HTTPS terminated at edge of Google networks Internal data center-to-data center communications on privately leased lines

17 Hiding connectivity is harder IP addresses are required to route communication, yet not encrypted by normal end-to-end encryption talked to over HTTPs How can we hide connectivity information?

18 Tor (The Onion Router) Interception gear IP: Other major backbone AT&T network IP: Tor Node Other major backbone Tor Node Tor Node Client -> > > > Destination Called a circuit

19 IP: IP: Onion routing: the basic idea Src: Dest: HTTP packet Src: Dest: Encrypted to Src: Dest: Encrypted to Src: Dest: Encrypted to Tor implements more complex version of this basic idea

20 What does adversary see? Src: Dest: HTTP packet Interception gear IP: Other major backbone AT&T network IP: Tor Node Other major backbone Tor Node Tor Node Tor obfuscates who talked to whom, need end-to-end encryption (e.g., HTTPS) to protect payload

21 Dec 2016: Eldo Kim, Harvard sophomore, sent bomb threats using Guerilla Mail (anonymous service) Used ToR to connect to Guerilla Mail (from his dorm room) Caught within 2 days How did he get caught? Guerilla Mail indicated user connected via ToR node FBI compared timestamp on to Harvard network logs, He was the only one using ToR at that time, confessed when confronted

22 [As of: April 13, 2016]

23 Other anonymization systems Single-hop proxy services Anonymizer.com JonDonym, anonymous r ers (MixMaster, MixMinion), many more

24 recap Internet-wide scanning, zmap Massive surveillance, packet inspection Anonymous browsing, TOR

network security s642 computer security adam everspaugh

network security s642 computer security adam everspaugh network security s642 adam everspaugh ace@cs.wisc.edu computer security today Announcement: HW3 to be released WiFi IP, TCP DoS, DDoS, prevention 802.11 (wifi) STA = station AP = access point BSS = basic