Monday, October 22, 2012

More Security and Surveillance Analysis

I should probably put some of what I've previously said into better context. I was examining Ethernet over Power (powerline networking) solutions and it seems clear that a lot of them use the same chipsets and can often be configured by the same software to be interoperable. Hence my interest in the total possible number of practical/theoretical 'class breaks' in existing security technology.

My interest in surveillance/counter-surveillance stems from recent discussion regarding a possible change in laws in several developed countries. The laws basically state that a chunk of metadata regarding communications should be held on file for a short while by service providers to aid law enforcement/intelligence operations. There are arguments from both sides.

Arguments against include civil liberties, that it doesn't really help (based on experience in Europe), and cost: it's not cheap to store the amount of data we're talking about here. I know of medium-sized cloud companies who chew through terabytes of data a month, and even if the amount of data is small, securing it is not cheap. Moreover, based on personal experiments (using the Squid web proxy in combination with SARG to examine the total amount of traffic flowing through my personal network), even if you turn off all images and most scripts you're still only halving the amount of downstream traffic flowing through your network (if you're curious, proxying has resulted in mostly single-digit percentage cache hits on a daily basis; disabling certain types of traffic has resulted in significant gains though). Nonetheless, even if we only look at the remaining traffic, that's still a lot of content from a lot of different sources. Use the TamperData/Firebug add-ons for Firefox and you'll see a lot of content/traffic that often makes little sense in the current context without further digging. Do some more research on Evercookie and other tracking mechanisms ('watering hole' strategies are becoming more popular amongst intelligence agencies/criminals, based on what I've been seeing, rather than direct 'spear phishing' attacks). Combine this with the fact that there are already many countermeasures out there (anonymous tunneling of phone traffic via the Internet and increased use of solid encryption) and you'll begin to see how much more difficult the defensive position becomes.
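The SARG-style measurement described above can be reproduced directly from Squid's native access.log. The script below is an added example (not the author's setup or SARG's code): it parses the native log format (time, elapsed, client, code/status, bytes, method, URL, ident, hierarchy/peer, content-type), buckets downstream bytes by content type, reports the cache hit rate, and estimates how much traffic would remain if images and scripts were blocked. The log lines, hosts and addresses are constructed sample data, not a real capture.

```python
"""Classify downstream traffic from Squid native access.log lines.

Added example, not part of the original post. SAMPLE_LOG is constructed data in
Squid's native format: time elapsed client code/status bytes method URL ident
hierarchy/peer content-type.
"""
from collections import Counter

# MIME types counted as "script" for the block-images-and-scripts estimate.
SCRIPT_TYPES = {"application/javascript", "application/x-javascript", "text/javascript"}

# Constructed sample (NOT a real capture). Hosts/IPs are documentation ranges.
SAMPLE_LOG = """\
1350864001.101    245 192.168.1.10 TCP_MISS/200 15234 GET http://example.com/index.html - HIER_DIRECT/93.184.216.34 text/html
1350864001.420     12 192.168.1.10 TCP_HIT/200 48210 GET http://example.com/logo.png - NONE/- image/png
1350864001.611    190 192.168.1.10 TCP_MISS/200 91002 GET http://cdn.example.net/app.js - HIER_DIRECT/203.0.113.5 application/javascript
1350864002.005    300 192.168.1.11 TCP_MISS/200 120400 GET http://img.example.net/photo.jpg - HIER_DIRECT/203.0.113.9 image/jpeg
1350864002.333     40 192.168.1.11 TCP_MISS/200 8120 GET http://example.com/style.css - HIER_DIRECT/93.184.216.34 text/css
1350864003.018     35 192.168.1.12 TCP_MISS/200 43 GET http://tracker.example.org/pixel.gif?id=42 - HIER_DIRECT/198.51.100.7 image/gif
1350864003.777     15 192.168.1.12 TCP_MEM_HIT/200 91002 GET http://cdn.example.net/app.js - NONE/- application/javascript
1350864004.100    800 192.168.1.12 TCP_MISS/200 2500000 GET http://video.example.org/clip.mp4 - HIER_DIRECT/198.51.100.8 video/mp4
1350864005.000   1200 192.168.1.10 TCP_MISS/200 60000 CONNECT mail.example.com:443 - HIER_DIRECT/192.0.2.25 -
1350864005.500    210 192.168.1.11 TCP_MISS/200 30000 GET http://ads.example.org/tag.js - HIER_DIRECT/198.51.100.9 text/javascript
"""


def classify(content_type):
    """Bucket a logged Content-Type into image / script / other / unknown."""
    if content_type == "-":
        return "unknown"  # CONNECT tunnels (HTTPS) carry no visible type
    ctype = content_type.split(";")[0].strip().lower()
    if ctype.startswith("image/"):
        return "image"
    if ctype in SCRIPT_TYPES:
        return "script"
    return "other"


def parse_line(line):
    """Parse one native-format line; return None for lines that do not fit."""
    fields = line.split()
    if len(fields) < 10:
        return None
    code, _, status = fields[3].partition("/")
    return {
        "client": fields[2],
        "code": code,                      # TCP_MISS, TCP_HIT, TCP_MEM_HIT, ...
        "status": int(status) if status.isdigit() else None,
        "bytes": int(fields[4]),           # bytes sent to the client, headers included
        "method": fields[5],
        "url": fields[6],
        "content_type": fields[9],
    }


def summarize(log_text):
    """Aggregate bytes by class and compute hit rate and the blocked-traffic estimate."""
    requests = hits = total = 0
    by_class = Counter()
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        requests += 1
        total += rec["bytes"]
        by_class[classify(rec["content_type"])] += rec["bytes"]
        # Squid cache-served results all carry HIT in the result code
        # (TCP_HIT, TCP_MEM_HIT, TCP_IMS_HIT, ...); exact names vary by version.
        if "HIT" in rec["code"]:
            hits += 1
    remaining = total - by_class["image"] - by_class["script"]
    return {
        "requests": requests,
        "hit_requests": hits,
        "hit_ratio": hits / requests if requests else 0.0,
        "total_bytes": total,
        "bytes_by_class": dict(by_class),
        "bytes_without_images_and_scripts": remaining,
        "remaining_fraction": remaining / total if total else 0.0,
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print("requests=%d hits=%d (%.0f%%)" % (s["requests"], s["hit_requests"], 100 * s["hit_ratio"]))
    print("bytes by class:", s["bytes_by_class"])
    print("remaining after blocking images+scripts: %.0f%%" % (100 * s["remaining_fraction"]))
```

Point it at a real `/var/log/squid/access.log` and the "other" bucket is where the surprising traffic lives: one large video or CONNECT tunnel dwarfs all the images and scripts on a page, which is why blocking them only halves the total.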

Arguments for include that cybercrime/terrorism have made (and continue to make) substantial strides in tradecraft, and technology has only aided that (as I've stated previously, there seems to be strong and widespread knowledge of how to bypass existing computer security in highly policed states), and yet law enforcement/intelligence have not had an adequate increase in resources/powers along the way. Crimes are becoming increasingly sophisticated and the only real way to keep track of everything is to basically log everything (real-time analysis is difficult and requires a high level of resources to set up/maintain, and many programs designed to achieve this have had problems that have limited their usefulness in the past (NSA); even so, automated programs have been able to achieve high levels of efficiency, and some forms of intelligence analysis were claimed to have gone from several days/hours down to minutes at the CIA) and hope that there is a trail left over after a report is made (I'd love to see more research on the gap between the actual time of incursion and the time of detection). Access would only be granted to such information under exceptional circumstances (for more serious crimes), but it's clear that we've seen abuses both locally and elsewhere in the past. If this goes ahead there needs to be strong oversight/controls in place.

There is public debate at the moment regarding these issues, but in a lot of cases I wonder whether or not enough of the right people are involved in the decision-making process. It always seems as though the same people are involved: namely, the usual government agencies and lobbyists such as the Electronic Frontier Foundation (EFF) and GetUp. Moreover, the decision-making process has not been entirely transparent. It's true that more transparency may give certain entities a 'heads up' with regards to which particular forms of communication to avoid, but it's also clear that in a semi-democratic/democratic environment the dog should wag the tail, not the other way around. Making a decent decision now (with 90% of the picture rather than 60%), rather than passing panicked legislation in the aftermath of an attack, will help us avoid becoming a democratic society in name only.

With regards to actual surveillance/counter-surveillance, it should be obvious that in this day and age there are enormous variations in the options available for both. We'll cover them only briefly here. The four main types are outlined here:

Combined with computer hardware/software (keycatchers, keyloggers, trojans and other malware, cloners, jammers, scanners, noise/signal generators, frequency counters, and so on) you have serious problems from the defensive perspective.

Perhaps the worrying thing is that jamming/interception equipment (technically illegal depending on the circumstances) is available if you know the correct channels and pay the right price. Given the stringency of communications interception laws in many democratic nations, it seems strange (to me) that many forms of surveillance and some forms of counter-surveillance equipment are openly/widely available without requiring a licence. If you do purchase such equipment, a strong tip is to test it before buying/using it (quality varies drastically, and so does cost, depending on where you go), be prepared to have or develop some technical knowledge if it requires assembly, and use separate/specialised detection devices for each type of bug that you encounter (a hybrid camera/RF bug detector is often inferior to separate camera and RF bug detectors, and so on).

Just as with computer security, most of the time a knowledgeable and creative attacker should technically/strategically always be in the stronger position. In fact, even professionals sometimes have trouble doing a proper sweep (it is time consuming even when you have the right equipment, if the person doing the bugging is sufficiently skilled/creative). Hence my interest in multiplexing, encoding, encryption, steganography, power, and so on, as a means of defence.

To put this into perspective, I recall a story about an embassy being bugged. Clearly, they knew that there were bugs in that particular room. In fact, they ran a sweep and, while most of the bugs were found, they didn't find them all (they were located in a metal window sill in one room). Since they knew that their integrity had been compromised but couldn't find the bugs, they built a SCIF (it's far easier to keep a SCIF clean than it is to maintain the integrity of an entire building; in fact, some countries have been using portable SCIFs and SCIFs within existing rooms for decades) and then basically did nothing of any worth in the room where the bug was supposed to be. (The bugs were actually placed in the building during its construction. Hence, a proper sweep that could have found these devices would have had them tearing the place apart. However, that was out of the question for various cultural, technical, and other reasons, so they left things as they were.)

With regards to Business Continuity Planning (BCP) and Disaster Recovery (DR), I think it's becoming clearer that in secure environments you should be planning backwards rather than forwards. Start from the weakest point (your last backup) and then secure it from there. As I discovered during my experiment ('Convergence' document), a lot of the time people just forget/neglect non-primary systems. The worrying thing is that others are more likely to discover these particular flaws than the person actually running these systems, particularly in under-resourced, under-manned, or under-motivated environments. (Something which I recently thought about is that in some environments balancing the security and accessibility of end users is borderline impossible. Some environments quite simply cannot be secured, simply because that is the nature of the business. The only way to achieve it would be to have separate (physical or virtual) networks, and a lot of the time, depending on the environment, this may be impossible due to resource restrictions.)
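"Start from your last backup and secure it from there" can be turned into a concrete check. The script below is an added example, not the author's tooling or the 'Convergence' experiment: it audits a directory of backup archives for the things that go wrong on neglected non-primary systems, namely archives readable by other users, archives whose SHA-256 no longer matches the manifest written when the backup was taken, archives that do not actually open or contain nothing, and a backup set whose newest member is outside the retention window. The manifest layout (one `sha256  filename` line per archive, as `sha256sum` writes it) and the `.tar.gz` naming are assumptions of the example; the sample backup set it builds in a temporary directory is constructed data.

```python
"""Audit a backup set 'backwards': verify the thing you would restore from first.

Added example, not the author's tooling. Assumes archives are *.tar.gz and that a
MANIFEST.sha256 file (sha256sum style: "<hex>  <name>" per line) sits beside them.
"""
import hashlib
import stat
import tarfile
import tempfile
import time
from pathlib import Path

MANIFEST = "MANIFEST.sha256"  # assumed manifest name


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def load_manifest(backup_dir):
    """Map archive name -> expected hex digest; empty dict if no usable manifest."""
    path = Path(backup_dir) / MANIFEST
    if not path.exists():
        return {}
    expected = {}
    for line in path.read_text().splitlines():
        parts = line.split()
        if len(parts) == 2 and len(parts[0]) == 64:
            expected[parts[1]] = parts[0]
    return expected


def audit_backups(backup_dir, max_age_days=1, now=None):
    """Return a list of (item, problem) findings; an empty list means the set passed."""
    backup_dir = Path(backup_dir)
    now = time.time() if now is None else now
    findings = []
    expected = load_manifest(backup_dir)
    if not expected:
        findings.append((MANIFEST, "missing or empty manifest"))
    archives = sorted(backup_dir.glob("*.tar.gz"))
    if not archives:
        findings.append(("backups", "no archives found"))
        return findings
    for arc in archives:
        # 1. Exposure: a backup readable by group/others leaks everything in it.
        mode = stat.S_IMODE(arc.stat().st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append((arc.name, "readable by group/others (mode %o)" % mode))
        # 2. Integrity: compare against the digest recorded when the backup was taken.
        want = expected.get(arc.name)
        if want is None:
            findings.append((arc.name, "not listed in manifest"))
        elif sha256_file(arc) != want:
            findings.append((arc.name, "sha256 mismatch against manifest"))
        # 3. Restorability: the archive must open and contain something.
        try:
            with tarfile.open(arc, "r:gz") as tf:
                if not tf.getmembers():
                    findings.append((arc.name, "archive contains no members"))
        except (tarfile.TarError, OSError) as exc:
            findings.append((arc.name, "unreadable archive: %s" % exc))
    # 4. Freshness: the newest archive must fall inside the retention window.
    newest = max(a.stat().st_mtime for a in archives)
    if now - newest > max_age_days * 86400:
        findings.append(("backups", "newest archive older than %d day(s)" % max_age_days))
    return findings


def build_sample_set(root):
    """Construct a backup directory with one sound archive and two flawed ones (sample data)."""
    root = Path(root)
    payload = root / "hosts"
    payload.write_text("127.0.0.1 localhost\n")

    def make(name, arcname):
        arc = root / name
        with tarfile.open(arc, "w:gz") as tf:
            tf.add(str(payload), arcname=arcname)
        return arc

    good = make("good.tar.gz", "etc/hosts")
    tampered = make("tampered.tar.gz", "etc/hosts")
    empty = root / "empty.tar.gz"
    with tarfile.open(empty, "w:gz"):
        pass  # valid archive with zero members: "restores" nothing
    lines = ["%s  %s" % (sha256_file(a), a.name) for a in (good, tampered, empty)]
    (root / MANIFEST).write_text("\n".join(lines) + "\n")
    # Silently rewrite one archive after the manifest was recorded.
    payload.write_text("127.0.0.1 localhost\n0.0.0.0 example.com\n")
    make("tampered.tar.gz", "etc/hosts")
    for arc in (good, empty):
        arc.chmod(0o600)
    tampered.chmod(0o644)  # the classic forgotten-permissions mistake
    return root


def demo():
    """Audit the constructed set twice: as fresh, and as if three days had passed."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_set(tmp)
        return audit_backups(tmp), audit_backups(tmp, now=time.time() + 3 * 86400)


if __name__ == "__main__":
    for label, findings in zip(("fresh", "stale"), demo()):
        print(label, findings)
```

Run it from cron against the real backup directory and alert on a non-empty findings list; the restorability check is the one most often skipped, and an archive that lists but restores nothing is exactly the flaw someone else finds first.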
