surveillance & anonymity
Transcript of pages.cs.wisc.edu/~ace/media/lectures/surveillance.pdf

Page 1: surveillance & anonymity

Page 3: today
• Internet-wide scanning, ZMap
• Massive surveillance, packet inspection
• Anonymous browsing, Tor
Page 4: TCP handshake

Client                                    Server
  ---- SYN      seq=C,   ack=0     ---->
  <--- SYN/ACK  seq=S,   ack=C+1   ----
  ---- ACK      seq=C+1, ack=S+1   ---->
TCP connection established

SYN = syn flag set, ACK = ack flag set; "x, y" means x is the sequence #, y is the acknowledge #
Page 5: mass scanning
What if we want to scan the "whole internet"?
Why? / Find all the unsecured webcams [shodan.io] / Find all the broken web servers
How would we do this? / nmap -p 443 0.0.0.0/0 / IPv4: 32 bits, minus the ~14% of addresses IANA reserves
How long would this take? / Assume mean round-trip time = 100 ms
think-pair-share
Page 6: ZMap
[ZMap, Durumeric et al.]
ZMap paper: 1300x faster than nmap. How?
Page 7: fast scanning
(figure: client sends SYN, SYN, SYN, ... to many targets without waiting for any reply)
SYN/ACKs come back from the live hosts; the client records the responses
The client answers each SYN/ACK with a RST, so no connection is ever completed
Page 8: ZMap address ordering
(figure: in-order scanning 1.1.1.1, 1.1.1.2, 1.1.1.3, ... versus a pseudorandom order a0, a1, ..., a9 over the whole space)
Can't scan at high speed in order. Why?
ZMap uses a permutation over the address space
Random ordering, but don't have to track a list of scanned addresses
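The two ideas on pages 7 and 8, the stateless SYN probing and the state-free permutation, written out as an added example. This is illustration code, not ZMap's source: the cyclic-group walk is the technique ZMap describes, but the keyed-hash encoding of probe state in the source port and sequence number is this example's own construction, and the target addresses and scan key are made up.

```python
"""ZMap-style stateless scanning (added illustration, not ZMap's code).

 1. Visit every address of a 2**n space exactly once, in pseudorandom order, keeping
    only three integers of state (generator, current element, first element).
 2. Derive each probe's source port and TCP seq from a per-scan key and the target,
    so a reply is checked by recomputation instead of a table of sent probes.
"""
import hashlib
import hmac
import ipaddress
import random


def is_prime(n: int) -> bool:
    """Trial division; only a handful of candidates are tested, so this is fast enough."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    f = 3
    while f * f <= n:
        if n % f == 0:
            return False
        f += 2
    return True


def smallest_prime_above(n: int) -> int:
    p = n + 1
    while not is_prime(p):
        p += 1
    return p


def prime_factors(n: int) -> set:
    """Distinct prime factors by trial division (n ~ 2**32 takes milliseconds)."""
    out, f = set(), 2
    while f * f <= n:
        while n % f == 0:
            out.add(f)
            n //= f
        f += 1 if f == 2 else 2
    if n > 1:
        out.add(n)
    return out


def find_generator(p: int, rng: random.Random) -> int:
    """Random primitive root mod prime p: g generates Z_p^* iff g**((p-1)/q) != 1
    for every prime q dividing p-1."""
    qs = prime_factors(p - 1)
    while True:
        g = rng.randrange(2, p)
        if all(pow(g, (p - 1) // q, p) != 1 for q in qs):
            return g


def address_permutation(n_bits: int, seed: int):
    """Yield every integer in [1, 2**n_bits) exactly once in pseudorandom order.

    p is the smallest prime above 2**n_bits (2**32 + 15 for IPv4). Z_p^* is cyclic, so
    starting anywhere and multiplying by a generator walks the whole group; elements
    >= 2**n_bits are not addresses and are skipped, and 0 (0.0.0.0) is not in the group.
    Returning to the first element is the only "have we scanned it?" bookkeeping.
    """
    rng = random.Random(seed)
    p = smallest_prime_above(2 ** n_bits)
    g = find_generator(p, rng)
    first = x = rng.randrange(1, p)
    while True:
        if x < 2 ** n_bits:
            yield x
        x = x * g % p
        if x == first:
            return


def probe_fields(scan_key: bytes, dst_ip: str, dst_port: int):
    """(source port, TCP seq) for the SYN to dst_ip:dst_port, as a keyed function of
    the target. Nothing is stored; the same computation is repeated on reply."""
    mac = hmac.new(scan_key, f"{dst_ip}:{dst_port}".encode(), hashlib.sha256).digest()
    sport = 32768 + int.from_bytes(mac[:2], "big") % 28232   # stay inside 32768..60999
    seq = int.from_bytes(mac[4:8], "big")
    return sport, seq


def validate_reply(scan_key: bytes, reply: dict, our_ip: str) -> bool:
    """Accept a SYN/ACK only if its destination port and ack number are what we would
    have sent to that host:port. Backscatter, spoofed and stale packets fail."""
    if reply["dst_ip"] != our_ip or reply["flags"] != "SA":
        return False
    sport, seq = probe_fields(scan_key, reply["src_ip"], reply["src_port"])
    return reply["dst_port"] == sport and reply["ack"] == (seq + 1) % 2 ** 32


SCAN_KEY = bytes(range(16))   # constructed fixed key so the demo is reproducible


def demo_replies(scan_key: bytes = SCAN_KEY, our_ip: str = "198.51.100.7") -> list:
    """Constructed traffic: a genuine SYN/ACK, one with a wrong ack, and one from a
    port we never probed on that host. Returns the three verdicts."""
    target = "203.0.113.5"
    sport, seq = probe_fields(scan_key, target, 443)
    genuine = {"src_ip": target, "src_port": 443, "dst_ip": our_ip,
               "dst_port": sport, "ack": (seq + 1) % 2 ** 32, "flags": "SA"}
    wrong_ack = dict(genuine, ack=(seq + 2) % 2 ** 32)
    unprobed_port = dict(genuine, src_port=80)
    return [validate_reply(scan_key, r, our_ip) for r in (genuine, wrong_ack, unprobed_port)]


if __name__ == "__main__":
    gen = address_permutation(32, seed=2016)
    print("first targets:", [str(ipaddress.IPv4Address(next(gen))) for _ in range(5)])
    print("verdicts:", demo_replies())
```

The permutation answers the page 8 question in practice: consecutive addresses usually sit in one network, so an in-order scan hammers a single operator at full rate and trips their rate limits; the group walk spreads the load across the whole space while the scanner remembers nothing per address.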
Page 9: Dual EC
Investigating a "rigged" random number generator (RNG) called the "dual elliptic curve" (Dual EC) RNG
… that could be used in setting up TLS connections
Q: How many web servers support this RNG in real life?
Scanned IPv4 with ZMap / 39M servers responding on port 443 / took 48 hours from CSL@UW
Probed each web server with an instrumented OpenSSL client (recorded the TLS handshake) / 22M TLS (half-)handshakes; took 4 weeks
[On the Practical Exploitability of Dual EC in TLS Implementations, Checkoway et al.]
Page 10: AT&T wiretap case
• Mark Klein discloses potential wiretapping activities by the NSA at the San Francisco AT&T office
• Fiber-optic splitter on a major trunk line for Internet communications
  – Electronic voice and data communications copied to a "secret room"
  – Narus STA 6400 device
Page 11: Interception technology
• From the Narus website [http://narus.com/index.php/product/narusinsight-intercept]
  – "Target by phone number, URI, email account, username, keyword, protocol, application and more", "Service- and network-agnostic", "IPv6 ready"
  – Collects at wire speeds beyond 10 Gbps
Page 12: Wiretap surveillance
(figure: the AT&T network meets other major backbones at MAE-West (Metropolitan Area Exchange, West); the interception gear sits at that exchange point)
Large amounts of Internet traffic cross relatively few key points
Page 13: Types of packet inspection
IP datagram: [IP header][TCP header][Appl header][user data]
• Internet service providers need only look at IP headers to perform routing
• Shallow packet inspection investigates lower-level headers such as TCP/UDP
• Deep packet inspection (DPI) analyzes application headers and data
Which inspection is most powerful? What are the technology challenges?
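The three inspection depths on this page, run over two constructed datagrams between the deck's 1.2.3.4 and 5.6.7.8 (an added example, not from the slides). The parser handles the IPv4 and TCP headers for real; the application layer is only sniffed far enough to show the point of page 15: a plaintext HTTP request gives the inspector the URL and Host, while a TLS record gives it the record type and nothing inside. The packets are built inline with zero checksums, since no kernel ever sees them.

```python
"""Routing view vs. shallow vs. deep inspection of a raw IPv4/TCP datagram (added example)."""
import struct
from ipaddress import IPv4Address

TCP_FLAGS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"), (0x08, "PSH"), (0x10, "ACK")]
TLS_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}


def build_packet(src: str, dst: str, sport: int, dport: int, flags: int, payload: bytes = b"") -> bytes:
    """Constructed test datagram: 20-byte IPv4 header + 20-byte TCP header + payload.
    Checksums are left 0 because the bytes never go on the wire."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, 1000, 0, (5 << 12) | flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, 6, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    return ip + tcp


def parse_ipv4(dg: bytes) -> dict:
    if len(dg) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total, _id, _frag, ttl, proto, _csum, src, dst = struct.unpack("!BBHHHBBH4s4s", dg[:20])
    ihl = (ver_ihl & 0xF) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total < ihl or len(dg) < ihl:
        raise ValueError("malformed IPv4 header")
    return {"src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
            "proto": proto, "ttl": ttl, "payload": dg[ihl:total]}


def parse_tcp(seg: bytes) -> dict:
    if len(seg) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags, _win, _csum, _urg = struct.unpack("!HHIIHHHH", seg[:20])
    off = (off_flags >> 12) * 4
    if off < 20 or len(seg) < off:
        raise ValueError("malformed TCP header")
    flags = [name for bit, name in TCP_FLAGS if off_flags & bit]
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "flags": flags, "payload": seg[off:]}


def routing_view(dg: bytes) -> dict:
    """What a router needs: the IP header only."""
    ip = parse_ipv4(dg)
    return {"src": ip["src"], "dst": ip["dst"], "proto": ip["proto"]}


def shallow_view(dg: bytes) -> dict:
    """Plus the transport header: ports and flags, still no application data."""
    ip, view = parse_ipv4(dg), routing_view(dg)
    if ip["proto"] == 6:
        tcp = parse_tcp(ip["payload"])
        view.update(sport=tcp["sport"], dport=tcp["dport"], flags=tcp["flags"])
    return view


def deep_view(dg: bytes) -> dict:
    """DPI: look into the application payload. Plaintext HTTP yields the request
    line and Host; TLS yields only the record header (a fuller parser could also
    read the cleartext SNI from a ClientHello, but never the request itself)."""
    ip, view = parse_ipv4(dg), shallow_view(dg)
    data = parse_tcp(ip["payload"])["payload"] if ip["proto"] == 6 else ip["payload"]
    if len(data) >= 5 and data[0] in TLS_TYPES and data[1] == 3:
        view["app"] = f"TLS {TLS_TYPES[data[0]]} record, contents opaque"
    elif data[:4] in (b"GET ", b"POST"):
        lines = data.split(b"\r\n")
        view["app"] = lines[0].decode("ascii", "replace")
        for line in lines[1:]:
            if line.lower().startswith(b"host:"):
                view["host"] = line.split(b":", 1)[1].strip().decode("ascii", "replace")
    return view


# Constructed samples: a cleartext HTTP request and the start of a TLS handshake.
HTTP_PKT = build_packet("1.2.3.4", "5.6.7.8", 40001, 80, 0x18,
                        b"GET /login HTTP/1.1\r\nHost: example.com\r\n\r\n")
TLS_PKT = build_packet("1.2.3.4", "5.6.7.8", 40002, 443, 0x18,
                       bytes([0x16, 0x03, 0x01, 0x00, 0x05]) + b"\x01\x00\x00\x01\x00")

if __name__ == "__main__":
    for pkt in (HTTP_PKT, TLS_PKT):
        print(routing_view(pkt), shallow_view(pkt), deep_view(pkt), sep="\n")
```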
Page 14: Intrusion Detection Systems (IDS)
(figure: Internet, outer firewall, web server, inner firewall, customer databases, with an IDS watching the traffic)
What can an IDS do that a router cannot?
• Store information for forensics
• Match known attack patterns (malware, XSS, SQL injection)
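Pattern matching as an IDS does it, as an added example (not from the slides or any IDS product). The rules and the web-server request lines are constructed. The detail worth seeing is that the rules run on the decoded request, not the raw bytes: the third line is double-URL-encoded and splits UNION/SELECT with a SQL comment, so a plain substring match misses it while a sensor that normalizes the way the server will does not.

```python
"""Signature matching over web request lines, with normalization (added example)."""
import re
from urllib.parse import unquote_plus

# Constructed rule set: (name, regex applied to the normalized request)
RULES = [
    ("sqli-tautology", re.compile(r"'\s*or\s+['\d]+\s*=\s*['\d]+", re.I)),
    ("sqli-union", re.compile(r"\bunion\b.{0,40}\bselect\b", re.I | re.S)),
    ("xss-script-tag", re.compile(r"<\s*script\b", re.I)),
    ("xss-event-handler", re.compile(r"\bon(error|load|mouseover)\s*=", re.I)),
]


def normalize(request_line: str) -> str:
    """Undo what the server will undo before the application sees the request:
    URL-decode twice (double encoding is a classic evasion), drop /* */ comments
    used to split SQL keywords, and collapse whitespace."""
    s = unquote_plus(unquote_plus(request_line))
    s = re.sub(r"/\*.*?\*/", " ", s)
    return re.sub(r"\s+", " ", s)


def match_rules(request_line: str) -> list:
    s = normalize(request_line)
    return [name for name, rx in RULES if rx.search(s)]


def naive_match(request_line: str) -> bool:
    """Raw substring check with no decoding, to show what evasion defeats."""
    return "UNION SELECT" in request_line.upper()


def scan_log(lines) -> list:
    """(line, [rule names]) for every log line that triggers at least one rule."""
    return [(line, match_rules(line)) for line in lines if match_rules(line)]


# Constructed access-log request lines.
SAMPLE_LOG = [
    "GET /search?q=shoes HTTP/1.1",
    "GET /login?user=admin'%20OR%20'1'='1 HTTP/1.1",
    "GET /item?id=3%2520UNION%2f%2a%2a%2fSELECT%2520password%2520FROM%2520users HTTP/1.1",
    "GET /post?c=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1",
    "GET /img?x=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E HTTP/1.1",
]

if __name__ == "__main__":
    for line, names in scan_log(SAMPLE_LOG):
        print(names, line)
```

Forensic storage, the other item on this page, is the same loop with the matched line written out with its timestamp and 5-tuple instead of printed; the hard part in production is reassembling TCP streams before matching, which this per-line demo skips.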
Page 15: Preventing intercept
• End-to-end encryption (TLS, SSH)
• What does this protect? What does it leak?
• What can go wrong?
(figure: IP 1.2.3.4 talking to IP 5.6.7.8 across the AT&T network and another major backbone, past the interception gear)
think-pair-share
Page 16: End-run around HTTPS
• HTTPS terminated at the edge of Google's networks
• Internal datacenter-to-datacenter communications on privately leased lines
• Traffic tapped on those lines is no longer under the HTTPS session, so the end-to-end protection is bypassed without touching TLS
Page 17: Hiding connectivity is harder
• IP addresses are required to route communication, yet are not encrypted by normal end-to-end encryption
  – 1.2.3.4 talked to 5.6.7.8 over HTTPS
• How can we hide connectivity information?
Page 18: Tor (The Onion Router)
(figure: client 1.2.3.4 and destination 5.6.7.8 as before, with Tor nodes 7.8.9.1, 8.9.1.1 and 9.1.1.2 on other major backbones)
Client -> 7.8.9.1 -> 8.9.1.1 -> 9.1.1.2 -> Destination. Called a circuit
Page 19: Onion routing: the basic idea
The client (1.2.3.4) wraps the request in one layer of encryption per node, innermost first:
• HTTP packet (Src: 9.1.1.2, Dest: 5.6.7.8), encrypted to 9.1.1.2
• Src: 8.9.1.1, Dest: 9.1.1.2, encrypted to 8.9.1.1
• Src: 7.8.9.1, Dest: 8.9.1.1, encrypted to 7.8.9.1
Each node decrypts only its own layer, learns only the next hop, and forwards the rest; the exit 9.1.1.2 sends the HTTP packet on to 5.6.7.8
Tor implements a more complex version of this basic idea
Page 20: What does the adversary see?
(figure: same network as page 18; on the destination side the adversary sees an HTTP packet with Src: 9.1.1.2, Dest: 5.6.7.8)
Tor obfuscates who talked to whom; need end-to-end encryption (e.g., HTTPS) to protect the payload
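The layering of page 19 and the per-hop view of page 20, carried end to end over the deck's circuit 1.2.3.4 -> 7.8.9.1 -> 8.9.1.1 -> 9.1.1.2 -> 5.6.7.8, as an added example. This is not Tor's code: the per-node seal/open is a toy authenticated stream cipher built from SHA-256 and HMAC so the example runs on the standard library alone, and the per-hop keys are simply generated here rather than negotiated. Tor's cell format, key exchange and ciphers are different and not shown. What the simulation records is exactly the page 20 point: each relay sees only its neighbours, and the bytes leaving the exit are the request in the clear unless the client used HTTPS inside the circuit.

```python
"""Onion-routing layers end to end (added example, not Tor's code)."""
import hashlib
import hmac
import json
import os

CIRCUIT = ["7.8.9.1", "8.9.1.1", "9.1.1.2"]   # guard, middle, exit, from the slide
CLIENT, DEST = "1.2.3.4", "5.6.7.8"


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks, ctr = [], 0
    while sum(len(b) for b in blocks) < n:
        blocks.append(hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest())
        ctr += 1
    return b"".join(blocks)[:n]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Toy encrypt-then-MAC: nonce || (plaintext XOR keystream) || 16-byte tag."""
    nonce = os.urandom(12)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]
    return nonce + ct + tag


def open_layer(key: bytes, blob: bytes) -> bytes:
    """Reject the layer unless the tag verifies under this node's key."""
    nonce, ct, tag = blob[:12], blob[12:-16], blob[-16:]
    expect = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expect):
        raise ValueError("layer is not addressed to this node (or was tampered with)")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def make_keys(hops=CIRCUIT) -> dict:
    """One shared key per hop; in Tor these come from the circuit-building handshake."""
    return {hop: os.urandom(32) for hop in hops}


def build_onion(keys: dict, hops: list, dest: str, request: bytes) -> bytes:
    """Client side: wrap from the inside out so the first hop's layer is outermost.
    Every layer carries only the next hop plus an opaque inner blob."""
    layer = seal(keys[hops[-1]], json.dumps({"next": dest, "data": request.hex()}).encode())
    for i in range(len(hops) - 2, -1, -1):
        inner = {"next": hops[i + 1], "data": layer.hex()}
        layer = seal(keys[hops[i]], json.dumps(inner).encode())
    return layer


def relay(keys: dict, node: str, blob: bytes):
    """A node peels exactly one layer and learns only where to send the remainder."""
    inner = json.loads(open_layer(keys[node], blob))
    return inner["next"], bytes.fromhex(inner["data"])


def run_circuit(keys: dict, hops: list, dest: str, request: bytes):
    """Forward through every hop. Returns [(node, seen_from, sends_to), ...] and the
    bytes that finally leave the exit toward dest."""
    blob, prev, observed = build_onion(keys, hops, dest, request), CLIENT, []
    for node in hops:
        nxt, blob = relay(keys, node, blob)
        observed.append((node, prev, nxt))
        prev = node
    return observed, blob


if __name__ == "__main__":
    seen, leaving_exit = run_circuit(make_keys(), CIRCUIT, DEST, b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n")
    for node, came_from, goes_to in seen:
        print(f"{node}: from {came_from} to {goes_to}")
    print("exit emits:", leaving_exit)
```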
Page 21
• Dec 2013: Eldo Kim, Harvard sophomore, sent bomb threats using Guerrilla Mail (anonymous email service)
• Used Tor to connect to Guerrilla Mail (from his dorm room)
• Caught within 2 days
• How did he get caught?
• Guerrilla Mail indicated the user connected via a Tor node
• FBI compared the timestamp on the email to Harvard network logs
• He was the only one using Tor at that time; confessed when confronted
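The correlation the page describes, as an added example on constructed data (not the FBI's method or Harvard's logs). Nobody broke Tor here: the mail provider showed the message came from a Tor exit, and the campus edge showed which hosts were talking to the Tor network at that moment. The relay list, flow records and email timestamp below are all made up; a real investigation would take the relay addresses from the public Tor consensus.

```python
"""Timing correlation at the network edge (added example on constructed data)."""
from datetime import datetime, timedelta

# Constructed: addresses treated as Tor relays (real lists come from the consensus).
TOR_RELAYS = {"203.0.113.10", "203.0.113.11", "198.51.100.42"}

# Constructed campus flow log: "timestamp src_ip dst_ip dst_port", one record per line.
FLOW_LOG = """\
2013-12-16T08:29:10 10.1.20.5 203.0.113.10 9001
2013-12-16T08:29:55 10.1.20.5 203.0.113.10 9001
2013-12-16T08:30:01 10.1.22.9 93.184.216.34 443
2013-12-16T08:31:30 10.1.20.5 203.0.113.11 443
2013-12-16T09:05:00 10.1.31.7 198.51.100.42 9001
"""

EMAIL_SENT = datetime(2013, 12, 16, 8, 30, 0)   # constructed provider timestamp


def parse_flows(text: str):
    for line in text.splitlines():
        ts, src, dst, port = line.split()
        yield datetime.fromisoformat(ts), src, dst, int(port)


def tor_users_near(flows, when: datetime, window: timedelta, relays=TOR_RELAYS) -> set:
    """Campus hosts that contacted a known relay within +/- window of `when`."""
    return {src for ts, src, dst, _port in flows
            if dst in relays and abs(ts - when) <= window}


def suspects(log_text: str = FLOW_LOG, when: datetime = EMAIL_SENT,
             window: timedelta = timedelta(minutes=5)) -> set:
    """The anonymity set at the edge: everyone who looked like a Tor client then."""
    return tor_users_near(parse_flows(log_text), when, window)


if __name__ == "__main__":
    print("within 5 min:", suspects())
    print("within 1 hour:", suspects(window=timedelta(hours=1)))
```

The size of the returned set is the whole story: with one campus Tor user at that minute the set is a single host, with fifty it is a list of fifty and the log proves nothing on its own. Widening the window grows the set, as the second call shows, and a client using a bridge rather than a listed relay is not in it at all.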
Page 22
[As of: April 13, 2016]
Page 23: Other anonymization systems
• Single-hop proxy services (Anonymizer.com)
• JonDonym, anonymous remailers (Mixmaster, Mixminion), many more…
Page 24: recap
• Internet-wide scanning, ZMap
• Massive surveillance, packet inspection
• Anonymous browsing, Tor