Ryan Lackey and Marc Rogers mostly focus on network forensics here, in particular the types of metadata that can be retrieved as a result of such analysis.Ryan Lackey: So, what are the common mistakes and vulnerabilities here? These are just several examples (see right-hand image), there’s a bunch more. It’s always insider threat, which is probably the most insidious and difficult to resolve, also the easiest to find in almost any organization. It’s pretty universal. There are people making mistakes, human error; and then data leakage – people using the wrong channels for the wrong kind of data. There are more serious technical threats. You’ve got people either seizing your hardware or getting temporary access to your hardware, doing live or cold analysis on it. You’ve got people doing either network or RF monitoring of your system. You’ve got people tearing down remote servers. Also you’ve got active tampering with things.
These are pretty serious threats, and maybe it’s not worth trying to mitigate the most difficult thing – start with the easy things. And then, of course, there’s the financial and physical audit trails left by almost every system people interact with.
Marc Rogers: One of the probably most important points about this is you cannot take care of everything, you can’t think about everything. But if you can automatically catch the low-hanging fruit and protect a certain segment of your stuff that you don’t have to think about, you can then focus the rest of your resources on the more complex problems.Ryan Lackey: Network forensics is pretty widely understood, metadata of course being the target of almost everything (see right-hand image). Metadata is so much easier to process from the attacker side. They don’t need to bother translating it into the native language, they don’t need to normalize the data. It’s already there, it’s automated, it’s trusted, it’s reliable, and it’s the easiest thing to go after. We have seen a lot of recent attacks where metadata, really, was the focus of the attack.
Marc Rogers: And it is very much the low-hanging fruit. As we saw from a talk that was given at H.O.P.E., even data that you think is encrypted, such as some of your personal information on the iPhone, is not; because when the device is running, certain segments of the device are unencrypted so that the device can operate and receive messages. That means it’s accessible, and in fact the only time your iPhone is completely secure is when it’s powered off.Ryan Lackey: There’s all this kind of data you would attack from a desktop system (see left-hand image), any sort of server that you are attacking – it’s all pretty clear. And on cellphones, which are basically computers, you have fairly similar kinds of targets (see right-hand image). They have some additional threat vectors because they connect to telco networks directly, and in fact they are with you at all times, they are taken into secure spaces, taken out of secure spaces, taken back into secure spaces and taken out over and over again. It’s a more interesting threat, but it’s not really terribly novel.
Marc Rogers: The important thing to point out is this is all low-hanging fruit. This is easy stuff that can be gotten off of almost every type of cellphone with commonly available tools and without expending too much effort.Ryan Lackey: Yeah, all of this stuff used to actually be hard. People haven’t taken into account that it has changed and it has become a lot easier to go after (see right-hand image). It used to be you had maybe one agency in the U.S. and one agency in the Soviet Union to worry about – now pretty much anybody with a little bit of RF equipment can be your threat, anybody with a network router in your path can be a threat, anybody running a service can be a threat, and anybody who gets access to your equipment. So it’s a much wider population of people attacking you. If you are not attractive to the government as a target, perhaps you are attractive to a different government or to an individual or to an organization. It’s really sort of a democratization of SIGINT and attacks.
Marc Rogers: One interesting thing from this slide is everyone is talking about the impact of Snowden and how that’s changing behavior, how everyone is moving towards more encrypted. It has had an effect on the traffic on the Internet. We’ve gone in U.S. from 2.29% of traffic that was deemed to be SSL traffic – today it’s 3.8%. That’s a really big increase, right?Ryan Lackey: And a lot of the traffic that is unencrypted, of course, leaves all this data available (see right-hand image). Even if the data is encrypted you can get a lot of information just from pure traffic analysis. You can see source and destination of target; you can see the type of traffic in a flow. You can actually in a lot of cases get content information just by the sizes of packets and how they interact, because it’s not data-independent. And it’s pretty terrifying.
Marc Rogers: And what you have to realize is a lot of the time you don’t have control over this. Vast majority of this traffic is backend traffic. This is your application talking to application server; you don’t have a choice to say “I’ll only use encryption,” because that’s up to the dev who built your app.
Ryan Lackey: Yeah, it’s pretty bad when you pop up a commercial operating system on a new computer for the first time – it’s got all this other software that you are not really familiar with, and you don’t really know what’s phoning home and when.Cellphones are even scarier (see right-hand image), because you actually do have pretty good information that they are phoning home all the time, they are always in contact with the tower, and they are relaying an awful lot of information that you don’t really ever see as a user but is there and is a threat. And the scary thing is, while you might trust your operator and you might trust your phone vendor, over the air a lot of this data can be gathered just from passive monitoring, and anybody else who is over the air can do a lot of this stuff.
Read next: Masquerade 3: “The Great Firewall of China”