Rajat Mohanty.pptx

Internet Interception and Limitations Presenter: Rajat Mohanty

Transcript of Rajat Mohanty.pptx

Slide 1

Internet Interception and Limitations
Presenter: Rajat Mohanty

Internet Misuse
- Cybercrime: identity theft, data stealing, frauds, threats, cyber attacks
- Cyber terrorism: large scale attacks on critical infrastructure
- Terrorist usage: disinformation, rumours, civil unrest (image: Arab Spring)

Agenda of Presentation
- Internet misuse cases
- Internet architecture
- How and what to monitor
- Typical functionalities
- Typical limitations

Internet Misuse: the Internet as a Channel
The Internet is one among many ways to communicate, but it is gaining in popularity for criminal purposes because of:
- A sense of anonymity: nothing physical has to be possessed or carried
- Ease of communication: connect to the Internet from anywhere, at any time
- With one click, reach out to multiple people
- No need for the receiving party to be in an active state
- Things can be explained in detail with pictures, graphs, animation, audio and video
- Little or no interception in most parts of the globe
- Lowest cost for potentially undetected communication

Misuse for Terrorism: Propaganda of Ideologies
Audiences reached:
- Potential sympathizers, funders, recruits
- Newspapers and journalists
- The enemy public

Groups with an online presence, as listed by the source:

From the Middle East, Hamas (the Islamic Resistance Movement), the Lebanese Hezbollah (Party of God), the al Aqsa Martyrs Brigades, Fatah Tanzim, the Popular Front for the Liberation of Palestine (PFLP), the Palestinian Islamic Jihad, the Kahane Lives movement, the People's Mujahedin of Iran (PMOI / Mujahedin-e Khalq), the Kurdish Workers' Party (PKK), and the Turkish-based Popular Democratic Liberation Front Party (DHKP/C) and Great East Islamic Raiders Front (IBDA-C).

From Europe, the Basque ETA movement, Armata Corsa (the Corsican Army), and the Irish Republican Army (IRA).

From Latin America, Peru's Tupak-Amaru (MRTA) and Shining Path (Sendero Luminoso), the Colombian National Liberation Army (ELN-Colombia), and the Armed Revolutionary Forces of Colombia (FARC).

From Asia, al Qaeda, the Japanese Supreme Truth (Aum Shinrikyo), Ansar al Islam (Supporters of Islam) in Iraq, the Japanese Red Army (JRA), Hizb-ul Mujehideen in Kashmir, the Liberation Tigers of Tamil Eelam (LTTE), the Islamic Movement of Uzbekistan (IMU), the Moro Islamic Liberation Front (MILF) in the Philippines, the Pakistan-based Lashkar-e-Taiba, and the rebel movement in Chechnya.

Source: United States Institute of Peace (www.usip.org)

Propaganda Websites
- Estimated 4800 terrorist sites
- (Figure: a few propaganda website snapshots)

Supplement to Websites
Apart from websites:
- Chats
- Blogs, bulletin boards, discussion forums
- Online magazines
- Social media sites like Facebook
- Google Blogs, Yahoo and MSN Blogs

Misuse for Terrorism: Dissemination of Information
- Several sites post detailed information describing target locations
- Several terrorist handbooks are available on the Internet. Al-ansar.biz last year carried instructions on how to make and test explosive belts on buses
- (Figure: snapshot of the Alnusra Forum)

Online Magazine
Al-Qaeda's online military magazine Mu'askar Al-Battar (www.qa3edoon.com).

In its inaugural edition in 2004, the magazine exhorted potential recruits to use the Internet: "Oh Mujahid brother, in order to join the great training camps you don't have to travel to other lands. Alone, in your home or with a group of your brothers, you too can begin to execute the training program."

Training Material
- Some websites carry information on manufacturing explosives and on making homemade dirty bombs
- Website: www.w-n-n.com. ISP: SiteGenie, LLC, Minnesota, USA

Misuse for Terrorism: Planning & Conspiracy
- The September 11 hijackers used conventional tools like chat rooms and e-mail to communicate and used the Web to gather basic information on targets. (Philip Zelikow, 9/11 Commission)
- Email communication: Khalid Sheikh Mohammed, a key planner of the September 11 attacks who was later arrested in Pakistan, made extensive use of free email sites for planning. (Terrorism Research Center)
- Chat rooms, newsgroups, discussion boards: since a fixed identity can be monitored, posting messages in such places is seen as safer. Mohammed Momin Khawaja was arrested on March 29, 2004, for alleged complicity in a transatlantic plot to bomb targets in London and Canada.

Misuse for Terrorism: VoIP
- Lashkar's handlers used the VoIP services of Skype and Google during the Mumbai attacks.
- Lashkar, known for using technology more than any other terror group in Kashmir, has its own private VoIP service, Ibotel, to communicate with its cadres in Pakistan and Kashmir.
- The group began recruiting technicians, engineers and information technology executives almost a decade ago to intensify its operations across India.

Cyber Crime for Terrorism
- Cybercrime (chiefly fraud or the theft of financial data, such as credit card numbers) is potentially a good tool for terrorist organizations.
- Cybercrime is an attractive replacement for the bank robberies or kidnappings that terrorists used in the past to finance their operations, because it carries very little risk.
- Two hundred and two people died in the Bali bombings of October 12, 2002. The mastermind of the attacks, Imam Samudra, wrote a jailhouse memoir that offers a primer on the use of online credit card fraud to fund terrorist activities. Evidence collected from Samudra's laptop computer shows he actually used several such techniques to make money.

Cyber Crime for Terrorism
- A 2007 trial of three British residents, Tariq al-Daour, Waseem Mughal and Younes Tsouli, revealed a significant link with cybercrime.
- The men had used stolen credit card information at online web stores to purchase items to assist fellow jihadists in the field: night vision goggles, tents, global positioning satellite devices, hundreds of prepaid cell phones, and more than 250 airline tickets, using 110 different stolen credit cards.
- Another 72 stolen credit cards were used to register over 180 Internet web domains at 95 different web hosting companies.

International Examples of Monitoring
Various countries already have a mechanism for such monitoring:
- ETSI lawful interception standards (European Union)
- CALEA (US)
- Carnivore (FBI) and Echelon (US-led signals intelligence collection with its UKUSA partners)
- Other countries include the UK, the Netherlands, Belgium, Australia, Russia, China, Japan etc.
- India: the ISP licence provides for monitoring by law enforcement agencies

Internet Overview in Brief
- Packet switched network
- Network of networks
- Hierarchy of networks
- Redundancy of paths
- No single point of failure

Typical Hierarchy for Data Interchange
(Figure: hierarchy of networks from access providers up to the backbone exchanges)
- NAP: network access point
- MAE: metropolitan area exchange, operated by Verizon (US: MAE East, MAE West)

From the User's Perspective
- User computing device: laptop, desktop, mobile (identified by MAC address and IP address)
- Internet access equipment: dial-up modems, Wi-Fi, ADSL, cable, leased line routers
- Local service provider (POPs): rack of modems, authentication and billing services
- National ISPs (city and international gateways): DNS, email, websites
- Internet mesh (peering routers, NAPs)
- Online content servers (datacenters): URL, IP address, MAC address

Data Flow
- The user connects to the nearest POP of his ISP through his on-premise devices or mobile phone
- The user ID is authenticated and billing is started (RADIUS / AAA server); this is also the moment the subscriber is tied to the IP address he will use for the session
- The user wants to reach a particular destination: a website (URL) or an email ID
- Role of IP and the DNS server: a name such as www.rediff.com is resolved to an IP address before any packet is sent to it

Data Flow
- Information to be sent by a person is broken down into smaller pieces: packets of data
- Packets have multiple layers of encapsulation (data file -> packets -> frames on each link); for interception we are finally interested in the data
- (Figure: a data file split into packets travelling across Internet routers and paths)

Internet Routers and Paths
- An Internet router directs your data to the network closest to the destination IP address of the packet
- Routers communicate with each other to share routing details so that packets are directed to the destination IP address
- Gateway router: every ISP has a gateway router which acts as its point of contact with the Internet backbone

Internet Routers
- Routers are the building blocks of the Internet; a router links two or more networks and knows to which network it should send a packet
- On a shared-medium network (a hub or an open wireless segment) all computers see all packets flowing, and a computer picks up a packet based on its MAC/IP address; on a switched network the switch forwards a frame only to the port where the destination MAC address was learned, which is why a SPAN port or a tap is needed to see other hosts' traffic
- A router sees the packets of both networks and decides how to route them: based on route tables, based on route congestion and availability, based on policies

Path Traversal
- The Internet data path can vary with the amount of traffic; packets may not always take the same path to reach the destination
- Packets may be delayed and arrive out of order
- The upstream path and the downstream path may be different (and not just because of congestion), so a single probe may see only one direction of a conversation
- Packets may be retransmitted in the network, so a collector must de-duplicate and reassemble before searching

What Changes in a Packet Across Routers
- At every hop the source and destination MAC addresses are rewritten, the TTL is decremented and the IP header checksum is recomputed
- The source and destination IP addresses stay the same unless a NAT device or proxy is in the path
- The application data is carried unchanged (only an intermediate proxy rewrites it), so filters at a backbone probe should key on IP addresses and payload rather than on the MAC addresses seen there
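As an added example (not from the presentation), the following Python simulates one router hop on a constructed Ethernet/IPv4 frame. The MAC and IP addresses are made-up sample values and no NAT is assumed. It shows concretely which fields a probe sees change between the access network and the backbone (MACs, TTL, header checksum) and which stay constant (IP addresses, payload), and it handles the TTL-expiry case in which a router would drop the packet instead of forwarding it.

```python
"""Simulated router hop on a constructed Ethernet II + IPv4 frame (added example)."""
import struct

# Constructed sample values, not taken from any real capture
HOST_MAC = bytes.fromhex("020000000001")
ROUTER_A = bytes.fromhex("020000000002")   # access router, facing the host
ROUTER_B = bytes.fromhex("020000000003")   # next hop towards the backbone
ETHERTYPE_IPV4 = 0x0800


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 ones'-complement checksum; returns 0 for a header whose checksum is valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(src_mac, dst_mac, src_ip, dst_ip, ttl, payload):
    """Ethernet II header + minimal IPv4 header (no options) + raw payload.
    Protocol 6 (TCP) is declared; the payload stands in for the transport segment."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0, ttl, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    return dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4) + ip + payload


def parse_frame(frame: bytes) -> dict:
    """Pull out the fields an interception probe keys on."""
    dst_mac, src_mac = frame[:6], frame[6:12]
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        raise ValueError("not IPv4")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    return {
        "src_mac": src_mac.hex(), "dst_mac": dst_mac.hex(),
        "src_ip": ".".join(map(str, ip[12:16])), "dst_ip": ".".join(map(str, ip[16:20])),
        "ttl": ip[8], "proto": ip[9],
        "checksum_ok": ipv4_checksum(ip[:ihl]) == 0,
        "payload": ip[ihl:],
    }


def forward_hop(frame: bytes, out_mac: bytes, next_hop_mac: bytes) -> bytes:
    """What a router does to a frame it forwards: new L2 addresses, TTL minus one,
    header checksum recomputed. IP addresses and payload are untouched (no NAT here)."""
    ip = bytearray(frame[14:])
    if ip[8] <= 1:
        raise ValueError("TTL expired: router drops the packet and sends ICMP Time Exceeded")
    ip[8] -= 1
    ihl = (ip[0] & 0x0F) * 4
    ip[10:12] = b"\x00\x00"
    ip[10:12] = struct.pack("!H", ipv4_checksum(bytes(ip[:ihl])))
    return next_hop_mac + out_mac + frame[12:14] + bytes(ip)


def demo():
    """Frame as sent by the host, then as relayed by the first router; returns both parses."""
    sent = build_frame(HOST_MAC, ROUTER_A, "10.0.0.5", "203.0.113.10", 64, b"GET / HTTP/1.0\r\n\r\n")
    relayed = forward_hop(sent, ROUTER_A, ROUTER_B)
    return parse_frame(sent), parse_frame(relayed)


if __name__ == "__main__":
    before, after = demo()
    for key in ("src_mac", "dst_mac", "src_ip", "dst_ip", "ttl", "checksum_ok"):
        print(f"{key:12} {before[key]!s:>24} -> {after[key]!s:<24} {'changed' if before[key] != after[key] else 'same'}")
```

A filter keyed on the host's MAC address would match at the access switch but never at a backbone probe, where every frame carries the router pair's MACs; the IP pair and payload are the stable selectors.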

Internet Monitoring Technique: Where to Intercept
- User computing device: laptop, desktop, mobile
- Internet access equipment: dial-up modems, Wi-Fi, ADSL, cable, leased line routers
- Local service provider (POPs): authentication and billing services
- National ISPs (city and international gateways): DNS, email, websites
- Internet mesh (peering routers, NAPs)
- Online content servers (datacenters)

Architecture Diagram for an ISP
(Figure: the Internet population connects through the ISP switch/router to the Internet; probes at the ISP location, next to the RADIUS server, feed an off-site collection center of the monitoring agencies over a leased line)

Network Devices with SPAN Ports
- L2/L3 manageable devices generally have a spanning/mirroring facility
- Gateway router: exit point for packets from the service provider's network to the Internet
- (Figure: service provider's network -> service provider's gateway switch/router -> Internet cloud / next network; a mirror/SPAN copy of the traffic flowing through the gateway goes to the probe)
- Caveat: a SPAN port shares the switch's forwarding capacity and is the first thing the switch drops under load; mirroring both directions of a full-duplex 1G link onto one 1G SPAN port can oversubscribe it, so the copy is not guaranteed complete

Passive Network Taps
- Where no SPAN/mirror port is available on the manageable network devices, a passive network tap is used
- The tap sits inline between the gateway router and the Internet cloud and passes the production traffic through unchanged, while simultaneously delivering a copy of the traffic flowing through it to the monitor port; it does not switch or alter the production traffic
- A passive (optical splitter) tap has no electronics in the data path, so it does not drop mirrored packets under load; it delivers each direction on a separate output, which the probe or an aggregator must merge
- (Figure: service provider's international gateway router -> passive tap -> Internet cloud, with a mirror/SPAN copy of the traffic flowing through the tap)

Input Interfaces
- Ethernet: 10/100 Base, Gigabit Ethernet
- Optical: 1G, 10G, 40G
- STM: STM-1, STM-4, STM-16, STM-64

Multi-Location Implementation
- High performance cards and network taps at each location
- (Figure: probe servers at several locations feed a collection and analysis center with user desktops)

Mobile Network
- Probes at the BTS, BSC and PDSN
- (Figure: mobile network interception points)

Wi-Fi Network
- Interception of a single hotspot can be done with one probe system located within range of the wireless router
- (Figure: interception system between the Wi-Fi laptops, the Wi-Fi router and the Internet)
- Caveat: an over-the-air probe yields readable content only when the hotspot is open or the probe holds the network key; WPA/WPA2-protected frames captured without the key are opaque

Intercepting an ISP Network: Normal Traffic
(Figure: users -> Internet switch -> Internet; RADIUS server at the ISP location; the monitoring device passes a copy to the off-site monitoring personnel)

Intercepting an ISP Network: Suspicious Traffic
(Figure: same layout as the normal traffic diagram, highlighting the path of suspicious traffic from the monitoring device to the off-site monitoring personnel)

Defining Filters: Standard Filters
- IP address
- MAC address
- Email ID, chat ID, login ID
- ISP user account names
- Telephone numbers
- Keyword search is possible within the traffic selected by the above filters

Defining Filters: Additional Features
- Generic keywords across traffic, segregated further by protocol, direction and domain
- Websites
- Locations (city/country)
- Behaviour: save as draft, non-English words, encrypted messaging
- Time/date, duration, size of communication, location, type of subscriber
- Special attachment files

Granular Filtering
- Targeted filtering within the header only, the body only, or both
- Sent or received communication, or both
- Specific domains (hotmail, yahoo etc.)
- Specific protocols (mail, chat, P2P, social media etc.)
- Specific applications
- Within a geographic location, cybercafes etc.
- Combination filtering criteria: And, Or, Not, "at least N of" Boolean operations
- Exact and partial match
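The filtering features above, as an added example (not the product's own code): a small Python filter engine that composes And/Or/Not/"at least N" predicates over intercepted records, with header-only, body-only or both scoping, direction and domain restriction, and exact versus partial keyword matching. The record layout and the three sample intercepts are constructed here with fictional addresses and content.

```python
"""Boolean filter composition over intercepted message records (added example)."""
from typing import Callable, List

Record = dict
Predicate = Callable[[Record], bool]

# Constructed sample intercepts (fictional addresses and content)
SAMPLE = [
    {"proto": "smtp", "direction": "sent", "src": "10.0.0.5", "domain": "example-mail.test",
     "headers": {"From": "alice@example-mail.test", "To": "bob@example-mail.test", "Subject": "trip plans"},
     "body": "meet at the station near the market on friday", "city": "Mumbai"},
    {"proto": "chat", "direction": "received", "src": "10.0.0.9", "domain": "chat.test",
     "headers": {"From": "carol", "To": "dave"},
     "body": "Station closed today", "city": "Delhi"},
    {"proto": "http", "direction": "sent", "src": "10.0.0.5", "domain": "news.test",
     "headers": {"Host": "news.test"},
     "body": "headline: weather warning", "city": "Mumbai"},
]


def keyword(term: str, scope: str = "both", exact: bool = False) -> Predicate:
    """Keyword filter. scope is 'header', 'body' or 'both'. exact=True matches a whole
    word (case-insensitive); the default partial match accepts any substring."""
    t = term.lower()

    def chunks(rec: Record) -> List[str]:
        parts: List[str] = []
        if scope in ("header", "both"):
            parts.extend(str(v) for v in rec["headers"].values())
        if scope in ("body", "both"):
            parts.append(rec["body"])
        return parts

    def pred(rec: Record) -> bool:
        for chunk in chunks(rec):
            low = chunk.lower()
            if exact:
                if t in low.replace(",", " ").replace(".", " ").replace(":", " ").split():
                    return True
            elif t in low:
                return True
        return False

    return pred


def attr(name: str, value: str) -> Predicate:
    """Exact match on a record attribute: direction, domain, proto, src, city."""
    return lambda rec: rec.get(name) == value


def and_(*ps: Predicate) -> Predicate:
    return lambda rec: all(p(rec) for p in ps)


def or_(*ps: Predicate) -> Predicate:
    return lambda rec: any(p(rec) for p in ps)


def not_(p: Predicate) -> Predicate:
    return lambda rec: not p(rec)


def at_least(n: int, *ps: Predicate) -> Predicate:
    """'At least n of' the given predicates hold."""
    return lambda rec: sum(1 for p in ps if p(rec)) >= n


def apply_filter(pred: Predicate, records: List[Record]) -> List[int]:
    """Indices of the records selected by the filter."""
    return [i for i, rec in enumerate(records) if pred(rec)]


if __name__ == "__main__":
    sent_about_station = and_(keyword("station", scope="body"), attr("direction", "sent"))
    print("sent, body mentions station:", apply_filter(sent_about_station, SAMPLE))
    print("partial 'stat':", apply_filter(keyword("stat"), SAMPLE))
    print("exact 'stat':", apply_filter(keyword("stat", exact=True), SAMPLE))
```

Predicates are plain closures, so a saved target definition can be rebuilt from its parameters and reapplied to a new batch of records; the "at least N" combinator is what lets an analyst require, say, two of three weak indicators before a record is flagged.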

Target Configuration Screen
(Figure: configuration screen with fields for language, probes, target type, target, exact match, IP pool, domain, traffic up/down, location, users and target details)

Overview of the Working Model
- Input: keywords, city/country, field operations
- Track for users: get mail ID and chat ID; get ISP account, telephone number, location
- Continuously gather information on the user from the system
- Outputs: data to prevent crime, data to solve crime, behaviour analysis, propaganda websites

Advanced Analysis
- Built-in GIS information (geographic and location information of intercepted messages)
- Automatic social network analysis of the targeted entity (network of associates, time and duration of communication, nature of communication, location of communication etc.)
- Built-in tools for password cracking, detection of steganography, detection of encrypted traffic and collection of information on the encryption used
- Create a database of login information
- Given a target, automatically store the ISP user ID and telephone number used, and the time and duration of Internet use over a period

Reporting & Viewing
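The last item above (recording which ISP user ID and telephone number a target used, and when) depends on correlating intercepted traffic with the ISP's RADIUS accounting. As an added example (not from the presentation or any vendor product), the Python below parses constructed RADIUS Start/Stop accounting records and attributes each intercepted flow to the subscriber session that held the source IP at that time. The user names, numbers, addresses and timestamps are fictional. It also shows the edge case the "IP pool" target type creates: in a dynamic pool the same address is reissued to another subscriber once a session ends, so attribution by IP alone, or with the accounting traffic missing from the capture, is wrong or impossible.

```python
"""Subscriber attribution of intercepted flows via RADIUS accounting (added example)."""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# Constructed accounting log: one record per line as key=value pairs (fictional data)
ACCT_LOG = """\
Acct-Status-Type=Start User-Name=user-a Framed-IP-Address=100.64.0.7 Calling-Station-Id=+00-0000-11111 Timestamp=2012-03-01T09:00:00 Acct-Session-Id=s1
Acct-Status-Type=Stop User-Name=user-a Framed-IP-Address=100.64.0.7 Calling-Station-Id=+00-0000-11111 Timestamp=2012-03-01T09:45:00 Acct-Session-Id=s1
Acct-Status-Type=Start User-Name=user-b Framed-IP-Address=100.64.0.7 Calling-Station-Id=+00-0000-22222 Timestamp=2012-03-01T10:00:00 Acct-Session-Id=s2
"""

# Constructed flow records as seen by a probe: (timestamp, source IP, destination)
FLOWS = [
    ("2012-03-01T09:10:00", "100.64.0.7", "203.0.113.5:80"),
    ("2012-03-01T10:20:00", "100.64.0.7", "203.0.113.9:443"),
    ("2012-03-01T09:50:00", "100.64.0.7", "203.0.113.5:80"),  # falls between the two sessions
]


@dataclass
class Session:
    user: str
    phone: str
    ip: str
    start: datetime
    stop: Optional[datetime] = None  # None while the session is still open

    def covers(self, t: datetime) -> bool:
        return self.start <= t and (self.stop is None or t <= self.stop)

    def duration_minutes(self) -> Optional[float]:
        return None if self.stop is None else (self.stop - self.start).total_seconds() / 60


def parse_acct(log: str) -> List[Session]:
    """Build sessions from Start/Stop records, pairing them on Acct-Session-Id."""
    open_sessions: Dict[str, Session] = {}
    sessions: List[Session] = []
    for line in log.splitlines():
        if not line.strip():
            continue
        kv = dict(item.split("=", 1) for item in line.split())
        t = datetime.fromisoformat(kv["Timestamp"])
        sid = kv["Acct-Session-Id"]
        if kv["Acct-Status-Type"] == "Start":
            s = Session(kv["User-Name"], kv["Calling-Station-Id"], kv["Framed-IP-Address"], t)
            open_sessions[sid] = s
            sessions.append(s)
        elif kv["Acct-Status-Type"] == "Stop" and sid in open_sessions:
            open_sessions.pop(sid).stop = t
    return sessions


def attribute(sessions: List[Session], ip: str, when: datetime) -> Optional[Session]:
    """The session that held `ip` at `when`, or None when no session covers it (the
    accounting traffic was not captured, or the address is outside the ISP's pools)."""
    for s in sessions:
        if s.ip == ip and s.covers(when):
            return s
    return None


def attribute_flows(log: str = ACCT_LOG, flows=FLOWS) -> List[Optional[str]]:
    """User-Name per flow, None where the flow cannot be tied to a subscriber."""
    sessions = parse_acct(log)
    out: List[Optional[str]] = []
    for ts, ip, _dst in flows:
        s = attribute(sessions, ip, datetime.fromisoformat(ts))
        out.append(None if s is None else s.user)
    return out


if __name__ == "__main__":
    for (ts, ip, dst), user in zip(FLOWS, attribute_flows()):
        print(f"{ts} {ip} -> {dst}: {user or 'UNATTRIBUTED'}")
    for s in parse_acct(ACCT_LOG):
        print(s.user, s.phone, s.ip, s.start, s.stop, s.duration_minutes())
```

The third flow is the instructive one: 100.64.0.7 belongs to user-a before 09:45 and to user-b from 10:00, so a flow at 09:50 must be left unattributed rather than assigned to whichever subscriber the address belonged to last. This is why the limitations section insists that the point of interception must see the authentication traffic.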

- Pane for users / cases / filters
- Records pane
- Statistics pane
- Preview pane
- Header details

System Dependencies and Limitations

1. Getting the raw data
- The point of interception decides the completeness of the data: closeness to the target user, visibility of the authentication traffic, full mirroring (if taps are not used), one-way or two-way traffic
- Bandwidth to handle: 1G / STM-16 / 10G today; 40G and 100G in future

2. Protocols intercepted
- Internet protocols supported: IP, TCP, UDP packets
- Web browsing: HTTP, social media
- E-mail: SMTP, POP3, MIME
- Chat: IRC, ICQ
- Web-based mail: Hotmail, Yahoo, Rediffmail, Indiatimes, AOL, Google etc.
- Encoded mails (Base64, gzip)
- Web chat: MSN, Yahoo, Rediff, Indiatimes, AOL etc.
- Newsgroups: NNTP, Yahoo, Google etc.
- P2P networks: Gnutella, eMule, eDonkey
- VoIP and video over IP: H.323, SIP, Megaco, MGCP (signalling); RTP/RTCP (audio media); G.711, G.723, G.726, Siren, iSAC (codecs)
- File transfers: FTP, HTTP file downloads
- RADIUS
- Telnet

3. Files supported
Attachments and file downloads can be:
- Documents: Word, Excel, PowerPoint, PDF, TXT
- Images: JPG, BMP, GIF, TIF, PNG
- Audio: MP3, WAV, WMA
- Video: MP4, MPEG, AVI, SWF, WMV
- Web: HTML, JSP, XML, PHP
- Executables: EXE, SYS, BIN, CON
- Archives: ZIP, RAR, TAR

4. Encrypted data
- Many webmail services encrypt end to end within their own domain: Gmail to Gmail, Hushmail to Hushmail etc.
- Websites use SSL to encrypt the traffic
- Skype (VoIP) is encrypted
- Files can be encrypted and sent
- Files may be password protected to defeat generic keyword searches
- An encrypted stream can still be detected (by its protocol handshake or by payload entropy) and its endpoints, timing and volume recorded, even though its content cannot be read

6. Identity information
- Tracing the sender or receiver to a last-mile identity
- Communication over webmail masks the source/destination; this needs local ISP/provider data
- Use of proxy servers: within a company, within an ISP, open proxies
- Anonymizers
- Tor network
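Sections 2 to 4 above, as one added example (not the presentation's or any vendor's code): Python that reconstructs the DATA phase of a constructed SMTP session, parses the MIME structure with the standard library, decodes the Base64 attachments, identifies each file type from its leading bytes regardless of the declared name, runs the keyword search over the text parts, and flags attachments whose byte entropy shows they are encrypted or compressed and therefore invisible to keyword search. The addresses are fictional; the two attachments are a tiny PNG-like byte string and a uniform-distribution blob standing in for an encrypted file.

```python
"""Attachment extraction and encrypted-content detection on an intercepted SMTP session (added example)."""
import base64
import email
import math
from email import policy
from typing import Dict, List

MAGIC = {
    b"%PDF-": "pdf", b"\x89PNG\r\n\x1a\n": "png", b"PK\x03\x04": "zip", b"MZ": "exe",
    b"\xff\xd8\xff": "jpg", b"GIF8": "gif", b"Rar!\x1a\x07": "rar",
}


def sniff_type(data: bytes) -> str:
    """File type from leading magic bytes, ignoring the declared filename and MIME type."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; close to 8 means encrypted or compressed content."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def extract_data_from_smtp(session: str) -> bytes:
    """Client lines between the server's 354 reply and the lone '.' that ends DATA."""
    lines = session.split("\r\n")
    start = next(i for i, l in enumerate(lines) if l.startswith("S: 354")) + 1
    out = []
    for l in lines[start:]:
        if l == "C: .":
            break
        out.append(l[3:] if l.startswith("C: ") else l)
    return "\r\n".join(out).encode()


def analyse(session: str, keywords: List[str]) -> Dict:
    """Headers, keyword hits in text parts, and one report entry per attachment."""
    msg = email.message_from_bytes(extract_data_from_smtp(session), policy=policy.default)
    report: Dict = {"from": str(msg["From"]), "to": str(msg["To"]), "subject": str(msg["Subject"]), "attachments": []}
    hits = set()
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        data = part.get_payload(decode=True) or b""   # undoes base64 / quoted-printable
        name = part.get_filename()
        if name is None:
            text = data.decode(part.get_content_charset() or "utf-8", "replace").lower()
            hits.update(k for k in keywords if k.lower() in text)
            continue
        ent = entropy(data)
        report["attachments"].append({
            "name": name, "declared": part.get_content_type(), "sniffed": sniff_type(data),
            "size": len(data), "entropy": round(ent, 2),
            "searchable": ent < 7.0,   # high entropy: keyword search cannot see inside
        })
    report["keyword_hits"] = sorted(hits)
    return report


def build_session() -> str:
    """Constructed SMTP transcript (fictional addresses): text body plus two attachments."""
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 40     # tiny PNG-like image, low entropy
    blob = bytes(range(256)) * 4                     # uniform byte distribution: stands in for an encrypted file
    b = "XX"
    mime = (
        "From: alice@example-mail.test\r\nTo: bob@example-mail.test\r\nSubject: photos\r\n"
        "MIME-Version: 1.0\r\nContent-Type: multipart/mixed; boundary=\"" + b + "\"\r\n\r\n"
        "--" + b + "\r\nContent-Type: text/plain; charset=utf-8\r\n\r\nsee the station photo\r\n"
        "--" + b + "\r\nContent-Type: image/png\r\nContent-Disposition: attachment; filename=\"pic.png\"\r\n"
        "Content-Transfer-Encoding: base64\r\n\r\n" + base64.b64encode(png).decode() + "\r\n"
        "--" + b + "\r\nContent-Type: application/octet-stream\r\n"
        "Content-Disposition: attachment; filename=\"notes.pdf\"\r\n"
        "Content-Transfer-Encoding: base64\r\n\r\n" + base64.b64encode(blob).decode() + "\r\n"
        "--" + b + "--\r\n"
    )
    data_lines = "\r\n".join("C: " + line for line in mime.split("\r\n"))
    return (
        "S: 220 mx.example-mail.test ESMTP\r\nC: EHLO client.test\r\nS: 250 OK\r\n"
        "C: MAIL FROM:<alice@example-mail.test>\r\nS: 250 OK\r\n"
        "C: RCPT TO:<bob@example-mail.test>\r\nS: 250 OK\r\n"
        "C: DATA\r\nS: 354 End data with <CR><LF>.<CR><LF>\r\n"
        + data_lines + "\r\nC: .\r\nS: 250 OK queued\r\nC: QUIT\r\n"
    )


if __name__ == "__main__":
    print(analyse(build_session(), ["station", "market"]))
```

The second attachment is the case section 4 warns about: it is named notes.pdf but carries no PDF signature and has maximum entropy, so the collector can record that an opaque file of a given size went from one address to another at a given time, but a keyword filter will never match inside it.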


Open Source Monitoring: Types of Monitoring
- Website, blog and news monitoring based on keywords: http://bingmatrix.cloudapp.net/Default.aspx, http://www.wordle.net/create, http://palizine.plynt.com/
- Social media monitoring: word based, topic based, author importance, sentiment analysis. Example: http://www.guardian.co.uk/uk/interactive/2011/dec/07/london-riots-twitter
- Geo-tag search
- Search trends / Twitter trends

Paladion Brand Intelligence
Paladion technology helps clients monitor what employees are saying and doing online. Numerous Kotak Mahindra Bank employees openly discuss the company on social media sites like MySpace.com.
http://searchservice.myspace.com/index.cfm?fuseaction=sitesearch.results&type=AllMySpace&qry=Kotak%20Mahindra

Paladion Brand Intelligence
Online postings, user reviews and customer comments reveal public perceptions of a company's business, and provide insight into known and unknown customer service issues. This popular consumer complaint forum displays 30 recent complaints from dissatisfied customers, including a post accusing Kotak Mahindra employees of telephone harassment.
http://www.complaintsboard.com/bycompany/kotak-mahindra-bank-a5767.html

Paladion Brand Intelligence
Social media sites like Twitter.com quickly spread commentary and information across the Internet. Various articles and postings about Kotak Mahindra Bank are rebroadcast by numerous Twitter followers as events occur.
http://twitter.com/#search?q=Kotak%20Mahindra

Paladion Brand Intelligence
This site solicits and posts reviews of Kotak Mahindra Bank written by past and current employees. Many reviews contain highly critical comments about the company's brand, corporate leadership and overall reputation.
http://www.glassdoor.com/Reviews/Kotak-Reviews-E212808.htm

Thank You
Q & A