Undersea data – the evidence of the snoop?

It’s been a while since I put out a blog, but this caught my eye.

This [LINK] interactive graphic shows the undersea cable maps of the world. It’s a really good graphic and is very useful in giving us some intelligence. We’ve seen other graphics of the undersea cable maps [LINK] but this new interactive one can show the cable routes per year.

So why is this important?

Well, if we look at the Snowden-leaked NSA PowerPoint screenshots, we can see that most of the dates quoted on these documents are from 2004 onwards. [LINK]

If we combine this intelligence with the time it takes to lay a cable (around 100-150 km per day [LINK]), we can start projecting backwards as to which cables were being used for which projects and where the boosts in investment may have come from. If you fancy having a go at matching projects to cables, feel free to get in touch and I’ll add an update to this blog.

More info about undersea cables [LINK]

 

@SPCoulson

What is an ‘Ethical Hack’?

This great question was posted on LinkedIn and it got me thinking.

 

In the strictest use of the phrase ethical security testing – I believe an accurate description would include:

  • explicit instruction
  • authorisation
  • owned system

 

However, we need to get pernickety about definitions with this phrase:

Ethical.

‘No-one got hurt’ or ‘no data was exfiltrated’ perhaps.

Hacking.

A wide description can be inferred here – but let us allow the words ‘attack’ or ‘exfiltration’ to be used.

 

So let us see whether these example instances count as Ethical Hacking, and thereby explore the relevance and use of the phrase:

Example 1:

An Anonymous DDoS is ethical hacking, is it not?

    • Ethical – fighting for the masses,
    • Hacking – DDoS is a form of hacking.

Technically yes and no. Ethical – whose ethics? Ethical in that it is their belief they are fighting for, so I guess yes; but hacking – DDoS. Hmm, I have a problem with DDoS as it is an orchestrated attack with the intent to stop traffic reaching a website or web service. As a result of that ‘intent’, I believe this no longer counts as ethical.

Example 2:

Is Edward Snowden an ethical hacker?

    • Ethical – he released documents that exposed government misdemeanours
    • Hacking – using social engineering techniques.

No, because he broke the law. Quite a simple line here. Irrespective of what the Governments allegedly have been up to, he broke the law by stealing information, and for that reason this is not ethical hacking – but crime.

Example 3:

NSA backdoors in common-use technologies

    • Ethical – they are protecting the greater good of the US
    • Hacking – creating backdoors in code for later use

Here we see an easy delineation – there is a potential Ethical standpoint, but there is no visibility or transparency of intent and, as such, no ethical standpoint.

 

Summary:

Ethical Hacking is a not-so-common term; we are more used to seeing Ethical Security Testing. This implies testing – part of a project lifecycle. The very introduction of the term Hacking takes an already broad term, Ethical, and muddies it with an already media-hyped phrase, Hacking, and as such creates a phrase which could describe either crime or business activity. As such, I would recommend avoiding the term Ethical Hacking and concentrating on the much stricter phrase Ethical Security Testing.

The not so shocking NSA revelations

I don’t work for the government.
I am a UK citizen.
I work in IT security.

 
Edward Snowden stole 1.2 million documents and has started leaking them in small batches. News agency Spiegel has found some interesting stuff in there:

http://www.spiegel.de/international/world/catalog-reveals-nsa-has-back-doors-for-numerous-devices-a-940994.html

It appears that the NSA in 2007 (7 years ago) had a catalog of tools that could be used to allow varying degrees of access to devices. This confidential document is now public for all to see and we can now browse through the catalog ourselves – http://t.co/Ra19VNCwEJ

Although it is revealing as to what was available back in 2007, we need to remember that we are judging 2007 technology through 2014 eyes. Our perception of privacy etc. has changed in the last 7 years. If we could rewind to 2007, how many people would have supported this technology at that time?

So let us put ourselves back in the frame of mind of 2007:

  • the first iPhone was launched (June 29th), which means …
  • Steve Jobs is still alive (in fact he hasn’t got ill yet)
  • We launch the Core 2 Duo this year
  • Dropbox … 1st lines of code are written
  • Vista and Office 2007 were released on January 30th
  • Tumblr is launched
  • There is no Anonymous
  • Android was released in November 2007

In 1 year Chrome will be launched

In 2 years Minecraft is to be launched

In 3 years we get Stuxnet discovery

In 4 years Aaron Swartz gets arrested

In 5 years SOPA protests get commercial backing

In 6 years Hotmail brand gets shut down
Since 2007 we have had a hell of a ride and we are now all so much more paranoid about our security and our privacy. We loved the lack of privacy in 2007 – I mean, 7 years ago, how much were you posting on Facebook/MySpace/Bebo before you realised what was going on?

And so we need to think about the NSA again. In 2007 they were snooping – isn’t that their job? Now, I don’t know about you, but I’m not surprised. I mean, the UK has had Goonhilly since 1962. Why are we all so shocked?

And so to get to the point…

If you are a good citizen who is behaving responsibly, then what have you to fear if the NSA/GCHQ/FSB, or whoever the hell is in authority, reads what you are doing? If you are so concerned about your privacy, then why are you on the internet exposing all your data to all the parties involved in getting you online?

When I connect to the internet, I connect via a router I do not own, over a telecoms company’s cable, through ISP equipment, onto undersea cables owned by someone else, to a data-centre owned by a hosting company, to a web developer’s server, to a website of a person who I hope knows how to write secure code, and give them my credit card number and delivery address, which is then passed on to my bank and his bank to complete the transaction. Privacy? Where?

If the NSA want to read all emails and thereby build up a profile of how a typical user in the US/UK/France or wherever operates, then it is easier to spot those who do not behave like the norm. If we find in the UK that no-one uses the words bomb and fertiliser together but ‘da bomb’ is popular, then we can discount 90% of the noise from the holistic view and focus only on those who appear to be creating an unusual profile.

So

Reading that catalog through the eyes of the NSA: we have a massive set of interfaces that we need to be aware of and somehow access… how can we make it easy to monitor?

If we have access to the machine, use the USB; if the target uses common routers, then have an accessible backdoor in that router, etc. Now build this up to a nation of billions of people: the targets can then be targeted, and if an innocent is picked up, so long as they fit the population’s normal model they’ll be fine. There is no way the NSA could monitor the whole of the US – the traffic would be so massive it could not be analysed in real time and the storage would be prohibitively large – so it cannot be a whole-population monitor. That NSA shopping list is designed for specific targets, not for whole populations.

Am I concerned?

Well, no, actually. I know my privacy is shot – I gave it up well before 2007, when we had that thing called the internet and I first naively connected to a BBS using my real name!

So I guess the real question is…

If that was the 2007 catalog… I wonder what the 2014 catalog looks like?