pervasive monitoring
play

Pervasive Monitoring stephen.farrell@cs.tcd.ie June 2014 - PowerPoint PPT Presentation

Oct 25, 2022 •188 likes •352 views

Pervasive Monitoring stephen.farrell@cs.tcd.ie June 2014 stephen.farrell@cs.tcd.ie 1/16 It's an attack The actions of NSA and their partners (nation-state or corporate, coerced or not) are a multi-faceted form of attack, or are

  1. Pervasive Monitoring stephen.farrell@cs.tcd.ie June 2014 stephen.farrell@cs.tcd.ie 1/16

  2. It's an attack ● The actions of NSA and their partners (nation-state or corporate, coerced or not) are a multi-faceted form of attack, or are indistinguishable from that ● Not unique, others are likely doing the same... or will ● The scale arguably makes this an example of a new pervasive monitoring threat model that is neither purely passive nor a classic Man-in-the-Middle and that we have not normally considered in protocol design, implementation or deployment ● A purely technical response will not “solve the problem” but we should treat an attack as we usually do and try mitigate it stephen.farrell@cs.tcd.ie 2/16

  3. A Definition From RFC7258/BCP188 “Pervasive Monitoring is an Attack” Pervasive Monitoring (PM) is widespread (and often covert) surveillance through intrusive gathering of protocol artefacts, including application content, or protocol meta-data such as headers. Active or passive wiretaps and traffic analysis, (e.g., correlation, timing or measuring packet sizes), or subverting the cryptographic keys used to secure protocols can also be used as part of pervasive monitoring. PM is distinguished by being indiscriminate and very large- scale, rather than by introducing new types of technical compromise. stephen.farrell@cs.tcd.ie 3/16

  4. IETF (Re)Action ● Overall: snowdonia has re-energised folks to do better on security and privacy in general (and not solely in response to PM) – Side meeting in Berlin @ IETF-87 – Tech plenary, major discussion @ IETF-88 – STRINT workshop before IETF-89 ● htps://tools.ietf.org/html/draft-iab-strint-report – Topic at many meetings/BoFs @ IETF-89 – Wanting to see results from IETF-90 onwards... ● Unsurprisingly this is similar to the more broad technical community reaction stephen.farrell@cs.tcd.ie 4/16

  5. New IETF work related to PM ● UTA WG formed, update BCPs on how to use TLS in applications – WG has to do work now of course ● RFC7258/BCP188 published after major IETF LC debate – sets the basis for further actions ● Proposals for new work discussed around IETF-89: – DNS Privacy - unthinkable before snowdonia – TCP encryption: was proposed two years ago but mistakenly rejected ● Including by me, as ack'd at mic @ IETF-88, bummer ● Old-RFC privacy/PM review team formed – Please help! Mail me. ● IAB re-factoring their security and privacy programmes. stephen.farrell@cs.tcd.ie 5/16

  6. Other relevant IETF Things ● TLS 1.3 being developed aiming for better handshake encryption properties (and learning from previous TLS problems) ● HTTPBIS WG developing HTTP/2.0, the major deployment model for which seems to be to run much much more HTTP traffic over TLS ● And since all this is IETF stuff, you can (and please do) join in and help if you're willing and able stephen.farrell@cs.tcd.ie 6/16

  7. DNS Privacy ● IETF-89 BoF materials – https://www.ietf.org/proceedings/89/dnse.html ● I stole slides from there mostly:-) ● Mailing list: – https://www.ietf.org/mailman/listinfo/dns-privacy ● Drafts – All “unofficial” remember, nothing here has consensus yet – Problem statement: draft-bortzmeyer-dnsop-dns-privacy – Some requirements: draft-hallambaker-dnse stephen.farrell@cs.tcd.ie 7/16

  8. DNS Privacy Problem ● Query timing and content is “meta-data” that can help a pervasive monitor – Could correlating DNS queries (e.g. via timing) be a fingerprint for which web page you're on? ● QNAME itself can be sensitive: – <political-party>.<cctld> or <ailment>.org ● Full QNAME sent too often, too far in queries – Can go to root, not needed there, at least in principle stephen.farrell@cs.tcd.ie 8/16

  9. Problems with this Problem (1) ● DNS names likely to be exposed elsewhere anyway, primarily in TLS ServerNameIndication (SNI) which is not easy to protect – SNI protection is being considered in TLS1.3, but load-balancers probably need something ● QNAME is used by some CDNs and others for valid networking purposes – Maybe. Could have interaction with “solving” public-suffix list via DNS ● DNS privacy was never a requirement and we have DNSSEC; don't make deploying DNSSEC harder! – Yep, but times change. Privacy solutions can almost certainly be independent of, and complementary to, DNSSEC stephen.farrell@cs.tcd.ie 9/16

  10. Problems with this Problem (2) ● Stub<->Recursive and Recursive<->Authoritative patterns of interaction are hugely different – Yep. May need different approaches to privacy for those, but that might well be ok, since the privacy issues are fairly different ● If you get your DNS from DHCP, there's no point since the resolver could anyone and could be spying on you – Yep. But that'd mean a more active attack. ● There's no way to get this deployable via UDP – Maybe. But maybe there is! stephen.farrell@cs.tcd.ie 10/16

  11. Solutions ● Basic ideas for solutions are “easy” – QNAME minimisation: just don't! No protocol change needed – Crypto moving parts are fairly obvious ● See the BoF materials – How to arrange those parts so that something might be deployed and useful is not at all obvious ● State of play: – Mailing list are discussing. – If interested, sign up and go stephen.farrell@cs.tcd.ie 11/16

  12. Crypto + Data Minimisation ● Mitigation = Crypto + Minimisation – For DNS protocol and other cases – Though undoubtedly we will learn more/better as we go ● That includes registries too presumably – whois coudn't be controversial could it? ● Are there activities feeding into policy development that are already considering PM? – If not should/could there be? stephen.farrell@cs.tcd.ie 12/16

  13. What to do? (1) ● Turn on crypto – For applications and between data-centres – Current tools: TLS, IPsec, IEEE MAC-sec, DNSSEC – Future tools?: DNS-priv, TCPInc (tcpcrypt), MPLS-OE ● Discussions ongoing – Measure/gamify what is being used ● Data minimisation – E.g. DNS QNAME minimisation – More uncertain, more to learn here stephen.farrell@cs.tcd.ie 13/16

  14. What to do? (2) ● Better implementations – https://cryptech.is/ and similar – Update/check/audit crypto support – Make security/privacy admin easier ● Deployments – Turn on stuff that helps privacy – Significant issues with business models and deployed base of services ● Users – Target diversity - Don't all use the same services all the time stephen.farrell@cs.tcd.ie 14/16

  15. What to do? (3) ● Discuss the issue openly – In whatever fora are relevant for you ● Agitate (if that's your kind of thing:-) ● Go and be responsible engineers/computer scientists/whatever and take the broader implications of your work/research into account before, while and after doing it stephen.farrell@cs.tcd.ie 15/16

  16. Conclusions ● IETF has consensus PM is an attack (RFC7258) and is working that problem ● We all should consider how we can work to make PM harder, since those doing it will not just stop ● When/if societies do decide that PM is as bad as it is, then the technical community should have in place the tools to effect that decision stephen.farrell@cs.tcd.ie 16/16

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Scaling-up SLA Monitoring in Scaling-up SLA Monitoring in Pervasive Environments Pervasive

Scaling-up SLA Monitoring in Scaling-up SLA Monitoring in Pervasive Environments Pervasive

Istituto di Scienza e Tecnologie dell'Informazione A. Faedo Software Engineering Laboratory Scaling-up SLA Monitoring in Scaling-up SLA Monitoring in Pervasive Environments Pervasive Environments Engineering of Software Services for

677 views • 22 slides
IETF-88 Update: Pervasive Monitoring Jari Arkko Russ Housley IETF Chair

IETF-88 Update: Pervasive Monitoring Jari Arkko Russ Housley IETF Chair

IETF-88 Update: Pervasive Monitoring Jari Arkko Russ Housley IETF Chair IAB Chair I. IETF-88 hot topics II. The pervasive monitoring problem III. What is the IETF doing about it? 1 Monday, November 18,

402 views • 12 slides
Cloud Privacy in a PervasivE Monitoring t Landscape pt

Cloud Privacy in a PervasivE Monitoring t Landscape pt

44 pt Cloud Privacy in a PervasivE Monitoring t Landscape pt JOHN MATTSSON

259 views • 7 slides
Security for Pervasive Computing CS239 Kevin Eustice V. Ramakrishna 4/24/06 What is Pervasive

Security for Pervasive Computing CS239 Kevin Eustice V. Ramakrishna 4/24/06 What is Pervasive

Security for Pervasive Computing CS239 Kevin Eustice V. Ramakrishna 4/24/06 What is Pervasive Computing? One Vision of Pervasive Computing PHYSICAL INTEGRATION Coffee Shop Personal Network Change route! My location? L o c a t i

318 views • 20 slides
Pervasive Devices Pervasive Devices: Low memory, few gates Low power, no clock, little

Pervasive Devices Pervasive Devices: Low memory, few gates Low power, no clock, little

Authenticating Pervasive Devices with Human Protocols Ari Juels Stephen A. Weis RSA Laboratories MIT CSAIL Pervasive Devices Pervasive Devices: Low memory, few gates Low power, no clock, little state Low computational power

611 views • 20 slides
BALANCE: Towards a Usable Pervasive Wellness Application with Pervasive Wellness Application with

BALANCE: Towards a Usable Pervasive Wellness Application with Pervasive Wellness Application with

BALANCE: Towards a Usable Pervasive Wellness Application with Pervasive Wellness Application with Accurate Activity Inference Tamara Denning, Adrienne Andrew, Rohit Chaudhri, Carl Hartung, Jonathan Lester, Gaetano Borriello, Glen Duncan

584 views • 23 slides
Pervasive Computing: Opportunities and Challenges Dimitris Kalofonos Pervasive Computing Group

Pervasive Computing: Opportunities and Challenges Dimitris Kalofonos Pervasive Computing Group

Pervasive Computing: Opportunities and Challenges Dimitris Kalofonos Pervasive Computing Group (PCG) Nokia Research Center, Boston 1 ASWN04 Panel Discussion, August 10, 2004, Dimitris Kalofonos The Vision for Pervasive Computing (PC)

128 views • 9 slides
PERVASIVE Home ! Work ! Play 2 2 Pervasive (Home) TURBOCHEF www.turbochef.com MOXI

PERVASIVE Home ! Work ! Play 2 2 Pervasive (Home) TURBOCHEF www.turbochef.com MOXI

Embedded Systems Silicon Valley 2011 ESC-202 Implementing Secure Remote Firmware Updates Tuesday May 3 rd , 8:00 9:15 Loren Shade loren@allegrosoft.com 1 1 PERVASIVE Home ! Work ! Play 2 2 Pervasive (Home) TURBOCHEF

435 views • 14 slides
MobiDIS A Pervasive A Pervasive MobiDIS Architecture for Emergency Architecture for

MobiDIS A Pervasive A Pervasive MobiDIS Architecture for Emergency Architecture for

MobiDIS A Pervasive A Pervasive MobiDIS Architecture for Emergency Architecture for Emergency Management Management Massimiliano de Leoni Fabio De Rosa Massimo Mecella Univ. Roma LA SAPIENZA, Italy Dipartimento di Informatica e

1.18k views • 33 slides
Pervasive and ubiquitous computing and MazeMap Paper 4, 9 and 15 Sergi Orra Gener Pervasive

Pervasive and ubiquitous computing and MazeMap Paper 4, 9 and 15 Sergi Orra Gener Pervasive

Pervasive and ubiquitous computing and MazeMap Paper 4, 9 and 15 Sergi Orra Gener Pervasive Computing Vs Ubiquitous Computing Main goal and challenges The knowledge of human behaviour. Challenges: Too much data to process. Too

432 views • 4 slides
Evalua&lt;ng your Ubicomp prototype SPCL-E2012 Pervasive Compu5ng

Evalua&lt;ng your Ubicomp prototype SPCL-E2012 Pervasive Compu5ng

Evalua&lt;ng your Ubicomp prototype SPCL-E2012 Pervasive Compu5ng course (project) Thomas Pederson Associate Professor, Pervasive Interac&lt;on Technology Lab IT University of

522 views • 12 slides
Community-Driven Adaptation: Automatic Content Adaptation in Pervasive Environments Iqbal

Community-Driven Adaptation: Automatic Content Adaptation in Pervasive Environments Iqbal

Community-Driven Adaptation: Automatic Content Adaptation in Pervasive Environments Iqbal Mohomed, Alvin Chin, Jim Cai, Eyal de Lara Department of Computer Science University of Toronto WMCSA 2004: Session V - Pervasive Technologies One Size

648 views • 26 slides
Situvis A Visual Tool for Modeling a User's Behavior Patterns in a Pervasive Environment Adrian

Situvis A Visual Tool for Modeling a User's Behavior Patterns in a Pervasive Environment Adrian

Situvis A Visual Tool for Modeling a User's Behavior Patterns in a Pervasive Environment Adrian K. Clear et al. Pervasive and Mobile Computing journal 2010 Dominic Langenegger Distributed Systems Seminar FS12 1 Overview Situation, Goal

763 views • 19 slides
Exposing and Evading Middlebox Policies DAVID CHOFFNES Middleboxes are pervasive In-network

Exposing and Evading Middlebox Policies DAVID CHOFFNES Middleboxes are pervasive In-network

Exposing and Evading Middlebox Policies DAVID CHOFFNES Middleboxes are pervasive In-network functionality can be really helpful Security (IPS) Performance (proxies) Fairness (traffic management) 2 Middleboxes are pervasive

617 views • 37 slides
Security in Pervasive Wireless Security in Pervasive Wireless Systems Systems Wade Trappe

Security in Pervasive Wireless Security in Pervasive Wireless Systems Systems Wade Trappe

Security in Pervasive Wireless Security in Pervasive Wireless Systems Systems Wade Trappe Breaking Down the Issues (summary) Breaking Down the Issues (summary) Wireless is easy to sniff. We still need encryption services and key management.

533 views • 13 slides
From a Client-Server based e-health Platform to a Pervasive Solution TELEFNICA I+D Date: 4 th

From a Client-Server based e-health Platform to a Pervasive Solution TELEFNICA I+D Date: 4 th

From a Client-Server based e-health Platform to a Pervasive Solution TELEFNICA I+D Date: 4 th of September 2007 Index 01 Seguitel: an eHealth Platform 02 Transformation to a Pervasive Service provisioning platform 03 Use of the Plastic

417 views • 15 slides
Connect, Plan, Train, Report Active Shooter Preparedness Run, Hide, Fight The webinar will

Connect, Plan, Train, Report Active Shooter Preparedness Run, Hide, Fight The webinar will

Welcome to Connect, Plan, Train, Report Active Shooter Preparedness Run, Hide, Fight The webinar will begin promptly at 3:00PM ESRD Network of New York Connect, Plan, Train, Report Active Shooter Preparedness Run, Hide, Fight June 25,

862 views • 48 slides
Licensure Under Attack Todays Panelists Mark Golden, CAE, FASAE National Society of

Licensure Under Attack Todays Panelists Mark Golden, CAE, FASAE National Society of

Licensure Under Attack Todays Panelists Mark Golden, CAE, FASAE National Society of Professional Engineers Executive Director Jerry Carter National Council of Examiners for Engineering and Surveying Chief Executive Officer Melissa

611 views • 31 slides
The Office of Infrastructure Protection National Protection and Programs Directorate Department

The Office of Infrastructure Protection National Protection and Programs Directorate Department

The Office of Infrastructure Protection National Protection and Programs Directorate Department of Homeland Security Active Threat Options for Consideration Run Hide Fight Todays Discussion Training vs. Facilitated Discussion Tools

352 views • 24 slides
Automatic Network Protection Scenarios Using NetFlow Vojt ch Krm ek, Jan Vykopal

Automatic Network Protection Scenarios Using NetFlow Vojt ch Krm ek, Jan Vykopal

Automatic Network Protection Scenarios Using NetFlow Vojt ch Krm ek, Jan Vykopal {krmicek|vykopal}@ics.muni.cz FloCon 2012 January 9-12, Austin, Texas Part I Flow-based Network Protection Krmicek et al. Automatic Network Protection

478 views • 23 slides
CADET EMILIANO GONZALEZ, USMA 2018 HOMELAND SECURITY INTERNSHIP RESEARCH PRESENTATION 2018

CADET EMILIANO GONZALEZ, USMA 2018 HOMELAND SECURITY INTERNSHIP RESEARCH PRESENTATION 2018

CADET EMILIANO GONZALEZ, USMA 2018 HOMELAND SECURITY INTERNSHIP RESEARCH PRESENTATION 2018 HOMELAND SECURITY INTERNSHIP Purpose To provide information on research conducted during my 2018 Homeland Security Internship and to provide

497 views • 48 slides
Active Shooter Training Created by Security Strategies Today For The Hospitality Law Conference

Active Shooter Training Created by Security Strategies Today For The Hospitality Law Conference

Active Shooter Training Created by Security Strategies Today For The Hospitality Law Conference Houston, April 24-26, 2017 Proprietary-Security Strategies Today Steve Cocco Steve Cocco, President of Security Strategies Today, is a counter-

180 views • 14 slides
On the Computational Complexities of Three Privacy Measures for Large Networks Under Active Attack

On the Computational Complexities of Three Privacy Measures for Large Networks Under Active Attack

On the Computational Complexities of Three Privacy Measures for Large Networks Under Active Attack Bhaskar DasGupta Department of Computer Science University of Illinois at Chicago Chicago, IL 60607, USA dasgupta@cs.uic.edu

477 views • 15 slides
Smashing WEP in A Passive Attack POUYAN SEPEHRDAD PETR SUSIL SERGE VAUDENAY MARTIN VUAGNOUX 1

Smashing WEP in A Passive Attack POUYAN SEPEHRDAD PETR SUSIL SERGE VAUDENAY MARTIN VUAGNOUX 1

Smashing WEP in A Passive Attack POUYAN SEPEHRDAD PETR SUSIL SERGE VAUDENAY MARTIN VUAGNOUX 1 2 No one Uses WEP Any More. 2 Hotels No one Uses WEP Any More. Restaurants Airports 2 Wireless Networks in Singapore: 20% WEP Hotels No

746 views • 51 slides

More recommend