The problem with surveillance software is that there’s probably a whole lot out there that we just don’t know about, because it’s a proprietary application built for a private firm or a government agency. I’m sure we have all heard about the recent FBI vs Apple debacle, in which the FBI demanded that Apple build an app to crack iPhone encryption so that they could access the phone data of a San Bernardino shooter. Had Apple complied with the FBI’s demands, this would have set an important precedent and could potentially have rendered many encryption algorithms useless. Although Apple stuck to their guns and refused to assist, the FBI suddenly found their way into the iPhone with the help of an Israeli firm called Cellebrite.
All of this business with the iPhone cracking has got me thinking again about security, hacking and surveillance software. By no means can I even begin to scratch the surface of what’s out there, but I do want to examine a few important pieces of software that could impact all TOR users. But before we look at TOR surveillance and all of that fancy stuff, let’s take a look at what has gone on with Clearnet internet, phone, email and other normal day-to-day communications.
Thanks to folks like Edward Snowden, Julian Assange and WikiLeaks, we know that the US Government and the NSA kicked up surveillance not long after 9/11 devastated the country. The Electronic Frontier Foundation describes an early mass-surveillance implementation called the “President’s Surveillance Program”, executed shortly after the September 11th 2001 attacks. This was possibly the beginning of major telecommunications companies allowing the NSA to install secretive gear in their data centres to monitor data on a massive scale. What they did is something often used in network troubleshooting to capture packets and determine the cause of a problem: we call this port mirroring. If I know that a certain remote site is experiencing latency but isn’t coming anywhere close to maxing out its circuit’s bandwidth, I could program a spare router or switch port to mirror their uplink to the internet and then collect that data on a PC running Wireshark. This is known as ‘port mirroring’, and the capture it produces is a ‘tcpdump’ (SEE FIGURE A).
As you can see, it’s pretty simple to set up a PC and collect all source IP, destination IP and application information for a site; but to do this you need access. I need physical access to the hardware, and I also need administrative access to the network gear to set up this type of monitoring. Folks would probably start noticing if the NSA set up a port-mirroring PC at every business and home, so what did they decide to do? Put in their monitoring at the top of the line. Although many have denied it, the NSA was able to install a similar setup at the ISPs’ (Internet Service Providers’) cores and backbones (SEE FIGURE B).
It’s hard to determine where one NSA program ends and another begins, but you will also hear tell of them taking things a step further. At some point, mirroring mass ISP data was not enough, and they decided that they had to set up similar operations with major ‘big data’ companies like Facebook, Google, Yahoo, etc. It was not enough to look at network traffic; the government needed more: application-layer data and metadata. Once this foundational backend system was in place, the NSA was free to try all sorts of methods to filter and manipulate traffic. Back in 2013 The Guardian wrote a very revealing article on some frontend applications called XKeyscore and DNI Presenter, which provided analysts with user-friendly GUIs that would allow them to filter by email address, phone number, or even name or Facebook account. Just by entering such minimal information and filling out a less than thorough exception form, analysts could pull up all kinds of collected data, including Facebook and email conversations, search history, etc. The Guardian even went so far as to post an acquired presentation on XKeyscore here.
Of course we are all extremely careful these days and insist on using things like VPNs, TOR and proxies. Remember that whole business with de-anonymizing TOR with 80%+ certainty? They must have been using some pretty high-tech gadgetry to see what was going on there? No, they weren’t at all. They were using something called Netflow, which can theoretically be set up on any Layer 3 device (that is, any device with gateways that handles routing). In the past many techs and spies alike had to rely on IPs alone, but Netflow opened up the ability to look at a given IP, see where he’s going and see what protocol he’s using. Now, if someone was monitoring you using Netflow without TOR in the mix, it can be pretty revealing. Here is just one example of many interfaces used to view Netflow information, but you can see how revealing it could be if your boss was curious what you’re up to at any given moment:
This is why it’s very important to use a VPN when using TOR. When you use a VPN, surveillance methods can’t be used to drill down to this level of detail; instead all they will see is one session on TCP 500 (standard IPsec port). Besides, firewalls and network security are becoming more granular and intrusive. I have recently installed a firewall that won’t only show me that you are using HTTP to view Facebook, but can tell me that you are playing Candy Crush (or whatever the hell it’s called). This is the future of security, monitoring and surveillance online. The same tools that are used to protect a company’s internal network will be leveraged to monitor your online activities, and possibly even used to hack your network sessions. As this article has briefly demonstrated, there are eyes and ears scanning on all networks waiting for you to slip up, so always remember to wear a hood, use a VPN and support your local TOR nodes!
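To make the Netflow point and the VPN point above concrete, here is an added example (not code from the original post) that works through a handful of constructed flow records of the kind a NetFlow v5 export carries: it summarizes what a collector shows an analyst for one workstation, then shows the same traffic as the upstream observer sees it once the host tunnels everything to a VPN gateway. The tunnel is modelled as a single UDP/500 peer at the gateway address, and the IPs, byte counts and gateway are all made up for the example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One unidirectional flow record: the fields a NetFlow v5 export carries.
    No payload is included; flow data is metadata only."""
    src: str
    dst: str
    proto: str   # "TCP", "UDP", "ESP", ...
    dport: int
    octets: int


# Constructed sample export (RFC 5737 documentation addresses, made-up sizes):
# one workstation browsing, reading mail over IMAPS, using SSH and doing DNS.
SAMPLE_FLOWS = [
    Flow("192.0.2.10", "198.51.100.7", "TCP", 443, 184_000),
    Flow("192.0.2.10", "198.51.100.7", "TCP", 443, 92_000),
    Flow("192.0.2.10", "203.0.113.25", "TCP", 993, 41_000),
    Flow("192.0.2.10", "203.0.113.80", "TCP", 22, 7_500),
    Flow("192.0.2.10", "198.51.100.53", "UDP", 53, 600),
]


def summarize(flows):
    """What a flow collector shows an analyst: for each source, every
    (destination, protocol, port) it talked to and how many bytes went there."""
    view = defaultdict(lambda: defaultdict(int))
    for f in flows:
        view[f.src][(f.dst, f.proto, f.dport)] += f.octets
    return {src: dict(peers) for src, peers in view.items()}


def through_tunnel(flows, gateway, proto="UDP", port=500):
    """The same traffic once the host sends everything inside a VPN tunnel.
    Assumption: the tunnel appears as one (gateway, proto, port) peer and the
    byte totals are unchanged (encapsulation overhead is ignored). Real IPsec
    also shows ESP, IP protocol 50, or UDP 4500 when NAT traversal is used."""
    return [Flow(f.src, gateway, proto, port, f.octets) for f in flows]


def distinct_peers(summary, src):
    """Number of distinct (dst, proto, port) peers the observer learns for src."""
    return len(summary.get(src, {}))


if __name__ == "__main__":
    for name, s in (("clearnet", summarize(SAMPLE_FLOWS)),
                    ("via VPN", summarize(through_tunnel(SAMPLE_FLOWS, "192.0.2.1")))):
        print(name)
        for (dst, proto, port), octets in s["192.0.2.10"].items():
            print(f"  -> {dst} {proto}/{port}: {octets} bytes")
```

On the clearnet view the observer learns four distinct services the host used and how much went to each; through the tunnel the same five records collapse to a single peer with the same byte total.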