Appendix A: Hiding Data in Network Traffic


Appendix A: Hiding Data in Network Traffic

Various network protocols have characteristics that can be used to hide information [23, 34, 69]. TCP/IP packets are used to transport information, and an uncountable number of packets are transmitted daily over the Internet. Any of these packets can provide a covert communication channel. The packet headers have unused space or other values that can be manipulated to hide information. However, filters can be set to detect information in the "unused" or reserved spaces. One way to circumvent this detection is to take advantage of header fields that typically go unchecked by most systems, such as the sequence and identification numbers.

Covert-tcp is a steganography tool that takes advantage of TCP/IP headers to pass hidden messages in apparently innocent network traffic [69]. The packets being sent may appear as initial connection requests, established data streams, or other intermediate steps in transmission. The data is embedded in the IP packet identification and TCP sequence number fields. These fields are less likely to be distorted by network routing or filtering. They are not immune, though: a stateful firewall or NAT device that randomizes TCP initial sequence numbers (pf's "modulate state" option, or a Cisco ASA at its default settings) rewrites the SEQ field in transit and destroys a message carried there, so a channel that must cross such a device has to fall back on the IPID or another carrier.

Hiding in the Header - Identification Field

Figure 67 illustrates the layout of the IP packet header. The IP identification (IPID) field assists with the reassembly of fragmented datagrams by the receiving host: every fragment of one datagram carries the same identification value, so the receiver can tell which fragments belong together, while the Fragment Offset field gives their order. Encoding information in the IPID involves replacing the 16-bit numerical value with a value that contains the representation of the encoded information (a 16-bit numerical value may be as large as 65,535).
Figure 67. Sample IP Header (bit positions 0, 4, 8, 16, 19, 24, 32; fields shown: Version | Header Length | Service Type | Total Length; Identification | Flags | Fragment Offset; Source IP Address; Destination IP Address; IP Options | Padding; Data)

Simply substituting an ASCII value in place of the IPID will work, but it results in identification values from 0 through 255, too small to be realistic. An option is to base the IPID on a function of the ASCII value. A solution is to make the IPID the product of the ASCII value and some fixed "key." In this example the key is 256 (the number of distinct 8-bit character values). This key provides a range of values from 0 through 65,280. Dividing the IPID value by 256 recovers the embedded ASCII value.

Table 5 illustrates hiding the word "Neil" (ASCII values 78, 101, 105, 108) in the IPID field of four IP packets as viewed from tcpdump. Two bytes can be sent per packet using the same technique: the characters "Ne" can be represented by the IPID value 20069 (78 x 256 + 101) and "il" by the value 26988 (105 x 256 + 108).

Table 5. Encoding "Neil" in the IP Identification Field

Encoding (view from tcpdump)                                       Decoding

Packet One:
18:50:13.551117 sender.mydomain.com.7180 > receiver.mydomain.com.www: S 537657344:537657344(0) win 512 (ttl 64, id 19968)
    id 19968 / 256 = 78 (N)

Packet Two:
18:50:14.551117 sender.mydomain.com.51727 > receiver.mydomain.com.www: S 1393295360:1393295360(0) win 512 (ttl 64, id 25856)
    id 25856 / 256 = 101 (e)

Packet Three:
18:50:15.551117 sender.mydomain.com.9473 > receiver.mydomain.com.www: S 3994419200:3994419200(0) win 512 (ttl 64, id 26880)
    id 26880 / 256 = 105 (i)

Packet Four:
18:50:16.551117 sender.mydomain.com.41727 > receiver.mydomain.com.www: S 1393295360:1393295360(0) win 512 (ttl 64, id 27648)
    id 27648 / 256 = 108 (l)

Hiding in the TCP Header - Sequence Number Field

Figure 68 illustrates the layout of the TCP packet header. The sequence number (SEQ) field is a 32-bit number that enables a client to establish a reliable protocol negotiation with a remote server. A 32-bit number can range in value from 0 to 4,294,967,295 (quite a bit of information can be hidden in this value).

Figure 68. Sample TCP Header (bit positions 0, 4, 8, 16, 19, 24, 32; fields shown: Source Port | Destination Port; Sequence Number; Acknowledgment Number; HLEN | Reserved | Code Bits | Window; Checksum | Urgent Pointer; Options | Padding; Data)

Table 6 illustrates hiding the word "Neil" (ASCII values 78, 101, 105, 108) in the SEQ field of four packets as viewed from tcpdump. As in the previous example, simply using the ASCII values 0 through 255 produces sequence numbers that are too small to be realistic.

Table 6. Encoding "Neil" in the TCP Sequence Number Field

Encoding (view from tcpdump)                                       Decoding

Packet One:
18:50:29.071117 sender.mydomain.com.45321 > receiver.mydomain.com.www: S 1303511040:1303511040(0) win 512 (ttl 64, id 49408)
    seq 1303511040 / 16711680 = 78 (N)

Packet Two:
18:50:30.071117 sender.mydomain.com.65292 > receiver.mydomain.com.www: S 1687879680:1687879680(0) win 512 (ttl 64, id 47616)
    seq 1687879680 / 16711680 = 101 (e)

Packet Three:
18:50:31.071117 sender.mydomain.com.25120 > receiver.mydomain.com.www: S 1754726400:1754726400(0) win 512 (ttl 64, id 41984)
    seq 1754726400 / 16711680 = 105 (i)

Packet Four:
18:50:32.071117 sender.mydomain.com.37291 > receiver.mydomain.com.www: S 1804861440:1804861440(0) win 512 (ttl 64, id 37315)
    seq 1804861440 / 16711680 = 108 (l)

Since the value of a SEQ can be as large as 4,294,967,295, a larger multiplier (16,711,680 = 65,280 x 256) is used. This provides values ranging from 0 to 4,261,478,400 when multiplied by the appropriate ASCII values. Dividing the SEQ value by 16,711,680 recovers the embedded ASCII value. Since the SEQ is such a large value, four bytes of information can easily be passed in a single packet header: for example, the four bytes of "Neil" (0x4E 0x65 0x69 0x6C) packed in order into the 32-bit field give the single value 0x4E65696C = 1,315,268,972.

The process selected in these two examples is simple and straightforward. Any function can be used in selecting values for these fields as long as the result complies with the restrictions of the carrier and, if detection matters, as long as the values do not themselves stand out: an IPID whose low byte is always zero, or a SEQ that is always an exact multiple of 16,711,680, is an easy statistical signature for a monitor to flag, since a normal stack produces such a value only about once in 256 packets by chance.

Appendix B: Glossary of Methods to Distort Stego-Images

These descriptions and definitions are based on the processing instructions and descriptions from the software used to perform the manual image processing test for distortion in Chapter 3. The definitions are ordered in three sections: image conversions, image processing techniques, and methods and options for image color reduction.

IMAGE CONVERSIONS

24-bit color to 8-bit color
Converting 24-bit color images to 8-bit color image format. For the options used in color reduction, see the subsection Color Reduction Options, Methods, and Dithering below.

24-bit color to 8-bit grayscale
Converting 24-bit color images to 8-bit grayscale image format.

8-bit color to 8-bit grayscale
Converting 8-bit color images to 8-bit grayscale image format. This test is only applied to images surviving the 24-bit color to 8-bit color conversion.

JPEG Compression
Joint Photographic Experts Group compression is a lossy compression technique that supports 24-bit images and can reduce a file size by as much as 96%. It discards some color information while retaining the brightness data. At higher compression levels it results in a visible loss of quality. It does not support transparency or layers. JPEG is best for photographs and for images that contain a variety of tonal values.

IMAGE PROCESSING

Blur
Blurring smooths transitions and decreases contrast by averaging the pixels next to hard edges of defined lines and areas where there are significant color transitions.

Add Noise
Adding noise to an image reduces the amount of detail in the image and creates a grainy texture. Two types of noise insertion are Random and Uniform.

Random Noise
Inserts randomly colored pixels into an image.

Uniform Noise
Inserts pixels whose colors more closely resemble the original pixels.

Noise Reduction
Reduces noise by adjusting colors and averaging pixel values. Two filters for noise reduction are Despeckle and Median Cut.

Despeckle
The Despeckle filter blurs an image except at its edges and areas of contrast.

Median Cut
The Median Cut filter removes noise by replacing pixels one at a time: it takes the block of pixels around the pixel in question, calculates the median of the block, and sets the pixel's value to that median.

Sharpen
Sharpen filters produce the opposite effect of the Blur filters by increasing the contrast between adjacent pixels where there are significant color contrasts, usually at the edges of objects.

Edge Enhancement
The Enhance Edge filter increases the contrast along the edges in the image.

Rotate
Rotates an image around its center point in a given plane.

Scale and Resize
Scaling and resizing include ways to increase or decrease an image's dimensions. Scaling or resizing involves duplicating or removing pixels as necessary to achieve the selected width and height of an image. It produces better results than the resampling methods when used with hard-edged images.

Resample
Resampling involves an interpolation process to minimize the "raggedness" normally associated with expanding an image. As applied here, interpolation smooths out rough spots by estimating how the "missing" pixels should appear, and then filling them with the appropriate color.
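The IPID and sequence-number scheme of Appendix A, carried through end to end as an added example. This is not covert-tcp's source and not code from the original page: packets are simulated as plain integers rather than sent on raw sockets, so it runs offline, and the function names, the detector and its four-packet threshold are assumptions of this example. It encodes "Neil" with the Table 5 key (256) and the Table 6 key (16,711,680), shows the two-byte IPID and four-byte SEQ packings, decodes all of them, and then runs the check a monitor can apply against the pattern those keys leave behind.

```python
"""
Hiding bytes in the IPID and TCP SEQ fields as in Appendix A, plus the
check a monitor can use against it.  Added example for this page, not
covert-tcp's source: packets are simulated as integers (no raw sockets),
so it runs offline.  Function names and the detector threshold are mine.
"""
from typing import Iterable, List, Tuple

IPID_KEY = 256              # Table 5 key: IPID = byte * 256
SEQ_KEY = 65_280 * 256      # Table 6 key: 16,711,680
IPID_MAX = 0xFFFF           # 16-bit field
SEQ_MAX = 0xFFFF_FFFF       # 32-bit field


def encode_ipid(message: bytes) -> List[int]:
    """One byte per packet: IPID = byte * 256 (Table 5)."""
    ids = [b * IPID_KEY for b in message]
    assert max(ids) <= IPID_MAX
    return ids


def decode_ipid(ids: Iterable[int]) -> bytes:
    return bytes(i // IPID_KEY for i in ids)


def encode_ipid_pairs(message: bytes) -> List[int]:
    """Two bytes per packet: IPID = hi * 256 + lo ("Ne" -> 20069)."""
    padded = message + b"\x00" * (len(message) % 2)
    return [(padded[i] << 8) | padded[i + 1] for i in range(0, len(padded), 2)]


def decode_ipid_pairs(ids: Iterable[int]) -> bytes:
    raw = b"".join(bytes([i >> 8, i & 0xFF]) for i in ids)
    return raw.rstrip(b"\x00")   # drops the pad; a message ending in NUL would need a length prefix


def encode_seq(message: bytes) -> List[int]:
    """One byte per packet: SEQ = byte * 16,711,680 (Table 6)."""
    seqs = [b * SEQ_KEY for b in message]
    assert max(seqs) <= SEQ_MAX
    return seqs


def decode_seq(seqs: Iterable[int]) -> bytes:
    return bytes(s // SEQ_KEY for s in seqs)


def encode_seq_words(message: bytes) -> List[int]:
    """Four bytes per packet: pack the bytes big-endian into the 32-bit field,
    so "Neil" = 0x4E65696C = 1,315,268,972."""
    padded = message + b"\x00" * (-len(message) % 4)
    return [int.from_bytes(padded[i:i + 4], "big") for i in range(0, len(padded), 4)]


def decode_seq_words(seqs: Iterable[int]) -> bytes:
    return b"".join(s.to_bytes(4, "big") for s in seqs).rstrip(b"\x00")


def flag_covert_channel(packets: Iterable[Tuple[int, int]], min_packets: int = 4) -> List[str]:
    """Detection side.  packets = (ipid, seq) of successive SYNs from one host.
    The Table 5/6 keys leave a fingerprint: every IPID has a zero low byte and
    every SEQ is an exact multiple of 16,711,680.  A zero low byte happens about
    1 in 256 by chance, so four in a row is roughly 1 in 4 billion for an
    unrelated sender.  IPID 0 is ignored because some stacks send it on DF packets."""
    pkts = [(i, s) for i, s in packets]
    findings = []
    if len(pkts) >= min_packets:
        if all(i != 0 and i % IPID_KEY == 0 for i, _ in pkts):
            findings.append("ipid_multiple_of_256")
        if all(s != 0 and s % SEQ_KEY == 0 for _, s in pkts):
            findings.append("seq_multiple_of_16711680")
    return findings


# Constructed samples: the covert stream of Tables 5 and 6, and an innocent one.
COVERT_STREAM = list(zip(encode_ipid(b"Neil"), encode_seq(b"Neil")))
NORMAL_STREAM = [(6699, 2675832337), (12140, 3985410067),
                 (30001, 117044253), (51133, 1994412055)]

if __name__ == "__main__":
    for i, s in COVERT_STREAM:
        print(f"id {i:5d} -> {decode_ipid([i])!r}   seq {s:10d} -> {decode_seq([s])!r}")
    print("pairs:", encode_ipid_pairs(b"Neil"), "words:", encode_seq_words(b"Neil"))
    print("covert:", flag_covert_channel(COVERT_STREAM), "normal:", flag_covert_channel(NORMAL_STREAM))
```

The detector is deliberately the cheapest possible test; it only catches the fixed multiplicative keys used in the tables. A sender who adds a per-packet offset or runs the bytes through a keyed function first produces values a divisibility check cannot separate from a stack's own identifiers, which is the point of the closing remark in Appendix A about choosing the function.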
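To connect the glossary above with the distortion tests it describes, here is an added example (not code from the page or from the software used in Chapter 3) that embeds a payload in the least significant bits of a constructed 8x8 grayscale cover, then applies two of the operations defined above, a 3x3 median filter (the Median Cut entry) and nearest-neighbour scaling (the Scale and Resize entry, pixel duplication without interpolation), and measures the bit error rate of what can still be read out. The cover image, the payload, the LSB embedding and all function names are assumptions of this example; it needs no image library.

```python
"""
What the Appendix B operations do to a hidden message: embed a payload in
pixel LSBs, then apply a 3x3 median filter (Median Cut) and nearest-neighbour
scaling (Scale and Resize) and measure what survives.  Added example for this
page, not the Chapter 3 tool; the 8x8 grayscale cover is constructed from a
seeded PRNG and the names are mine.  Pure Python, no image library needed.
"""
import random
from statistics import median
from typing import List

Image = List[List[int]]   # rows of 8-bit grayscale values


def make_cover(width: int = 8, height: int = 8, seed: int = 1) -> Image:
    """Constructed textured cover; a seeded PRNG keeps the run repeatable."""
    rng = random.Random(seed)
    return [[rng.randrange(256) for _ in range(width)] for _ in range(height)]


def embed_lsb(img: Image, payload: bytes) -> Image:
    """Write payload bits, MSB first, into the LSB of consecutive pixels."""
    bits = [(b >> i) & 1 for b in payload for i in range(7, -1, -1)]
    w = len(img[0])
    flat = [p for row in img for p in row]
    if len(bits) > len(flat):
        raise ValueError("payload exceeds cover capacity")
    for k, bit in enumerate(bits):
        flat[k] = (flat[k] & ~1) | bit
    return [flat[r:r + w] for r in range(0, len(flat), w)]


def extract_lsb(img: Image, nbytes: int) -> bytes:
    flat = [p & 1 for row in img for p in row]
    return bytes(int("".join(map(str, flat[k:k + 8])), 2) for k in range(0, nbytes * 8, 8))


def median_filter(img: Image) -> Image:
    """Each pixel becomes the median of its 3x3 neighbourhood (edges use the
    pixels that exist).  In flat regions the median is the centre pixel itself,
    so LSBs there survive; in textured regions they are effectively re-rolled."""
    h, w = len(img), len(img[0])
    out = [row[:] for row in img]
    for y in range(h):
        for x in range(w):
            block = [img[yy][xx]
                     for yy in range(max(0, y - 1), min(h, y + 2))
                     for xx in range(max(0, x - 1), min(w, x + 2))]
            out[y][x] = int(median(block))
    return out


def scale_nearest(img: Image, factor: int = 2) -> Image:
    """Scale and Resize as defined above: duplicate pixels, no interpolation."""
    return [[p for p in row for _ in range(factor)] for row in img for _ in range(factor)]


def extract_lsb_scaled(img: Image, nbytes: int, factor: int = 2) -> bytes:
    """A receiver who knows the factor reads one pixel per block and gets the
    original LSBs back; an interpolating Resample is not reversible this way."""
    return extract_lsb([row[::factor] for row in img[::factor]], nbytes)


def bit_error_rate(sent: bytes, got: bytes) -> float:
    wrong = sum(bin(a ^ b).count("1") for a, b in zip(sent, got))
    return wrong / (8 * len(sent))


def run_trial(payload: bytes = b"Neil") -> dict:
    """Bit error rate of the recovered payload after each operation."""
    stego = embed_lsb(make_cover(), payload)
    n = len(payload)
    return {
        "untouched": bit_error_rate(payload, extract_lsb(stego, n)),
        "median": bit_error_rate(payload, extract_lsb(median_filter(stego), n)),
        "nearest_x2": bit_error_rate(payload, extract_lsb_scaled(scale_nearest(stego), n)),
    }


if __name__ == "__main__":
    for op, ber in run_trial().items():
        print(f"{op:12s} bit error rate {ber:.2f}")
```

The contrast is the point of the Chapter 3 test: an operation that only moves or copies whole pixels (nearest-neighbour scaling, rotation by multiples of 90 degrees) leaves LSB-embedded data intact for a receiver who can undo it, while any operation that recomputes pixel values from their neighbours (median, blur, resampling, JPEG) scrambles the low bits in textured areas and destroys the message.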