Ars Technica recently conducted a test on personal data leaks. From their experiment with National Public Radio (NPR), they found that passive surveillance is still very powerful. Websites, services and apps continue to leak personal data. This is happening even though many users and companies have applied better encryption technologies. The report on the test shows what typical Internet users have to worry about.
The NPR Experiment
Passive data gathering means that there is no hacking, network penetration, or traffic sniffing on other networks; it is only watching the traffic that passes in and out of one network to the Internet. NPR reporter Steve Henn volunteered to be tracked by Sean Gallagher of Ars Technica. Henn would go about his usual activities while researching a story. Like most Internet users, he connects to the Internet through several devices and applications, and he would also take the usual security and anti-spying measures that most Internet users take nowadays. Gallagher was equipped with penetration testing hardware that acted as a WiFi access point; this hardware is not much different from the common hacking gear used by many Internet snoops. The experiment went on for a few days, covering the research period for one story. Henn later did a series on the experiment that summarizes what passive surveillance revealed about his activities.
The Pwnie Express Pwn Plug R2 was designed to help companies monitor and exploit their own networks for better online security, but Sean Gallagher also calls it a miniature NSA when it is configured to scoop up Internet traffic. In this setup it captured all the traffic coming from Henn’s devices and recorded it on a separate server. The data collected from the traffic stream represents the data that the larger NSA surveillance model collects: the NSA uses Turbulence and XKeyscore for passive surveillance, so the Pwn Plug R2 stood in for Turbulence and the server for XKeyscore. Other tools were also used to simulate NSA data processing and analysis.
Just like most Internet users, Henn said that there was probably nothing that could really be taken from his traffic. But as soon as Henn connected his iPhone to the Pwn Plug R2, the server was filled with thousands of pages of data. Henn did not launch any apps, but everything that was running in the background was serving up data like an open book. Safari was the worst culprit, showing Gallagher what Henn had been browsing the last time he went online. This was just one part of the preparation stage, and already the profiling of Henn could begin.
Online Security VPNs
NPR uses a corporate online security VPN setup to encrypt their data and traffic. Henn also has other email and VoIP encryption tools on top of the VPN. Gallagher could see right away that the online security VPN and other encryption tools helped a lot in securing Henn’s company communications. But even with these tools, spying is possible because most online services and websites do not use the high grade encryption that online security VPNs do.
Discovered Personal Data Leaks
By looking at the data collected through passive surveillance, Gallagher learned a lot. Henn’s Google searches revealed what he was researching. This data is now being encrypted, but Google cookies and data leaks can be manipulated to access the unencrypted data. The cookie that tracks users’ identities for advertising purposes is one of them: the NSA also uses this PREF cookie, and Google does not encrypt it. The cookie also reveals the connections made by Google when serving up ads. Searching for places causes Google to send requests to the Maps service, and this data is likewise unencrypted and shows the search term used and the IP address that made the request. Moreover, the search results that Henn clicked on were also visible; Gallagher found these by looking at the referrer tags that pointed back to Google. When search terms were unavailable because Google had encrypted its search result pages, he guessed them from the SEO keywords in the URLs of the pages Henn clicked through to. Henn confirmed that these guesses were almost identical to the actual terms he used.
Henn’s browser and the websites he visited revealed more. Browsers send unencrypted cookies, and many websites do not encrypt their pages. Email services also do not encrypt the traffic that passes to and from their mail servers. Without an online security VPN, data from the traffic stream can be easily associated with a specific user through cookies and the IP address used. Phone numbers and email addresses can be picked up and also used to confirm identities and connect traffic to the user and other contacts. Documents taken from the stream can be analyzed for keywords to glean what a person is doing.
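The two passages above describe three distinct leaks in plaintext HTTP traffic: search terms in query strings and in the Referer header sent to the next site, identity-bearing cookies such as PREF, and keyword guesses recovered from SEO-style URL slugs when the search itself was encrypted. The following added example (it is not Ars Technica’s or NPR’s tooling, and the captured requests, host names and cookie names are constructed) is a small audit script a defender can run over their own captured HTTP requests to see which of these identifiers each request exposes; the set of cookie names treated as tracking cookies is an assumption.

```python
"""Audit plaintext HTTP requests for the identifier leaks described above.

Added example, not code from the original article. The sample capture,
host names and cookie names are constructed for illustration.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample capture: the request line and headers of four
# unencrypted HTTP requests as a passive observer on the network sees them.
SAMPLE_REQUESTS = [
    "GET /search?q=atm+malware+tyupkin HTTP/1.1\r\n"
    "Host: www.example-search.test\r\n"
    "Cookie: PREF=ID=0123abcd:TM=1414000000; SID=abc\r\n\r\n",
    "GET /2014/10/bank-atm-malware-analysis/ HTTP/1.1\r\n"
    "Host: news.example.test\r\n"
    "Referer: http://www.example-search.test/search?q=atm+malware\r\n"
    "Cookie: sessionid=xyz\r\n\r\n",
    "GET /maps/api/geocode?address=reno+nevada HTTP/1.1\r\n"
    "Host: maps.example.test\r\n\r\n",
    "GET /index.html HTTP/1.1\r\n"
    "Host: static.example.test\r\n\r\n",
]

# Assumption: cookie names we treat as identity-bearing (PREF is the one named in the article).
TRACKING_COOKIE_NAMES = {"PREF", "SID", "sessionid"}
# Query parameters that commonly carry a search term or place lookup.
SEARCH_PARAMS = ("q", "query", "address")


def parse_request(raw):
    """Split a raw request into (method, request-target, lower-cased header dict)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, target, headers


def search_terms(url_or_target):
    """Search terms carried in a query string, e.g. ?q=atm+malware (plus-decoded)."""
    query = parse_qs(urlsplit(url_or_target).query)
    terms = []
    for param in SEARCH_PARAMS:
        terms.extend(query.get(param, []))
    return terms


def slug_keywords(path):
    """Guess keywords from an SEO-style slug such as /2014/10/bank-atm-malware-analysis/."""
    words = []
    for segment in path.strip("/").split("/"):
        if re.fullmatch(r"[a-z]+(?:-[a-z]+)+", segment):
            words.extend(segment.split("-"))
    return words


def cookie_names(headers):
    """Names of all cookies sent in the Cookie header."""
    raw = headers.get("cookie", "")
    return [c.split("=", 1)[0].strip() for c in raw.split(";") if "=" in c]


def audit(raw):
    """Report what a passive observer learns from one plaintext request."""
    _method, target, headers = parse_request(raw)
    terms = search_terms(target)                      # leak 1: the search itself
    if "referer" in headers:
        terms += search_terms(headers["referer"])     # leak 1b: search term leaked to the next site
    keywords = slug_keywords(urlsplit(target).path)   # leak 3: keyword guess from the clicked URL
    tracking = [c for c in cookie_names(headers) if c in TRACKING_COOKIE_NAMES]  # leak 2
    return {
        "host": headers.get("host", ""),
        "search_terms": terms,
        "slug_keywords": keywords,
        "tracking_cookies": tracking,
        "leaks": bool(terms or keywords or tracking),
    }


def count_leaking(requests):
    """Number of requests that expose at least one identifier or search term."""
    return sum(1 for r in requests if audit(r)["leaks"])


if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(audit(req))
    print(f"{count_leaking(SAMPLE_REQUESTS)} of {len(SAMPLE_REQUESTS)} requests leak data")
```

Run against the constructed capture, three of the four requests leak: the search request exposes both the query and the PREF cookie, the news article request exposes the original query through its Referer header and the article topic through its slug even though the search page itself might have been encrypted, and the Maps lookup exposes the place searched for. Only the static page request reveals nothing beyond the host name.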