Monday, 20 January 2014

Avoiding the NSA, MI6, The man from U.N.C.L.E - Part 2 (Scope)

Scoping the Problem 

Two of the most ubiquitous technologies we have are the phone connection and the computer. These might take a number of forms: the phone connection could be fixed-line broadband, cable or fiber, or a mobile connection using a SIM card with or without a handset. The computer might be a desktop, laptop, netbook, tablet or handheld device. These might be using various networks, have a range of functions or be more limited. In the context of our story here, we have an internet connection of some form and a device on which to access the internet. For clarity going ahead, let’s make the distinction between the internet and the World Wide Web, which sits on top of it.

Let’s start by assuming we’re sat at home, with our wireless router plugged into the wall, connected to the phone line. Our device is any device running Windows and we’re working with a standard suite of software and browsers. We have a typical collection of social media and web-based accounts of various types, email, maybe a video game or two and some handy software like Skype installed. Quite a nice little setup that lets us be ‘social’ and ‘productive’ and have our data available ‘on the go’, along with all the other benefits touted by the service providers.

Test Analyst, System Analyst, Business Analyst hat on now, and let’s think about the following questions:

  • How many components / systems / links / places / accounts, etc. are there that could be hacked or monitored by one of the security services?
  • What kind of data could be exposed at each of the above that would allow you to be identified, traced, tracked, monitored? 

Have a go at drawing up the architecture of your personal network. Add in as many system and sub-system components as you can, and identify / label as many unique elements as you can that would identify you, that provide a signature that points back to you. Some will be obvious, “my email address”; some are a bit less obvious, “the MAC address of my computer” for example. See how much you can put down before having a look at the diagram I’ve put together, or just cheat by looking at the next page.

Drawing yours up is just joining in, the puzzle is for you to send me your diagram by email. Make sure you have any PII data removed, don’t put your specific data, e.g. just put “MAC address” not the actual address, etc. I’d like you to send me these so I can learn what you have in comparison to me and because of what I said in post 1. I’m not going to mark them or anything, I’ll collate them and at some point I’ll share them in a future post. For now drop it to me in an email, which one? You need to work that out, all the clues are in this post, hidden in plain sight as they say. Have a look over things closely and see what you can do. When I get your mail, you’re in the game, consider it a dot price for entry if you like.

Here are my diagrams, let’s talk them over.

System Landscape

Exposure Risks

The first main component is my computer with its internet connection. I’ve got a laptop running Windows 7. It’s connected via a wireless connection to the router, which in turn is plugged into the phone line, connecting to the local loop, and from the switch box on the corner it vanishes into the wider telecoms system. At some point my connection emerges at my ISP’s web servers, where my eclectic mix of requests for donkey porn, cat videos, weight loss sites, internet forums, connections to Skype callers, online banking and god knows what else are all sent on to the appropriate providers. It’s like magic, sprinkled with a host of protocols and a side of mixed scripts, all on a bed of the 7-layer OSI model. Yum, sounds like cake, no wonder we can’t get enough of it! The light option to this is maybe where you have a mobile connection, in which case you’re hopping to the local radio mast and then down into the cabled telecoms system, not a massive difference and in some ways even less secure.

The second thing is all the stuff I access with this computer via the internet. Some of what I access sits partly on my computer and partly on the internet somewhere. Fully online may be things like the forums I visit and post on, or my Amazon or eBay accounts. Things that are partly online might be my email client, which sends and receives email to and from the mail server of the email provider I use. Cloud storage, where my stuff is backed up online but is also on my computer. Online games, where the game world is installed on my system but the events and character data are on the game servers. The other side is what’s fully offline and, if you think about it, that’s likely not the majority of items anymore. Paint, TextPad and other simple apps maybe. More complex, paid-for applications are likely phoning home with licence and subscription checks, background automatic updates, etc. Did you add all these to your diagram? I’ll be interested to see what you come up with.

By now, we should have had a good crack at defining the problem: where snoopers may snoop, what kind of data they could access and what that might teach them about us. Send through your MindMaps and diagrams, join the fun.

In the next posts, let's see what we can do about protecting our anonymity.
