I used to be a big fan of last.fm.  I have been a member for close to three years and have used them quite regularly  to stream music to our kitchen during meals, our living room, and my home office.  Even when I was at my employers office, I would often have it streaming from my laptop while I was working.  It was great.  It allowed me to hear new songs.  Songs that I liked, I would make note of the particulars and check the artist out.  If I liked the songs of the artist, I would sometimes purchase the songs via the Internet.

I was not impressed with the last.fm decision to charge €3.00 per month for anyone who is not geographically located in the U.S.A., Europe, or Germany.   It is not that I have an issue with the €3.00 per month I don’t.  I have issue with two things.  First the fact that they were not transparent about the reason for this change initially.  They announced the new change and did not explain why certain countries were exempt from the fee.  Finally, after five days and many subscriber queries and complaints, last.fm decided to come clean.  While I appreciate they did finally come clean and explain to their subscribers why, I dis-like their initial dishonestly.  It gives insight into the management and their ethics and priorities.  The second is the fact that it is long over due for the entertainment industry to stop clinging to old business models and change them.  The Internet is international not national.  The laws and business models have to change and I wish they would stop fighting it.  If last.fm had said everyone must now pay the €3.00 per month, I probably would have just signed up.

As such, I started looking around.  It was easly to quickly find an alternative.  I have been trying Imeem out over the last week.  It takes a while to get used to their interface, but once you do it is not too bad.  They have deals with major record labels and I have been able to find much of the same music I listened to on last.fm.  I encourage anyone that was a last.fm user that is on the fence to try it out first before making a decision to be a subscriber of last.fm.

2009-02-08 05:34:02.680383 IP 216.240.7.12.58684 > 208.67.222.222.53: 30554+ A? ap-1.sandvine.com. (35)
2009-02-08 05:34:03.037603 IP 208.67.222.222.53 > 216.240.7.12.58684: 30554 1/0/0 A 216.16.234.191 (51)

This query happened every 10-20 minutes.  Tracing it back I realized it was coming from my mobile phone.  This got me to thinking, could one determine when I was or was not home with just access to a DNS trace?  To answer that I did a bit of investigation of the address ap-1.sandvine.com.

mike@Janel:~/investigation/homeDns$ dig @ns1.domainmonger.com ap-1.sandvine.com

; <<>> DiG 9.5.0-P2 <<>> @ns1.domainmonger.com ap-1.sandvine.com

; (1 server found)

;; global options: printcmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36335

;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0

;; WARNING: recursion requested but not available

;; QUESTION SECTION:

;ap-1.sandvine.com. IN A

;; ANSWER SECTION:

ap-1.sandvine.com. 60 IN A 216.16.234.191

;; AUTHORITY SECTION:

sandvine.com. 60 IN NS ns1.domainmonger.com.

sandvine.com. 60 IN NS ns2.domainmonger.com.

;; Query time: 92 msec

;; SERVER: 216.98.150.33#53(216.98.150.33)

;; WHEN: Sun Apr 12 12:29:19 2009

;; MSG SIZE rcvd: 100

mike@Janel:~/investigation/homeDns$

From above the record, for ap-1.sandvine.com refreshes every 60 seconds.  That means that my mobile ignores the refresh request from the DNS.  While interesting to know, it doesn’t help answer my question.

I extracted all queries to ap-1.sandvine.com, the timestamp for each and quickly plotted them with gnuplot.  Next, I pulled my calendar and daily logs and added notes to the graph. The y-axis is irrelevant.  The red dots show when the queries were made and the green arrows and notes are my comments based on my calendar and logs.

A third party could easily determine when I was or was not home with a high degree of certainty.    With mobile phones now having wi-fi capabilities and connecting to the local wireless network it becomes trivial to use them as a vector to determine when someone is home or not.  I ran the same analysis on my wife’s mobile and got similar results (I didn’t add them to the chart here).

Obviously you could use other protocols and do a much more detailed analysis and correlation (or just execute standard physical surveillance), but DNS is good in that it is required for the Internet, a standard, and is not encrypted.  This was a relatively simple exercise and reasonably cost effective.   I am not a lawyer, but I suspect based on the ongoing privacy debate and  some recent court decisions that DNS queries executed by an individual or a business might be considered ‘public’ with no expectation of privacy.  I’d argue that with access to DNS information from a particular entity, one could glean interesting information from a competitive company.

My first ‘real job’ was at a major financial instituion in Canada.  My boss was a extremely smart man, who had been at the bank (and had some agreement in place with them to stay).  One of the duties of my new employment was to enable internet access for ‘approved individuals.’  I received these paper forms signed by the employee, their manager, and the managers VP.  I would then give that employee permission to access the internet.   The first thing my boss did  while explaining the ‘granting internet access’ part of the job was tell me a story that I have remembered to this day.  He was pretty much giggling at the stupidity as he told me the story.   It went like this.

When he started at the bank, there was not a telephone for each employee.  Rather there was a phone in each area that was shared by several employees.  Shortly after he had started at the bank, there was a project to upgrade the phone system.  This new system had the ability to give everyone a phone at their desk.  Many managers and executives were concerned that this would be the end of the employees working effectively.  After all, they would all be talking on the phone all the time, phoning long distance at the cost of the company and more.  Production would go down and costs would go up.  The phones were deployed to every desk, but special permission was needed to have the ability to dial long distance.  As with the internet above, forms were filled out if you wanted to have long distance access which had to be signed and approved by managers.  Logs were given monthly to staff where they were to identify the calls they placed that were personal and which were business related.  These were then signed off by their manager.  The administration of this became to time consuming and costly and eventually the company abondoned it,  giving everyone long distance and simply managing the abusers.  Most recently, the new ‘concern’ is blocking of social networking sites and personal email sites for fear that people will be distracted and productivity will decrease.  Does anyone see a pattern?  I sure do.  I am reminded of this story.

Personally my view is that my employer trusts me.   Several people interviewed me, they checked my references, my past work.  They did all they needed to do to make the decision that I am trustworthy.  By hiring me I assume that is the case.  You trust me to do the right thing, you trust me to use company resources wisely, you trust me to not steal, or otherwise harm the company, and based on that you will act appropriately towards me.  If you don’t, then we have a problem.  If you treat employees like children they will act like children or they will resent the fact they are being treated like children and not trusted.  Either way, it doesn’t help moral, doesn’t help them make the right decision to work the extra time to get that project done, or to think about the cost of a particular meeting, conference or expense to the company and if it is necessary or there is a cheaper alternative.   Doesn’t make them feel valued or trusted — all these are not good.  Fortunately for me, the company I work for has these values, trusts their employees, and treats them appropriately.   I only hope more companies start to figure this out.

image by wchulseiee (http://www.flickr.com/photos/wchulseiee/2427418216/)

My laptop is pretty secure. I am not silly enough to think that is is 100% secure or that no one could get into it, but relative to most laptops out there it’s not too bad. There are weaknesses due to time or software requirements, but I think I am aware of most of them. I don’t encrypt the operating system (yet), but all data partitions are encrypted. It has been configured with the goal that all sensitive data and metadata  (web browser, IM, video, audio, cache, bookmarks)  is encrypted.
once data is no longer ‘required it is stored on the servers at the office and then ‘wiped’ off the encrypted drives at regular intervals .    All metadata  is wiped from the encrypted drives each weekend, which gives at most one week of metadata, assuming an attacker can get into the encrypted drives to view it. The main reason for all this is to protect customer data. I like others in my industry work with institutions and their data.  In many cases that data can be politically, financially, or image ‘sensitive’ in nature if it was to get into the wrong hands.  Should my laptop ever be stolen, I want to at least make it difficult for an attacker to gain easy access to the data in a reasonable period of time.

Imagine my surprise when I was re-configuring my laptop and I discovered that my deleted file metadata had somehow been reset  to write to a different area, on an unencrypted area of my drive.  The following is a partial view of the files I discovered.  The files went back as far as November, 2008.

Trash Meta Directory on laptop

These are standard text files with information about each file that was deleted.   The information includes the original file location as well as a timestamp indicating when the file was deleted.

Trash meta data file details

Even though the actual data files were not present, there is a lot of information here.  Just from working with the data contained in the files above, one could easily determine names of files worked on, importance, directory structure of encrypted partitions, date file was deleted and more.  You could very easily put together a time line of a customer, projects being worked on, dates of project activity, useful information that can be sold, used to a competing company or party’s advantage in court, for a bid, or a competitive product or service.

There is a lot of ‘negativity’ with Anti-Forensics lately, especially in the forensics community.   Although I understand and appreciate the problems and concerns they have, I believe anti-forensics is necessary and a good thing.   It all depends on who is using it and why.  Needless to say, I have fixed the problem with my laptop, and ‘double checked’ my drive encryption and scripts to ensure correct execution.

My sister in law was down for the weekend for a visit.  Along with our weird discussions about PI day (which was yesterday), we had a discussion about iPods and DRM.  She is what I would classify as a ‘user only’ of technology.  She does not understand (and willingly admits no interest) in how the Internet works, or how her mobile phone makes a call.  She just wants the technology to work.  Her impression of DRM was that it was not a concern and didn’t affect her at all.  She uses iTunes, purchases her music, can listen to it on her computer and/or ipod.  If apple wants to put DRM on to protect them that is okay.  It doesn’t impact her.  This is not because she is naive or ‘stupid’, on the contrary she’s pretty bright.  Her interests, time and knowledge are elsewhere.

I believe this view is typical of many people and is unfortunate.  Everyone uses technology, most do not care or have the time to learn how it works.  As long as it works that is good enough.    However, I think (and hope) there may be a light at the end of the tunnel.  As DRM increases it’s touch points from data protection (music files, video files, software, etc.) to ‘tangible’ objects such as your headphones not being able to play in your ipod because they are not ‘apple approved’, I believe the ‘users only’ of technology will start to understand the implications of DRM much better and start to voice their opinions.  I can only imagine my sister in law’s reaction if she could no longer use her exisiting ear phones and had to purchase ‘special’ ear phones to listen to her ipod.

I heard that quote a few years ago, it is one that has always stuck with me.  Personally, I am a big proponent of respecting privacy, but secrecy is an entirely different thing.  Where the line is drawn depends on each individual unfortunately.

Previously, when doing security consulting for businesses, one of the common themes was the employers ability to access email, files, voice mail and even phone conversations of an employee if they felt it was necessary.   Taking email for example, most employers feel they have a right to read any email that enters or leaves their company network, regardless of whether it is private in nature or not.  I have been given arguments that the employer owns the equipment and the network and are ultimately responsible and must have the ability to do these types of activities if they feel it necessary.   I had a discussion with an individual that was a senior executive that felt very strongly in favour of this opinion.  I then gave him a scenario where he was collaborating with another company in a different province and the conversations were around some trade secrets or business that was sensitive in nature.  I asked him if it would it be okay if his upstream ISP or one of the ISPs along the path captured and read his email correspondence with this company.  His response was an absolute ‘no’ it would not be okay.  I then stated that it is the ISPs network, they are ultimately responsible for the security and integrity of it.  Two things happened.  First he didn’t like the conversation anymore, that became very obvious.  Second, he made some statement about it being ‘different’ and changed the topic.  This made me realize that  everyone wants secrecy for themselves, but do not want anyone to have secrets kept from them.  Yes, a very obvious statement, but I think it also comes down to that simple concept which drives all these debates, discussions, and laws or lack of laws.

So why am I bringing this up?   Michael Hyatt has a blog that I read regularly.  I don’t know him personally, but he seems like a good guy and has some insightful entries.  He recently commented on the idea of using Gmail for his business email. I completely understand why he is considering it, and would argue that if you are a small or medium size business it could make complete sense financially and logistically.   What about the privacy implications?  What if Google has a security breech and data is lost or stolen?  What if Google is late to apply a security patch? What if there is a security hole that Google isn’t aware of but a criminal is?   If there is a legal issue with a company in Germany that is using a cloud computing application who’s laws apply for data access?  Suppose you accept the terms of service and policies around Gmail and choose to use their service for email.  A year later, you change your mind and wish to have all your email transferred to a different server or service.  Can you do this?  Will all your data be erased from Gmail servers and their backup systems so they could never retrieve it again?  Do you care?

I think technology, innovation, and the internet are awesome.  But I also think it is very important that individuals and businesses realize and think seriously about the privacy implications.  Some suggest this is pointless.   With GoogleDocs, Gmail, online CRM systems, and the multitude of other cloud computing applications available and in use, we have already made this decision even if it is somewhat unconciously as a society.   I feel this statement may be right, and that makes me sad.

What can you learn from a visualization such as this?  Could you build a profile of the persons in this house just from their DNS queries?  And if you can, what does it tell you?  Twitter is obviously used in the house as the largest number of references are made to ‘twitter’. ‘Sandvine’ is also used often.  There are references to ‘mac’ and ‘apple’.  ‘facebook’ also is large relative to the others.  There are queries to ‘thepiratebay’. What do these all mean?  What can we infer from them, and are we accurate with our inferences?

Using the same dataset with full queries, here it is visualized as a bubble graph .

From this visualization, ‘twitter.com’ and ‘search.twitter.com’ receive most of the queries, making it safe to say there is probably at least an active twitter account with an individual in this residence.  The ‘DC-2.sandvine.com’ sheds light that someone reguarily looks up what is probably a ‘Domain controller’ for ‘Sandvine.com’.  If from this you were to infer an employee of Sandvine, well you’d be correct.  You can not actually get to any of those servers without using a VPN, but due to the way DNS works, it often leaks.

Over the next few weeks, I will be working with this data, the graphs above, with other tools and DNS vectors to determine what  else can be inferred from just DNS.

You can see in the server name in the SSL client hello packet.  The hello packet is the first part of the initial SSL handshake sequence when a application attempts to establish and SSL session.

Using Wireshark, and digging a little deeper, I found it is classified as an ‘Extension’ labeled ‘server_name’

It appears to be one of the acceptable extensions for SSL.  A quick check of the RFC revealed that it is an optional addition that applications such as a browser can add to the SSL negotiation process.

<snip>
.2. Extended Server Hello

The extended server hello message format MAY be sent in place of the
server hello message when the client has requested extended
functionality via the extended client hello message specified in
Section 2.1.

……

In order to provide the server name, clients MAY include an extension
of type “server_name” in the (extended) client hello.  The
“extension_data” field of this extension SHALL contain
“ServerNameList” where:

struct {
NameType name_type;
select (name_type) {
</snip>

As it turns out, this functionality was added to permit virtual hosting of SSL/TLS enabled sites.  Without it, every site requires a unique IP address.  With that reasoning, I expect it to become common place in the future.  One can argue that by having the destination IP address (which is not encrypted) of a network flow, determining which site a user is visiting when each IP address is mapped to a single SSL application is trivial.  Therefore adding this extended server_name option is no different and hence there is no added privacy concerns.   While I agree with this, it makes it much easier for the automation of statistics and monitoring of network flows.

The main point to keep in mind is that although you data is still encrypted, TLS/SSL still reveals the sites you visit.