
Death of Anonymous Travel
Image: http://magazine.carleton.ca/2006_Spring/photos/boiling-frog.jpg
Sherri Davidoff, Philosecurity
sherri@philosecurity.org
© 2009 Sherri Davidoff
Who am I?
• SANS “Network Forensics” (Sec558) class coauthor (next in San Diego, 9/16-9/18)
• Philosecurity.org author
• Security/forensics consultant for many industries
  – health care, financial, manufacturing, government, academia, law enforcement

Who Knows You’re Here?
• Who Knows You’re in Las Vegas?
• Who Knows You’re in this Hotel?
• Who Knows You’re at Defcon?
• Who Knows You’re in this Room, at this moment?

Who Knows You're Here?
• Did you fly here? Did you rent a car?
• How did you check in to your hotel room? And how will you pay for it?
• What have you bought while you were here? A latte? A drink at the bar?
• Have you used an ATM? Gambled with your debit card?
• Are you carrying a cell phone? A credit card with an RFID chip? RFID passport?

Knowledge is Power
• Cell phones
• Credit Cards
• License Plates
• RFID Tracking
• Electronic Fares
• Traveler Registration Databases
• Surveillance Camera Networks

Think Like a Programmer!
  – Detect & Prevent Error Conditions

Please Turn Off Your Cell Phones…

Iran and You

Iran and You
Nokia-Siemens Networks sold Iran their “Monitoring Center.” From the brochure:

Your Country Has Cooler Toys
At least, if you're in one of the 60 countries where Nokia-Siemens has sold its “Intelligence Platform.”

Mass Analysis

Intelligence Platform

Your Personal, Mobile Bug
• The first step in tracking people is to get them to voluntarily carry a tracking device.
• "Can you find me now?"

Cell Tracking
• 2005 - FCC-mandated E911 (Phase 2)
• Carriers trace calls within 50-100 m
• Latitude & longitude
• Network
  – Angle of Arrival
  – Time Difference of Arrival
  – Location signature
• GPS in handsets
“One Day of Cell Tower IDs” http://reality.media.mit.edu/viz.php
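Of the network-side methods listed above, Time Difference of Arrival is the one that can be shown end to end in a few lines. The following is an added example written for this edit, not code from the talk or from any carrier: it simulates the arrival-time differences a set of towers would record for a single transmission from a handset, then recovers the handset's position with a Gauss-Newton least-squares fit. The tower coordinates and the handset position are constructed.

```python
import math

# Speed of light in m/s: converts arrival-time differences into distance differences.
C = 299_792_458.0


def tdoa_measurements(towers, position, t0=0.0):
    """What the network side sees. A handset at `position` transmits at an
    unknown time t0; each tower timestamps the arrival. Subtracting tower 0's
    timestamp cancels t0, leaving distance differences in metres.
    (Constructed, noise-free simulation.)"""
    arrivals = [t0 + math.dist(position, t) / C for t in towers]
    return [C * (ti - arrivals[0]) for ti in arrivals[1:]]


def locate_tdoa(towers, ddiffs, guess=None, iters=100, tol=1e-6):
    """Gauss-Newton solve for (x, y) such that |p - t_i| - |p - t_0| = ddiffs[i-1].
    Needs at least three towers; more than three gives a least-squares fit."""
    if guess is None:  # start at the centroid of the towers
        guess = (sum(t[0] for t in towers) / len(towers),
                 sum(t[1] for t in towers) / len(towers))
    x, y = guess
    x0, y0 = towers[0]
    for _ in range(iters):
        d0 = math.hypot(x - x0, y - y0)
        a = b = d = 0.0      # entries of J^T J (symmetric 2x2: [[a, b], [b, d]])
        g0 = g1 = 0.0        # entries of J^T r
        for (tx, ty), dd in zip(towers[1:], ddiffs):
            di = math.hypot(x - tx, y - ty)
            r = di - d0 - dd                      # residual for this tower
            jx = (x - tx) / di - (x - x0) / d0    # d r / d x
            jy = (y - ty) / di - (y - y0) / d0    # d r / d y
            a += jx * jx
            b += jx * jy
            d += jy * jy
            g0 += jx * r
            g1 += jy * r
        det = a * d - b * b
        if abs(det) < 1e-12:
            break  # degenerate geometry (e.g. towers collinear with the handset)
        dx = (d * g0 - b * g1) / det
        dy = (a * g1 - b * g0) / det
        x -= dx
        y -= dy
        if math.hypot(dx, dy) < tol:
            break
    return x, y


def demo_error(truth=(700.0, 1200.0)):
    """Round trip on a constructed scenario: four towers on the corners of a
    2 km square, handset at `truth`. Returns the position error in metres."""
    towers = [(0.0, 0.0), (2000.0, 0.0), (0.0, 2000.0), (2000.0, 2000.0)]
    est = locate_tdoa(towers, tdoa_measurements(towers, truth))
    return math.dist(est, truth)


if __name__ == "__main__":
    print(f"noise-free position error: {demo_error():.6f} m")
```

Each 100 ns of timestamp error at a tower is roughly 30 m of range error (C × 10⁻⁷ s), which is why the accuracy quoted on the slide is a matter of clock synchronisation and tower geometry; nothing on the handset beyond transmitting is needed for this to work.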
Location-based Services
Verizon: “Your wireless device can determine its (and your) physical, geographical location... Certain software applications are capable of accessing, collecting and using Location Information and disclosing the information to the application provider and other people.”
• “Chaperone”
• “VZ Navigator”
http://products.vzw.com

Google
• Latitude
• Automatically share your location from phone
• Look up friends on Google Maps
http://www.foxnews.com/story/0,2933,487629,00.html

Employers & Schools
• Montclair State University
  – Mandatory cell phones
  – Rave Guardian
• NY - John Halpin fired
http://www.ravewireless.com/products/raveguardian

MobileSpy
• Apple iPhone
• “Silent Application”
• GPS location
• … & much more
Images: http://mobile-spy.com/
Skynet… er hook. Skyhook.
• iPhone
• Determine location based on nearby:
  – WiFi Networks
  – Cell Towers
• “Self-healing”
  – iPhone adds new APs & towers to database
• AOL
• Eye-Fi memory cards (digital cameras)
New York Times, “Cellphone Locator System Needs No Satellite” 06/2009

“Roving Bugs”
Genovese family investigation (2006)
  – Nextel cell phones
  – Audio Spyware
  – “Functioned whether the phone was powered on or off.”

ThorpeGlen

ThorpeGlen

Telstra BigPond

FBI Call Monitoring
• “Pasdar Affidavit”
  – Verizon consultant
  – 45Mbps DS-3 digital line
  – FBI reportedly has “unfettered access”
  – voice, data, even physical location
• Quantico Circuits
  – Parties, times, locations, etc
  – Telco & Internet, Quantico, 40 FBI offices
http://www.slate.com/id/2186825/entry/2186832/

DCSNet “Instant Wiretaps”
• “Red Hook”
  – pen trap/trace
• “Digital Storm”
  – full wiretap
• Security Vulns
• Location data
• ACLU E911 FOIAs
http://www.wired.com/politics/security/news/2007/08/wiretap?currentPage=1

NSA “Overcollection”
Map of suspected NSA taps. (ACLU)

Mobile Phone Location Data
• Initially spurred by emergency regs
• Intelligence agencies’ mass analysis
  – Telecoms profit!
• LE wiretaps
  – Telecoms profit
• Location-based services
  – Telecoms profit
  – Data sold to/used by advertisers, 3rd parties
• Spyware

People Tracking
• Developing organically
• Two primary driving factors:
  – Cell Phones
  – Payment systems
  (Location data: secondary)
• Increasingly centralized
  – Commercial
  – National security
• Opaque
Image: http://img.technospot.net/gps-tracking-buddyway.jpg
Payment Systems: Then
• Cash
• Company Scrip
• Subway tokens
• 2-party transactions
Images (left to right): eBay, Wikipedia, Wikipedia

Now: Credit/debit cards
• Linked to identification
• Tracked by 3rd parties
• Controlled by 3rd parties
• Shared w/LE
Image: Wikipedia

Who Knows Where You Shop?
• You
• The Store (Best Buy, pharmacy, grocery, etc)
  – Frequent shopper
• Anyone the Store sells its list to (advertisers)
• Bank/Credit card company
• and...

Government - NSA
• Monitors:
  – Travel & phone records
  – “Huge volumes” of emails & Internet traffic
  – Bank transfers
  – Credit-card transactions
• “Sophisticated software programs analyze the various transactions for suspicious patterns” -WSJ
http://www.youtube.com/watch?v=UUSZHC1Gu7U

Credit Only!
• Some companies have stopped accepting cash
  – JetBlue, United, American flights
  – Texas toll road
  – Is this legal?
• Coinage Act of 1965
  – Creditors must accept US tender
  – “public charges”
  – Private businesses, not so much

AmEx “Consumer Trackers”
• "Method and System for Facilitating a Shopping Experience"
• 2007 Patent Application
  – RFID tracking in stores
  – ... or in a “school, shopping center, bus station or other place of public accommodation”
• AmEx Blue – RFID
http://www.guyvider.com/2007/07/i-been-turned-blue-by-american-express.html

Cell phones: Shopping Centers
• UK Shoppers tracked via cell
• Periodic Location Update
• & Bursts during calls
http://technology.timesonline.co.uk/tol/news/tech_and_web/article3945496.ece

FootPath Demo
http://www.pathintelligence.com/website-demo/ui-demo.html

Why is this Happening?
• Where you shop/ what you buy is valuable
• Advertising
• Credit decisions
• Law enforcement
  – “predictive policing”
• Intelligence agencies- mass analysis
  – Credit card companies profit

Tracking Commuters
• Boston 2006
• America’s first subway
• No more tokens
• Charlie Card
• RFID
• Charlie Ticket
  – 30 cent surcharge
• Both unique serial number
• Tracked – location, date, time of each use
• Financial database...

“No Cash”

PII vs. Aggregate Information
• Personally Identifiable Information
  – Name, address, financial, photo
• Aggregate Information:
  – “Travel patterns of our customers”
  – Location, date & time of each use is stored, linked to card serial #
• MBTA says serial # is not “linked” to a particular user
• ...and therefore not protected as PII
• (But MA laws say “identifying number” is PII)

Getting Access
• You can’t access “Aggregate Information”
• ...but other people can.
• MBTA “may share Aggregate Information with third parties. Rest assured, though, that Aggregate Information... will not allow anyone to identify you, or determine anything personal”
• Except: “Persons...may be able to combine (i) information they properly obtain from us... with (ii) other information they independently possess concerning you... we will not be responsible for Proper Recipients' later use of this information.”

Employers
https://corporateprogram.mbta.com/WebUI/public/preview.html

Storage & “Linking”
• How Hard is it to “Link”?
  – Easy
• Aggregate data stored “indefinitely”
  – i.e. travel histories
• PII stored for 14 months
• ...In “active” systems!
• Archived “for the retention period required by applicable Public Records Laws of the Commonwealth”
• Even many years later, travel histories can be mined
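To make the “not linked” claim on the three slides above concrete, here is an added Python example written for this edit (not MBTA's code or data; the card serials, names, stations and times are constructed). It shows that per-serial travel records join trivially against any outside list that maps serials to people, that a single known sighting narrows a serial to one card, and what a release that is genuinely aggregate looks like: counts per station and hour with small cells suppressed and no serial in the output.

```python
from collections import defaultdict

# Constructed sample of the "Aggregate Information" described above:
# one row per tap, keyed by card serial number, no name attached.
TRAVEL_LOG = [  # (card_serial, station, date, time)
    ("0012345", "Park St", "2009-07-01", "08:02"),
    ("0012345", "Harvard", "2009-07-01", "17:41"),
    ("0098765", "Park St", "2009-07-01", "08:05"),
    ("0098765", "Kendall", "2009-07-01", "18:10"),
    ("0055555", "Park St", "2009-07-01", "08:11"),
    ("0055555", "Kendall", "2009-07-01", "18:15"),
]

# Constructed "other information they independently possess": e.g. an
# employer's record of which corporate-program card went to which employee.
SERIAL_TO_PERSON = {"0012345": "Alice Example", "0098765": "Bob Example"}


def link(travel_log, serial_to_person):
    """Join the 'non-identifying' serial against an external serial->name list.
    Every trip made with a known card is now attributed to a named person."""
    histories = defaultdict(list)
    for serial, station, date, time in travel_log:
        person = serial_to_person.get(serial)
        if person is not None:
            histories[person].append((station, date, time))
    return dict(histories)


def serials_seen_at(travel_log, station, date, hour):
    """Re-identification from one observation: knowing a single place and hour
    where someone was narrows the candidate serials, often to exactly one."""
    return {s for s, st, d, t in travel_log
            if st == station and d == date and t[:2] == hour}


def safe_aggregate(travel_log, min_group=3):
    """Aggregation that actually is aggregate: counts per (station, date, hour),
    with cells holding fewer than `min_group` distinct cards suppressed, and no
    serial number in the output."""
    cards = defaultdict(set)
    for serial, station, date, time in travel_log:
        cards[(station, date, time[:2])].add(serial)
    return {cell: len(s) for cell, s in cards.items() if len(s) >= min_group}


if __name__ == "__main__":
    print("linked histories:", link(TRAVEL_LOG, SERIAL_TO_PERSON))
    print("cards at Harvard 17:xx:", serials_seen_at(TRAVEL_LOG, "Harvard", "2009-07-01", "17"))
    print("publishable counts:", safe_aggregate(TRAVEL_LOG))
```

The suppression threshold is the design choice that matters: once records are keyed by a stable serial, the retention period on the earlier slide decides how far back a future join reaches, whereas a count-only release with small cells removed carries no per-card history at all.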


Seniors & Disabled People
• No option for privacy
• Must provide PII for benefits
• Photographs stored electronically

Why Does this Matter?
• Little legal protection
• Commuting histories can be sold
• Intelligence agencies – data mining
• Employers could track employees – often subway cards obtained through employer
• Subway officials – track you wherever you go
• How well secured? How do we know?
• Law enforcement, court cases
• Even many years later, travel histories can be mined

Amtrak
• “Uniformed police officers”
• “Mobile security teams”
• “K-9 units”
• “Random passenger and carry-on baggage screening”
• “Identification checks”
• “Passengers failing to consent to security procedures will be denied access to trains.”

TSA & Amtrak
Sept 23, 2008 – “largest joint, simultaneous Northeast rail security operation”
http://www.nytimes.com/2008/09/24/nyregion/24sweep.html

“NYPD Security Camera in Area”

Where are the Cameras?
There’s one!

CrimeEye

Securing the Cities
• DHS
• $29 mil to NYC area
• Nuke detection
• LE partnerships
• Vehicle scanning & tracking
• Routine checkpoints & roadblocks on:
  – Bridges
  – Tunnels
  – Boats
  – Waterways
http://www.washingtonpost.com/wp-dyn/content/video/2008/01/11/VI2008011102994.html

Lower Manhattan Security Initiative
• Private/public partnership
• Modeled after London “Ring of Steel”
• 3,000 cameras
  – 2,000 private
• Video intelligence
• 100 License Plate Readers
  – Plus roving scanners
  – Automatically compare to database
• ~$100 million
• DHS: $10mil
• NYC: $15 mil
The Edge of Terrorism: http://www.thecuttingedgenews.com/index.php?article=11442

Lower Manhattan Security Initiative
• New skyscrapers submit blueprints
• Security designed in
• Eventually:
  – Lights
  – Air conditioning
  – Internal cameras
  – Access control
• ...Will be controllable from LMSI Coordination Center
• 55 Broadway – 28th floor
  – and a “secret backup location”
http://www.nyc-architecture.com/LM/LM084.htm
Domain Awareness System
• LPR Data – 5 year record
• Video – 30 days (prob. storage capacity)
• “Secondary use” – requires approval, but NOT publication or documentation
• Sharing with 3rd parties – approval, not publication
  – “Stakeholders”
• Good attention to “differentiated access” & privacy training
• But does not close the loop by making audit results public or providing clear means for citizens to check use of data

Operation Sentinel
• Combines strategies from Securing the Cities & LMSI
• “Ring of Steel” – like London
• Every vehicle entering the city:
  – Photograph (w/ time stamp)
  – License plate info
  – Radiological signature
• 80 fixed License-Plate readers
• 36 “roving” readers
• 7 vehicle crossings
  – Ultimately all crossings
• Data sent to Coordination Center
“Sadly, it is a little bit of an infringement on your rights," Bloomberg (2007)
http://wcbstv.com

Bus Surveillance
• Chicago Transit Authority
• IBM
• 2,100 buses
• 7 cameras each
• DVR onboard
• Wireless “hot-spot”
“Using laptops that are networked through antennas, Metro transit police and supervisor vehicles can tap into real-time video from inside the bus when they are within a range of several blocks.”
http://swiftor.com

Operation Virtual Shield
• Chicago & IBM
• Thousands of video surveillance “access points”
  – Currently ~600
• Mesh wireless (Firetide)
• “Analytic software” sends out alerts
• License plate readers

IBM’s PeopleVision
• Now “Smart Surveillance System"
• Shenzhen, China – 200,000 surveillance cameras
• Disguised as lampposts
• Nationwide network
• Goal: 2mil cameras
http://www.research.ibm.com/peoplevision/

Cars

Toll Booths
• Cash
• Token
Photo: MTA Museum, NYC

Cashless Toll Systems
• Fastlane, EZPass
  – Violations – OCR
  – EZ-Subpoenas
• Differential Pricing
• Court cases

No Cash!
• “Big Brother Highways”
• Texas Roads 183A & 45
  – Either have an electronic pass
  – Or get a bill in the mail (based on plate photo)
• $1 surcharge per bill; up to 65% more
• Louisiana 1
  – Electronic pass
  – Or one-time electronic pass (purchased at kiosk along the way)
  – All except one kiosk require a credit card

The Vehicle or the Person?
• Driver liable (i.e. CA, CO, VA...)
• Owner liable (GA, DE, DC, NY, NC...)
• Minnesota Supreme Ct
  – Minneapolis Red Light Camera program illegal
  – Uniformity issue
  – Local ordinance “in conflict”
• “Rebuttable presumption"
• Due process

EZ-Pass Used to Monitor, Not Toll
• April 2009
• EZ-Pass transponders deployed to “monitor traffic”
  – Brooklyn Bridge, NY
  – Lower Manhattan
• “Calculates travel time & routes”
• Can't read license plates (would it need to? EZ pass has identifier)
http://ny1.com

UK - ANPR
• Automatic Number Plate Recognition
• 50mil plates a day
• >2000 cameras
• National ANPR Data Centre
• Stored for 5 years
  – date, time, location
• Intelligence and Evidence
  – John & Linda Carr
• Also: fleet of vans w/ANPR
• Helicopters
http://en.wikipedia.org/wiki/Police-enforced_ANPR_in_the_UK

UK – RFID Plates
• Active RFID
• > 300 ft
• ePlate
• 2005
http://www.wired.com/politics/security/multimedia/2005/08/68429?slide=3&slideView=3

Brazil – Tracking Devices
• Government-mandated in all new cars
• High auto theft
• Police can shut vehicle down remotely
http://www.scambo.com.br

On-Star
• GPS location & speed
• Privacy exceptions
  – “to protect our rights or property or the safety of you or others”
  – “required by us to troubleshoot”
• CDMA-based (Verizon in US)
  – (...so the FBI already has your data ;)
• “Stolen Vehicle Slowdown”
  – Police can slow down your car remotely!
Batman OnStar Commercial

What Could Go Wrong?
• Someone could shut down your car against your will
• Accidents could be caused remotely
• Anyone with access to Onstar’s systems or the Verizon network can track you wherever you go.

Red-Light Cameras
• Exploding popularity
  – est. 5000-6000 in USA
• “Cash machines” for local gov
• Safety questionable
• Canadian Journalist Stalked by Police
PhotoEnforced.com

National Surveillance
• Red-Light Camera companies moving into “nationwide surveillance”
• Redflex & American Traffic Solutions
• Full video of passing motorists & passengers
• License plate tracking
• Bypasses GPS tracking laws

Montana & Red Light Cameras
• Bozeman, MT
• Montana Bans Red Light Cameras (May 2009)

Concerns
• Redflex
• Your DMV data is being provided to a third party
• Correlated w/driver videos and images
• Not well secured (as we will see)
• Could potentially be mined by anyone
• No accountability or public oversight
Vendor promptly removed publicly-accessible links upon notification.
Redflex Traffic Systems
• 240 US Cities
• Largest Red Light & Speed Enforcement provider in North America
• Cameras installed at intersections
• Digital stills & full-motion video
• SmartOps back-end center facilitates violation & notice processing

SmartOps Citation Processing
(Wait, what was that? FTP?)

SmartOps Citation Processing
• First Name, Middle Name, Last Name
• Birth Date
• Height, Weight, Hair Color, Eye Color
• Gender
• Address
• License Number
• Driver's License State
• Offense Description, Location, Date/Time
• License Plate
• Vehicle Description
• Driver Images/Video

International Justice and Public Safety Information Sharing Network (NLETS)

SmartOps: Observations
• A Google search turned up this site as the first hit

SmartOps: Observations
I am glad to know that these sites are “Secure.”

“Online Reports”
• Huh?
• SSL anyone?
(At least the other page, “Violation Authorization,” uses SSL.)

“Violation Authorization”
Variable names in the publicly-accessible page confirm that SmartOps provides access to detailed driver (or registered owner) info.

Photos & Offense Info
Based on the publicly-available source code, this site also includes offense details, vehicle descriptions and images of the car and driver.

Bare Naked SQL
• Build a SQL statement in a URL (revealing DB structure)
• Use it to get permissions.
• Store the permissions in an XML object on the client (?!)
As a private citizen, I am getting worried...

Client-side Authorization

Filtering? But I...
Awww, client-side input filtering.

Site-Specific Processes
Chicago is different.
(But a user could bypass that...)
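The four slides above describe one design flaw from four angles: the client supplies the SQL, the client asserts its own permissions, the client does the input filtering, and the client is trusted to apply the per-city process. As an added example written for this edit (not Redflex or SmartOps code; the table, column, city and user names are constructed, and the field names only echo the citation-processing slide), here is that pattern in a minimal Python/sqlite3 request handler beside a hardened version in which the server looks up authorisation by authenticated user, allow-lists the filter names, binds the values as parameters, and scopes every query to the operator's own city.

```python
import sqlite3
from urllib.parse import parse_qs


def build_db():
    """Constructed in-memory stand-in for a citation back-end. Column names
    follow the field list on the 'SmartOps Citation Processing' slide; every
    value is invented."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE citation (id INTEGER, city TEXT, plate TEXT, "
               "offense TEXT, driver_name TEXT)")
    db.executemany("INSERT INTO citation VALUES (?,?,?,?,?)", [
        (1, "Chicago", "ABC123", "red light", "J. Doe"),
        (2, "Denver", "XYZ789", "speed", "R. Roe"),
    ])
    # Authorisation lives server-side, keyed by the authenticated user.
    db.execute("CREATE TABLE operator (user TEXT, city TEXT, can_view_driver INTEGER)")
    db.executemany("INSERT INTO operator VALUES (?,?,?)",
                   [("clerk_chi", "Chicago", 0), ("reviewer_den", "Denver", 1)])
    return db


def insecure_report(db, query_string):
    """The anti-pattern the slides describe: the WHERE clause arrives in the URL
    (so the caller controls the SQL and learns the schema from error messages),
    and the caller also asserts its own permission flag."""
    q = parse_qs(query_string)
    where = q.get("where", ["1=1"])[0]
    can_view_driver = q.get("can_view_driver", ["0"])[0] == "1"   # trusted from client
    cols = "id, city, plate, offense" + (", driver_name" if can_view_driver else "")
    return db.execute(f"SELECT {cols} FROM citation WHERE {where}").fetchall()


ALLOWED_FILTERS = {"plate", "offense"}   # the only URL parameters accepted


def secure_report(db, user, query_string):
    """Hardened form: permissions and site scoping come from the operator table,
    filter names are allow-listed, and filter values are bound parameters."""
    row = db.execute("SELECT city, can_view_driver FROM operator WHERE user = ?",
                     (user,)).fetchone()
    if row is None:
        raise PermissionError("unknown operator")
    home_city, can_view_driver = row
    q = parse_qs(query_string)
    unknown = set(q) - ALLOWED_FILTERS
    if unknown:   # reject, rather than silently honour, anything else (e.g. a permission claim)
        raise ValueError(f"unsupported parameter(s): {sorted(unknown)}")
    cols = "id, city, plate, offense" + (", driver_name" if can_view_driver else "")
    sql = f"SELECT {cols} FROM citation WHERE city = ?"   # site-specific scope enforced here
    params = [home_city]
    for col in sorted(q):            # col is from ALLOWED_FILTERS, so safe to interpolate
        sql += f" AND {col} = ?"
        params.append(q[col][0])
    return db.execute(sql, params).fetchall()


def try_secure(db, user, query_string):
    """Helper: return rows, or the name of the exception the hardened path raised."""
    try:
        return secure_report(db, user, query_string)
    except (PermissionError, ValueError) as e:
        return type(e).__name__


if __name__ == "__main__":
    db = build_db()
    print("insecure:", insecure_report(db, "where=id%3D1&can_view_driver=1"))
    print("secure, clerk:", try_secure(db, "clerk_chi", "can_view_driver=1"))
    print("secure, reviewer:", try_secure(db, "reviewer_den", "plate=XYZ789"))
```

The difference to notice is where each decision is made: in the insecure handler the request decides both which rows come back and whether driver details are included, so any client-side filter or permission object is decoration; in the hardened handler the request can only choose among allow-listed filters, and scope and disclosure are settled by the server's own records.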


Redflex: One of Many
• Many gov. contractors store sensitive personal information
• Not subject to routine audits
• Do not have to publish summaries of results
• Lack of accountability
• Protect citizens’ data

JetBlue Gives 5M Passenger Records
• 5 million passenger records (itineraries)
• Given to gov contractor
• Merged with Acxiom data
• Used for Airline Passenger Risk Assessment
• Published on the Internet
Source: “Inside JetBlue’s Privacy Policy Violations”

Torch Project
• “Demonstrate that Airline Passenger and Reservation Data Can Be Clustered to Form Groups of Conventional Travelers.
• Characterize Each Group of Travelers.
• Show How This Type of Characterization, When Extended to a More Complete and Representative Data Base, Can Be Used to Identify High Risk Passengers.”
Torch Concepts: Airline Passenger Risk Assessment

Getting the Data in 2002 was Hard
Torch Concepts: Airline Passenger Risk Assessment

Your Entire History
Torch Concepts: Airline Passenger Risk Assessment

How Long You’ve Lived Someplace (A “Passenger Stability Indicator”)
Torch Concepts: Airline Passenger Risk Assessment
No-Fly List
• 9/11 – 16 people on FBI’s “no transport”
• 2001 – “No Fly” (594)
  – “Selectee” (365)
• 2006 – 44,000 people on “No Fly”
  – credit reports used to assess risk
• “Terrorist Watch List” – over 1mil names
• False positives
  – Children
  – Senator Ted Kennedy

SecureFlight
• August 15 – DoB & Gender to book travel
• Airlines must share info w/TSA:
  – Full Name, Itinerary, Date of Birth, Gender
• Sent to SecureFlight upon booking
http://www.tsa.gov

SecureFlight Exemptions
• “Exemption from the Access and Amendment Requirements” which “relate to an individual’s ability to request access to and correction of records…”
• “Exemption from Requirement to Collect Only Relevant and Necessary Information”
• “Exemption from the Requirement of Maintaining All Records Used by the Agency in Making a Determination about an Individual with Accuracy, Relevance, Timeliness and Completeness”
• “Exemption from the Requirement of Judicial Review”

“Terrorism”
Leading Causes of Death (United States, 2006)
Rank  Cause of death                                            Deaths     %
      Total (all causes)                                        2,426,24   100.0
1     Diseases of heart (I00-I09,I11,I13,I20-I51)               631,636    26.0
2     Malignant neoplasms (C00-C97)                             559,888    23.1
8     Influenza and pneumonia (J10-J18)                         56,326     2.3
11    Intentional self-harm (suicide) (*U03, X60-X84, Y87.0)    33,300     1.4
13    Essential hypertension and hypertensive renal disease     23,855     1.0
15    Assault (homicide) (*U01-*U02, X85-Y09, Y87.1)            18,573     0.8

U.S. citizens killed in plane crashes (2006): 142
U.S. citizens killed by lightning (2006): 47
U.S. citizens worldwide killed as a result of incidents of terrorism (2006): 28

TSA Priorities?
• Influenza & pneumonia: 56,326
• Terrorism: 28
Image: Tokyo Narita Airport, July 2009

Global Fatalities from “Terrorism”
Even taking a global view, terrorism statistics are surprisingly low.
Dying to Lose: Explaining the Decline in Global Terrorism

FlyClear
• FlyClear is dead...
• Long live your PII.
• Biometrics, etc.
• “Will personally identifiable information be sold?”

Verichip
• Implantable passive RFID
• Unique 16-digit #
• FDA-approved
Image: http://cq.cx/verichip.pl

Tracked at Birth
• Xmark (aka Verichip)
• “Hugs” system
  – Ankle-tags for babies
  – 10-second RFID pulse
• “Kisses” – moms get wrist tags
• “Halo” supervisory system
  – staff tag
  – automatic unlock
http://www.xmark.com/products/hugs/downloads.aspx#hugs6

RoamAlert
• “Wander Prevention”
• Track Grandma
  – Centrally
  – Tag Location Messages
• Automatically lock door
  – ...or elevator
• “System components are located out of sight”
• also by Verichip
http://www.xmark.com/products/roamalert

Travel Restriction Potential
• No access to public transportation
• Pulled over on highway
• Not allowed to fly
• Locked out of offices
• Cell phone calls blocked/monitored
• Bank accounts frozen
• Credit cards frozen

Rights
• Tracking systems should be well-understood and transparent
• People should have control over what personal information is tracked and shared
• Electronic payment/communications systems should be capable of supporting private transactions
• 0wn Your Data!

E Pluribus Unum
"Out of Many, One"
Sherri Davidoff - sherri@philosecurity.org
