MIT Geospatial Data Center 1 Geospatial Exclusion Mechanism for Cyber Security


Pervasive Computing is flooding the Geospatial Grid:

Source: MIT EPROM

Source: Quake Catcher Network


Source: MIT Senseable City Laboratory

Pervasive Computing is flooding the Geospatial Grid:


The mobile device is now a mainstream item:

―Mobile devices are increasingly being used in the same way as personal computers (PCs).

―Mobile devices (e.g. Apple iPhone, Google Android, Research in Motion [RIM] Blackberry, Symbian) have ever-increasing functionality and more accessible architectures.

―Mobile devices offer the convenience of anywhere banking, social networking, emailing, calendaring, et al.

―Mobile devices introduce other features not typically available on a PC, such as global positioning system (GPS) functionality, Bluetooth, Multimedia Messaging Service (MMS), and Short Message Service (SMS).

―Mobile devices are often synchronized with PCs.

―Synchronization, SMS, MMS, Bluetooth, and GPS comprise an extended set of attack vectors against mobile devices.

Source: Lulea University of Technology


There are many exploits against mobile device users:

―Mobile device users are unlikely to show full headers with such a reduced screen size as compared to their desktop displays.

―Vishing: exploits Voice over Internet Protocol (VoIP); VoIP allows caller identity (ID) to be readily spoofed.

―Smishing: exploits SMS or text messages; these text messages contain links to webpages, phone numbers, etc.

Source: Compufreaks


The greatest increase in mobile device usage is in Africa:

―300 million of the world’s 3.5 billion mobile phones are in Africa.

―Mobile phone usage is increasing at twice the rate in Africa as compared to any other continent.

―For the first time in telecommunications technology history, there are more users of mobile phones in the developing world than in the developed world.

―Many people in Africa assert that a smartphone will do a lot more than a $100 laptop.

Source: MIT EPROM

Source: One Laptop Per Child


* MIT GDC chose Africa (ideal honeypot) as its case study region: *

―In Africa, the mobile device is the primary means to connect to the Internet.

―There are 47 countries on the continent of Africa. Counting the island nations that are listed as African, there are 53 countries comprising Africa.

―Currently, only 1 African country, Tunisia, or 1.9% of the African countries has a national Computer Emergency Response Team (CERT); in North America, many cities and towns have their own CERTs. Think pressure sensitivities!

Source: Netizen, Kayak, Paul English


The mobile device is much harder to defend than a PC:

―Most mobile devices have no anti-viral software. Even those that do can only assist in protecting against known threat signatures.

―Encrypting and decrypting consumes a great deal of the energy supplied by the mobile device battery.

―Many mobile users would rather have extended battery life and sacrifice the security of constantly encrypting and decrypting.

Source: p2pon.com


Overseas hacking networks are targeting mobile devices:

―An ever-increasing number of tech-savvy consumers are now using mobile devices for much more than phone calls: Banking, Shopping, Calendaring, etc.

Source: Bank of America

Source: Google


MIT, SANS, Trend Micro, Webroot, and other studies show:

―54% submit credit card information, via mobile devices.

―60% store their banking login information, via mobile devices.

―97% store all their contacts on their mobile devices.

―86% don’t scan for malware on their mobile devices.

―76% click a link sent or posted by a friend on social network sites.

―31% accept friend requests from strangers.

―39% use geolocation on their mobile devices.

―29% share geolocation with people other than their friends.


We have become addicted to mobile applications:

―An increasing number of mobile device users are accessing the Internet for software installations and updates.

―Each installation/update poses a security risk (e.g. viruses), and can be equated to an ongoing game of Russian Roulette.

―Mobile viruses, malformed SMS messages, Personal Digital Assistant (PDA) email viruses, and spam all pose threats.

Source: Volker Hirsch

Source: Mobile Marketing Watch


Mobile devices have many exploitable features:

―Camera

―Microphone

―GPS

Source: AutomationBites


GPS is not needed to determine your location:

―Internet Protocol (IP)

―Global System for Mobile Communications (GSM) / Universal Mobile Telecommunications System (UMTS)

―Wireless Access Points

―(1) Lure mobile device user to a website, which extracts the Media Access Control (MAC) address and reports this unique identifier to the hacker.

―(2) Feed the unique identifying MAC address into Google Location Services, which can pinpoint the location of the mobile device.

Source: Black Hat

Source: Def Con

―Samy Kamkar’s How I Met Your Girlfriend at Black Hat USA 2010 July 24-29 and Defcon 18


* MIT GDC chose the mobile device/smartphone for its geospatial cyber security study: *

Source: Mondo TechBlog

Source: Gigaom.com


We live in the era of Graham Cluley’s World Where Web, which is replete with geolocation services and mapping apps:

Source: Stuart Foster


We live in the world of Facebook Places, Foursquare, and Twitter Location Support:

―What is the significance of Facebook Places, et al? Even if you don’t engage in checking-in, when you’re with friends, and they are checking-in, they can also tag you, just as in a status update or photo, with your current geolocation!


We are in the world of location check-in:

―Locate Me feature on iPhone

―GPS photo-tagging feature found on most smartphones

Source: MIT Senseable City Lab Source: iPhone


It’s Little Brother, not Big Brother that we should worry about.

―Who is Little Brother? The people you don’t know or don’t want to know (i.e. the ex-significant other, the creepy people, et al.)

Source: Patti Digh

Little brother can glean where you are not.

―45% of people are very concerned about revealing when they are away from home.

Little brother can determine where you are.

―What are the implications? Targeted attacks, via WiPhishing, a phishing tactic that fakes a wireless access point (a.k.a. Evil Twin Attack), et al.


* MIT GDC chose Little Brother as the red team adversary: *

―Defending Against Targeted Attacks with Your Name on Them!

Source: ACME GPS

Source: Online Spy Shop


MIT GDC envisions Outdoor/Indoor || Positive / (Negative | Active/Passive) Geolocation as a robust security credential:

―You are now part of the Internet of Things (IOT).

―You can provide ground truth geolocation information (i.e. provenance/pedigree information).


Outdoor/Indoor Geolocation can be a powerful explicit and implicit authenticator:

―Your movements and actions (e.g. using the wifi at the library, taking a picture with your mobile device, et al) are part of your personal supply chain.

Source: MIT Senseable Cities Lab

Source: iPhoneTunes

Source: Starbucks


MIT GDC Matrix as guidance for implicit/explicit authentication:

―After all, a study conducted by the Palo Alto Research Center found that most mobile device users find password entry (with a 10% mistype rate) more annoying than lack of coverage, small screen size, or poor voice quality.


Indoor || Negative | Active Geolocation can be very granular and providently call for explicit re-authentication:

―The HTML5 Geolocation API provides a way to ascertain the location of your mobile devices in a discoverability-agnostic fashion. Parameters include latitude, longitude, altitude, altitudeAccuracy (this will allow you to distinguish Z-depth), timestamp, maximumAge, enableHighAccuracy.

―You can have an IP likely/unlikely (e.g. you are unlikely to be in the basement of your office building) list, as compared to an IP deny list.

Source: Commscope.com
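
The likely/unlikely idea and the Z-depth check from this slide, as an added example that is not code from the original briefing: a function that takes an HTML5 `GeolocationPosition`-shaped object and decides whether the session may continue or explicit re-authentication is called for. The zone coordinates, altitude bands, thresholds and function names are assumptions made for illustration.

```javascript
// Added example: zone coordinates, thresholds and names are assumptions.
const EARTH_RADIUS_M = 6371000;

// Great-circle distance in metres between two latitude/longitude points (haversine).
function distanceMeters(lat1, lon1, lat2, lon2) {
  const rad = (deg) => (deg * Math.PI) / 180;
  const dLat = rad(lat2 - lat1);
  const dLon = rad(lon2 - lon1);
  const a = Math.sin(dLat / 2) ** 2 +
    Math.cos(rad(lat1)) * Math.cos(rad(lat2)) * Math.sin(dLon / 2) ** 2;
  return 2 * EARTH_RADIUS_M * Math.asin(Math.sqrt(a));
}

// Constructed sample policy: one office building with a "likely" band of
// floors and an "unlikely" basement band, told apart by altitude (Z-depth).
const ZONES = [
  { name: "office-floors", lat: 42.3601, lon: -71.0942, radiusM: 60, minAlt: 5, maxAlt: 40, likelihood: "likely" },
  { name: "office-basement", lat: 42.3601, lon: -71.0942, radiusM: 60, minAlt: -10, maxAlt: 5, likelihood: "unlikely" },
];

// Decide whether a GeolocationPosition-shaped fix lets the session continue
// or calls for explicit re-authentication.
function evaluateFix(position, nowMs, maxAgeMs = 60000, maxAltErrorM = 3) {
  const c = position.coords;
  if (nowMs - position.timestamp > maxAgeMs) {
    return { action: "reauthenticate", reason: "stale-fix" };
  }
  const inside = ZONES.filter((z) =>
    distanceMeters(c.latitude, c.longitude, z.lat, z.lon) <= z.radiusM);
  if (inside.length === 0) return { action: "reauthenticate", reason: "outside-known-zones" };
  // altitude and altitudeAccuracy are null when the device cannot supply them;
  // without a trustworthy Z value the floors cannot be told from the basement.
  if (c.altitude === null || c.altitudeAccuracy === null || c.altitudeAccuracy > maxAltErrorM) {
    return { action: "reauthenticate", reason: "altitude-unreliable" };
  }
  const zone = inside.find((z) => c.altitude >= z.minAlt && c.altitude < z.maxAlt);
  if (!zone) return { action: "reauthenticate", reason: "outside-known-zones" };
  return zone.likelihood === "likely"
    ? { action: "allow", reason: zone.name }
    : { action: "reauthenticate", reason: zone.name };
}

// Browser wiring (not run here; navigator.geolocation exists only in a browser):
// navigator.geolocation.getCurrentPosition(
//   (pos) => console.log(evaluateFix(pos, Date.now())),
//   (err) => console.log({ action: "reauthenticate", reason: err.message }),
//   { enableHighAccuracy: true, maximumAge: 0, timeout: 10000 });
```

A client-reported position can be falsified, so a result of "allow" is one signal among several rather than a credential on its own.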


Non-GPS Indoor || Negative | Passive Geolocation can be excellent security through IOT obscurity:

―You can defend against targeted attacks by personal engagement in security through IOT obscurity!

―It’s the classic security through obscurity by engaging in EMCON, via an APP that turns off your GPS.

Source: James Parra


How MIT’s non-GPS Indoor || Negative | Passive Geolocation System is designed:

[Diagram; labels: MIT Application Server; IBM Big Iron; Software stitches photos together programmatically; Software computes each photo’s viewpoint and a sparse 3D model of the scene; Software matches image]


How MIT’s non-GPS Indoor || Negative | Passive Geolocation System works:

―Software collects image actively.

―Software transmits images to the MIT application server.

―Software matches image geometry with the pre-indexed image library on the digital media archival server (e.g. IBM Big Iron, which, for each segment of memory, has a storage protection key).

―Software informs mobile device user of current location and nearby points of interest (POI).

[Diagram; labels: MIT Application Server; IBM Big Iron]


How MIT’s non-GPS Indoor || Negative | Passive Geolocation System can be effective EMCON, while still informing you:

Source: MIT Senseable Cities Lab


(Negative | Active/Passive) Geolocation Functionality built on IBM Big Iron for species diversification to avoid transitive closure:


So, we found a triumvirate solution to make it more difficult for Little Brother to target us constantly:

―Geolocation emissions control (EMCON), via an APP that turns off your GPS and an indoor geolocation paradigm shift towards image geometry matching.

―(Negative |Active/Passive) Geolocation as a robust security credential.

―Pre-indexed trusted image library, for image geometry matching, on IBM Big Iron for species diversification to avoid transitive closure.

L1 Cache: 32 KB, 2-4 cycles
L2 Cache: 512 KB, ~7 cycles
L3 Cache: 48 MB, 14 cycles
RAM: 64 GB, 70 cycles
Disk: 10 ms, 10 million cycles
Cross Machine: 1-10 ms, 10 million cycles


Source: IM2GPS: 3D Reconstruction and Geolocation of Internet Photo Collections

Is this triumvirate solution readily implementable? Yes!


[Diagram; labels: Probabilistic Spatiotemporal Model; Support Vector Machine Classifier (Machine Learning, via Pattern Recognition); Event Detection; Earthquake; Cyber Attack; Traffic Jam; QRC; Treatment of Geolocated Social Media Information as Sensory Data; Geospatial Data; Architected to address the Big Data Problem; Crowd-sourced Classifiers (Focused upon Unstudied Signatures and Patterns); Bad Reading; Disinformation; Comps]


Source: S Miles of the MIT Senseable City Laboratory & MIT Geospatial Data Center

Can visualizing big data help detect anomalies? Yes!


Source: Geosimulation

Can visualizing big data help detect anomalies? Yes!

Source: Ekahau

Source: Xirrus


On behalf of the entire MIT team, thank you for the privilege of providing this brief at the UoM/FIT Cyber Security Expo 2010!