BCIT COMP 7036 Research Proposal by Wesley Kenzie Nov 2009

COMP 7036 Applied Research Methods in Software Development Instructor Aman Abdulla Assignment Final Project – Research Proposal Due Date November 30, 2009 12:00 noon Student ID A00242330 Student Name Arthur (Wesley) Kenzie

No Surveillance: How, and how easily, can the privacy of Internet

access and usage be improved for desktop computers, laptops, and mobile devices?

PDF created with pdfFactory Pro trial version www.pdffactory.com

http://www.pdffactory.com


“No Surveillance” Research Proposal

page 2 of 37

Abstract .............................................................................. 3 Introduction ......................................................................... 4 Objectives ........................................................................... 7 Hypotheses ........................................................................... 7 Methodology and Process Stage 1 – Descriptive Study ........................................... 8 Stage 2 – Explanatory Study .......................................... 16 Results and Discussion .......................................................... 19 Conclusion ........................................................................... 19 Appendices .......................................................................... 20 References ........................................................................... 37





page 3 of 37

Abstract Almost all desktop, laptop and mobile device users of the Internet regularly and inadvertently compromise their privacy, and thus increase their risk to “security of person”. There is also a trend, both within Canada, and in many other countries throughout the world, to enable and to make legal the monitoring and recording of essentially all Internet access, usage, and content. This surveillance is an intrusion and violation of privacy, made under the guise of the utilitarian argument that our society needs protection from the illegal and dangerous activities that threaten us. One recent example of this trend in Canada is the introduction of Bills C-46 and C-47 by the Federal Government in June 2009. These proposed laws would require Internet Service Providers to keep details of all communications by all of their subscribers in case the police ever want this information. Legitimate and legal use of the Internet, however, deserves and needs greater protection of privacy and the corollary security of person. This research study proposes to quantify how, and how easily, the privacy of Internet access and usage can be improved for desktop computers, laptops, and mobile devices.





page 4 of 37

Introduction Almost all desktop, laptop and mobile device users of the Internet regularly and inadvertently compromise their privacy, and thus increase their risk to “security of person”. Security of person refers to the right to live in safety, free from violence, free from harassment, and free from abuse. There is also a trend, both within Canada, and in many other countries throughout the world, to enable and to make legal the monitoring and recording of essentially all Internet access, usage, and content. This surveillance is an intrusion and violation of privacy, made under the guise of the utilitarian argument that our society needs protection from the illegal and dangerous activities that threaten us. Child pornography is invariably held up as one of these threats, as is terrorism, organized crime gangs, and neo-Nazism. One recent example of this trend in Canada is the introduction of Bills C-46 and C-47 by the Federal Government in June 2009. These proposed laws, among other things, would require Internet Service Providers to keep details of all communications by all of their subscribers in case the police ever want this information. Legitimate and legal use of the Internet, however, deserves and needs greater protection of privacy and the corollary security of person. In fact, security of person and privacy are basic legal rights, enshrined in Sections 7 and 8 of the Canadian Charter of Rights and Freedoms. Privacy is also a fundamental right identified in article 12 of the Universal Declaration of Human Rights, in Article 8 of the European Convention on Human Rights, in the Fourth Amendment and the Fourteenth Amendment of the United States Constitution, and elsewhere. Security of person is a fundamental right identified in article 3 of the Universal Declaration on Human Rights, in Article 5 of the European Convention on Human Rights, in article 9 of the International Covenant on Civil and Political Rights, in section 12 of the South Africa Bill of Rights, and elsewhere.





page 5 of 37

There are many legitimate reasons for protecting privacy, as indicated on The Tor Project web site [1] and elsewhere:

• Normal people are concerned about unscrupulous marketers, identity thieves, irresponsible corporations, child predators, adoption anonymity, and oppressive governments.

• Activists and whistleblowers are concerned about their own and their

family’s safety and protection from repercussions. • Bloggers are concerned about anonymity to protect themselves from

frivolous and expensive lawsuits, and from losing their jobs for speaking their minds.

• Journalists and their audiences are concerned about freedom of

speech, safety of their writers and readers, and shining light on the complete and accurate truth.

• Business executives have a need to see their competition’s web

presence in the same way that the general public sees them, and about the confidentiality of outgoing web traffic patterns.

• Military personnel are concerned about protection of field agents,

location of command and control web sites, and anonymity of intelligence gathering.

• Law enforcement is concerned about the availability of anonymous

tip lines, the stealth of undercover and sting operations, and the ability to perform surveillance.

• Information Technology professionals are interested in testing IP

address firewall rules and security settings, and in having unfettered access to Internet resources without being limited themselves by these rules and security settings. This research study proposes to quantify how, and how easily, the privacy of Internet access and usage can be improved for desktop computers, laptops, and mobile devices. A search and review of existing literature [2,3,4,5] found a profound lack of data on this subject.





page 6 of 37

In the first, exploratory stage, a descriptive study will be done to investigate and measure the current state of privacy. Current vulnerabilities will be described and measured for each of the target hardware and software platforms, using a range of standard “Use Cases” that are cross-referenced against different categories of users. This first stage of study will also include an overview of the legal and regulatory environment as it pertains to Internet access and usage, in order to describe the broader, societal context and constraints. In the second stage, an explanatory study will be done with specific tests performed to measure the effectiveness and usability of different enhancements to improve or protect privacy. The same target Use Cases, target categories of users, and target hardware and software platforms will be studied as in the first stage. In fact, the first stage results will be used as the control group for the second stage results. The usability of these enhancements will be measured both subjectively and objectively. Subjective measurements will come by way of a web survey of users and potential users. Objective measurements will come from Timing measurements and Vulnerability Change measurements. Timing measurements will quantify how many seconds each of the Use Cases takes to complete on the Hardware and Software Platforms. Vulnerability Change measurements will specify whether each enhancement did or did not provide protection for each vulnerability. The enhancements to be tested for effectiveness and usability will first include only current tools, solutions, and procedures such as proxy servers, encryption, and anonymizing software. After this testing is completed, a variety of open source software customizations and customized software solutions will be developed and tested to measure their additional effects on privacy protection.





page 7 of 37

Objectives There are three primary objectives to this research study in the context of Internet access and usage. First, the current state of privacy will be extensively described and measured, so that, for example, users of each major browser will be shown what information they disclose to both passive and active observers when they browse the Internet. This objective will also be met by an enumeration of current laws and regulations that form the context and constraints of societies in a variety of countries around the world. The second objective is to extensively describe and measure the effectiveness and usability of existing privacy protection measures. Thirdly, additional privacy protection enhancements will be developed and tested to demonstrate how they could be put to use, where and when they would be useful or not useful, who could use them, who would not use them, why they work, and what they would do, or not do, to better protect privacy. Hypotheses This research study will show that users of desktop computers, laptops and mobile devices compromise their privacy when using the Internet, and that there are many ways to better protect this privacy. A secondary hypothesis is that privacy vulnerabilities vary in extent and in significance depending on the task that is being performed, and the tools being used.





page 8 of 37

Methodology and Process Stage 1 – Descriptive Study Investigate and measure the current state of privacy. Current vulnerabilities [Table 1] will be described and measured for each of the target hardware platforms [Table 3] and software platforms [Table 4] using a range of standard “Use Cases” [Table 2] that are cross-referenced against different categories of users [Table 5]. A non-probability, proportionate quota sampling of users is proposed, to ensure a minimum of 40 members in each of the 7 categories of users listed in Table 5 is included. Due to the significant amount of time required to perform each vulnerability test, and presuming that there are sufficient resources and time made available to undertake this part of the study, the Stage 1 samples will be taken from geographically close populations in Vancouver, Kelowna, and Whistler, British Columbia and from Seattle, Washington. An equal number of males and females from each category will be selected. This means that, for example, of the 40 “Youth” category users, 5 boys and 5 girls will be selected from each of the 4 geographic locations. The sample frames for the user categories are also listed in Table 5. In the case of the “Teen” category, for example, a list of students will be used from a randomly selected high school and college in each of the 4 geographic locations. The sample frame for the “Senior” category will be from a list of residential addresses on randomly selected streets in each of the locations. Due to the enormous number of possible Use Cases and Software Platform combinations, however, development of a set of “test, measure, and record” software applications is also proposed. These programs would be developed to ensure there is testing and measurement coverage for each hardware and software combination. These applications will be open source licensed, and distributed to anyone who will agree to run them on their own computer, laptop or mobile device for testing and research purposes. They will be known as the “No Surveillance” sampling test suite. This will greatly expand the sample size, improve the significance of results, and it is expected that additional insights into vulnerabilities will be discovered.





page 9 of 37

Participants in this self-administered part of the study will be provided with details of their own vulnerabilities along with aggregate vulnerability details from all other participants. The No Surveillance sampling test suite programs will initially be available with only an English interface, but support for additional languages will be added based on demand and availability of translation services. It is expected that translation to Spanish, Portuguese, German, Simplified Chinese, Japanese, Korean, Italian, Hindi, Russian, Arabic, and Swedish will be added. For our purposes in Stage 1, the No Surveillance sampling test suite will be made available for a period of no less than 12 months, after which the test results will be combined for analysis with data from the initial personal interviews. Individual participants will be asked to use the test suite software for at least one day, and will be allowed to end their participation at any time after that. In the case of software platforms, there are often multiple versions of operating systems and application software currently in use. For the purposes of this study only software versions released in the previous 6 years will be targeted for sampling, unless there is evidence found of a significant number of current users of software versions that are more than 6 years old. This first stage will also include an overview of the legal and regulatory environment as it pertains to Internet access and usage, in order to describe the broader, societal context and constraints. This overview will cover North America, Europe, Australia, Japan, India, Israel, and the 13 countries listed as “enemies of the Internet” by the Paris-based non-governmental organization “Reporters Without Borders” [6], which advocates for freedom of the press.





page 10 of 37

Definitions It is important to first clarify the definitions of concepts and constructs used throughout this research study. The tables at the end of this document provide details on the variables to be tested and measured.

(1) “Vulnerability” = weakness (also known as an “exploit”) which increases the potential for an attacker or other possible adversary to capture and analyze information about you. There are currently nearly 60,000 known vulnerabilities, spanning over 25,000 different software applications [8]. (see Table 1)

(2) “Use Case” = typical activity or task performed by computer, laptop or mobile device user. (see Table 2)

(3) “Hardware platform” = underlying hardware being used, including the computer or laptop or mobile device and any additional hardware used for making a connection to the Internet. (see Table 3)

(4) “Software platform” = underlying software being used, including the operating system, application software program, or any additional software used for making a connection to the Internet. (see Table 4)

(5) “User category” = semi-arbitrary grouping of computer, laptop and mobile device users into age, marital status, and parental status groups based on the premise that these are differentiating factors in a user’s attitude and aptitude. (see Table 5)

(6) “Attack” = targeted or purposive offensive behaviour intended to identify vulnerabilities and/or take advantage of previously known vulnerabilities.

(7) “Leak” = inadvertent or accidental disclosure of information or data.

(8) “Public IP address” = sequence of Internet Protocol numbers (and letters if referring to a version 6 IP Address) uniquely identifying all devices connected to the public Internet.

(9) “Private IP address” = similar to a “Public IP address” except is used to uniquely identify devices connected to a private network that is not accessible to or by the general public, and uses a limited, standard subset of all possible IP address numbers.





page 11 of 37

(10) “MAC address” = Media Access Control address, which is a globally unique identifier manufactured into all network interface cards.

(11) “DNS” = Domain Name System, which is an Internet directory system that performs lookups on domain names to determine which IP address they are associated with.

(12) “Router” = networking device whose hardware and software are designed to route and forward information between computers (and other devices) and the Internet. The connections between these computers (and other devices) and the router are either by wire or radio signals (“wireless”).

(13) “SSID” = Service Set Identifier, which is the name of an 802.11 wireless access point (usually a wireless router) used by all wireless devices connected to it as part of a Local Area Network (“LAN”).

(14) “Operating system” = software which runs as an interface between hardware and the application software run by a user of that hardware, usually to provide underlying functionality that is invisible to the user.

(15) “Application software” = software which runs as an interface between a user of a computer or device and the operating system, usually to perform certain tasks or activities for and by the user.

(16) “Encryption” = process of transforming information (referred to as “plaintext”) into encrypted information (referred to as “ciphertext”) that can only be understood by those who possess special knowledge (referred to as a “key”) about the algorithm used to do the transformation.

(17) “Decryption” = process of transforming ciphertext into plaintext using a key.

(18) “Personally identifiable information” = also known as “personal information” in some contexts, is information that can be used to uniquely identify, distinguish or trace a person.

(19) “Malware” = malicious software that performs tasks without the computer user’s or device user’s knowledge or informed consent.





page 12 of 37

The actual vulnerability testing will be done using a variety of testing tools, based on the specific vulnerability being tested. These testing tools are listed in Table 1 beside each of these vulnerabilities. This study proposes using multiple testing tools in order to not be limited or biased by any single testing tool. More importantly, none of these testing tools has been created to cover all possible situations. Testing Tools Packet capture works by sniffing the IP traffic between the computer, laptop, or mobile device and the router being used to connect to the Internet via the Internet Service Provider. Sniffing in this context refers to the capturing of Internet Protocol packets being sent and received. This packet capturing will be done using programs similar to or based on libpcap and tcpdump, such as Wireshark. Captured packets can potentially contain IP addresses, MAC addresses, and leaked personal data such as login names, passwords, and the actual contents of any correspondence or shared files. Wireshark can capture packets both on the wire, and wirelessly. Kismet will also be used for wireless sniffing. Both of these programs are open source licensed software applications that can be run on almost any version of Windows, Linux or Mac OS X. In this study, both will be used, along with Scapy, Ettercap, Dsniff, and Core Impact to compare results and ease of use. The packet capture software will be installed on a separate laptop that will be connected to the same subnet (and router) as the target computer, laptop or mobile device so that it can “listen” to all IP communications on that subnet. OS fingerprinting works by sending probe IP packets to the computer, laptop or mobile device and analyzing responses to these probes and other communications sent out by that machine. P0f, Nmap, Nessus and Core Impact software will be used for these purposes. Other vulnerability tests will be done using remote scanning software Nmap and Scapy, which can be run on almost any version of Windows, Linux or Mac OS X. Both Nmap and Scapy send raw IP packets over IP communication links to test ports, services, and other characteristics of a computer, laptop or mobile device. Remote scanning works similarly to OS fingerprinting, by sending probe IP packets to test for known exploits, or flaws, that exist in the operating system or application software being used.





page 13 of 37

These exploits are usually fixed by the software developer as soon as they are able to, but there is a failure in many cases - by the user - to ensure that these fixes are installed on their computer or device. Other vulnerability scans and exploit discovery will be done using Nessus, Metasploit Framework, Core Impact and Nbtscan. Password analysis works in a variety of ways, including packet sniffing and brute force. Dsniff, Cain and Abel, John the Ripper, Aircrack, AirSnort, L0phtCrack and THC Hydra will all be used as testing tools for this type of vulnerability. Like the packet capture programs, they will be installed on a separate laptop that will be connected to the same subnet (and router) as the target computer, laptop or mobile device so that they can “listen” to all IP communications on that subnet. WebScarab and Paros will be run as intercepting proxies on the same computer, laptop or mobile device, allowing detailed monitoring of http and https communications to and from the Internet. For wireless communications, Karmetasploit will be used as an intercepting proxy in the form of a spoofed access point to expose communications data that is otherwise hidden and safe. Keystroke logging (“keylogging”) works by recording the actual keystrokes entered by the user, and saving them in an encrypted file for later analysis. This logging has to be done on the same computer, laptop or mobile device being tested. Perfect Keylogger, Ghost Keylogger, Spector CNE Investigator and Invisible Keylogger Stealth are software-based keyloggers that will be installed and used on Windows desktops and laptops. PyKeylogger is an open source, Python-based keylogger that will be used to develop custom keylogging software for any operating system. KeyCarbon is a hardware-based keylogger that will be installed either into a PCI expansion slot in desktops and laptops, or into a USB connection if a USB-based keyboard is being used. Malware works by performing malicious or mischievous tasks, but it first has to be installed and run without the user’s consent. It is the intent of this study to use the Metasploit Framework [7] as a launch pad for malware, and to run tests for all known applicable exploits. Many of the Metasploit exploits are not applicable for this study, because they are related to Oracle databases, web servers, and other software not found on desktop computers, laptops or mobile devices.





page 14 of 37

Use Cases In terms of the Use Cases listed in Table 2, as many of these as is practical will be tested to determine which of the vulnerabilities listed in Table 1 are exposed. For example, for Use Case 2.1 “Power on hardware platform”, packet capture and intercepting proxy tests will be run to see if Vulnerability 1.1 “Own public IP address leak” occurs. As with most of the vulnerability tests, this measurement will give a true or false result – a nominal scale. For this same Use Case 2.1, packet capture and intercepting proxy tests would also be run to test Vulnerabilities 1.4 “Visited IP address leak”, 1.5 “DNS lookup leak”, 1.6, 1.7, 1.10, 1.11, 1.12, etc. Any Use Cases that cannot be run will be skipped. Sampling Presuming there will be sufficient time and resources made available, there will be 40 users selected from each User Category listed in Table 5, for a total of 280 users to be sampled. Geographically, this would mean 70 users selected from each of the four geographic locations. This works out to 10 users from each User Category in each geographic location. Candidates will be selected randomly from each of the sample frames listed in Table 5 until sufficient candidates have accepted the opportunity and agreed to participate. Each potential candidate must be capable of participating, and have access to at least one of the hardware and software platforms listed in Tables 3 and 4. When the candidate has access to more than one potential hardware and software platform, then they will be asked to participate based on a hardware and software platform not already selected for their geographic location and User Category. This will result in an uneven distribution of hardware and software platforms, but it is presumed that this bias will be reflective of the general population in these geographic locations. It is proposed that these 280 sample tests be done as personal interviews, with 10 tests each performed by 28 different researchers and assistants. A single test is expected to take approximately 4 hours, with an additional 4





page 15 of 37

hours required to prepare reports on the findings, other observations and unexpected results. Any bias amongst these 280 candidates will be made clear when compared to the larger, random sampling via the self-administered testing. Development of the No Surveillance software test suite is to be completed after the initial 280 sample results are compiled, in order to better understand the limitations and opportunities of self-administered testing. It is expected that 5-6 months of development effort will be required to complete development of this software, which will include a web site and web service to allow aggregation of the collected data. Individual participants in this part of the study will also be provided with their individual results, which will form part of the motivation for them to participate and to continue participating. Their ability to monitor their own vulnerabilities as they use the Internet is expected to be an attractive opportunity for them, although it is expected there will be a bias in this larger sample towards more sophisticated users who are more concerned about their privacy. The majority of Internet users who are less concerned about their privacy will be largely absent from this study, other than those randomly selected in the 280 personal interview testing phase. Any Hardware or Software Platform combinations or Use Cases that cannot be run will be skipped.





page 16 of 37

Stage 2 – Explanatory Study Investigate and measure the effectiveness and usability of different enhancements to improve or protect privacy. The same target Vulnerabilities, Use Cases, User Categories, Hardware Platforms, and Software Platforms will be studied as in Stage 1. In fact, the Stage 1 results will be used as the control group for Stage 2. The usability of these enhancements will be measured both subjectively and objectively. Subjective measurements will come by way of a web survey of users. This web survey will ask users to provide a ratio scale answer for each of the privacy protection measures listed in Table 6, in terms of how acceptable and usable they are, with 0 being no change in usability, -1 to -5 being impaired usability, and +1 to +5 being improved usability. Objective measurements of the usability of these enhancements will come from Timing measurements and Vulnerability Change measurements. Timing measurements will quantify how many seconds each of the Use Cases takes to complete on the Hardware and Software Platforms. Vulnerability Change measurements will specify whether each enhancement did or did not provide protection for each vulnerability. For example, using Tor, Vidalia and polipo (Existing Privacy Protection 6.1) to protect privacy will be measured in terms of how many seconds it takes to use Firefox (Software Platform 4.14) on a PC (Hardware Platform 3.1) running Microsoft Windows (Software Platform 4.1) to do a search on Google (Use Case 2.5). These Timing measurements will be compared to the same scenario without use of the privacy protection. In this same example, Vulnerability Change will be measured by seeing whether each applicable Vulnerability listed in Table 1 is eliminated - or not - by this privacy protection.





page 17 of 37

Existing Privacy Protection The enhancements to be tested for effectiveness and usability will include current tools, solutions, and procedures such as proxy servers, encryption, and anonymizing software [Table 6]. Testing Tools The same testing tools used in Stage 1 will be used in Stage 2 to test the same Vulnerabilities listed in Table 1. Sampling The subjective measurements of usability in Stage 2 will be done on a random sampling of Internet users by way of a web survey over a 3-4 month period. This web survey will be available translated into multiple languages in order to broaden the scope of the sample frame beyond English-speaking users. Participants will be limited to those who have personal experience using one or more of the Existing Privacy Protections listed in Table 6. This survey will ask about each Vulnerability, Use Case, Hardware Platform, and Software Platform they have recent personal experience with, as well as solicit participants for additional comments and other observations they wish to make. Objective measurements of effectiveness (Timing and Vulnerability Change) will be done in a controlled lab environment to reduce the effects of moderating and extraneous variables. There is no requirement for randomness in these samples, but rather a requirement for accurate measurement of effectiveness in a variety of configurations and combinations.





page 18 of 37

Customized Privacy Protection In addition to existing privacy protection, a variety of open source software customizations and customized software solutions will be developed and tested to measure their additional effects on privacy protection. It is expected that this development effort will take 12 additional months after the Existing Privacy Protection testing has been completed. These customized solutions will involve modifications to existing open source projects such as Mozilla Firefox and Thunderbird, Google Chrome and Android, OpenSSH, OpenVPN, stunnel, Tor and Vidalia, polipo, Qt, tcpdump, Wireshark, and others. The goal at this final stage of the study is to use the results found to date as the basis for designing and developing potentially better solutions to protect privacy. This customized privacy protection should address both the initially identified vulnerabilities and any others that may have been discovered along the way. In particular, one potential new class of vulnerabilities that might come to the surface at this point will be those associated with “cloud computing” platforms. Google Gmail and Google Docs are two current cloud computing services that are included as Software Platforms in this study, but not enough is currently known about this class of software to directly address all possible vulnerabilities they may enable. Objective measurement of the effectiveness of these custom solutions will be done in the same controlled lab environment. Any improvements over existing privacy protection measures will be made available for anyone to test for himself or herself in exchange for a commitment to provide their subjective feedback on usability.





page 19 of 37

Results and Discussion It is expected that a significant quantity of data will be compiled for this study. Details on current vulnerabilities will be correlated with specific User Categories, Use Cases, Hardware Platforms and Software Platforms. The intention is to provide an authoritative review that will better educate users of the Internet and increase awareness of the critical issue of privacy before this fundamental right is lost or given up for dead. Without awareness, new legal and regulatory frameworks are expected to continue their encroachment on privacy. It is hoped that software developers will also take note, and use the results of this study to provide better privacy protection for their customers and users. Conclusions Ultimately, it is only through education that we can make better choices. This study is about empowering citizens and organizations, about making them better informed, and helping them recognize how, and how easily, they can better protect themselves in a world of increasing surveillance and intrusion.





page 20 of 37

Appendices Table 1 Vulnerability Risk Testing Tools

1.1 Own public IP address leak

Can be used to learn the name of the Internet Service Provider (“ISP”) connecting this IP address to the Internet; the name of the Organization (“Org”) owning this IP address; the continent, country, state, city, latitude and longitude geographical location of this IP address; the Autonomous System Number (“ASN”) network this IP address is part of; and the domain name which this IP address resolves to.

Packet capture, intercepting proxy

1.2 Own private IP address leak

Can be used to identify the specific computer or device being used behind the public IP address.

Packet capture, remote scanning

1.3 Own MAC address leak

Same as “Own private IP address leak” vulnerability, and can be used to identify the unique network interface card (“NIC”) hardware being used.

Packet capture, remote scanning, malware

1.4 Visited IP address leak

Can be used to learn the Internet web site(s) and service(s) being used, or previously were used; and what software may be in use.


1.5 DNS lookup leak

Same as “Visited IP address leak” vulnerability.


1.6 User login leak or weak user login

Can be used to learn authentication credentials for access to controlled or restricted content or services.

Packet capture, password analysis, remote scanning, intercepting proxy, keylogging, malware





page 21 of 37

1.7 User password leak or weak password

Same as “User login leak” vulnerability. Packet capture, password analysis, intercepting proxy, keylogging, malware

1.8 Name leak Can be used to personally identify you, your employment, interests, place of residence, and other activities.

Packet capture, remote scanning, keylogging, malware

1.9 Alias leak Same as “Name leak” and “User login leak” vulnerability, though not with the same level of certainty.

Packet capture, remote scanning, password analysis, malware, keylogging

1.10 Email address leak

Same as “Name leak” vulnerability, though not with the same level of certainty.

Packet capture, intercepting proxy, keylogging

1.11 Home address or phone number leak

Same as “Name leak” vulnerability. Packet capture, intercepting proxy, keylogging

1.12 Employer name or address or phone number or email address leak

Can be used to learn about place of employment, job responsibilities, or employer’s business activities.

Packet capture, intercepting proxy, keylogging

1.13 Computer operating system leak

Can be used to learn what operating system may be in use; and possibly what hardware may be in use.

OS fingerprinting, remote scanning

1.14 Application software leak

Can be used to learn what software may be in use; and what tasks the software has been used for.

Packet capture, remote scanning, intercepting proxy

1.15 Router leak Can be used to learn about the identity of the router used to connect the computer or device to the Internet.






page 22 of 37

1.16 SSID leak Can be used to learn the name(s) of wireless routers that were previously being used or are currently being used.

Packet capture, malware

1.17 Mapped drive leak

Can be used to learn what remote systems were previously being used or are currently being used. Remote systems could identify an employer or school or client.

Packet capture, keylogging

1.18 Temporary files leak

Same as “Application software leak” vulnerability.

Malware

1.19 Clipboard data leak

Can be used to learn what data has previously been copied or cut and pasted.

Keylogging, malware

1.20 Recycle bin leak Can be used to learn what data files have previously been deleted.

Malware

1.21 Log file leak Same as “Application software leak” vulnerability.

Malware

1.22 Encrypted transmission discovery

Can be saved for future possible decryption, in which case the vulnerability would be the same as “Unencrypted communication leak” vulernability.

Packet capture, intercepting proxy, malware

1.23 Encrypted file discovery

Same as “Encrypted transmission discovery” vulnerability.

Keylogging, malware

1.24 Execution of malware

Execution of any untrusted software could perform malicious damage or disclosure.

Remote scanning, malware

1.25 Cookie leak Same as “Visited IP address leak” and “Alias leak” vulnerabilities but in addition can be used to identify when each web site or service was first or last visited.

Packet capture, remote scanning, intercepting proxy, malware

1.26 Cache leak Same as “Visited IP address leak”, “Application software leak” and “Cookie leak” vulnerabilities.

Malware





page 23 of 37

1.27 Download files leak

Same as “Application software leak” vulnerability.

Remote scaning, intercepting proxy, keylogging

1.28 Unencrypted communication leak

Arguably the highest risk vulnerability, since the content of communication can be used for a wide range of malicious purposes.

Packet capture, remote scanning, intercepting proxy, keylogging

1.29 Drive-by download or install

Downloads or installs of some software can be done by malicious web sites without knowledge or authorization by the user.


1.30 Known exploit Operating system software or application software with exploit that has not been patched can be used for malicious purposes.

Remote scanning, intercepting proxy, malware





page 24 of 37

Table 2 Use Case Details

2.1 Power on hardware platform

Turn power on and wait for starting sequence to finish. Auto startup programs should be kept to a minimum for initial testing and measurement, but then added to emulate a variety of standard configurations.

2.2 Connect to Internet

Initiate connection to Internet, if not already done as part of power on sequence.

2.3 Read email Start email client or other software and fetch email from POP or IMAP email server. This would include popular web-based email such as Gmail, Hotmail, and Yahoo!, as well as client-server email such as Outlook and Thunderbird.

2.4 Send email Send email message using email client or other software.

2.5 Use search engine

Start Internet browser software and perform search on Google, Bing, Yahoo!, and other search engines.

2.6 Download music

Start music client software and download song.

2.7 Receive file Receive file attachment from acquaintance.

2.8 Send local file Send file attachment to acquaintance.

2.9 Share local file Share local file for access by acquaintance.

2.10 Purchase software and then download

Make online purchase of software using credit card and then proceed to download to a local hard drive.

2.11 Install new program on local hard drive

Install operating system and application software programs from CD or DVD or ISO image. Testing and measurement of OS installations will be done by tools external to the computer, laptop or device. Testing and measurement of application software programs will be done by both external tools and tools running concurrently on the same computer, laptop or device.

2.12 Open email spam virus

Open file attachment received via email for testing and measurement purposes. This should be done only on a computer, laptop or mobile device that can be reformatted and reinstalled afterwards.





page 25 of 37

2.13 Install and use Internet browser add-ons, plugins and ActiveX controls

Thousands of third-party add-ons, plugins, and ActiveX controls extend the functionality of Internet Explorer, Firefox, and other browsers.

2.14 Run Java applet

Many Internet web sites make use of Java applets to perform special functions. There are also multiple Java Virtual Machines (“JVM”) used to run these applets.

2.15 Run Java application

Many software applications make use of Java running in a JVM on the client computer, laptop or device.

2.16 Run ECMA-262, edition 3 client-side scripts

Millions of different Javascript, Jscript, Actionscript, and other ECMA-262, edition 3 client-side scripts are used throughout the Internet.

2.17 Send Twitter update

Twitter.com is a micro blogging service, which allows up to 140 characters of text to be entered in response to the question “What’s happening?”

2.18 Receive Twitter update

Anyone with a twitter.com account can “follow” other twitter users, and receive updates on all new “What’s happening?” posts they make.

2.19 Update own Facebook page

Facebook.com is a “social networking” service, which allows subscribers to stay connected with others by sharing parts of their lives with pictures, stories and more.

2.20 Post to Facebook friend’s wall

Anyone with a facebook.com account can post comments on another subscriber’s “wall” if the two of them are “connected”, with the goal being to stay in touch and simultaneously let everyone else know what is current in your life.

2.21 Update own LinkedIn profile

LinkedIn.com is a business connections service, self-described as a professional network of trusted contacts.

2.22 Receive RSS update

RSS is a simple method of automatically receiving updates from any web site or Internet service that you are subscribed to.





page 26 of 37

2.23 Send instant message

Instant messaging (“IM”) is an Internet service to send immediate messages (usually text) to others on your “contact” list and learn about which of your contacts is currently available for chatting.

2.24 Receive instant message and SMS

Instant messages and SMS (“small message service”) can be received on a number of hardware platforms and software platforms.

2.25 View YouTube video

YouTube.com is a video sharing service.

2.26 Upload YouTube video

Subscribers to YouTube.com can upload their own videos for sharing with others.

2.27 Backup files on local hard to remote server

Making copies (“backups”) of data files from local hard drives to remote servers can be done with a wide variety of Internet backup services.

2.28 Enable auto update

Many software applications and operating systems now make use of “auto update” functionality in order to use the Internet for version checking, new version downloading, and patch installation. Each program with this capability enabled must be tested and measured.

2.29 Manual auto update

Rather than “auto update”, many software applications allow manually initiated update functionality for version checking, new version downloading, and patch installation. Each program with this capability must be tested and measured.

2.30 From home office

Where a home office exists, testing some of the Use Cases listed in this Table should be done from there.

2.31 From coffee shop

Testing some of the Use Cases listed in this Table should be done from a local coffee shop as well.

2.32 From workplace office

Where a user has a workplace office, and permission has been obtained from the employer, testing some of the Use Cases listed in this Table should be done from there.

2.33 From public transportation

Testing some of the Use Cases listed in this Table should be done from some form of local public transportation as well.





page 27 of 37

2.34 From grocery store or shopping centre

Testing some of the Use Cases listed in this Table should be done from a local grocery store or shopping centre as well.

2.35 From school library or public library

Where a user has access to a school library or public library, and permission has been obtained from the school or library operator, testing some of the Use Cases listed in this Table should be done from there.





page 28 of 37

Table 3 Hardware Platform

Details

3.1 PC Desktop personal computer running one of a variety of operating systems, and consisting of a separate keyboard and mouse, a monitor, and a case or housing that holds the RAM, hard drive, optical drive, processor, network interface card, and expansion slots.

3.2 Laptop Portable personal computer running one of a variety of operating systems, and made up of a single enclosure in a flip form to protect the keyboard and screen when closed.

3.3 Netbook Essentially a smaller, minimalist version of laptop, running one of a variety of operating systems, weighing about 2 pounds and having about a 7-inch display.

3.4 Portable multimedia player

Hand-held consumer electronics device, running one of a variety of operating systems, designed primarily to store and play digital media. The market leader in this category is the Apple iPod. Some portable multimedia players are also smartphones.

3.5 Smartphone Mobile, hand-held telephone device, running one of a variety of operating systems, and including support for Wi-Fi for access to the Internet. The current market leaders in this category are devices made by Apple, Research In Motion, HTC, Nokia, Motorola, Sony Ericsson and Palm. Some smartphones are also portable multimedia players.

3.6 Video game console

The Sony PlayStation 2, 3 and Portable, the Microsoft Xbox and Xbox 360, and the Nintendo Wii and DS are the only game consoles with the hardware and connectivity capable of consideration in this study.

3.7 Appliances and other

Some devices and appliances like the TiVo DVR access the Internet in order to provide enhanced services. These hardware platforms are varied and do not fit any of the other categories in this Table. Smart cards and RFID technology are not considered in this study.

3.8 USB storage devices

Removable USB storage devices can be plugged into many of the hardware platforms in this Table.





page 29 of 37

3.9 Optical storage devices

Removable optical storage discs like CD, DVD and Blu-ray can be used to transfer data between many of the hardware platforms in this Table.

3.10 Flash memory devices

Removable flash memory cards can be used to transfer data between many of the hardware platforms in this Table.





page 30 of 37

Table 4 Software Platform

Details

4.1 Microsoft Windows

Microsoft has produced a number of software platforms in the Windows “family”, running on computers and laptops, the major ones in current use being: Windows 7, Windows Vista, Windows XP, and Windows NT.

4.2 Microsoft Windows CE

Microsoft has developed a separate version of Windows for smartphones and portable media players called Windows CE. This is a real-time operating system, which is also the basis for Windows Mobile/Phone.

4.3 Apple Mac OS X

Apple has a single operating system, Mac OS X, which runs on all its computers and laptops.

4.4 Apple iPhone OS

This is the operating system based on Apple Mac OS X which runs on the iPhone and iPod devices.

4.5 Linux Linux OS is the poster child open source operating system that runs on almost all hardware platforms. It is at the core of a number of Linux “distributions” from Red Hat, Debian, Ubuntu, openSUSE, Gentoo, Oracle, and nearly 300 other organizations.

4.6 Android Android OS is an open source platform for smartphones developed by Google, and now owned by the Open Handset Alliance, which is a business alliance of 50 different hardware, software and wireless companies.

4.7 Symbian Symbian OS currently has the largest market share in the smartphone market, but its owner, Nokia, has announced that it will be replaced by Maemo. Both Symbian and Maemo are owned by Nokia.

4.8 Maemo Nokia runs the open source Maemo operating system on its high-end smartphones and its Internet tablet hardware platforms.

4.9 Palm webOS Operating system running on Palm smartphones.





page 31 of 37

4.10 Qt Nokia bought Trolltech in June 2008, the company that developed Qt, which is a widely used open source cross-platform application development framework. Qt runs on almost all hardware platforms listed in Table 3, and on most of the other software platforms listed in this Table.

4.11 Java Java is currently the most popular cross-platform software environment, and like Qt, runs on almost all hardware platforms listed in Table 3, and on most of the other software platforms listed in this Table.

4.12 Gears Gears is an open source, optional, enhancement technology developed by Google for some Internet browsers and web sites that allows local caching and data storage for offline (not connected to Internet) processing, as well as automatic client Geolocation identification.

4.13 Internet Explorer

The most popular Internet browser in use today. Runs only on Windows software platform.

4.14 Firefox The second most popular Internet browser in use today, and the most popular open source browser. Runs on most of the software OS platforms listed in this Table.

4.15 Chrome Relatively new Internet browser developed by Google. Runs on Windows, Linux and Mac OS X software platforms.

4.16 Safari Internet browser developed by Apple. Runs on many software platforms. Multiple versions of this software must be tested and measured.

4.17 Opera Popular Internet browser which runs on many software and hardware platforms. Multiple versions of this software must be tested and measured.

4.18 Computrace and LoJack

These software applications developed by Absolute Software allow computers, laptops, netbooks and smartphones to be tracked and recovered if stolen.

4.19 Google Toolbar for IE

Google has developed a useful toolbar that can be installed into Internet Explorer.

4.20 Yahoo Toolbar for IE

Yahoo has also developed a useful toolbar that can be installed into Internet Explorer.





page 32 of 37

4.21 Skype Skype is a Voice Over Internet Protocol (“VOIP”) software application that allows free voice calls over the Internet between Skype users.

4.22 Cerulean Studios Trillian

Trillian is a multi-protocol Instant Messaging software application that allows real-time chat and sharing between users of ICQ, AOL Instant Messenger, Windows Live Messenger, Yahoo! Messenger, Jabber, Google Talk, IRC, Twitter, Facebook, MySpaceIM, Bonjour, Skype, and Trillian.

4.23 Windows Live Messenger

Formerly MSN Messenger, Windows Live Messenger is Microsoft’s instant messaging software application for real-time chat and sharing.

4.24 Yahoo! Messenger

Yahoo! Messenger is Yahoo’s instant messaging software application for real-time chat and sharing.

4.25 AOL Instant Messenger

AIM is America Online’s instant messaging software application for real-time chat and sharing.

4.26 Adobe Portable Document Format (“PDF”)

PDF is a ubiquitous standard document format developed by Adobe.

4.27 Adobe Flash Flash is a ubiquitous standard interactive file format developed by Adobe.

4.28 Microsoft Silverlight

Silverlight is Microsoft’s competition to Adobe Flash in creating a standard interactive file format.

4.29 Facebook Facebook.com is more than a simple web site, since it is an extensive development platform as well, and according to Alexa.com is the second most popular web site on the Internet after Google.

4.30 MySpace Myspace.com competes in the same space as Facebook, and according to Alexa.com is the twelfth most popular web site on the Internet.

4.31 Google Gmail Google has a very popular and free email service that is web-based, rather than client-based or server-based.





page 33 of 37

4.32 Google Docs Google Docs is a suite of web-based applications that allow collaborative creation and use of document, spreadsheet, and presentation files.





page 34 of 37

Table 5 User Category Sample frame Casual user

Moderate user

Frequent user

5.1 Youth, 12 and younger

List of students in randomly selected elementary school

Less than 7 hours per week

7 to 15 hours per week

More than 15 hours per week

5.2 Teen, 13 to 19 List of students in randomly selected secondary school and college




5.3 Single Adult, 20 to 60, not married, no children

List of employees in randomly selected businesses from telephone directory




5.4 Married Family Adult, 20 to 60, 1 or more children





5.5 Adult Parent, 20 to 60, not married, 1 or more children





5.6 Married, no Children, 20 to 60





5.7 Senior, age 60+

List of residential addresses on randomly selected streets








page 35 of 37

Table 6 Existing Privacy Protection

Details

6.1 Tor, Vidalia, and polipo

This open source software application protects TCP protocol-based communications from traffic analysis. Vidalia functions as an optional controller application for the Tor software. Polipo functions as a caching proxy to allow faster access to repeated Internet resources.

6.2 JAP Anon Proxy

Software application which facilitates anonymous browsing of Internet web sites.

6.3 Stunnel Open source encryption software application to provide a secure SSL “wrapper” around an otherwise unencrypted IP communications connection, without requiring any modification of the target service.

6.4 OpenVPN Open source Virtual Private Network (“VPN”) software application.

6.5 OpenSSH Open source Secure Shell (“ssh”) software application.

6.6 TrueCrypt Open source disk encryption software application.

6.7 GNU Privacy Guard

Open source file and email encryption software application.

6.8 Anonymizer Total Net Shield

Commercial one-hop proxy service.

6.9 LogMeIn Hamachi2

Web-hosted VPN service with both free and commercial licenses.

6.10 F-Secure Internet Security and Mobile Security

Commercial security and privacy software suite.

6.11 Norton 360 and Internet Security

Commercial security and privacy software suite.





page 36 of 37

6.12 Internet Explorer InPrivate Browsing

Feature of Microsoft Internet Explorer browser introduced in version 8, which prevents storage of data which might compromise privacy.

6.13 Chrome InCognito mode

Feature of Google Chrome browser which prevents storage of data which might compromise privacy.

6.14 Safari Private Browsing

Feature of Apple Safari browser which prevents storage of data which might compromise privacy.





page 37 of 37

References [1] The Tor Project, Who uses Tor?, Reference found on November 25, 2009 at http://www.torproject.org/torusers.html.en [2] The Free Haven Project, Anonymity Bibliography, Reference found on November 27, 2009 at http://freehaven.net/anonbib/full/date.html [3] Electronic Frontier Foundation, Privacy, Reference found on November 27, 2009 at http://www.eff.org/issues/privacy [4] IBM Privacy Research Institute, Projects, Reference found on November 27, 2009 at http://www.zurich.ibm.com/pri/projects [5] Carnegie Mellon, Data Privacy Lab Research Results, Reference found on November 26, 2009 at http://privacy.cs.cmu.edu/dataprivacy/projects/index.html [6] Reporters Without Borders, Enemies of the Internet, Reference found on November 20, 2009 at http://www.rsf.org/IMG/pdf/Internet_enemies_2009_2_-3.pdf or at http://www.rsf.org/en-ennemi26134-China.html [7] Rapid7 LLC, The Metasploit Framework, Reference found on November 26, 2009 at http://www.metasploit.com/framework/ [8] The Open Security Foundation, Open Source Vulnerability Database, Reference found on November 28, 2009 at http://osvdb.org/


http://www.torproject.org/torusers.html.en

http://freehaven.net/anonbib/full/date.html

http://www.eff.org/issues/privacy

http://www.zurich.ibm.com/pri/projects

http://privacy.cs.cmu.edu/dataprivacy/projects/index.html

http://www.rsf.org/IMG/pdf/Internet_enemies_2009_2_-3.pdf

http://www.rsf.org/en-ennemi26134-China.html

http://www.metasploit.com/framework/

http://osvdb.org/



BCIT COMP 7036 Research Proposal by Wesley Kenzie Nov 2009

Documents

Transcript of BCIT COMP 7036 Research Proposal by Wesley Kenzie Nov 2009