
Thursday, December 15, 2005

November 2003

Tracking Terror
Online footprints lead cyber snoops to terror’s door
by Salman Siddiqui

Remember the Daniel Pearl incident? Pakistan police claimed that they had traced at least one of the suspected kidnappers via an e-mail. This was a startling aspect of the case. How on earth did our slack, unresponsive police force become so savvy as to trace the online fingerprints of a suspect, zeroing in on a cybercafé in Karachi? Do we finally have hi-tech intelligence officials who have a grasp of computer technology? Let’s hunt the trackers.

When you surf, the logs of your online activities are maintained in cookies and other cache folders on a computer. ISPs keep detailed logs, and so does PTCL’s PIE, on which 98% of all the ISPs in Pakistan depend for connectivity. Also, if you use a LAN to log on, such as those implemented in cybercafés or cable networks, then it is quite possible that the system administrator of that network is maintaining logs as well. These logs serve as online fingerprints for the law enforcement agencies tracking a terrorist in cyberspace.
Intelligence Service Providers
The Internet Service Providers (ISPs) also serve the role of providing intelligence information to government agencies. They have been issued directives by the PTA to maintain logs of the online activities of their clients. This espionage has been ordered under the banner of thwarting terrorism, pornography, fraud and exploitation online. In this context, an ISP can be labeled as an “Intelligence Service Provider”. An ISP is essentially a network which you dial into and get connected with. In the case of always-on Internet connectivity (solutions such as DSL), you become part of the network as soon as you boot up your system. An ISP is in turn connected to the Internet backbone, to which all the ISPs of the world are connected and through which all computers can communicate. Since a user is wholly dependent on the ISP to provide Internet bandwidth, the logs maintained by the ISP can be extremely comprehensive and could include some or all of the following:
- The exact log-in and log-off timings.
- The IP address assigned by the ISP each time the user logs in.
- The telephone number used to connect to the Internet.
- All chat sessions, such as those conducted in Yahoo or MSN Messenger, which travel across the network in plain text and can easily be monitored.
- URLs of each website visited, buttons clicked on that site and the files, if any, downloaded.
- E-mail headers and perhaps the entire contents of the e-mail as well.
- The radio stations you listen to online, besides all streaming audio, video and Internet telephony events.
- Details of the files which you downloaded through P2P software such as KaZaA.
All the logs are stored in a special area of an ISP called the caching box or the caching server. For a typically large ISP that has many clients, logs of huge sizes are generated each day. In one of the leading ISPs in Pakistan, the logs generated amount to around 2GB per day, inclusive of the entire e-mail contents and chat sessions. After compressing a week’s worth of these logs, they are burnt on a single CD for record purposes.

In general, ISPs do not log the entire e-mail contents and the chat sessions for all of their clients because of the huge overhead involved in terms of log size. It was found that logs of the entire e-mail content for all users would amount to anywhere from 4 to 5 GB per day, making it impractical to maintain them for long. Normally, only the e-mail headers are logged. An ISP can keep track of all browsing activities through typical browsers such as Internet Explorer, Opera etc. It cannot screen pure IP traffic or home-grown browsing software that does not employ standards such as HTTP. Using specific data packet filters, an ISP can monitor the online activities of a specific user. This method of targeting and copying the full data packets of an individual at the ISP’s end has also been employed by the FBI of the United States, which uses specially designed software called Carnivore for this purpose.

At the Pakistan Internet Exchange (PIE), which comes under the umbrella of PTCL, Internet traffic comes from all ISPs connected to it. So if the logs are being maintained at PIE’s end, then logically their size should be far too huge to be kept and burnt on CDs. However, when questioned on the issue, a source in PIE insisted that not only do they maintain the logs but the log of one day is usually 1MB and never more than 2MB. When asked to explain how that is possible when the log maintained by each ISP is 2GB, the gentleman reiterated his 1MB stand before abruptly putting the phone down.
Also it should be noted that the logs (if any) maintained on PTCL’s end don’t contain phone numbers and only the logs kept by the ISPs do. This is because an Internet account holder dials into an ISP to get Internet connectivity and not the PTCL directly.

Tracing an anonymous e-mail
Let’s analyze a situation in which the authorities trace an anonymous e-mail back to the sender’s computer.

Step-1 Assume that a suspect visits a cybercafé and creates an anonymous e-mail account with one of the many free web-based e-mail services available, such as Hotmail. He then sends an e-mail containing his organization’s agenda.

Step-2 On intercepting the e-mail, the intelligence officials investigate its header, which contains the name of the ISP whose account was used to connect to the Internet and the IP address from which the e-mail originated. They then call up the ISP to ask for the log corresponding to that IP address.

Step-3 The record of this IP is stored in the caching box of the ISP. But since this IP address is one of a pool of IP addresses which the ISP has at its disposal to assign to different individuals at different login times, the ISP also needs to know the exact time at which the e-mail was sent. This information is also contained in the header of the e-mail. After both the time and the IP address are given, the exact log entry that contains the user ID and the telephone number is handed to the authorities.

Step-4 From the telephone number the address is easily determined and the suspect is apprehended. From the confiscated computer, the cookies and other cache files are checked to make sure that the same machine was used by the terrorist.

Even though the logs maintained at PTCL’s end do not contain phone numbers, the intelligence officials (at times) still obtain those logs and verify them against the logs obtained from the ISP. It should now be clear that the entire technical sophistication on the intelligence agency’s part amounts to asking the question: “This is the IP, tell us the user ID and the telephone number”.
The Logs
To see how the logs are structured and in what format they are organized, consider the log example shown in an orange colored table on page 31. This sample contains actual log data taken from one of the leading ISPs in Pakistan. Let’s assume that an intelligence officer asks an ISP for the logging details of the IP 203.130.0.100 at the time 13/10/2003 6:30 AM. This corresponds to the highlighted area above, from which the ISP can give the telephone number of the suspect computer, 111-000-000. In response to the query the ISP might also give out details of the online activity of that suspect during that time:
1066007477.363 35 203.130.0.100 TCP_IMS_HIT/304 205 GET http://us.i1.yimg.com/us.yimg.com/i/msgr/webcam/viewer-startup-large.html - NONE/- text/html
1066007609.098 16 203.130.0.100 TCP_IMS_HIT/304 244 GET http://us.a1.yimg.com/us.yimg.com/a/fo/fo_web2/kazza234x60.gif - NONE/- image/gif
1066008521.488 1318 203.130.0.100 TCP_MISS/200 7499 GET http://windowsmedia.com/radiotuner/radiopresets.asp? - DIRECT/207.46.248.113 text/plain
1066010000.873 3801 203.130.0.100 TCP_MISS/200 41595 GET http://f2.pg.briefcase.yahoo.com/bc/ss_tickers/lst? - DIRECT/66.218.87.10 text/html
(Note: Only a part of the actual logs has been shown)
The first log line shows that the suspect is viewing someone’s web cam on Yahoo Messenger, the second shows that the P2P program KaZaA is running, a radio station is also tuned in through Windows Media Player, and he is also accessing his Yahoo Briefcase with the user ID ss_tickers@yahoo.com.
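The four steps above and the caching-server excerpt come together in the following added example, which is not code from the article or from any ISP. It takes constructed e-mail headers (the Received: line nearest the sender carries the originating IP and a timestamp), a constructed dial-up accounting log in a hypothetical comma-separated format, and the Squid-style caching-server lines reproduced above (plus two constructed lines for a different client and an earlier time), and answers “this is the IP at this time, tell us the user ID and the telephone number”. Because a pool address is handed to several callers in one morning, the lookup is by IP and time interval, not by IP alone; the example converts the header’s UTC timestamp into Pakistan Standard Time (UTC+5, an assumption) before matching. Note also that the example only lists URLs; what a URL implies is still an analyst’s judgement, since a request for an image on an advertising host does not by itself prove that the advertised program was running.

```python
import re
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Assumption: the ISP's accounting log is kept in Pakistan Standard Time (UTC+5).
PKT = timezone(timedelta(hours=5))

# Constructed e-mail headers (not from the article). Each relay prepends its own
# "Received:" line, so the bottom-most line is the hop nearest the sender.
RAW_HEADERS = """\
Received: from web.example.invalid ([10.0.0.5]) by mx.example.invalid; Mon, 13 Oct 2003 01:35:00 +0000
Received: from [203.130.0.100] by web.example.invalid with HTTP; Mon, 13 Oct 2003 01:30:00 +0000
From: anon@example.invalid
"""

# Constructed dial-up accounting log (hypothetical format):
# login, logout, assigned IP, user ID, telephone number.
# The same pool address goes to three different callers in one morning.
SESSION_LOG = """\
2003-10-13 05:50:12,2003-10-13 06:05:40,203.130.0.100,user007,111-222-222
2003-10-13 06:07:03,2003-10-13 07:10:19,203.130.0.100,user042,111-000-000
2003-10-13 07:12:00,2003-10-13 08:00:00,203.130.0.100,user011,111-333-333
"""

# Caching-server lines in the format the article reproduces (Squid native access.log:
# epoch seconds, elapsed ms, client IP, action/status, bytes, method, URL, ident,
# hierarchy/peer, content type). The first and fourth lines are constructed extras.
SQUID_LOG = """\
1066003000.000 20 203.130.0.100 TCP_HIT/200 512 GET http://example.invalid/early.html - NONE/- text/html
1066007477.363 35 203.130.0.100 TCP_IMS_HIT/304 205 GET http://us.i1.yimg.com/us.yimg.com/i/msgr/webcam/viewer-startup-large.html - NONE/- text/html
1066007609.098 16 203.130.0.100 TCP_IMS_HIT/304 244 GET http://us.a1.yimg.com/us.yimg.com/a/fo/fo_web2/kazza234x60.gif - NONE/- image/gif
1066008000.000 40 203.130.0.101 TCP_MISS/200 900 GET http://example.invalid/other-user.html - DIRECT/192.0.2.10 text/html
1066008521.488 1318 203.130.0.100 TCP_MISS/200 7499 GET http://windowsmedia.com/radiotuner/radiopresets.asp? - DIRECT/207.46.248.113 text/plain
1066010000.873 3801 203.130.0.100 TCP_MISS/200 41595 GET http://f2.pg.briefcase.yahoo.com/bc/ss_tickers/lst? - DIRECT/66.218.87.10 text/html
"""

RECEIVED_RE = re.compile(
    r"^Received: from .*?\(?\[?(\d{1,3}(?:\.\d{1,3}){3})\]?\)?.*;\s*(.+)$")


def originating_hop(raw_headers):
    """Step 2: (ip, aware UTC datetime) from the Received: line nearest the sender."""
    hops = [m for m in map(RECEIVED_RE.match, raw_headers.splitlines()) if m]
    if not hops:
        raise ValueError("no parseable Received: header")
    last = hops[-1]                      # bottom-most line = first hop
    return last.group(1), parsedate_to_datetime(last.group(2)).astimezone(timezone.utc)


def _pkt(stamp):
    """Parse an accounting-log timestamp as local (PKT) time."""
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S").replace(tzinfo=PKT)


def session_for(ip, when, session_log):
    """Step 3: the pool address alone is ambiguous, so pick the login whose
    [login, logout) interval covers the moment the mail was sent."""
    for row in session_log.splitlines():
        login, logout, sess_ip, user, phone = row.split(",")
        start, end = _pkt(login), _pkt(logout)
        if sess_ip == ip and start <= when < end:
            return {"user": user, "phone": phone, "login": start, "logout": end}
    return None


def activity(ip, start, end, squid_log):
    """Caching-server lines for that client during that session only."""
    rows = []
    for line in squid_log.splitlines():
        f = line.split()
        if len(f) < 10:
            continue                     # skip blank or truncated lines
        ts = datetime.fromtimestamp(float(f[0]), tz=timezone.utc)
        if f[2] == ip and start <= ts < end:
            rows.append((ts.astimezone(PKT).strftime("%Y-%m-%d %H:%M:%S"), f[3], f[6]))
    return rows


def trace(raw_headers, session_log, squid_log):
    """The whole chain: header -> (ip, time) -> subscriber -> browsing activity."""
    ip, when = originating_hop(raw_headers)
    sess = session_for(ip, when, session_log)
    result = {"ip": ip, "sent_at": when, "session": sess, "activity": []}
    if sess:
        result["activity"] = activity(ip, sess["login"], sess["logout"], squid_log)
    return result


if __name__ == "__main__":
    r = trace(RAW_HEADERS, SESSION_LOG, SQUID_LOG)
    print(r["ip"], r["sent_at"].astimezone(PKT), r["session"]["user"], r["session"]["phone"])
    for row in r["activity"]:
        print(*row)
```

Run as-is, the lookup lands on the second session (user042, telephone 111-000-000) and returns the four caching-server lines from the article, timestamped 06:11 to 06:53 PKT; the constructed line at 04:56 PKT falls under an earlier caller of the same address and is left out, which is exactly why the ISP needs the time as well as the IP.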
Tracing a cybercafé user
Assume that the suspect used a cybercafé to send the e-mail. In this case, it would be easy to identify the suspect only if the cybercafé is small, with three to five PCs. Then, if the café has maintained its clients’ check-in and check-out times, the suspect can be short-listed. However, if the café has many PCs and the terrorist is smart enough to send the e-mail during the café’s peak hours, then it can become increasingly difficult, maybe even impossible, to determine the right culprit.

Another point of concern is that logs are being kept and maintained only by the well-established ISPs. The smaller and newer ISPs don’t have the required infrastructure to maintain the logs, and many of them are not bothered about it. So it would become impossible for the intelligence organization to track the terrorist if he went to a cybercafé that used an Internet connection from one of these newer ISPs, since the entry for the IP address would not be in the caching box of the ISP to start with.
Desi cable networks
Tracking someone in a cybercafé is simpler and easier than tracking a user on a desi cable network (DCN), since in the café the user is visible to the system administrator. In a DCN, the administrator has no clue about the users on his network. One can rent an apartment for a week, buy a cable connection and execute a terrorist plan. Most of the DCNs operate without proper firewall protection, making it easier for a tech-savvy terrorist to hack another PC on the network and send e-mail through it. Since the DCNs use proxy servers extending connections to 80 homes or more, the authorities may well find themselves helpless and unable to track the real suspect.
Formation of a central body
Most of the ISPs have identified the following problems at their end:
- The PTA and the many government agencies such as IB, FIA, CIA etc. often ask for information regarding the logs over the telephone. The ISPs cannot be sure whether they are talking to authorized personnel or not.
- Currently, the ownership of the logs lies with the ISPs instead of the government.
- No central system exists which contains the log data from all the ISPs of the country.
- The ISPs are being asked to design and structure a database for the logs at their own expense.

One solution to the problems identified above is that, instead of making an ISP answerable to the many government agencies, a single interface should be provided to the ISPs, and only that interface’s queries should be answered. This can be achieved if the government forms a separate body specifically for the following tasks:
- Maintaining the logs obtained from all the ISPs of Pakistan. All these logs should be merged into one single database.
- Keeping the logs in a standard format, following the formats of other popular caching software. This format should also be known to all the ISPs. In any case, the ISPs have demanded that the responsibility for structuring the logs (format considerations), so that they can easily be accommodated in a well-designed database, should rest with the government.
- Providing an online interface to the ISPs so that they can upload their monthly or weekly logs directly to the database without having to deal with the government agencies.
- Conducting extensive data mining of the logs.
Regulation of cybercafes and cablewallas
Ever since the Daniel Pearl incident, the authorities have been urged to regulate cybercafes. PTA has issued directives to the ISPs to register cybercafé owners. The problem is that when an ISP deals with a client at one of its outlets, it doesn’t check whether the account is for individual use or for deploying a LAN, as is the case at cybercafes. In its proposed cybercafé regulations, the PTA has further suggested that cybercafé owners should maintain complete logs of their customers, including national ID card numbers, addresses and telephone numbers, besides the logs of customer time-in and time-out.

In the present scenario, no logs, either on paper or through the use of monitoring software, are being kept by cybercafes. A visit to some of the small cybercafes revealed that the staff present weren’t even aware of monitoring software. An urgent campaign is needed to implement the cybercafé regulations drawn up by the PTA if surveillance in the digital age is to protect us from future terrorist attacks.

Sites:
BBC: Tracing the kidnapper's email
news.bbc.co.uk/2/hi/science/nature/1805173.stm
FBI Carnivore
www.fbi.gov/hq/lab/carnivore/carnivore.htm
ISPAK
www.ispak.org
PTCL
www.ptcl.com.pk
PTA
www.pta.org
