Drexel 2012   signal analysis using low cost tools - masint v3
Agenda
The Challenge
Current Threat Landscape
Emerging Threats
What is MASINT/(TSCM)
Low Cost MASINT
Practical Applications
What’s next
Q&A
Who am I

 Manager Security Operations - Philadelphia Federal Reserve
 Board Member & Officer for Philadelphia InfraGard Chapter
 SANS Institute Instructor / Advisory Board / Content provider
 2010 Gold Medal Recipient – Excellence in Government Service
 Author / Writer / Presenter
 Consultant – FBI, DCIS, DHS, USSS, MITRE
 Numerous Certs - CISSP, GCIA, GCIH, GCFA, OSCP
 I can sum things up for you in a word…..
The Challenge
[Diagram: assets at risk – Business Plans, Financial Data, Corporate Strategy, Trade Secrets, Reputation & Credibility, Employee Information, Customer Information, Financial Assets, Mobile Devices, Physical Security (Personnel), Wireless Networks, Networks, Workstations]
The Current Threat Landscape
Current Threat Landscape
  The Information Security industry is in the late stages of a
   complete paradigm shift.
  Motives are shifting – site defacements are a thing of the past
  Compromises are more frequently driven by a financial and/or
   political agenda
  Hackers for hire are becoming more prevalent
  0-day exploits and “targeted” exploits earn real money
  Exploit developers are selling to the highest bidder
  A purchaser can combine various developers’ exploits to
   develop unique and difficult-to-detect attacks
  Exploits against varying types of technology and hardware
Current Threat Landscape

 Nation states are becoming more brazen in their attacks
 Corporate and Industrial espionage increasing rapidly
 Scope and vector of attacks are shifting to more blended attack
  methodologies (hardware & software)
  Real world examples and frameworks are being built
  Teensy, FunCube, KillerBee, Bus Pirate, GoodFet, etc.
 Attackers are more frequently using a blend of physical,
  embedded electronics and systems attacks to compromise their
  targets - Stuxnet a perfect example
 We continue to see a proliferation of wireless technologies
  Zigbee(802.15.4), Bluetooth(802.15.1), RF link devices, etc.
  Medical, industrial, corporate, etc.
Emerging Threats Cont…..
  Traditional wireless attacks – Decreasing
  Other types of wireless attacks – Increasing (FAST)
  Embedded devices – Everything has a computer in it!
  Embedded devices control the physical world
  Unique wireless solutions are becoming more common
MASINT - Primer
  What is MASINT ?
  Measurement & Signature Intelligence
  Collection of unintended emissions or byproducts of devices
  All devices generate unique unintended transmission artifacts
  Discreet intelligence gathering process
  DoD - Officially adopted as an Intelligence discipline in the 80s
  Often aggregated with other intelligence sources
    (ELINT, SIGINT, HUMINT, ETC.)
  MASINT – (Tactical and Strategic Sensors)
    Electro / Electronic
    Nuclear / Explosives
    Geospatial / Materials
    Radio Frequency / Electromagnetic fields*
MASINT – What’s the concern
  The cost and complexity of utilizing MASINT functionality in
   the corporate environment are diminishing
  Could be used by competitors for reverse engineering of
   products in certain industries
  Could be used for corporate espionage and intelligence
   gathering by competing companies
  There is a general lack of understanding of the risks
   associated with MASINT capabilities
  Information Security Professionals are typically not trained
   or skilled in this area of Information Security
  Other considerations
   MASINT is being used today to support Law Enforcement
   Legalities of the use of MASINT capabilities haven’t been challenged
How does it work
 Traditional communications are frequently encrypted
 Can’t easily be decrypted in real time
 MASINT focuses on the information about a signal, not its
  contents
 Derive data from metadata & characteristics
 Gather Actionable Intelligence
RF MASINT – What does it do? Cont…

 Lots of passive Intelligence to be had!
 Frequency, Origin and strength – (SOI)
 Unique hardware / radio frequency signature
 Characteristics of the signal
 Track movements and habits via RDF
 Other useful intelligence
 Hardware capabilities / Transmission range / Frequencies
 Identify patterns & weaknesses
 Naturally occurring / Very difficult to spoof*
MASINT – Practical Applications

 Detection mechanism against emerging wireless (RF) attacks
 Identify spurious transmissions
 Identify and isolate jamming activity
 Add MASINT components to pen testing capabilities
 Uniquely identify equipment by its RF signature
 Tracking of RF emitting devices
 Develop Technical Surveillance & Counter Measures Capabilities
 Testing of reverse engineering counter measures
 Perform reverse engineering of parts
RF MASINT – Let’s Build It!

[Diagram: processing pipeline – Spectrum Analyzer (SDR) Search Receiver & Antenna System -> Signal Collection -> Analysis & Signature Generation -> Signature Analysis, Tracking, Intel]
Let’s build it!!! – Equipment
 Spectrum Analyzers – Lots of Choices but…..
   Generally very expensive! ($10K-$60K)
   Typically not designed to provide MASINT or TSCM functionality
   Limited frequency range
   Difficult to get data out of in raw form
   Restrictive antenna capabilities
 Some “friendly” models exist (SpecTran, Anritsu, TekTronix, etc.)
 Device of choice – Signal Hound (USB-SA44B)
   Software defined / USB connected / easily interfaced
   Decoding Capabilities (FM, WFM, NFM, CW, SSB, Video, FSK, ASK, etc.)
   API available / scripting friendly
   Low cost $300 - $400 used
   1Hz to 4.4GHz / fast sweep times*
   Good Sensitivity / built-in Preamp / Attenuators*
   Calibration capabilities
Let’s build it!!! – Spectral collection

  Signature structure
     Signature taken at a set frequency (446 MHz, 220 MHz, 146 MHz, 900 MHz)
     RF signature recorded over 3 secs with a span of 10 kHz
     Unique signature created using amplitude (max & min) per Hz
     Approx. distance 10 ft – no Faraday enclosure used

  Sample signature – Motorola XTS3000 model 3

  Frequency (MHz)    Amplitude Min (mW)    Amplitude Max (mW)
  445.994986         1.51E-09              1.51E-09
  445.995015         1.53E-09              1.53E-09
  445.995045         1.17E-09              1.17E-09
  445.995075         7.27E-10              7.27E-10
  445.995104         4.87E-10              4.87E-10
  445.995134         1.91E-10              1.91E-10
  445.995164         1.66E-10              1.66E-10
  445.995193         2.63E-10              2.63E-10
  445.995223         4.61E-10              4.61E-10
  445.995253         5.80E-10              5.80E-10
  445.995282         3.29E-10              3.29E-10
  445.995312         1.12E-10              1.12E-10
  445.995342         6.12E-10              6.12E-10
Let’s build it!!! – SOI Signature Collection

 Finding unique RF characteristics
  All electronic devices will generate unique “artifacts” in the near field
  Filtering ambient noise with 10 dB attenuation
  Measuring mW at the SDR antennas
  Collecting amplitude max/mins
  RF span 10 kHz
  3+ sec measurement
  340 Points of Interest
  0.e-14 sensitivity
  .CSV file output
  User defined max amplitude

[Figure annotations: Attenuation to reduce ANF; Signal of Interest (SOI); Unique Artifacts / (POIs); Ambient Noise Floor (ANF)]
Let’s build it!!! – SOI Signature Creation
 Signature Creation Scripts – Python & .NET
   Signature Generator & Signature Compare
Let’s build it!!! – SOI Signature Compare
 Signature Comparing
   No two signatures will come back 100% the same
   Script provides a configurable tolerance
   Tolerance does not sway results significantly because of the ranges
   Negative hits increase as you move away from center
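As an added example (not the author’s Python/.NET scripts), the following code builds the per-bin min/max signature described on the collection slide, parses the CSV layout shown on the spectral-collection slide, and compares two signatures with a configurable dB tolerance as the compare slide describes; the choice of the middle bin as “center” and the dB-envelope rule are assumptions.

```python
# Added example, not the author's Python/.NET scripts: build a min/max
# amplitude signature per frequency bin, parse the slide's CSV layout, and
# compare two signatures with a configurable tolerance in dB.
import csv
import io
import math

# Constructed sample in the slide's CSV layout: the 13 Motorola XTS3000 rows
# from the spectral-collection slide (MHz, min mW, max mW).
SAMPLE_CSV = """Frequency (MHz),Amplitude Min(mW),Amplitude Max(mW)
445.994986,1.51E-09,1.51E-09
445.995015,1.53E-09,1.53E-09
445.995045,1.17E-09,1.17E-09
445.995075,7.27E-10,7.27E-10
445.995104,4.87E-10,4.87E-10
445.995134,1.91E-10,1.91E-10
445.995164,1.66E-10,1.66E-10
445.995193,2.63E-10,2.63E-10
445.995223,4.61E-10,4.61E-10
445.995253,5.80E-10,5.80E-10
445.995282,3.29E-10,3.29E-10
445.995312,1.12E-10,1.12E-10
445.995342,6.12E-10,6.12E-10
"""


def parse_signature(text):
    """Read a signature CSV into {freq_mhz: (min_mw, max_mw)}."""
    sig = {}
    for row in csv.DictReader(io.StringIO(text)):
        f = float(row["Frequency (MHz)"])
        sig[f] = (float(row["Amplitude Min(mW)"]), float(row["Amplitude Max(mW)"]))
    return sig


def build_signature(sweeps):
    """Fold repeated sweeps, each a list of (freq_mhz, mw), into the per-bin
    min/max envelope that the slides use as the device signature."""
    sig = {}
    for sweep in sweeps:
        for f, p in sweep:
            lo, hi = sig.get(f, (p, p))
            sig[f] = (min(lo, p), max(hi, p))
    return sig


def to_dbm(mw):
    """Convert milliwatts to dBm so the tolerance can be expressed in dB."""
    return 10.0 * math.log10(mw)


def compare_signatures(ref, obs, tolerance_db=3.0):
    """Score how well an observed signature fits a reference envelope.
    A bin misses when the observed max rises above the reference max, or the
    observed min falls below the reference min, by more than tolerance_db.
    Returns (fraction_of_bins_matching, [(freq_mhz, offset_from_center_hz)])
    so misses can be checked against their distance from the center bin."""
    common = sorted(set(ref) & set(obs))
    if not common:
        return 0.0, []
    center = common[len(common) // 2]  # assumption: middle bin is the center
    misses = []
    for f in common:
        lo, hi = ref[f]
        omin, omax = obs[f]
        if (to_dbm(omax) > to_dbm(hi) + tolerance_db
                or to_dbm(omin) < to_dbm(lo) - tolerance_db):
            misses.append((f, round((f - center) * 1e6)))
    return 1.0 - len(misses) / len(common), misses


def scale_signature(sig, factor):
    """Constructed drift for testing: scale every amplitude by a linear
    factor (2.0 is a +3.01 dB shift, 10.0 is +10 dB)."""
    return {f: (lo * factor, hi * factor) for f, (lo, hi) in sig.items()}
```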
Let’s build it!!! – Signature Compare Contin…
Caveats…..

 Lots of things can throw off your Signals of Interest (SOI)
  Changing antennas, RF noise, Physical structures, atmospheric, etc.
  Spread spectrum signals can be missed in a simple full spectrum sweep
 Lower output devices require a closer (near field) range
  Some devices have too low of output in standby mode to detect cleanly
 Antennas are extremely important
  RDF – requires both attenuators and directional antennas (Yagi)
  96” Discone and a collection of whip antennas worked well (YMMV)
 Sweep speeds become really important when looking at TSCM
  20secs is very fast for low cost units. OSCAR devices are probably better
What’s Next?
 Lots more work to be done….
 Develop database of manufacturer signatures
 Develop traditional TSCM – capabilities
   Automatic Discrete Signal Searching
   Threat Detection Algorithm ( TDA)
   VLF – digital recorders / other recording devices
   Spread Spectrum and infrared detection
   Infrared (between 850nm & 1070nm) Optical
   MASINT / TSCM portal Antenna Array
   Triangulation / Ranging capabilities
   Programmatic Attenuation
 Multiple Device Configuration / Triangulation
To Summarize…..

 Information security is going through a paradigm shift
 Blended hardware and software attacks are an emerging
  threat
 Risks associated with Insider threats and espionage are driving
  the adoption of MASINT and TSCM capabilities
 RF MASINT / TSCM capabilities can be developed using
  relatively low cost SDR equipment and code
 Both offensive and defensive capabilities exist
 Traditional Information Security and TSCM industries are
  overlapping and merging
 Broader training is required for Information Security
  management and staff to mitigate emerging threats
THANK YOU!!!


Contact information : Brad Bowers
 BBowers@DigitalIntercept.com
