Internet users have been left reeling in the wake of the National Security Agency files released by Edward Snowden to The Guardian newspaper. Suddenly the big, digital universe that promised anonymity to those who wanted it was turned on its head and seems like the most pervasive surveillance device any government could want.
PRISM, and other programs run by the NSA, seem to confirm the worst fears of conspiracy theorists – the government compiling meta-data based profiles of Americans and squirrelling them away in massive secret data centres in the desert. Most would despair at this scenario, but not Kellman Meghu, head of security engineering for the central U.S. and Canada region at Check Point Software Technologies. Instead, Meghu refuses to let the NSA have all the surveillance fun. He’s taken years of IT security experience and used it to weaponize his home firewall into a sort of mini-PRISM program that tracks his family members – and his neighbours stupid enough to log in to his guest WiFi network and agree to the Orwellian terms of service.
Sharing his methods and showcasing his firewall’s reach at Toronto’s SecTor security conference this week, Meghu demonstrated just how much information you can glean from someone’s Web surfing activity. Plus, he showed how you can set up your own ‘PRISM at home’ program – if you’re willing to put a lot of time and effort into it. Meghu used software firewall products from Check Point Software.
Uncover clandestine online meetings
Using simple URL filtering to block his young daughter and son from visiting unsavoury Web sites wasn’t enough for Meghu. He set up a system that would alert him, via an SMS message to his cell phone, every time his daughter went to a new Web site that wasn’t part of her usual browsing.
That’s how he spotted his daughter visiting an inappropriate Web site after being told to go there by a friend from school. Even though he wasn’t at home at the time, he was able to call his wife and have her intervene. But Meghu’s system, making use of Check Point’s SmartEvent, also uncovered some interesting social networking habits for high school students.
While he noticed his daughter visited the expected social networking sites (Twitter, Facebook, etc.), he also noticed she’d use several other sites in an average week and treat them as disposable – she’d visit a few times and then never go back. In one particularly odd week, she was regularly visiting the site of an Arizona real estate message board. Meghu asked his daughter why she didn’t just use Facebook.
“Facebook is for old people” was her response, he says. High school students preferred to take on fake identities and go on to some random message board. They’d whisper the secret chat venue to their close friends and build up the network… until it was too popular. Then it was time to move on to the next secret location.
“My daughter, without ever intending to, had created privacy for herself from site to site,” Meghu says. “She would create a new e-mail address and a new username.”
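The new-site alert described in this section amounts to a first-seen check per device: learn which sites a device normally visits, then flag any site outside that set. The sketch below is an added example, not code from Meghu's talk or from Check Point's products; the log format, device names, sample lines and the `site_of`, `parse` and `new_site_alerts` helpers are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

# Constructed sample log (not real traffic): "<ISO time> <device> <URL>"
SAMPLE_LOG = """\
2013-10-01T16:02:11 kid-laptop http://www.facebook.com/home.php
2013-10-01T16:05:40 kid-laptop https://twitter.com/
2013-10-02T17:30:02 kid-laptop http://m.facebook.com/messages
2013-10-03T18:11:09 guest-phone http://www.skype.com/en/
2013-10-08T16:20:00 kid-laptop http://forum.az-realestate.example/board/7
2013-10-08T16:21:30 kid-laptop http://forum.az-realestate.example/board/7?page=2
2013-10-08T16:40:00 kid-laptop https://twitter.com/i/notifications
2013-10-08T19:00:00 guest-phone http://www.facebook.com/
2013-10-08T19:05 guest-phone
"""

def site_of(url):
    """Crude site key: last two host labels (a real tool would use the Public Suffix List)."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    return ".".join(host.split(".")[-2:]) if host else None

def parse(log):
    """Yield (timestamp, device, site) for well-formed lines; skip truncated or garbled ones."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        site = site_of(parts[2])
        if site:
            yield ts, parts[1], site

def new_site_alerts(log, baseline_end):
    """Sites seen before baseline_end form each device's baseline; later first visits alert once."""
    seen = defaultdict(set)
    alerts = []
    for ts, device, site in sorted(parse(log)):
        if site not in seen[device]:
            seen[device].add(site)  # remember it so repeat visits stay quiet
            if ts >= baseline_end:
                alerts.append((ts.isoformat(), device, site))
    return alerts
```

Because the baseline is kept per device, a site that is routine for one device still raises an alert the first time another device visits it. For HTTPS traffic that is not decrypted, only the hostname is available, which is all this check needs.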
See what conversations people are having
You might think Meghu is a nice guy for setting up a free WiFi hotspot on his home Internet. But then you might read his terms of service – which he adapted from Facebook and Google for his own purposes – and change your mind.
“If you use the service, your data is mine and if you don’t like it, don’t use the service,” he explains.
Using Check Point Software’s features to put notifications in front of users and require actions from them, Meghu passes along his TOS. Then with the software’s detailed device profiling capability, he can track exactly what those guests are doing on his WiFi network. Take Mitch for example.
Mitch, a guest in Meghu’s home for a few days, liked to talk to his girlfriend on Facebook. Meghu could glean that from the user ID embedded in the URL details that were captured during instant message conversations Mitch was conducting. He also had a weird fascination with looking up Freddy Krueger photos on the Web. Mitch also used Skype and had several unpatched Java vulnerabilities on his laptop.
“How hard would it be to go after Mitch?” Meghu asks. “We can all laugh at Mitch, but what if we’re connected to him and then we’re at risk?”
Get insights into neighbour’s dating life
House guests weren’t the only ones to brave Meghu’s TOS for free Internet. Some neighbours tried it out too. When Meghu noticed this, he was curious as to what sort of things his neighbours were up to on his network. So he took Check Point’s data loss prevention feature and used it in an unusual way. By feeding it a file containing the 1,000 most-used words in the English language, he was sure to capture all messages being sent back and forth over his network.
“The data that came flooding in was unbelievable,” he says.
Neighbour Ronnie was spending a lot of time on Plenty of Fish looking for dates. Not only did he give away his username – “if you like what you see, don’t be afraid of it,” he declares on his profile – by logging in to the network, but his lame attempts at pickup lines were also revealed.
To one lucky lady, Ronnie types “your look so simple but so darn hot.”
To another, the Casanova in the making writes “you look hot for 32 years old.”
We’re all Mitch
“In case you haven’t figured it out, we’re all Mitch,” Meghu says. The NSA is running similar technology to track all Americans, and at an even deeper level. Meghu’s home system doesn’t tamper with SSL layer security, for example, but revealed documents show the NSA is willing to break that.
A few years ago most people would have been reliant on software locally installed on their hard drives. But with the cloud technology trend, we are all storing information on the Internet, constantly streaming data back and forth between our computers and mobile devices. It’s hard to secure against something embedded in all of those devices, he says.
“Who watches the watchmen? These are some powerful tools,” Meghu says. “There’s a whole lot more someone could be doing with this, like targeting someone.”
He makes the point that Snowden likely isn’t the first person to take information out of the NSA’s system. So even if government isn’t misusing the data, there’s a threat that others will.
That’s part of the reason Meghu built a 12 terabyte network-attached storage server in his home – to avoid using the public cloud as much as possible and remain out of Big Brother’s eye. He’d like to see more people do the same.
“We could start to build little communities of local networks,” he says. “I honestly believe that’s what we’re being driven towards if we want a free and open Internet.”
Here is a video of Meghu giving the same presentation at a different conference: