Lives On The Line: Securing Crisis Maps In Libya, Sudan, And Pakistan

Video thumbnail (Frame 0) Video thumbnail (Frame 2648) Video thumbnail (Frame 4223) Video thumbnail (Frame 5147) Video thumbnail (Frame 6200) Video thumbnail (Frame 7146) Video thumbnail (Frame 8098) Video thumbnail (Frame 9131) Video thumbnail (Frame 11941) Video thumbnail (Frame 13117) Video thumbnail (Frame 14178) Video thumbnail (Frame 15259) Video thumbnail (Frame 21654) Video thumbnail (Frame 24420) Video thumbnail (Frame 26347) Video thumbnail (Frame 29323) Video thumbnail (Frame 31425) Video thumbnail (Frame 33465) Video thumbnail (Frame 35331) Video thumbnail (Frame 36729) Video thumbnail (Frame 37731) Video thumbnail (Frame 38781) Video thumbnail (Frame 39682) Video thumbnail (Frame 41694) Video thumbnail (Frame 44333) Video thumbnail (Frame 46911) Video thumbnail (Frame 48879) Video thumbnail (Frame 50190) Video thumbnail (Frame 51522) Video thumbnail (Frame 52454) Video thumbnail (Frame 53751) Video thumbnail (Frame 56639) Video thumbnail (Frame 60659) Video thumbnail (Frame 64004) Video thumbnail (Frame 66508) Video thumbnail (Frame 67558) Video thumbnail (Frame 70062)
Video in TIB AV-Portal: Lives On The Line: Securing Crisis Maps In Libya, Sudan, And Pakistan

Formal Metadata

Title
Lives On The Line: Securing Crisis Maps In Libya, Sudan, And Pakistan
Title of Series
Author
License
CC Attribution 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Identifiers
Publisher
Release Date
2013
Language
English

Content Metadata

Subject Area
Abstract
Crisis maps collect and present open source intelligence (Twitter, Facebook, YouTube, news reports) and direct messages (SMS, email) during disasters such as the Haiti earthquake and civil unrest in Africa. The deployment of crisis mapping technology is on its way to becoming a standard tool to collect and track ground truth from crisis zones, but very little work has been done to evaluate and mitigate the threat posed by adversaries with offensive infosec capabilities. These platforms can provide responders and humanitarian organizations with the timely, high fidelity situational awareness necessary to direct aid and save lives. Unfortunately, they can also provide hostile national security services and other malicious groups with the information they need to target vulnerable populations, hunt down individuals, and manipulate response operations. In this session we'll setup, operate, attack and defend an online crisis map. Bring your laptop and toolsets because you will have the opportunity to play the bad actor (a technical member of the secret police or terrorist organization) as well as the defender (the response agency, citizen on the ground, and sysadmin trying to keep the server online). The experience will bring together everything we know and love and hate about defending online systems including buggy code, naive users, and security vs. usability tradeoffs and do so in a situation where people are dying and the adversary controls the network. We'll also introduce some not-so-typical concepts like building trust on the fly, crowdsourced verification, and maintaining situational awareness from halfway around the globe. Each step in the process will be based on real-world deployment experiences monitoring everything from local riots to nation-wide revolutions and natural disasters. The lessons learned, vulnerabilities found, and exploits developed during the session will be taken back to the crisis mapping community - enabling them to build more secure systems and more effective, life-saving deployments. George Chamales has spent the last decade working in almost every legal permutation of employer / job the computer security field has to offer. His list of current and former government employers includes DOD, DOE, DHS, and DOI. In the private sector, he's worked as a security architect, member of the Honeynet Project, and corporate pen-tester targeting Fortune 500 companies. He is an active member of the crisis mapping community, where he develops new tools and capabilities, co-founded the Crisis Mappers Standby Task Force, and has served as the technical lead for numerous deployments including LibyaCrisisMap.net, Pakreport.org, and SudanVoteMonitor.com.

Related Material

Video is accompanying material for the following resource
Group action Variety (linguistics) Line (geometry) Information and communications technology 1 (number) Set (mathematics) Online help Water vapor Field (computer science) Twitter Facebook Different (Kate Ryan album) Software testing Series (mathematics) Traffic reporting Information security YouTube Form (programming) Area Dependent and independent variables Texture mapping Information Online help Line (geometry) Type theory Message passing Process (computing) Self-organization Quicksort Resultant
Addition Facebook Group action Uniform resource locator Message passing Texture mapping Internetworking Translation (relic) PRINCE2 Physical system
Message passing Goodness of fit Group action Shooting method Projective plane Self-organization Menu (computing) Denial-of-service attack Traffic reporting
Satellite Medical imaging Uniform resource locator Group action Building Electronic data interchange Voting Mapping Traffic reporting Field (computer science) Position operator Physical system
Uniform resource locator Hoax Mapping Internetworking Website Website Density of states Traffic reporting Computing platform Number Address space
Point (geometry) State observer Time zone Dependent and independent variables Group action Information Multiplication sign State observer Field (computer science) Entire function Number Twitter Process (computing) Internetworking Information Physical system
Goodness of fit Message passing Texture mapping Mapping Moment (mathematics) Password Information security Disk read-and-write head Information security Computer programming Twitter Number
Presentation of a group Feedback Multiplication sign System administrator 1 (number) Set (mathematics) Field (computer science) Medical imaging Goodness of fit Different (Kate Ryan album) Information security Computing platform Vulnerability (computing) Physical system Email Information Interface (computing) Feedback Content (media) Bit Process (computing) Website Quicksort Information security Identity management Resultant
Type theory Trail Mapping Software Internetworking Order (biology) Surface of revolution Surface of revolution
Point (geometry) Trail Type theory Group action Computer configuration Cellular automaton Range (statistics) Self-organization Bit Lattice (order) Physical system
Point (geometry) Trail Group action State of matter Texture mapping Multiplication sign Centralizer and normalizer Hypermedia Term (mathematics) Core dump Software testing Local ring Information security Traffic reporting Computing platform Physical system God Dependent and independent variables Touchscreen Texture mapping Mapping Building Information technology consulting Independence (probability theory) Plastikkarte Type theory Arithmetic mean Process (computing) Hypermedia Personal digital assistant Radio-frequency identification Computing platform Self-organization Right angle Moving average Energy level Local ring
Computer virus Group action Direction (geometry) Range (statistics) 1 (number) Password Likelihood function Neuroinformatik Operator (mathematics) Directed set Addressing mode Local ring Traffic reporting Information security Position operator Hydraulic jump Vulnerability (computing) Newton's law of universal gravitation Mapping Type theory Blog Computing platform Self-organization Information security Local ring
Standard deviation Trail Server (computing) Mobile app Open source Code Texture mapping Multiplication sign Open set Field (computer science) Computer programming Usability Hypermedia Computer configuration Netzwerkverwaltung Directed set Damping Process (computing) Message passing Traffic reporting Computing platform Mapping Open source Code Cartesian coordinate system File Transfer Protocol Message passing Operations support system Explosion Process (computing) Web service Right angle
Functional (mathematics) Mobile app Open source Code Patch (Unix) Multiplication sign Direction (geometry) Information privacy Number Software bug Goodness of fit Flag Traffic reporting Information security Vulnerability (computing) Physical system Dependent and independent variables Mapping Information Projective plane Electronic mailing list Leak Uniform resource locator Process (computing) Self-organization
Sensitivity analysis Trail Server (computing) Context awareness Link (knot theory) Heat transfer Hypermedia Internetworking Computer configuration Operator (mathematics) Traffic reporting Descriptive statistics Physical system Point cloud Authentication Dependent and independent variables Mapping Information Server (computing) Surface Mathematical analysis Physicalism Cloud computing Limit (category theory) Operations support system Process (computing) Internetworking Password Self-organization Point cloud Local ring
Execution unit Standard deviation Line (geometry) Cloud computing Interprozesskommunikation IP address Number Message passing Film editing Internetworking Web service Internet service provider Interrupt <Informatik> Website Interrupt <Informatik> Quicksort Gamma function Intercept theorem Message passing Traffic reporting
Sensitivity analysis Server (computing) Uniform resource locator Process (computing) Mapping Information Variety (linguistics) Different (Kate Ryan album) Point cloud Instance (computer science) Quicksort Physical system
Information Texture mapping Multiplication sign Word Type theory Word Message passing Voting Software Different (Kate Ryan album) Computer configuration Computing platform Energy level Communications protocol Information security
Dependent and independent variables Multiplication sign System call Equivalence relation Vector potential Number Twitter Message passing Facebook Self-organization Website Website Message passing Computing platform Physical system
Point (geometry) Mereology Attribute grammar Hypermedia Different (Kate Ryan album) Computer configuration Directed set Message passing Traffic reporting Computing platform Physical system Email Bit Limit (category theory) Entire function Message passing Word Uniform resource locator Process (computing) Hypermedia Software Password Internet service provider Interrupt <Informatik> Website Point cloud Quicksort Intercept theorem
Group action Texture mapping Multiplication sign 1 (number) Mathematical analysis Usability Goodness of fit Internetworking Term (mathematics) Process (computing) Local ring Information security Computing platform Physical system Task (computing) Dependent and independent variables Texture mapping Mapping Forcing (mathematics) Mathematical analysis Message passing Word Explosion Process (computing) Googol Personal digital assistant Point cloud Quicksort Automation Arithmetic progression
Mapping State of matter Texture mapping Mathematical analysis Information privacy System call Twitter Broadcasting (networking) Facebook Internetworking Intrusion detection system Self-organization Endliche Modelltheorie Automation Local ring Information security Physical system
Message passing Process (computing) Information Different (Kate Ryan album) Internet service provider Chain Queue (abstract data type) Morley's categoricity theorem Information privacy Lattice (order)
Scripting language Message passing Uniform resource locator Mapping Traffic reporting Physical system Vector potential
Group action Freeware Information Basis <Mathematik> Online help Streaming media Vector potential Medical imaging Message passing Explosion Process (computing) Blog Formal verification Video game Formal verification Software testing Traffic reporting Computing platform Physical system
Point (geometry) Open source Multiplication sign Similarity (geometry) Metadata Twitter Medical imaging Hypermedia Videoconferencing Utility software Traffic reporting Computing platform Physical system Domain name Presentation of a group Mapping Information Coordinate system Line (geometry) Data mining Word Message passing Explosion Process (computing) Personal digital assistant Blog Formal verification Right angle
Point (geometry) Time zone Dependent and independent variables Standard deviation Code Set (mathematics) Event horizon Rotation Revision control Type theory Word Operations support system Personal digital assistant Web service Synchronization Self-organization Software cracking Directed set Interrupt <Informatik> Information Message passing Information security Absolute value
Gateway (telecommunications) Trail Group action Code Java applet Variety (linguistics) Set (mathematics) Mereology Number Wiki Hypermedia Different (Kate Ryan album) Netzwerkverwaltung Area Dependent and independent variables Email Standard deviation Texture mapping Information Mapping Software developer Projective plane Electronic mailing list Entire function Equivalence relation Uniform resource locator Google Maps Local ring Spacetime
Email Presentation of a group Multiplication sign Online help Software testing
hi folks my name is George tomales I've been doing security for about ten plus years now and I started off doing work for the u.s. government pen testing critical infrastructure type of stuff then switched over into the private sector where you there's an actual bottom line and you could justify good ideas and worked in a variety of different things corporate pen testing that sort of thing then switched over into working independently and one of the really cool things about working independently is you can work on whatever you want and so I've been interested in humanitarian work for quite a while and so about two years ago I decided to start working in that field and I'm here today because the humanitarian technology community needs your help these these groups these organizations that are working in disasters and crises have all the same challenges that a normal IT infrastructure has but they have a whole bunch of new ones that come from the sort of work that they're doing and one of the things I'd like to talk to you about today is a new technology that's being used in the world of humanitarian response called crisis mapping and the way crisis mapping works is pretty straightforward when there's a crisis there's a set group of professional aid agencies and they provide aid in the form of medicine food water to people inside of the crisis and that's the way it's always been but now the people inside of the crisis have new technology communication technology like phones that can send out SMS messages and facebook accounts Twitter accounts and they can send out YouTube videos and as a result there's a huge amount of information that's coming out of the crisis areas and out of disaster areas and crisis mapping is the process of collecting that information processing it into a series of reports handing those off to the aid agencies so they can provide much more targeted aid to the people that are that are affected by these these disasters now the the
largest crisis mapping deployment that's taken place in about the two years since the technology has been around took place following the earthquake in Haiti where even though the city of port au prince was decimated when a massive earthquake struck a city that was made entirely out of unreinforced concrete a group of technologists were able to get the SMS infrastructure back online very quickly and another group of people were able to procure the SMS shortcode 4636 they broadcasted that SM
s code out to the population saying send us what is happening around you and this allowed people on the ground to send out SMS messages that could be picked up the first problem was they were all in Haitian Creole so a team of a thousand volunteers from the Haitian diaspora were contacted over Facebook and plugged into an online system that allowed them to provide translations for these messages so now we know what is actually being said but we don't know the location is remember this is port-au-prince there was no Google Streetview there were very few georeference databases so those same volunteers and additional volunteers from the internet provided geolocation
of the messages based on what was coming through on the SMS and then those reports were forwarded on to the aid organizations using georss it was a really fantastic project a lot of good work came of it lives were saved and it's an excellent example of how this technology can be really useful in a natural disaster the problem is that
natural disasters don't shoot back and now this same technology is being used in places where there are active hostile groups the first large-scale deployment
that I worked on was supporting a team on the ground in Pakistan who were responding to the nationwide flooding that took place last year in the middle of last year and things were going
fairly smoothly we brought a system online we had teams of volunteers that were geo-locating reports from from the ground as well as field reports coming in from the UN and then this happened so
now we're in a position where we were building a map and there is an active hostile group the Taliban who is said that they are going to target foreign aid workers and we have a giant map that contains the location of foreign aid workers we had to adapt accordingly the
next building that I worked on was in Sudan for voting a nationwide referendum voting referendum this is an image of what is believed to be mass grave in the South Cardiff unreason region that was picked up by a group called satellite Sentinel again we were working with a
local NGO on the ground in Sudan and had to deal with a number of issues we received obviously fake reports things like everything is fine at this polling location and everyone is voting for the ruling party stuff that we knew we couldn't trust we had our site blocked by the by the Internet companies inside the Sudan so people could not reach it initially and we had an inverted d OS based on the flaw in the platform we were using the most recent large-scale
deployment that I did was the Libya crisis map which we started when in early March when Libya was just beginning to see some basic civil unrest and we ran it as it turned into a
full-scale war the Libya crisis map was
unique for a number of reasons and one of which is that it was the first time that we worked without a team on the ground instead a group that I work with in this field was requested by the United Nations to set this system up so that they could have insight into what was happening on the ground both inside of Tripoli and the border towns where there was a significant refugee presence we had a number of things to deal with at that point things like protecting the observers the people who were reporting from the ground inside of the war zone verifying the information that was coming out because it was being fed directly to the response agencies allowing them to determine what to do and trusting all of the processing that was done because we use an entire group of volunteers from the internet what's
fascinating when you look at this technology is that the largest deployment took place in Haiti in a natural disaster and now it's being used in Libya in an active war zone in less than 18 months and it's an accelerating trend we now have active deployments taking place in Syria Bahrain and Egypt the good news is is that the the good
guys are catching on to this technology they're starting to recognize its value this is a tweet from the head of the World Food Program talking about how good Libya crisis map is the bad news is
the bad guys are also catching on this is a there was a team in Egypt that's done a number of these deployments and last year they were approached by the secret police who demanded back-end access to their system so that the secret police could see who was logging in and submitting messages to them and
so we all work in security we all know how this plays out when we start dealing with security of new technologies and
what I'm really concerned about is that we're about to go from the shiny to the oh moment in crisis mapping and and that's a definite concern because in this situation we have a lot of very
very significant consequences the most the most grievous of which and the one I'm most concerned about is that if something significantly bad enough happens to one of these deployments if it does get compromised and people do get hurt as a result of it the big agent eight agencies the ones who are best positioned to make use of this technology will just stop using it they'll label it as a liability and a risk and it won't matter that there's lots of people on the ground who are broadcasting useful information because there won't be anyone there to hear it so there's a couple of us who work in work in security and have security backgrounds that I've been working on this technology and we're in the process of trying to get ahead of the bad guys on this so what we're doing the reason I'm here today is I want to talk about what we've done so far what has happened over the last several years in this with this technology and get a little bit of feedback from the audience both inside the presentation and afterwards from what the things that I'm saying so i'll be discussing not only the bad things that can happen but some of the ways that we're looking to come up with a basic set of best practices so as i go through this presentation and the rest of the presentation and talk about things please pay attention if you there's something that I don't say something that I don't talk about an attack that you see a vulnerability that you see please remember it if there's a little bit of time at the end we'll try to take some questions I'll be back in the speaker's room afterwards or please contact me by email because it's entirely possible that you could come up with something that we aren't seen and as a result we could build that into these best practices and they could really help people out in the field and finally want to get some interest in the security community because this is really important technology there's a lot of good work to be done and we went
through a couple different ways to present this information realize the easiest way to do it would be to just walk through the steps that take place in an actual deployment I had planned to bring an online system that would allow people to go through and you'd be able to send attacks at it during the during the presentation the problem was is right before I flew out here I noticed there is a really awesome new feature that was inserted into the platform I was going to be letting everyone attack and that is the ability to add arbitrary JavaScript from the admin interface to the site which is an awesome feature you know you can do all sorts of great stuff and and then I thought about it happening at Def Con and so so yeah I've got I've got the images online and i'll talk about where you can grab those if you want to download them and you know you know javascript inject ourselves to your heart's content so the cool thing
about this is that the the approach that that's taken in these types of deployments all pretty much runs the same way you know there's just been a blank in the country of blank as from blank were responsible for deploying a crisis map in order to blank just to kind of speed things up let's say that there's been a revolution in the country of Taraka stan and if you've never heard of track of Stan it's because it doesn't actually exist let's
just assume it's somewhere around here ish and and the taraka stan has been ruled by a dictatorial government the Kim power in a military coup a very active secret police tendency to monitor the internet monitor the cell phone networks and arrest torture and kill people that disagree with them so not to
make things a little bit more interesting what I'd like to do is I'd like to have you guys play a certain role as we go through and be asking some questions about what do you want to see what do you think is a good idea for these types of deployments and over a black hat what I did is I split the audience up into the bad guys and the good guys but we're all devious bastards here so let's just say that you're the bad guys and you're also the bad guys so so as we go through and ask you a couple of questions and ask you if you guys are if you're the bad guys if you're the track is standing secret police the the local terrorist cell the local you know drug smugglers what do you want to see happen what is going to give you the best opportunity to compromise these deployments to screw things up to stop the people from succeeding and the first
question is as a team from the blank who is it that's going to be setting these things up and the the most important thing that that we found for these types of deployments is the people who's setting who are setting these things up and running them do need to be on the ground until we get to the point where all the aid agencies and all the aid organizations are no to connect into these systems it's imperative that there be advocates on the ground who can go to the meetings into the group meetings interact with the people that are actually doing the work and make them aware of what is happening and based on the experiences that we've seen these are going to your range of options for
who would be running this thing everyone from a group of individuals not affiliate with any particular organization a local NGO media organization and for this for this example let's assume that it's a member of the independent media organization not the track of standing state-run media in international NGO like the Red Cross or the UN or a military type organization an external military not the track us any military who's running this so what I'd like to do is take a second think about this picture yourself is a bad guy think about what you would do to each of these groups and who you would like to see running it to give you the greatest opportunity for for screen at the deployment I'm meticulous required all right i could get a show of hands who here wants this platform to be run by an individual all right who wants to be run by local NGO who wants to be run by an international NGO and he wants to be run by the military all right now one of the things that I'm concerned about as i go and through and you know talk about this is that when we go back to the crisis mapping community one of the first things is going to happen is I'm going to be accused of giving the bad guys ideas of listing the attacks that can take place and so I could try to go through and lecture that the people I'm talking to about security through obscurity why you must assume that's bad guys know the system but instead I'd like to make the point that I sit in front of a group of people at a security conference and presented this to them and knowing nothing about it they were able to spot x y&z attacks so can I get a cup one or two people to put their hand up and tell me what you picked and why yes that's a great point so she said an international NGO because they don't necessarily understand what's happening on the ground and they do have resources and supplies things that are the bad guys would want to pick up somebody else yes sir that's an excellent point so the ideas he wants to use an individual because he can corrupt the individual and then make use of the technology one more person yep so a local NGO because they can be worn down they're going to get exhausted that limited resources and when they when they start to get worn out you could take them out all excellent absolutely great at great points thank you very much I'm to ask that a couple more times and the cool thing about this is that this these are answers that seem like you know because duh to us but when you start talking to people who don't think like security people who don't think in terms of attacks and defense it's going to be things that they won't they won't immediately understand and so this is very helpful to be able to say we came up with this because it's just obvious to people who think this way and so you have to assume that somebody who is paid by a government by a state organization to be a devious bastard is going to come up with it as well so this is the breakdown it's going to my off-the-cuff breakdown of who's currently running these types of deployments what you see is by and large a lot of them are being done by individuals because people can just set this technology up they don't have to get approval there's a pit that's being picked up by local NGOs more and more there's been some tests by media organizations al Jazeera did a pilot in Oh God and is in Gaza algae to pilot in Gaza there's been some basic work by international NGO so the Libya crisis map and there's there's one or two groups that I am aware of it in the US military who are working with this technology the the issue is the first
issue is that there is no you no central organization who's responsible for doing this so the entire process for setting up is entirely ad-hoc this is a quote that came across one of the crisis mapping groups shortly after mumbai bomb blast asking if anybody knew of a mat that was online so that they could send volunteers to it the problem is there's there's this pervasive assumption inside the community that just because you have the skills to set up one of these systems means that you have the same skills needed to run it and in fact the the skills needed to actually set it up are tiny compared to the skills and the effort needed to run it think about the haiti response required over a thousand members of the the diaspora community to work for weeks on end and just because somebody set it up doesn't mean that they actually know what they're doing but because we're in the place where we don't know who's going to be setting these things up in any given crisis in the disaster we're at the point where we have to build trust on the fly with whoever's running them and what we found in doing this is there's kind of three core concepts that we can use for trying to determine trust on the fly first is corroboration I was contacted by the group in Egypt that was then contacted by the secret police and I had no idea who they were but I had a colleague that was working with them I trusted her and she could corroborate their story the next is reputation the individual who set up the deployment in Pakistan was was a guy who was a TED fellow and a tech CEO and so Ted the the smart people's conference they do vetting and he's a tech CEOs he has to have some kind of a skill still he knew nothing about crisis mapping but he seemed to be kind of a smart guy and then finally we have history of past experiences with a particular person and in this case the the the individual who set up the crisis map to help the mumbai bomb blast was somebody that we'd work together with on unpack report in pakistan so we had a background with him but the problem with any just anybody being able to set these things up on the ground is like you mentioned direct
attacks these are news reports about bloggers who have been arrested these are people who set up one website with just their opinion on it and into my mind that these these types of crisis maps are 1 website with potentially thousands and thousands of people's opinions and thoughts on it so the idea that they could be targeted in the same way as bloggers makes pretty seems like a pretty short jump to me and remember we're in a position where the secret
police were already contacting these groups so when you think about direct
attacks we've got it's kind of a range of vulnerabilities where the individuals local NGOs on the ground like you guys said are the ones who are most susceptible to attack the other concern is that we don't have to worry just about direct attacks we have to worry about in direct attacks infiltration of groups by a virus by hostile organizations and this could be something like someone who's picked up in their account is you know tortured out of them this could be somebody who is new paid by money this could be a computer that is hacked and our primary defense against that is isolation of operations is equivalent to the the need to know approach in the the government security community but what you see when you think about isolation of operations is that the smaller the organization the higher the likelihood that a compromise could lead to a compromise of the actual deployment another reason why they should not necessarily be done by individuals so we have our threats to
deployment managers but let's assume we've got somebody who's willing to do this the next question is they're responsible for deploying a crisis map and crisis maps have got to do a couple of things they've got to collect messages from the ground process them into reports and then present those out and right now you have two three up
three options for what your crisis map platform is going to be you can code it from scratch just hack it together they're fairly straightforward programs to run you gotta be able to pull things and put them on a map somehow you can kludge together existing geolocation services and social media services or there's all we're also beginning to see some open source applications that are being built specifically for this and used in the field so back to you guys at the track of Stan ease when someone wants to set one of these things up what do you want them to use think about it for a second all right who wants to who wants to see a platform that is coated from scratch all right who wants to see a existing services kludge together all right and who wants to see these of open source applications so by and large open open source applications why do you want to be an open source app is that what you want to do as a bad person there's a good person you're saying that it's a useful and transferable to other situations oh you're not a bad person i gave a winky guy i have somebody who is a bad person wants to tell me why they'd want it to be an open source app exactly you know so you have the code you can figure out your attacks ahead of time you know how to subvert it one more person show of hands gentleman in the blue shirt would you pick and why open source for the same reason yeah so what we're seeing a lot is actually this is being used primarily by open source
projects and the key from from the good person side for using open source projects is that they are adaptable we are dealing in very fast-paced situations where we need to we don't have time to go back and ask vendors for a patch if something goes wrong and we need to be able to add new features and new functionality on the fly as it's needed by our deployment by the response organizations but the downside of course to that is we are going to have code
vulnerabilities this is going to take place whenever you write something that's code the particular open source app that we use a lot is one called OSHA Headey and one of the great things about you shaheedi is you can make reports private until you decide to approve them these are the the three leaks that we found in this process so you could connect to the private reports by going directly to the URL for that report they're all labeled sequentially by ID number you could they showed up in the reports listing so just the public reports listing of reports they didn't think to check the privacy flag and they also leaked into the search system and this is this is kind of funny from a security standpoint so they kind of screwed it up just about every possible way you can the problem though is that we found the direct URL access bug during the Sudan deployment we found the reports listing bug during the Egyptian one of the Egyptian deployments and the search leakage during the Libya crisis map deployment all situations where we're dealing with sensitive information so so cold vulnerabilities are definitely a concern one of the ways
that we've gone around dealing with that is again an isolation of operations approach where we took the the actual data that was being collected that included you know personal and sensitive information and ran that on a completely private system so the Libya crisis map initially started off as a password-protected limited access deployment that was only given act that where access was only given to response organizations who contacted the UN and midway through the deployment the UN thought wow this is really great this is really useful this is really impressive impressive work these people are doing let's make it public so now all the the analysis the collection that we've done they were asking us to to make it publicly available to anyone on the world so what we did is a compromise on that is we kept our private password protected system where we had an ideally limited attack surface because everything was behind at least basic authentication and we set up the public Libya crisis map which is the thing that was promoted on the internet and that public crisis map did not receive any kind of sensitive information we stripped out all the analysis in the descriptions and left only just the title of the the report the location and if there are public links to media organizations we left those in as well and we put the entire Ridge the transfer process on a 24-hour delay so that there is a kind of limiting the usefulness of the data to people on the outside world the the next
thing we have to decide is where do you want to actually have this deployed so you have to run the system somewhere and your basic options again or a local server on the internet or hosted on the cloud so could I get a show of hands from the track is to any bad guys out there where do you want this system to be hosted do you want to be hosted on a local server in the country do you want it to be hosted on the Internet one hand and then you put it down really quickly do you want to be hosted on the cloud all right someone who said they wanted to host it on the cloud to tell me why sir okay so you can shut down the internet and then cloud providers have insecurities you get access to it how about somebody who said they wanted on a local server sir actually ma'am gain physical access yep yeah it's much easier to attack something that's local and it's inside your country so you're absolutely right the main concern for local servers are direct attacks fortunately we haven't had that happen that I'm aware of what we have had those
service interruption on the internet you know the bad guys have figured out the internet off switch not only to shut off internet for the entire country but also for specific sites so Egypt and Syria have just flat-out cut the internet brain is significantly up to the number of sites that they're blocking this is what happened to us we believe in Sudan fortunately we were on a cloud provider and so we were able to just switch ip's really quickly and they weren't able to catch up and catch on to the fact that our IP was had changed the site was back online the other thing we have to worry
about it is message interception we understand the network traffic can be can be compromised and we have different ways that we can deal with that this is a report from The Wall Street Journal talking about how that there's a belief that the various groups inside of the Middle East are using different tools to actually crack skype and this is something that's particularly concerning for us because skype is one it is like the de facto communication standard that's used for everybody who's doing this sort of work so what we're working
on and to deal with this is the concept of we know that the the local servers are potentially vulnerable to attack we know the cloud servers can be blocked there shut off so we're working on systems to synchronize and anonymize traffic back and forth so this is similar to what we were doing with Libya crisis map were you switching between a public and a private instance but we're also going to be doing it from the the the cloud back onto the ground so in the off chance that some of that the server is attacked that the server is compromised on the ground the the bad guys aren't gonna be able to find the sort of sensitive information they're going to want to get their going want to be able to use so we've gone through you know picking up a lot of these covering
a lot of these questions you know who are we where are we deploying what we deploying and the last question of course is you know what are we going to do this for and there's a huge variety of different things that can be done for doing things like tracking the location of people in need that have been affected by a crisis monitoring for war crimes and collected information that can be used in prosecution later directing it directing the people i mean directing directing aid and the the big concern though is that we've gone through all this work and all these different ideas and all this this different the thought process and looked at these different vulnerabilities but
we're still inside of that tiny little dot there's still a lot of work that has to be done around these types of deployments to actually make them successful and we have things like
spreading the word actually getting the message out to the populace to the people that we're going to be collecting information from about what it is that you know that we're looking for what we can provide we've got a couple of different options the first is you pass it on to no one just passively collect the data that's coming in use a private network pretend to ideally people that have been trained ahead of time this is what's being done in a lot of the vote monitoring types of deployments where it's been using a small set of vote monitors who already know protocols both for you reporting and ideally for security or you can just put the word out to absolutely totally everyone out there who will listen let me know hey this thing is online and send us your information the first concern with mess
with patching the message out is misinterpretation this is the equivalent of when you call your doctor and they say if this is an actual emergency please call 911 and in situations where the system that's being used to collect this data is not directly linked to the response organizations kind of indirectly linked there's people on the ground trying to promote it for use by the response organizations there's the possibility that they could be intercepting messages and the people on the ground could think that they're going to be getting an automated restore an automatic response from this and so they won't think to go out and contact the actual aid organizations who may be better positioned to give them aid another concern is message corruption
this is a tweet that went out during a during the Sudan not the Sudan deployment that I worked on but another one that was tracking violence inside of Khartoum basically saying hey don't go to this site it's been infiltrated by the the Sudanese the Sudanese government the problem with this there are a number of problems first is that it was actually a false message the the actual message had been sent out by the people running the platform people should not use SMS to contact the platform because they couldn't trust that it wasn't being intercepted but by the time it made it to Twitter the message had turned into don't go here it's been compromised by the government so the message is being passed out is liable to be it can be inadvertently corrupted but there's also the potential that it can be intentionally corrupted so the the next the next step is
collecting messages we've gotten the word out the platform is online people have heard about it they're now starting to send data back in and there are a couple of different options for the actual collection you have direct collection processes from things like SMS phone these are that are definitely coming from one person directly to your platform the other process is to use something like social media where it's being broadcast out to the world and we're just going to be collecting it from there and then the final one is to collect reports that are coming in through the media the the primary concern with the submission of messages is attribution the ability for people who are monitoring these systems to be able to I track the message back to an individual and when we're dealing with direct direct messages through an SMS email or people connecting to a particular site online at that point somebody who's mont monitoring the network has got both the end point where the system is going to where the messages are going to and they're able to track back the people who are actually sending them in in the case of social media that's a little bit more indirect because the message is kind of going up to some place in the cloud some some kind of service and it can be very challenging to hunt that that message down and then figure out who's behind it and who they're what the username and password is and then figure out who this actual person is however we do now have these platforms that are collecting these messages for people and presenting them online which could cut out at least the taunting down the message part for the bad guys and then we have protected attribution from the media where they have a far a much more limited scope and understanding of what's happening on the ground compared to the entire citizen population who's got phones and SMS capability but they do have a little bit of coverage because they are media and they're able to protect not only themselves but ideally they've got plus is in place to also protect the people that are reporting to them again with
any kind of collection process we do have to worry about service interruption and message interception these same sort of issues that are affect the the platform location are also going to affect the passing of messages the the next stage is we've
gone through we've collected and put the word out we've put the platform online things are going relatively smoothly people are now starting to send messages into the platform messages are being collected now those messages need to be processed and that processing is not necessarily that easy think about Haiti in Haiti they received over 50,000 SMS messages in the several weeks of during their deployment that all needed to be looked through and processed and so the the processing has to be done by somebody or some system and right now the the sort of groups that we have to do this are a local team on the ground which is what the the haiti deployment eventually transitioned over to that we're now seen in the crisis mapping community teams of individuals who are you know members of this community and willing to work for this work on these deployments and are aware of it and know the ropes they're still relatively small relative to the the online volunteers is anybody out there on the internet which was used initially in the pakistan deployment that we worked on there's also beginning to see the some initial work on automated analysis I like my internet clouds there some automated analysis systems to actually process these message on in an automated fashion the problem is those are still very experimental systems and in any case they're going to need to be fed good data by that's created by groups of people so at least for the for the immediate future we're going to have to rely on groups of people to process the message is one way or the other and right now the the primary technology
that people are using these groups are using or giant shared Google Doc they just take all the volunteers throw them into a shared google doc and give them kind of a basic workflow how they should go through and process these messages from a security standpoint it's terrifying that they're that they're doing this but from an actual usability standpoint it pains me to say that actually works halfway decently well because you can actually get groups of people online they can see everybody else is working on it they can see the progress is being made it's a very good morale builder at this particular this particular doc was one of ones that was used during the Libya Christ Matt by a group called the standby task force that I helped found last October to start standardizing some of the the processes in the response and organizing groups of individuals and teams to deal with each of these each of these efforts the the one issue with the standby task force that we have is it's designed for short term deployments and we started off the Libya crisis map with a relatively small group of people that were pulled from the community that we were already aware of and then when it came time for us to transition off we went back to the UN and said we're a short term solution here we'd either shut it down or you guys need to find people to work on it and they said oh that's no problem at all we've got a UN volunteer corps that we can put out
broadcast to the entire internet saying who wants to work on this stuff so we went from our relatively small closed community of people to an open call across the internet to say who wants to work on this system so all the operational security that we put in place around protecting people's privacy etc etc etc was going to be blown by the opportunity for infiltration and again
we're back at this concept that it could be somebody who is turned somebody was working directly for a state organization etc the the folks who let people in to the Libya crisis map through the UN they did do try to do some basic background checks on the people they asked for Facebook accounts skype ids of twitter accounts try to prove that they were like an actual person but but that's not actually real security what we're looking at instead as a potential model is to deal with the
political crowd-sourced micro tasking the idea that we can take the steps that are involved in the process into these messages and split them up into kind of siloed processes that only the people would only be able to work I can like an assembly line on one particular action be that in a geolocation or categorization or filtering so what we'd be able to do ideally is add at the front of this queue something for anonymization so we could take people that have an established trust inside an organization and focus their work on just stripping out you know personally identifiable information and then passing that on to other people further on down the chain to provide different pieces of work one of the concerns though is that we've now still got no we could have added in this this idea of privacy so we can strip out the the identifiable information but we now
have to worry about it things like accuracy the this the micro tasking system there was used last week for a deployment or an exercise that replayed some of the English translated hate and messages from Haiti and the the team involved with a team of volunteers went through using this this micro tasking system to do each of these steps including geolocation and it worked pretty well when you look at these this map you know seeing where these volunteers were able to identify where inside of Haiti the messages were coming from inside of Haiti Haiti Haiti where these messages were coming from this is
where the rest of the messages that they were processing ended up getting mapped because what we had was untrained volunteers going through taking the first thing that looked like a location slap it into google maps and then copying the latitude and longitude back into the report so we had things all over the place you see a big bump inside of France where the Haitian Creole is very similar to to French and so there's a lot of French names for towns my favorite personally is the one that they put in Alexandria Egypt which means that they not only didn't realize what they were doing but it didn't occur to them the Arabic script on top of the city names was unusual so we have to worry about worry about in accuracy in the system and this is people that are doing trying to do their best and it doesn't even take into account the potential for people who are trying to purposefully put in misleading information and so the
the solution that we have to that is more sophisticated crowd sourcing the the image here is from a crowdsourcing platform that was used during the Pakistan deployment that's run by a company called crowd flower and crowd flower has got a significantly ridged a really really cool infrastructure in place that lets you do something beyond just presenting the information you can actually track and score the people who are working on it so again we're starting to see this this concept of corroboration we're in in the Pakistan deployment we required that before a message was moved on through the geolocation stabbed multiple people had to agree that it was in the same place and this is multiple random people we also have the ability to get to scoring accuracy from the people that are working on these platforms this is done by inserting known good data and called gold data into the message stream and seeing where what answers people come up with based on that gold data so you kind of inserting tests into the process as they're working on the system and then finally places like crowd flower they have existing user basis because it's used similar to mechanical turk by a group of people who are familiar with the system and so you're able to see this kind of reputation where you can see like they've been they worked on this other thing they were pretty accurate and so we hope that systems like this will help us deal with the in accuracy and help minimize the the potential disruption from people who are just making honest mistakes or people who are inside the system trying to purposefully screw screw things up and so we've gone through this entire we've gone through this entire process we've set up the system we've put the word out we've collected the messages and now we're at the final step or the final step where we need to decide what we want to approve what we want to think is actually true and report verification is something that is the the primary question that we're always asked by the aid agencies kind of the big questions how can we trust this information how do we how do we verify this data and the answer is it's very very hard I don't
know how many of you are familiar with the gay girl and Damascus blogs show of hands how many people heard of that all right so for those of you that don't know the gay girl of Damascus blog was this blog in Syria that was drana chling the life of this this young girl who is living in Syria under this despotic regime and there was you know bad things happening to people who were homosexual and everyone was really concerned about it the problem was that the gay girl in Damascus was actually a married guy in
Ireland and the entire thing was completely and totally faked and he got away with it for months and months and months fooling everybody it was on CNN etc etc and this this is really really going to be a very difficult problem to deal with and there is no easy answer to it the the best the working on right now is again that concept of Robert corroborations reputation in history and the gay girl and Damascus blog is an excellent example of that where the the information was out there people people believed it was very accurate is very detailed but where the solid started to fall apart was when a reporter I believe from the from the UK who is widely known is kind of being an authoritative source of the mining of social media he received word from some people that he knew that there were certain certain things inside of these these messages inside of these blog posts that weren't adding up they couldn't find people inside of the gay community in Damascus who knew of this of this girl and then they started digging more and more and more into the actual electronic side of things and found things that that further didn't line up like where the domain was registered where the posts were coming from etc and so we see another use case for this concept of corroboration you the information couldn't be corroborated by people who are on the ground reputation where the word came out from from a reporter who was you know very very well established as being accurate for information in the Middle East and he in turn got that message from people who had a long history of trusted reports so from that are they were able to work this back we had a similar case during in Libya crisis the Libya crisis map where we received word that including images that that indicated there were white phosphorus attacks taking place which would been a very very serious escalation of hostilities and what the volunteers were able to do is they dug into the metadata for the reports as it was told to me by one of the coordinators and were able to pull out information that indicated to them that this was not this did not take place at the time that the the report was reporting that it came from and so they ultimately dismissed it there have not been to my knowledge any further reports indicating that that was actually true so so when we go through this this
entire this entire process we still end up back at this concept of corroboration reputation in history and then the final step you know when that once the reports are actually put online and they're there they're presented there's the possibility that it kind of it it's no longer in our hands what's actually going to happen to it the first concern is things like misinterpretation one of the one of the first deployments that I ever did just when I was starting to get used to this technology was tracking a night of rioting that took place in my hometown in Oakland I was just monitoring Twitter and pulling information from Twitter and from the the news reports about what was happening on the ground and at one point there is a woman who there was a cop car who was kind of starting to get closed in by by protesters and he was backing up I mean maybe 10 ish miles an hour and he he just brushed a woman that was that didn't see the cop car coming the woman went down my understanding is that she then got back up and was able to leave a nun walk away when we saw this happen we actually it's on video you can find live video from the helicopters of this happening and we were now faced the question like do we want to report this was was this actually news and we decided not to and then the next day I received an email from from of an acquaintance on the East Coast saying hey I saw your map it was really great but you didn't you didn't have the report about the woman who was murdered when she was run over by the cops and and that's a great example of how how these things can get away from you and then ever found it back to her no we didn't report that because it didn't happen etc the other thing we have to worry about is manipulation if something does get all the way through what can be done with purposefully forged reports and how can we detect those I really really liked Moxie's concept of trust agility and I think that's something that we're absolutely going to have to work in to our system going forward at every step in this process is the ability to retract who we trust in any given situation and finally the risk of utilization the possibility of these messages these platforms can be utilized by the bad guys and this is one of the reasons that we try to do things like keep them private not post them online unless we have to if we do have to present information prevent presenting information that is that is delay that is not as useful to an adversary and so
we've got all these problems all these potential issues all these things that can go wrong and the the the big
question is is it worth it you know as somebody who's working in security and and has had to deal with a lot of these deployments even with all the things that can go wrong all the potential attacks my opinion is yes it's
absolutely worth it this technology despite the shoes has got a huge amount of promise and the the challenges that come in are things that are expected there being this technology is being used in hostile conflict zones where there is an absolute need for security and it would be silly to think that for some reason the IT side of things would be exempt from that need for security and so the the approach that will be taking over the next months and years is going to be to develop a set of standards and best practices that can be used to allow people to do these types of the types of deployments safely and securely and identify the ways and going to get the word out so that people know about it and they're able to do these things at the beginning and the other reason is that eventually something is going to go wrong someone is not going to get the word something is going to slip through the cracks that we weren't that we weren't expecting a new attack is going to emerge and bad things will eventually happen and when that does it's going to be vitally important that we have something to show the the response agencies the the the large organizations who would be inclined to walk away from the technology at this point to be able to explain to them that this technology can be done securely there are things that can be done and unfortunately in this particular case you know something got through so we will have a response in the event that something does something bad does happen because this technology has got a lot of a lot of
things that can be used for not just inside of an actual disaster this is the what became of the the the haiti deployment it was initially set up for the response to the earthquake and is now run by a local company inside of haiti who is using it to track a significant amount of information not just about you know the actual disaster and it's become a resource to the entire community tracking everything from the location of hospitals and the cholera response and it's it's become established as a long-term ongoing support to to the the haitian country and and will be there in place for the the next disaster whenever whatever that is so that there are a couple of groups
that i'd like to specifically call out that are doing really great work in this area an excellent opportunity for people who are interested in working in this space the first is crisis mappers net which is the kind of the main one of the main mailing lists and main community groups for the the crisis mapping community that includes both members of the the volunteer community the the developer community and a growing significant group of professional responders who are taking part in this the next is the standby Task Force which is a group that's been responsible for providing volunteers for these large-scale deployments we're working on developing new standard tools technologies and workflows to make this possible and this was the team that worked on the Sudan referendum and the Libya crisis map and finally crisis Commons is Heather here so crisis Commons is a group that was started by a Heather blanchard whose a longtime member of the media goons and they do a number of a number of different projects from everything from setting up wikis during disasters to providing weekend hackathons where people can contribute code and profit and new tools for some of these deployments that are taking place and they do they do fantastic work on the right side on the right side there's a set of the tools that we're using shaheedi is the one that's been used in a lot of these deployments and a lot of the screenshots you so you saw frontline SMS is a very simple java based SMS gateway that's being used for a variety of things throughout impoverished countries Sahana is like your opens is like a Swiss Army knife or disaster managers and openstreetmap is an awesome awesome kind of wiki equivalent to google google maps so the
the final question I have for you guys is as I've gone through as I've talked about these things just based on how you think you've come up with things that weren't in the presentation you've come up with things that that I missed that I wasn't thinking about or didn't have time to talk about up here what I could really use your help in doing is coming up to me talking to me sending me an email I'll be back in the question-and-answer room about those things tell me what we aren't thinking about because we need your help in pen testing these ideas that's everything
I've got thank you very much
Feedback