You’ve probably heard of metadata – its the name given tot data about data and it is increasingly being targeted by cyber-criminals and law enforcement alike as a potential rich source of information.
Here are a couple of examples of metadata: a list of the phone calls you’ve made lately and how long they lasted; but not what you said during the call. A list of filenames on your hard disk, along with how big they are and when you last edited them; but not what’s inside any of the files.
In a recent article for Naked Security, Paul Ducklin addresses the complex world of Traffic Flow Analysis as he explores What Your Encrypted Data Says About You.
“As you can imagine, metadata is gold dust to law enforcement during a criminal investigation: it can help with chronology; it can establish connections amongst a group of suspects; it can confirm or break alibis; and much more.
But metadata doesn’t feel like quite as much of a privacy invasion as full-blooded surveillance, so many countries tolerate collecting and using it on much more liberal terms than collecting the data itself, such as the actual contents of your files, or transcripts of your phone calls.
Of course, metadata is just as golden to social engineers – crooks who try to trick you into giving away information you’d usually keep to yourself by seeming to know “just enough” about you, your activities and your lifestyle.
Crunching through metadata to do with network connections is usually called traffic analysis. You you might be surprised how much it gives away, even when the traffic itself is strongly encrypted.
Here’s an intriguing example from a bevy of security researchers in Israel, who eavesdropped on encrypted web traffic (on their own network, of course).
They monitored a range of measurements about the TLS traffic that passed by, even though they couldn’t monitor anything inside the packets:
Using various machine learning techniques, they claim to have been able to classify their packet captures to make surprisingly insightful estimates of which combination of operating system, browser and web service were in play.
For example, they could guess fairly reliably that “this user was watching YouTube using Safari on OS X,” while “that user was using Twitter from Internet Explorer on Windows.”
That might not sound like a terribly important or worrying result, but remember that TLS encryption is supposed to provide confidentiality.
In other words, anything that leaks out about what’s inside a TLS-protected data stream is information that an eavesdropper isn’t supposed to be able to figure out.”
Senetas High-Assurance Encryptors Protect Against Traffic Flow Analysis.
Even when sensitive network data is protected by encryption, network eavesdroppers may still obtain value from analysing network traffic flows and large volumes of metadata.
Although eavesdroppers cannot see the encrypted data itself, they may have the ability to analyse the traffic flows (traffic patterns) and large volumes of the metadata.
These traffic patterns and large volumes of metadata may reveal insights sought after by the eavesdroppers. To some organisations, these analyses pose a real security risk and must be prevented; making traffic flow analysis protection an important network security feature.
This is why Senetas high-assurance encryptors include traffic flow analysis protection, eliminating the dual threats of metadata and traffic flow analysis.
In some industries, such as government defence departments and the military, traffic flow analysis protection is a necessity. However, not all organisations requiring high-assurance network data encryption need to prevent traffic flow analyses.
In many cases, the traffic flows themselves may not reveal anything that may be harmful. Similarly, analysis of their metadata may not pose any security risks.
However, should circumstances change, the ability to activate this additional network security feature is important.
Senetas High-Assurance Security Comments
Naked Security’s author, Paul Ducklin, succeeds in simplifying what is a complex network data security topic; one that is often overlooked or underestimated.
He highlights the incorrect categorisation of metadata as non-information and explains what insights can be gained from analysis of large volumes of metadata.
So, while there is an increasing focus on the need to encrypt high-speed network traffic, due attention needs to be paid to the additional security risks that could arise from analysis of traffic patterns and metadata.
Not all organisations will consider their network metadata or their network traffic flow patterns to be of a sensitive or ‘risky’ nature. That’s fine, but they do need to have given it consideration in the first place.
The earliest instances of traffic flow analysis, and protection against it, are likely to be in defence and military applications. They are good illustrations of when and how traffic flow analysis protection is necessary. For instance, an increase in traffic volume is likely to indicate a heightened state of activity, such as might be expected before an engagement.
Within a commercial setting, it is the analysis of large volumes of metadata, and the insights that can be gleaned from this analysis, that is likely to be of greater concern. Ducklin does a good job here of illustrating the risks and the types of insights that can be extracted from a detailed analysis.