Linux Security Software Brings Forth Privacy Issues

By in News
Mon Apr 24, 2000 at 06:20:36 PM EST
Tags: Security

A company called MimeStar has just released a network intrusion detection platform known as "SecureNet PRO". The software decodes network traffic, reconstructing individual user sessions in order to search for attacks. While it looks pretty interesting, and very powerful, the software seems to bring with it several serious privacy concerns, as outlined below.


It automatically decodes and logs the content of e-mail messages, IRC chat sessions, FTP and WWW transactions, and so on. This results in a large amount of extremely personal data being recovered about network users, virtually destroying all notions of privacy.

Is this the end of privacy on the Internet? The start of a "Digital 1984"?


Related Links
o MimeStar
o SecureNet PRO
Linux Security Software Brings Forth Privacy Issues | 19 comments (19 topical, 0 editorial, 0 hidden)
Decoding and logging traffic is not... (1.00 / 1) (#6)
by End on Mon Apr 24, 2000 at 04:04:32 PM EST

End voted 1 on this story.

Decoding and logging traffic is not new or revolutionary. I do it here at home ;-)

-JD

This has been an issue with network... (none / 0) (#7)
by bgp4 on Mon Apr 24, 2000 at 04:07:54 PM EST

bgp4 voted -1 on this story.

This has been an issue with network IDS systems for years. There are at least a half a dozen books which talk about this at length.
May all your salads be eaten out of black hats

interesting.... (1.00 / 1) (#9)
by jetpack on Mon Apr 24, 2000 at 04:34:28 PM EST

jetpack voted 1 on this story.

interesting.
--
/* The beatings will continue until morale improves */

Sadly, no. This is not the start o... (none / 0) (#3)
by eann on Mon Apr 24, 2000 at 04:40:33 PM EST

eann voted 1 on this story.

Sadly, no. This is not the start of a "Digital 1984". That started long ago. This new product is barely even a symptom; such software has been available for some time.

Our scientific power has outrun our spiritual power. We have guided missiles and misguided men. —MLK

$email =~ s/0/o/; # The K5 cabal is out to get you.


Its just a sniffing program. It doe... (5.00 / 1) (#8)
by nicktamm on Mon Apr 24, 2000 at 05:03:03 PM EST

nicktamm voted -1 on this story.

It's just a sniffing program. It doesn't really do anything that sniffit doesn't do and I'm sure that there are several that are even more full-featured that are free as well. Perhaps this could be re-written as a general "What does everyone think of running a sniffer if you are looking for intrusions even if it means you can see your users' email?" or something along those lines, since the introduction of the specific product listed above is rather unimportant to the question of a "digital 1984". It's not as if this is the first commercial sniffer released either, since Network Associates apparently even own the trademark of "sniffer". Well, after reading this it did remind me that I wanted to look into if/how sniffing works over switches, and I found this page: http://www.robertgraham.com/pubs/sniffing-faq.html which has lots of general sniffing information, and also a link to this page: http://www.robertgraham.com/pubs/network-intrusion-detection.html which deals specifically with using network sniffers for intrusion detection.
Nick Tamm nick-k5@echorequest.net http://www.nicktamm.org

Re: Its more than just a packet sniffer (none / 0) (#14)
by Anonymous Hero on Mon Apr 24, 2000 at 07:11:22 PM EST

Hmm, I was just looking at this company's website, and it seems that this thing is a lot more than just some standard packet sniffer.

It actually emulates the TCP/IP stacks of machines on the network. In addition, it emulates the actual network CLIENT and SERVER applications which are engaging in communication. This means it actually emulates an SMTP (mail) or HTTP (web) server or FTP server, remembering things such as login state, and actually decoding individual commands/responses.

I haven't seen any other available sniffer program that does this. sniffit just allows you to monitor TCP streams.

[ Parent ]

Re: Its not much more than just a packet sniffer (none / 0) (#16)
by nicktamm on Mon Apr 24, 2000 at 09:01:09 PM EST

That is just a fancy method of recognizing common exploits. As I understand it, the most common way of detecting attempts at cracking computers is to look for somebody doing common exploit step 1 which looks like X followed by step 2 which looks like Y. This just checks if they are connected to an FTP server (which is part of the exploit), and, if they are, are they trying step 1 which looks like X. If they aren't are they trying step 2 (which is also a possible first step, but they have to be connected to an FTP server to do it). This makes it so that their NIDS can still find the exploit even if steps 2 and 3 are switched around. I think this is called "signature matching" and so they do "context-sensitive signature matching".

I haven't seen any other network intrusion detection programs that do that either, but then again I haven't looked and it isn't that huge of a deal. If you were really desperate for this functionality, you could whip something together with tcpdump.

Of course, it could be that it does more and I'm just misunderstanding their marketing-speak, but if it causes zero lag (as they say in their FAQ), then all that the "emulation" can be for is watching, and I assume all they could do that would be useful is network-grepping (unless it is maybe for showing the admins easy to understand summaries of what the crackers did). I don't know, this is just my take on what they say, but I have never really played with any NIDS's and am basing this just on what I have read and played with sniffer-wise.

As to my comment of sniffit being able to do the stuff mentioned in the article, I was referring to the ability to log all email sent to/from a server, etc. through simple filters. I meant that the "digital 1984" mentioned in the write-up was already possible, and that this program didn't make it any easier.
Nick Tamm nick-k5@echorequest.net http://www.nicktamm.org
[ Parent ]
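The two points above, an IDS that emulates the server far enough to remember login state (#14) and "context-sensitive" signature matching where steps X and Y only count once the session is in a given state, in either order (#16), can be shown together in a small stateful FTP control-channel decoder. This is an added example, not SecureNet PRO's code or anything from MimeStar: the session lines and the policy signature are constructed, the decoder assumes the login succeeded because only client commands are in the sample, and it logs command verbs only, so it detects without keeping the file names, passwords or content the story worries about.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the client side of one FTP control connection, already
# reassembled into lines (packet capture and TCP reassembly are not shown).
SAMPLE_SESSION = ["USER anonymous", "PASS guest@example.org", "CWD /incoming",
                  "DELE oldfile.txt", "STOR upload.bin", "QUIT"]

# Constructed policy signature: after an anonymous login the session both deletes
# and uploads a file, in either order. Steps count only while the decoder is in
# the named state; that is the "context-sensitive" part.
SIGNATURE = {"name": "anonymous-write-activity", "state": "anonymous",
             "steps": [r"^STOR\b", r"^DELE\b"]}

@dataclass
class FtpSessionDecoder:
    state: str = "connected"            # connected -> anonymous | authenticated
    pending_user: str = ""
    seen: set = field(default_factory=set)
    log: list = field(default_factory=list)

    def feed(self, line: str) -> None:
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "USER":
            self.pending_user = arg
            self.log.append(f"USER {arg}")
        elif verb == "PASS":
            # Assumes the login succeeded (server replies are not in the sample);
            # the password itself is never written to the log.
            anon = self.pending_user.lower() in ("anonymous", "ftp")
            self.state = "anonymous" if anon else "authenticated"
            self.log.append("PASS <redacted>")
        else:
            self.log.append(verb)       # verb only: file names and data stay out
        if self.state == SIGNATURE["state"]:
            for pat in SIGNATURE["steps"]:
                if re.match(pat, line, re.IGNORECASE):
                    self.seen.add(pat)

    def alerts(self) -> list:
        return [SIGNATURE["name"]] if self.seen == set(SIGNATURE["steps"]) else []

def analyze(lines):
    """Decode one session; return (alerts, minimized log)."""
    dec = FtpSessionDecoder()
    for ln in lines:
        dec.feed(ln)
    return dec.alerts(), dec.log
```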

No matter how much we don't li... (none / 0) (#13)
by Rasputin on Mon Apr 24, 2000 at 05:06:48 PM EST

Rasputin voted 1 on this story.

No matter how much we don't like the idea, as long as there are irresponsible people using computers there is a requirement to associate online activity with a specific person. For a company that depends on its internet connections, tools such as this are quickly becoming a necessary part of doing business. Having said that, I also agree that some level of privacy (not to be confused with anonymity) is a fundamental requirement of the internet community. We can only hope these tools will be used to legitimately watch for script kiddies, not to find out which employees have been spending too much time on Kuro5hin or Advogato. Until such time as the people using the internet and the corporations providing the services can be trusted, we can expect more of this type of software.
Even if you win the rat race, you're still a rat.

Hmm.. it is rather interesting that... (none / 0) (#11)
by Camelot on Mon Apr 24, 2000 at 05:09:56 PM EST

Camelot voted 1 on this story.

Hmm.. it is rather interesting that such features are included in an IDS program, but you have to remember a couple of things: Logging traffic can already be easily done (via sniffers and such) - this product adds value by making it a whole lot easier. You also have to remember that such features wouldn't be included if there wasn't demand for them. There are probably corporations out there that already do this sort of thing. It may be possible that someone who might not do this kind of snooping, might start doing it with this product. But in any case - it isn't a new problem. Any unencrypted traffic can be snooped.

Re: While I'm not a sysop of any networ... (none / 0) (#18)
by Inferno on Mon Apr 24, 2000 at 09:38:21 PM EST

The ability to spy on users has been around since networking started. You don't even need root access to spy on people. Ethernet works in such a way that all users on the LAN can see everyone else's packets. (There are exceptions with switches and such, but we'll keep this simple) All one needs to do is put the ethernet card in promiscuous mode and run a sniffer to organize the packets into readable data. On systems like Win9x, anyone can switch the card's mode. You'll pick up all unencrypted traffic: email, passwords, anything you want. This is why strong encryption is so important. HTTPS and SSH work around these problems quite well, but unfortunately they aren't very popular. Oh, and if the admin has access to your private key, you're really screwed! :P

[ Parent ]
Re: While I'm not a sysop of any networ... (none / 0) (#19)
by Anonymous Hero on Tue Apr 25, 2000 at 04:12:21 AM EST

I wonder whether this new sniffer can also decode SSH and HTTPS connections...
After all root can always read your private keys.


[ Parent ]
It's still needed software. Yes, th... (none / 0) (#5)
by Ozymandias on Mon Apr 24, 2000 at 05:41:22 PM EST

Ozymandias voted 1 on this story.

It's still needed software. Yes, there are serious privacy concerns, but those should be handled on a case-by-case basis. I have no problem installing this software on MY gateway; my family and I are the only ones using it, and as the admin, I trust myself with the data. Any other network is another story, which depends entirely on the system involved.
- Ozymandias

I imagine that the market for this ... (none / 0) (#1)
by bmetzler on Mon Apr 24, 2000 at 05:41:55 PM EST

bmetzler voted 1 on this story.

I imagine that the market for this is in large corporations, where you really have no privacy anyways. So I don't see this as being a problem at all. Everything you do should be known by the appropriate people anyways, and they wouldn't let IS use a log tool if you worked with classified information or something.
www.bmetzler.org - it's not just a personal weblog, it's so much more.

This kind of looks like just a crea... (none / 0) (#4)
by Velian on Mon Apr 24, 2000 at 06:01:10 PM EST

Velian voted -1 on this story.

This kind of looks like just a creative ad. I'm pretty sure it's not, but it's still information that is not very useful IMO.

When will we see the black hat vers... (none / 0) (#10)
by JumpSuit Boy on Mon Apr 24, 2000 at 06:10:53 PM EST

JumpSuit Boy voted 1 on this story.

When will we see the black hat version of it for free?
The Director disavows any knowledge of the preceding comment.

Interesting things to think about. ... (none / 0) (#2)
by fluffy grue on Mon Apr 24, 2000 at 06:20:36 PM EST

fluffy grue voted 1 on this story.

Interesting things to think about. I'm just glad that many sysadmins are, in general, ethical people, and often resist management trying to get them to get such personal stuff. Unfortunately, one of the sysadmins here at the NMSU CS department isn't so ethical (HI, IVAN, HOW ARE YOU?!) and this tool would likely make it even easier for him to know when I'm perusing various websites which he finds objectionable.
--
"Is not a quine" is not a quine.
I have a master's degree in science!

[ Hug Your Trikuare ]

Re: Linux Security Software Brings Forth Privacy I (none / 0) (#15)
by Anonymous Hero on Mon Apr 24, 2000 at 08:48:22 PM EST

My god it is the beginning of a digital 1984! That being said, I'd love to get my hands on a copy.

Re: Linux Security Software Brings Forth Privacy I (none / 0) (#17)
by prevostjm on Mon Apr 24, 2000 at 09:19:06 PM EST

Packet sniffing is nothing new. In my sophomore year at CMU, I built a program out of tcpdump and perl that would reconstruct all sorts of TCP streams. Is this a problem? No more now than it was then.

Here's a hint: nothing you send across any network without encryption will ever be private. You have two choices--you can either secure your privacy by encrypting, or not worry about it. I'm personally of the "don't worry about it" camp--except for security's sake. (I never type a password over the clear, but since SMTP is in the clear, I don't expect it to truly be private. Sometimes, I encrypt that, too.)

On the good side, maybe this will raise consciousness about crypto.

Who knows?
