Hello,

I'm going to send this message to bugtraq, comp.security.*, and alt.security, so I apologize if you see it more than once. Bugtraq WAS first on my list, so I deserve some credit for that. :-)

My company has written a program called "Watcher" which allows a system administrator to monitor all login and mail connections on his network, in real-time. The administrator can log data to either a text file or a raw packet file which can later be replayed through Watcher. Most importantly, Watcher allows the admin to CONTROL network users by instantly terminating any connection, setting up makeshift firewalls, or even TAKING OVER (hijacking) any connection.

Watcher has a graphical (and text) interface which displays a list of every network login session. The admin can select from this list, which brings up a terminal emulator window. The admin then sees EXACTLY what the user is seeing, and what the user is typing. On this window there're also controls to log the connection, as well as to use the active countermeasures as described above.

Watcher is an extremely valuable tool for monitoring network activity in real-time. Aside from the obvious security applications, Watcher could also be used to debug network problems, or even to assist users of machines who need help.

As with any security program, Watcher can be seriously abused to the point of rendering firewalls and all one-time authentication systems worthless (including smartcards, challenge/response schemes, pre-arranged password sequences, default unencrypted kerberos, etc).

For a description of Watcher, as well as a screenshot and a discussion of the features (both defensive and offensive) Watcher offers, take a look at:

http://www.c3.lanl.gov/~mcn/watcher.htm

NOTE: Watcher has NOTHING to do with LANL.GOV! If you have questions or complaints, come to me and my company.

Watcher is not yet available commercially. We haven't decided what to do with it yet (commercial or free?). Until now, we've been using it primarily for our penetration testing and network security consulting for our clients. I'm only making this announcement because the existence and availability of such technology needs to be considered. In addition, since I put up the page yesterday (and made NO announcements), over 60 people have accessed it (out of the usual 2 or 3 who access my home page daily). In order to prevent confusion, I thought I would announce this publicly.

A paper on the Watcher is being submitted to the Computer Security Applications Conference (CFP is due in 2 days). I will be putting a copy of this paper up as soon as possible (assuming CSAC has no objections).

Feel free to contact us if you have any questions or comments.

-Mike

--
Mike Neuman (mcn@EnGarde.com) - EN GARDE SYSTEMS - Computer Security Consulting
http://www.c3.lanl.gov/~mcn - http://www.cec.wustl.edu/~dmm2/egs/egs.htm
===============================================================================
"Most of these should be 'void', but the people who defined the STREAMS data structures for S[ystem] 5 didn't understand data types." - Solaris source