Re: detecting sniffers is downright easy

Dr. Frederick B. Cohen (fc@all.net)
Wed, 10 May 1995 11:35:49 -0400 (EDT)

> 
> 
> Dr. Frederick B. Cohen says:
> > I thought I would mention that detecting sniffers from a real-world
> > point of view is downright easy in almost all cases.
> 
> > The vast majority of real-world sniffers reported to date are software
> > sniffers of one of two varieties:
> > 
> > 	1 - DOS programs using the network interface in promiscuous mode.
> > 	2 - Unix programs modifying OS software to observe packets.
> > 
> > The total number of (1) programs in widespread use comes to only 10-20
> > and is certainly under 100.  Current virus scanning technology makes
> > detection of these cases trivial by simply adding patterns for them into
> > your existing virus scanning software.
> 
> What if it isn't your machine? What if the sniffer is running on a tap
> on your network? This is by far the case that my clients have to worry
> about the most.

This is not a subject for bugtraq, which is only related to Unix security.
> 
> > All current (2) programs can be detected by comparing the OS programs
> > with their original distribution versions using MD5 or a similar
> > cryptographic checksum technique.
> 
> Again, what if it isn't your machine?

This is not a subject for bugtraq, which is only related to Unix security.

> 
> As I've said, repeatedly, if you have three or four thousand machines
> in a dozen cities on three continents (a common enough situation)
> there are literally tens of thousands of miles of cabling that you do
> not control and have no way to physically secure. Cryptography is, in
> the real world, the only practical method to secure your lines -- you
> can't guarantee that the physical lines are secure in the real world.

This is not a subject for bugtraq, which is only related to Unix security.

> 
> Therefore, your initial comment:
> > I thought I would mention that detecting sniffers from a real-world
> > point of view is downright easy in almost all cases.
> is as bogus as everything else you say.

Well, of course there are a lot of other ways to detect sniffers that are
both inexpensive and highly effective in the environment you describe,
but this is not a subject for bugtraq, which is only related to Unix
security.  So perhaps you should take this discussion elsewhere.

-- 
-----------------
\Management  /\/| 216-686-0090 - PO Box 1480, Hudson, OH 44236
 \        /\/   | Check out info-security heaven and test your system
  \/\  /\/      | for known vulnerabilities (1st time for free) at URL:
     \/Analytics| (scans deeper than SATAN or ISS)  http://all.net:8080
-----------------
   ASIS "Security Management" Articles and Information On-Line
   Read "Protection and Security on the Information Superhighway"
   John Wiley and Sons, 1995 ISBN 0-471-11389-1, 320 pp, $24.95
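The quoted message above describes detecting the second class of sniffer (Unix programs that replace OS software) by comparing installed programs against their distribution versions with MD5 or a similar cryptographic checksum. The following is an added example, not code from either poster: a minimal baseline-and-compare integrity check in Python. The directory layout, file names and contents are constructed for the demo, and SHA-256 is used in place of MD5 because MD5 is collision-broken today.

```python
"""Added example (not part of the original thread): detect a replaced system
program by comparing cryptographic checksums against a known-good baseline,
the technique the thread describes for Unix sniffers that modify OS software.
All paths and file contents below are constructed for the demo."""
import hashlib
import os
import tempfile

# The thread mentions MD5; SHA-256 is used here since MD5 is collision-broken.
HASH_ALGO = "sha256"


def hash_file(path, algo=HASH_ALGO):
    """Stream a file through the hash so large binaries do not need to fit in RAM."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Walk root and return {relative_path: digest}, the manifest to keep offline."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = hash_file(full)
    return baseline


def compare(baseline, current):
    """Classify every difference between the stored manifest and a fresh scan."""
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    missing = sorted(p for p in baseline if p not in current)
    added = sorted(p for p in current if p not in baseline)
    return {"modified": modified, "missing": missing, "added": added}


def demo():
    """Constructed scenario: three 'system programs' are baselined, then one is
    trojaned and a capture log appears.  Returns the comparison result."""
    with tempfile.TemporaryDirectory() as root:
        files = {  # constructed stand-ins for distribution binaries
            "bin/login": b"login v1.0 (constructed sample)\n",
            "bin/ps": b"ps v1.0 (constructed sample)\n",
            "usr/sbin/ifconfig": b"ifconfig v1.0 (constructed sample)\n",
        }
        for rel, data in files.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)
        baseline = build_baseline(root)  # taken at install time, stored offline

        # Simulate a sniffer install: login replaced, a hidden log file dropped.
        with open(os.path.join(root, "bin/login"), "wb") as f:
            f.write(b"login v1.0 (constructed sample)\n# also records passwords\n")
        with open(os.path.join(root, "usr/sbin/.tcp.log"), "wb") as f:
            f.write(b"")

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Two caveats a practitioner would add to the thread's claim: the baseline manifest and the checking tool must live somewhere the attacker cannot write (read-only media or another host), since whoever replaced `login` can also replace the checker; and an on-disk comparison only catches sniffers that changed files, not one that patches the running kernel or runs entirely from memory.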