lan monitoring / packet sniffers / big brother

[pwalter672]

Background:

I am overseas and accessing www.aol.com via my LAN and sending and receiving e-mails.

Question:

Can somone see the content of the e-mails that I send and receive?


As I read about the "packet sniffer" programs they seem like a reactive vice proactive measure to accomplish this task. For example it would be virtually impossible to capture every network packet sent by every user on the LAN then decode it and read its content as this would take forever. Are there any other types of "big brother" monitoring software out there that could be installed somewhere on my LAN?

If someone could further explain the capabilities and limitations of these types of software and my situation I would be greatly appreciative.


-PW

[XychiX]

People that own a pc which is on the route between you and the recieving AOL mailserver can read your plaintext mail.

i think the biggest danger is the LAN you are in. If this lan consists out of hub's or "lazy" switches youre mail can be red by all the machines on this local lan, it can be done quite easy with program's like Ethereal sniffer.

The machines out on the internet can also read youre mail but there will be lot's of traffic there so it's quite hard to pick out the right mails (if they know you and filter at you're ip adress they can retrieve youre mail!!)

Solution:

Use PGP Pretty Good Privacy to sign and encrypt your mail!

[instronics]

Hi there.

For example it would be virtually impossible to capture every network packet sent by every user on the LAN then decode it and read its content as this would take forever.

Uhm, thats not true. It is possible to capture every network packet sent. A packet sniffer listens on a network and captures all packets send. The information on each packet is filtered out in a way where you can choose what you want to ignore of find. In this case it will take a long time to read/find the packages you are interested in, but its do-able. (LOL@my english here). A packet sniffer is an important tool for network administrators as it is used for the reasons that you believe are not possible. You can view the content of each packet along with alot of other information such as :

1 - Source/destination ip

2 - Source/destination port

3 - Protocol (tcp, udp, icmp etc...)

4 - The contents of a package.

5 - Size of a packet.

There is alot more info of what a good packet sniffer can find, that im not aware of right now (im not at home, so i cannot lookup my notes at this time, but feel free to send me a message and i will try to send you more detailed information).

Also be aware that what you call "big brother" are actuall nsa stations setup around the world called echelon stations. They filter out everybit of information going through WANS. A better way for you to understand this is to download your own packet snifer and see for yourself how it works and what information you can get using one. I would recomend you try "ethereal" as its a very good packet sniffer and the information is very accurate. One way of being safe from sniffers would be to use encryption. If the conversation between client and server is encrypted, then the sniffer would have a hard time reading the contents of a packet that is captured. Further more, if you plan on using encryption, then use strong encryption (not 64 or 128 bit, but higher like 1024 or 2048). Also be aware that there are laws on encrpytion depending on your location. France for example does not allow higher encryption than 64 bits, and germany does not allow higher encryption than 128 bits.

I hope this has helped you.

Good luck

[slarty]

As I read about the "packet sniffer" programs they seem like a reactive vice proactive measure to accomplish this task. For example it would be virtually impossible to capture every network packet sent by every user on the LAN then decode it and read its content as this would take forever.

Not at all, remember that the decoding and reading its content would almost certainly be done automatically. Software could piece together emails and other communications from the packets and present them to the snooper in an easy-to-read form, which can be grepped for keywords etc.

Are there any other types of "big brother" monitoring software out there that could be installed somewhere on my LAN?

Yes, countless ones.

The main things to be interested in is host-based spyware systems (keyloggers for example) and hardware ones (hardware keyloggers)

Both are extremely difficult to detect and could be placed on your machine by anyone with physical access. Any amount of encryption of network traffic will not protect you from host-based spyware, because it can intercept stuff before it is encrypted. The same goes for hardware keyloggers (although there are some measures which can be used to protect passwords, but not content)

I would suggest that protection against a well-funded adversary is both extremely awkward and largely unnecessary. Remember that someone who *really* wants to read your email can always find out what you were saying by kidnapping you and using truth drugs and/or torture

[pwalter672]

Thank you everyone for the prompt replies. Here's a follow-up question:

Could a packet sniffer be used to find out if someone is letting out company information?

For example say Company X has a new product they want to sell. An employee at Company X sent the info on this new product to someone on the outside using AOL or HOTMAIL or something like that when they were not supposed to.

What do I need to do to find out the following:

1. Find out WHO at Company X sent out the product information.

2. Put controls in place so it cannot happen again.


How could I go about accomplishig these tasks?


-PW

[instronics]

Uhm about the controls.....one way would be proxies (controlling of file types that pass the proxy server) and a firewall maybe (what kind of outgoing connections are possible, like destination ports 21 -ftp-, 22 - ssh-, maybe dcc send ports could be locked aswell.)

Its hard to find out which user send what, but its possible to see which host send what. It depends who has access to the computer they are sending from. I suppose a packet sniffer can see what files are being sent where, but it cannot tell you who the actual user is. Maybe im wrong on this one, so please correct me if i am. Also a keylogger can help you, but it will mean that you actually will have to go through large ammounts of logfiles to see what is going on. Another way is using software such as remote views (VNC), but that only helps if you are actually there the moment is happens and are actually viewing the users with that or similar software. For example, at work i use VNC to see what the users are doing on their computers if unauthorized use is suspected. Be sure to have warning banners on the computers so the users know that their actions are being monitored. For example, here every time a user logs on, they get a message like "Unauthorized use of this system is prohibited. By accessing this system you agree that your actions can/will be monitored if misuse is suspected" or something like that.

Cheers.

Cheers.

[KissCool]

It sounds to me like if you were a network administrator trying to control his users in a more efficient way.
If it's your situation, you also must be aware of the fact that such interceptions may not be legal.

I don't know the laws in the place were you work. But in the majority of situations and places (I think) you can't legally read the mails of someone. And even if you have signed an authorization, the law can consider that you are not able to drop out your own rights.

KC

[instronics]

Kiss cool, i disagree with you there. If its company computers and company work hours that we are talking about (which is the fact in my case), the users are not allowed to send private mails or any kind of package across our network. This is part of our security policy and our users are aware of that. They are not allowed to use the computers of non-work situations. Everything they do on company computers can and will be monitored. So in my situation i do have the rights to read any mail that crosses my router, where its in or out! It would be illegal if the users were not aware that all access is monitored, which is why we HAVE to make sure that they know this. Also in my case we are talking about a company that has very confidential data on our systems (security related buisiness). Therefore we have to be able to make sure that our data is secured by ANY means. Maybe thats exagerated in pwalter672 situation. But in my case, we have to control our users what they do on our systems. Also all our users when entering and leaving the company also have to pass a security checkpoint to make sure that nothing comes in or out that is against our policy. We are by no means government related or anything like that. We sell security (home security www.alarms.gr ), so our customer information is very confidential for their security, as in what security we have provided them with, what alarm codes they have, what times our security guards do checkups on customers goods/properties.

Cheers

[pwalter672]

We've already got the capability to screen company e-mails sent through normal channels.

What we don't have and need is the ability to do the same with web-based e-mail interfaces such as AOL and / or HOTMAIL etc...

-PW

[slarty]

Monitoring email through such channels would be fairly easy - you simply want to make a sniffer or proxy which logs the contents of any HTTP POSTs sent out at all - and you can scan for these ones.

You will, however, have to disable all HTTPS access by staff, as they can easily bypass any sniffers or proxy filters by using HTTPS - Not very many free email systems will support HTTPS, but paid-up ones typically do.

The easiest way to do this is by using a proxy.

However, I'd be very dubious about doing so, you will still have other channels through which staff can take confidential stuff out of the building.

You could of course, prevent all access to the internet by employees, except through the use of "dirty" non-networked machines which they would require special permission to use. These machines would not have any removeable media drives, nor be connected to any others.

All other internet connections would be removed, and staff would be routinely searched for removeable media when entering and leaving the building.

The posession of modems would be banned inside the building, and all laptops, PDAs etc would have to be left in a secure lockup when staff come in. (Of course you could have clean ones for use in the building only)

Mobile phones would be banned of course (although the radiation-preventing design of the building would make them useless anyway)

This does sound a bit draconian, this is the sort of thing that secure government facilities do to prevent unauthorised information leaks.

You probably also want to screen employees as well as governments do (which is basically impossible if you aren't a government)

You may be able to detect information leaks retrospectively with a sniffer, but you won't be able to prevent them. Prevention requires the large number of steps mentioned above, although that will still not stop a determined individual.

Bear in mind that email sent through normal channels may contain steganographically encrypted data which cannot be detected.