


Now there is a mouthful!! Is there such a thing as internet security? Do you know how "secure" your internet connection and activities are? Why don't you start here: SecurityLogics. They will (after you fill out the free registration form) perform an "internet security" check of your computer and its connections. It is a free service, so why not try it - I did!

Here is something that I recently found to be very interesting. I suggest you check out SafeWeb - it is a site that allows you to surf the internet in a secure and encrypted mode. That means that "Little Brother" and "Big Brother" will not be able to track your movements. Not only that, your ISP cannot track your movements either! I just saw this being talked about on TechTV, which is a channel that anyone with DSS or Cable should consider checking out.

Having clued you in on that, there are a number of issues that need to be considered when thinking of internet security. I will try to break it down for you here on this page.
Internet Security Features

Carnivore, the Fourth Amendment, and You
As written in an article from Securius.com.

"It is not possible to determine or reasonably estimate the chance that some unknown force or person acting possibly irrationally at some unknown future time is going to abuse or misuse some unknown information in some unknown way." - Don B. Parker

Computer security is a tough game. You know that you're playing against someone, but it's often impossible to know who. You may have some notion of how your opponent will operate but often you're completely in the dark. Sometimes, however, you get a break.

Last month, I discussed e-mail security, with the sweeping warning that unknown parties could be intercepting your confidential e-mail at will. This month, a potent and widespread threat to e-mail confidentiality has come to light: the Federal Bureau of Investigation's Carnivore system.

Carnivore is a PC-based e-mail interception system that taps into an Internet Service Provider (ISP) network in order to capture the e-mail traffic of approved wiretap targets. The FBI provided some scant details about the systems during a Congressional hearing last week. Supposedly, the system is very discriminating about the traffic it intercepts (in contrast to an earlier design called Omnivore). Here's a description from the Congressional testimony of Tom Perrine, of the San Diego Supercomputer Center, who claims to have seen a Carnivore system:

"Physically, Carnivore is a personal computer with a network interface, and Zip or Jaz removable disk drive, running a version of the Microsoft Windows operating system, with the Carnivore software loaded. In order to use Carnivore, it must be physically attached to the network to be monitored.

The Carnivore software has a Graphical User Interface (GUI) which presents the user with an easy-to-use way to describe the filters that are to be used in accepting (and recording) or rejecting network data seen by the system."

You can view all the Congressional testimony at http://www.house.gov/judiciary/con07241.htm or read the sketchy details presented in the press:

http://news.cnet.com/news/0-1005-200-2245549.html
http://www.msnbc.com/news/438436.asp
http://www.wired.com/news/politics/0,1283,37765,00.html

Even after the flood of words about the system, nobody outside the FBI really knows squat. Carnivore is a secret system. It may do only what the FBI says it does, more than the FBI says it does, or less than the FBI says it does. It may be the tightest security system on the planet, or it may be just as bug-ridden and vulnerable as other Internet systems. Without complete system details and an opportunity to review the system's source code, there's no way to verify that the system meets the explicit requirements of the Fourth Amendment to the US Constitution:
The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.

Assuming it's telling the truth, the FBI could confirm compliance with the "particular description" mandate above by releasing the source code for Carnivore. Security gurus Matt Blaze and Steve Bellovin have argued persuasively that this should be done: http://www.crypto.com/papers/opentap.html

Barring a complete public release of the Carnivore source code, the only way to assess the threat is by inference and speculation. Carnivore is purportedly built around a commercial packet sniffing program. Packet sniffers take advantage of the fact that the Internet and supporting technologies are a broadcast medium: every machine on a Local Area Network sees every packet addressed to every machine. If a machine's Ethernet interface is kicked into promiscuous mode, that machine can analyze (sniff) every packet on the network looking for specific sources or destinations, protocols (like e-mail), passwords, etc.

It's difficult to imagine a packet sniffing design that can meet the Fourth Amendment's specificity requirement. In order to find a wiretapped target's e-mail, Carnivore must 1) inspect all packets for e-mail traffic, and 2) inspect all e-mail headers to determine if the mail is to or from the target. This kind of open-ended sniffing presents numerous risks to the e-mailing public. Your mail can be intercepted because:
Slowly and surely, the networking public is realizing that packet
sniffing is easy. Anyone can do it. There are dozens of commercial
and free packet sniffing programs available, dual-use programs
used by crackers and network administrators alike. Take, for
example, Trinux, one of the most effective tools for cracking or
analyzing a LAN. Trinux is a portable Linux distribution that fits
on a single floppy disk and contains precompiled versions of
popular network security/monitoring tools such as nmap, tcpdump,
iptraf, and ntop. Load a Trinux floppy into your typical corporate
Windows PC, re-boot into Trinux, type "tcpdump" and all the traffic
on the corporate LAN is yours (don't even think of trying this
without authorization). You can find out more at

The scenario cited above, in which a bad actor gains control of Carnivore, is improbable because in many cases it'd be easier for a bad actor to set up his/her own packet sniffer than to rely on the FBI's. In truth, the FBI is probably a lesser threat than 1) corporate spies, 2) disgruntled employees, or 3) nosy neighbors. The FBI has to stay within the bounds of the law (in theory). A corporate spy, on the other hand, may be dedicated to outing your information by any means possible. The disgruntled employee is just one re-boot away from your company's most confidential secrets. Your telecommuters won't know that their neighbor has set up a packet sniffer on the neighborhood's cable modem segment.

Given the multiplicity of threats, it's fortunate that there's an inexpensive, easy, and legal way to beat a Carnivore tap and similar packet-sniffing shenanigans: encryption. Anyone who's read previous issues of this newsletter won't be surprised at this recommendation: you should encrypt confidential data anytime it traverses public and insecure Internet systems. There are dozens of inexpensive and free encryption programs and platforms that can render Carnivore and other packet sniffers harmless.

PC Guardian, for example, offers an easy e-mail encryption plug-in
for Microsoft Outlook and Lotus Notes:
If you don't use Outlook or Notes, Encryption Plus(r) Secure
Export will work:
There's PGP, the granddaddy of e-mail encryption programs: http://www.pgp.com/
Secure Shell (SSH) encrypts a wide variety of Internet
communications:
Open SSH is a free version of the Secure Shell technology,
from the good folks who develop the OpenBSD operating system:
You can find additional encryption resources at
There's always hope that the FBI will do the right thing and end
speculation about Carnivore by publishing its source code. Until
then, assume the worst and take the steps necessary to beat the
packet snoops.
Seth Ross

The above is as it appears at: Securius.com.
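
Added example (not part of the Securius.com article and not code from any real interception system): the sketch below models the two-step filter the article describes, over three constructed, simplified SMTP transcripts that contain only the client-side commands. It counts how many sessions have to be inspected to retain the target's mail, and shows that a PGP-encrypted body stays opaque while the envelope addresses remain readable. All addresses, message text and the placeholder ciphertext are invented for illustration.

```python
import re

# Constructed sample traffic: three simplified SMTP sessions on a shared segment.
SESSIONS = [
    b"MAIL FROM:<alice@example.org>\r\nRCPT TO:<bob@example.net>\r\nDATA\r\n"
    b"Subject: lunch\r\n\r\nNoon at the usual place?\r\n.\r\n",
    b"MAIL FROM:<target@example.com>\r\nRCPT TO:<carol@example.net>\r\nDATA\r\n"
    b"Subject: contract\r\n\r\nThe bid is 1.2 million.\r\n.\r\n",
    b"MAIL FROM:<dave@example.org>\r\nRCPT TO:<target@example.com>\r\nDATA\r\n"
    b"Subject: (none)\r\n\r\n-----BEGIN PGP MESSAGE-----\r\n"
    b"[constructed placeholder ciphertext]\r\n-----END PGP MESSAGE-----\r\n.\r\n",
]

ENVELOPE = re.compile(rb"^(MAIL FROM|RCPT TO):<([^>]+)>", re.I | re.M)
PGP_ARMOR = b"-----BEGIN PGP MESSAGE-----"

def envelope_addresses(session: bytes) -> set:
    """Sender and recipient addresses from the SMTP envelope (always cleartext here)."""
    return {m.group(2).lower() for m in ENVELOPE.finditer(session)}

def body_of(session: bytes) -> bytes:
    """Message body: text after DATA, minus the headers and the terminating dot."""
    data = session.split(b"\r\nDATA\r\n", 1)[1]
    message = data.rsplit(b"\r\n.\r\n", 1)[0]
    return message.split(b"\r\n\r\n", 1)[1]

def filter_report(sessions, target: bytes) -> dict:
    """Apply a 'to or from the target' filter and tally what it touched and kept."""
    report = {"inspected": 0, "retained": 0, "readable": 0, "opaque": 0}
    for session in sessions:
        report["inspected"] += 1  # every envelope is parsed before the filter can decide
        if target.lower() not in envelope_addresses(session):
            continue              # non-target mail is dropped only after being examined
        report["retained"] += 1
        if body_of(session).startswith(PGP_ARMOR):
            report["opaque"] += 1    # content is ciphertext to the observer
        else:
            report["readable"] += 1  # content is captured in the clear
    return report

if __name__ == "__main__":
    print(filter_report(SESSIONS, b"target@example.com"))
    print(sorted(envelope_addresses(SESSIONS[2])))  # metadata visible despite PGP
```

Body encryption of this kind protects what a message says, not who is writing to whom; the envelope addresses and the unencrypted headers are still visible to anything on the path.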