===============================================================
T H E   S E C U R I U S   N E W S L E T T E R
===============================================================
July 31, 2000 | Vol. 1, #08 | http://www.securius.com/

CONTENTS

* Watching the Watchers
* Carnivore
* The Fourth Amendment
* Protection through Encryption
* Technical Note on Encryption Plus for Folders Lite

FROM THE AUTHOR'S DESK

This issue was going to be dedicated to the different computer security communities -- white hat, black hat, and gray hat. Instead, I've decided to cover the newly-publicized security and privacy threat posed by packet sniffing systems like the FBI's Carnivore. I'll double back to community issues next month. In the meantime, I invite you to contemplate Carnivore, the Fourth Amendment to the Constitution, and the future of privacy in a world of data-sucking snoops.

Thank you for your continuing support and readership.

Yours,
Seth Ross

FORWARD THIS MAIL RIGHT NOW

Please take a moment and forward this newsletter to a colleague or friend.

===============================================================
A service of PC Guardian | San Rafael, California
Computer security products | http://www.pcguardian.com/
"Protecting Computers & Data Worldwide -- Since 1984"
===============================================================

WATCHING THE WATCHERS -- Carnivore, the Fourth Amendment, and You

"It is not possible to determine or reasonably estimate the chance that some unknown force or person acting possibly irrationally at some unknown future time is going to abuse or misuse some unknown information in some unknown way." -- Donn B. Parker

Computer security is a tough game. You know that you're playing against someone, but it's often impossible to know who. You may have some notion of how your opponent will operate, but often you're completely in the dark. Sometimes, however, you get a break.
Last month, I discussed email security, with the sweeping warning that unknown parties could be intercepting your confidential email at will. This month, a potent and widespread threat to email confidentiality has come to light: the Federal Bureau of Investigation's Carnivore system.

Carnivore is a PC-based email interception system that taps into an Internet Service Provider (ISP) network in order to capture the email traffic of approved wiretap targets. The FBI provided some scant details about the system during a Congressional hearing last week. Supposedly, the system is very discriminating about the traffic it intercepts (in contrast to an earlier design called Omnivore). Here's a description from the Congressional testimony of Tom Perrine, of the San Diego Supercomputer Center, who claims to have seen a Carnivore system:

    Physically, Carnivore is a personal computer with a network interface, and Zip or Jaz removable disk drive, running a version of the Microsoft Windows operating system, with the Carnivore software loaded. In order to use Carnivore, it must be physically attached to the network to be monitored. The Carnivore software has a Graphical User Interface (GUI) which presents the user with an easy-to-use way to describe the filters that are to be used in accepting (and recording) or rejecting network data seen by the system.

You can view all the Congressional testimony at
http://www.house.gov/judiciary/con07241.htm
or read the sketchy details presented in the press:
http://news.cnet.com/news/0-1005-200-2245549.html
http://www.msnbc.com/news/438436.asp
http://www.wired.com/news/politics/0,1283,37765,00.html

Even after the flood of words about the system, nobody outside the FBI really knows squat. Carnivore is a secret system. It may do only what the FBI says it does, more than the FBI says it does, or less than the FBI says it does.
It may be the tightest security system on the planet, or it may be just as bug-ridden and vulnerable as other Internet systems. Without complete system details and an opportunity to review the system's source code, there's no way to verify that the system meets the explicit requirements of the Fourth Amendment to the US Constitution:

    The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.

Assuming it's telling the truth, the FBI could confirm compliance with the "particular description" mandate above by releasing the source code for Carnivore. Security gurus Matt Blaze and Steve Bellovin have argued persuasively that this should be done:
http://www.crypto.com/papers/opentap.html

Barring a complete public release of the Carnivore source code, the only way to assess the threat is by inference and speculation. Carnivore is purportedly built around a commercial packet sniffing program. Packet sniffers take advantage of the fact that the Internet and supporting technologies are a broadcast medium -- every machine on a Local Area Network sees every packet addressed to every machine. If a machine's Ethernet interface is kicked into promiscuous mode, that machine can analyze (sniff) every packet on the network looking for specific sources or destinations, protocols (like email), passwords, etc.

It's difficult to imagine a packet sniffing design that can meet the Fourth Amendment's specificity requirement. In order to find a wiretapped target's email, Carnivore must 1) inspect all packets for email traffic, and 2) inspect all email headers to determine if the mail is to or from the target. This kind of open-ended sniffing presents numerous risks to the emailing public.
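To make the two-step inspection concrete, here is a toy model of a header-matching mail tap run over a handful of constructed packets. It is an added example written for this newsletter, not Carnivore's code; the packet records, addresses and the target mailbox are all made up. The number it returns alongside the captured packets is the number of third-party messages whose headers had to be opened to find the target's.

```python
"""Toy model of a target-specific mail tap (added example, not Carnivore's code).

Step 1 keeps only mail packets; step 2 opens the headers of every one of them
to decide whether the message is to or from the target.  Counting the headers
read shows how much non-target mail a 'discriminating' filter still inspects.
"""
from dataclasses import dataclass
from email.parser import Parser


@dataclass
class Packet:
    src: str       # constructed source address
    dst: str       # constructed destination address
    dport: int     # destination port (25 = SMTP)
    payload: str   # application data as captured


# Constructed traffic: three SMTP messages (one to the target, one PGP-encrypted
# body between unrelated parties) and one web request that is not mail at all.
TARGET = "suspect@example.net"  # hypothetical wiretap target
PACKETS = [
    Packet("10.0.0.5", "10.0.0.25", 25,
           "From: alice@example.net\r\nTo: bob@example.org\r\n\r\nlunch?"),
    Packet("10.0.0.6", "10.0.0.25", 25,
           "From: carol@example.net\r\nTo: suspect@example.net\r\n\r\nhi"),
    Packet("10.0.0.7", "10.0.0.25", 25,
           "From: dave@example.net\r\nTo: erin@example.org\r\n\r\n"
           "-----BEGIN PGP MESSAGE-----\r\n...encrypted body..."),
    Packet("10.0.0.8", "10.0.0.80", 80, "GET / HTTP/1.0\r\n\r\n"),
]


def tap(packets, target):
    """Return (captured packets, number of mail headers opened)."""
    captured, headers_read = [], 0
    for p in packets:
        if p.dport != 25:            # step 1: protocol filter, non-mail skipped
            continue
        msg = Parser().parsestr(p.payload)
        headers_read += 1            # step 2: every mail header is read, target or not
        addrs = {msg.get("From", "").strip().lower(),
                 msg.get("To", "").strip().lower()}
        if target.lower() in addrs:
            captured.append(p)
    return captured, headers_read


if __name__ == "__main__":
    got, opened = tap(PACKETS, TARGET)
    print(f"captured {len(got)} message(s), opened {opened} headers")
```

Note that the PGP-encrypted message is still opened and its From/To lines still read; end-to-end email encryption hides the body from the tap, not the addressing.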
Your mail can be intercepted because:

* you correspond with a wiretap target
* you use the same ISP as a wiretap target
* you correspond with someone at a target's ISP
* you received a dynamically-assigned IP address previously used by a wiretap target
* a bad actor has gained control of a Carnivore system

Given that the above risks apply universally, you must work on the assumption that all your mail is subject to possibly illegal searches and seizures.

To the extent that Carnivore raises public awareness of the ease and ubiquity of eavesdropping systems -- and lessens the unknowns cited by Donn B. Parker -- it's performing a public service. Slowly and surely, the networking public is realizing that packet sniffing is easy. Anyone can do it. There are dozens of commercial and free packet sniffing programs available, dual-use programs used by crackers and network administrators alike.

Take, for example, Trinux, one of the most effective tools for cracking or analyzing a LAN. Trinux is a portable Linux distribution that fits on a single floppy disk and contains precompiled versions of popular network security/monitoring tools such as nmap, tcpdump, iptraf, and ntop. Load a Trinux floppy into your typical corporate Windows PC, re-boot into Trinux, type "tcpdump" and all the traffic on the corporate LAN is yours (don't even think of trying this without authorization). You can find out more at
http://www.trinux.org/

The scenario cited above -- in which a bad actor gains control of Carnivore -- is improbable because in many cases it'd be easier for a bad actor to set up his/her own packet sniffer than to rely on the FBI's. In truth, the FBI is probably a lesser threat than 1) corporate spies, 2) disgruntled employees, or 3) nosy neighbors. The FBI has to stay within the bounds of the law (in theory). A corporate spy, on the other hand, may be dedicated to outing your information by any means possible.
The disgruntled employee is just one re-boot away from your company's most confidential secrets. Your telecommuters won't know that their neighbor has set up a packet sniffer on the neighborhood's cable modem segment.

Given the multiplicity of threats, it's fortunate that there's an inexpensive, easy, and legal way to beat a Carnivore tap and similar packet-sniffing shenanigans: encryption. Anyone who's read previous issues of this newsletter won't be surprised at this recommendation: you should encrypt confidential data anytime it traverses public and insecure Internet systems. There are dozens of inexpensive and free encryption programs and platforms that can render Carnivore and other packet sniffers harmless.

PC Guardian, for example, offers an easy email encryption plug-in for Microsoft Outlook and Lotus Notes:
http://www.pcguardian.com/software/email_s.html

If you don't use Outlook or Notes, Encryption Plus(r) Secure Export will work:
http://www.pcguardian.com/software/secure_s.html

There's PGP, the granddaddy of email encryption programs:
http://www.pgp.com/

Secure Shell (SSH) encrypts a wide variety of Internet communications:
http://www.ssh.com/

OpenSSH is a free version of the Secure Shell technology, from the good folks who develop the OpenBSD operating system:
http://www.openssh.com/

You can find additional encryption resources at
http://www.securius.com/links/index.php3?&c_id=16&url=url

There's always hope that the FBI will do the right thing and end speculation about Carnivore by publishing its source code. Until then, assume the worst and take the steps necessary to beat the packet snoops.

NEXT MONTH: White Hats, Black Hats, Gray Hats -- Who are these people?

'Til then, keep your guard up.
--------------------------------------------------------
TECHNICAL NOTE -- ENCRYPTION PLUS FOLDERS LITE
--------------------------------------------------------

In issue #3 (http://www.securius.com/newsletter/archive/103.txt), I plugged the freeware version of our filesystem encryption product, Encryption Plus for Folders. If you downloaded and installed Encryption Plus for Folders Lite from September 1999 to May 31, 2000 (versions 1.0 through 2.10), you may experience problems when you uninstall/remove the program. PC Guardian has produced a patch that resolves this potential problem and updates the program. While most users won't encounter this problem, PC Guardian recommends that anyone who's running the affected versions download and run the patch. This takes about five minutes. You can find the patch at
http://www.pcguardian.com/software/patches/epfl_062200.html

Warning: Do NOT uninstall Encryption Plus for Folders before you run the patch!

===============================================================
ABOUT THIS NEWSLETTER

The Securius Newsletter is published monthly by PC Guardian. For information about our simple and effective crypto software and anti-theft devices, please visit us at
http://www.pcguardian.com/

SUBSCRIBING/UNSUBSCRIBING

To unsubscribe from this newsletter, send an email to
leave-security-outpost-news@lists.securityoutpost.com

To subscribe to this newsletter, send an email to
join-security-outpost-news@lists.securityoutpost.com

===============================================================
FEEDBACK OR QUESTIONS

Did you find this issue of the Securius Newsletter interesting? Insightful? Useful? Please let me know. Contact the author directly:

Seth T. Ross
Director of Security Publications & Resources
PC Guardian
1133 East Francisco Blvd.
San Rafael, CA 94901
+1 415-459-0190 x143
sross@pcguardian.com

===============================================================
Redistribution of this newsletter is permitted, as long as the entire message body and this notice are included.
Copyright 2000 PC Guardian. All rights reserved.
===============================================================