Listen Too Closely and You May Be Confused
Among the most basic simplifying assumptions of modern communications security is the notion that most communication channels should, by their very nature, be considered vulnerable to interception. It has long been considered almost reckless to suggest depending on any supposed intrinsic security properties of the network itself, and especially foolish in complex, decentralized, heterogeneously-controlled networks such as the modern Internet. Orthodox doctrine is that any security must be either end-to-end (as with cryptography), or not considered to exist at all.
While this heuristic serves cautious confidential communicators well, it is unsatisfying from the point of view of the eavesdropper. Paradoxically, while end-to-end security may be a prerequisite to robust confidentiality in most networks, it does not follow that a lack of end-to-end security always makes it possible to eavesdrop.
Keywords: Intrusion Detection System, Computer Crime, Network Intrusion Detection, Digital Evidence, Network Intrusion Detection System