Bugtraq mailing list archives

Re: snooper watchers

From: bent () snm com (Ben Taylor)
Date: Fri, 24 Feb 1995 11:33:18 -0500 (EST)


On Thu, 23 Feb 1995, John Adams wrote:

If you're at the point where you're worried about someone placing an
interface in promiscuous mode, it's probably too late for the rest 
of your system. A greater emphasis needs to be placed on securing the
machine itself, and not creating workarounds that monitor the interfaces.


Thanks for the tip.  However, since I am working with a client who 
has already had an initial scan, and are trying to fulfill all the
suggestions the tiger team made, I am trying to follow the clients
wishes.  They are paying my tab.  You are correct that if someone can
put a sniffer on your net, you're pretty screwed, but at least you
can reduce the ammount of damage that could be done.  However, my
job has been to review what has been done, recommend what else can
be done, and test.

Are you going to write a program that checks to see if root's cronjob has
been modified? Probably not, and if someone has access to /dev/nit, they're
going to have access to root's cronjob as well.


I suppose if you really wanted to make sure that crontab entries couldn't
be changed is to put them on a write protected floppy, mounted at boot.
It would provide a pretty good method to make sure the crontab entry
couldn't be change.  Of course killing cron is the bypass, but then
you'd really notice that, wouldn't you?


The best thing for you to do is completely remove /dev/nit from the system,
and make sure noone can get access to mknod to recreate it.


With loadable modules, this is academic.


Also, realize that snooping can occur _anywhere_ in your network. Unless 
you're willing to shield all of the cable in your building with some 
massively thick steel conduit, and place video cameras and armed guards at
every network 'T' connection, you're vunerable.


I'm very well aware of the possibilities of how you can be snooped.
Internal security is something only the client can take care of.  I
can make my recommendations and do nothing more.


              -john


Ben Taylor --- Chief Information Officer --- Smoke N' Mirrors, Inc.
-=-=-=-=-=-=-=-  Services for Systems Integration -=-=-=-=-=-=-=-=-
bent () snm com  "Where the impossible jobs get done!"  (703) 318-1440
           580 Herndon Pkwy, Suite 300, Herndon VA, 22070

Current thread:

Re: snooper watchers Mark Graff (Feb 22)
- Re: snooper watchers Casper Dik (Feb 22)
- Re: snooper watchers Ben Taylor (Feb 22)
  - Re: snooper watchers Casper Dik (Feb 23)
  - Re: lsof on Solaris 2.4 (was snooper watchers ) Dave Goldberg (Feb 23)
- <Possible follow-ups>
- Re: snooper watchers John Adams (Feb 23)
  - Re: snooper watchers Julian Assange (Feb 23)
    - Re: snooper watchers Karl Strickland (Feb 28)
    - Re: snooper watchers Julian Assange (Feb 28)
  - Re: snooper watchers Ben Taylor (Feb 24)
- Re: snooper watchers Charles Stephens (Feb 23)
- Re: snooper watchers mascarkp () cc3 adams edu (Feb 24)
- Re: snooper watchers Eiji Hirai (Feb 24)
  - Re: snooper watchers Gene Rackow (Feb 25)
    - Re: snooper watchers Timothy Newsham (Feb 25)
    - Re: snooper watchers Darren Reed (Feb 25)
    - Re: snooper watchers Dr. Frederick B. Cohen (Feb 25)
- Re: snooper watchers smb () research att com (Feb 26)
- Re: snooper watchers der Mouse (Feb 26)
- Re: snooper watchers Timothy Jones (Feb 26)

(Thread continues...)