Firewall Wizards mailing list archives

RE: What about Traffic Analysis?


From: sedayao () orpheus sc intel com (Jeff Sedayao)
Date: Fri, 7 Aug 1998 12:18:59 -0700 (PDT)

Adam Shostack writes:
      Ok, so the assembled wizards have declared trying to
understand the content of messages to be a loss, which is roughly
correct.

      What about performing traffic analysis on the mail flow?
Catching information by spikes in the places people send mail?
Sending files to the competition?  Is this worthwhile?  (Assume
trapping messages that hit some threshold.)
 
One of the more useful things to do with mail traffic analysis is to
sort mail usage by number of bytes sent or received and number of 
messages sent or received.  Then come up with lists of the top 10 or 20 
users.  This often can reveal suspicious behavior or abuse of your
resources.  It can also reveal who your valid heavy mail users are. This
can help you optimize your configurations for those who use Internet
mail the most or give them special service.

As for mail thresholds, just calling up some of the people sending out
large messages can be a good way to educate users that you are watching
and thus affect their behavior.  

While it is possible to smuggle stuff out an organization while
evading checks as I have described (by sending smaller messages to and
from a variety of users), you will probably still catch a lot of 
suspicious activities.

      In a talk at Defcon this weekend, someone made the comment
that sending pictures of giraffes to your friends is calling attention
to yourself, regardless of the ability of the screener to find the
stego'd encrypted message in the picture.
 
Adam
 
-- 
"It is seldom that liberty of any kind is lost all at once."
                                                     -Hume
-- 
Jeff Sedayao
Intel Corporation
sedayao () orpheus sc intel com
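A small illustration of the ranking and threshold approach described in the reply above, added here as an example and not part of the original thread. It assumes sendmail-style `from=` log records; the log lines below are constructed, and the field layout, threshold value and names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not from the original post), loosely in the
# shape of sendmail "from=" records: queue id, sender, size in bytes.
SAMPLE_LOG = """\
Aug  7 09:01:12 mx sendmail[101]: JAA101: from=<alice@example.com>, size=1800, nrcpts=1
Aug  7 09:05:40 mx sendmail[102]: JAA102: from=<bob@example.com>, size=950000, nrcpts=1
Aug  7 09:06:02 mx sendmail[103]: JAA103: from=<alice@example.com>, size=2200, nrcpts=2
Aug  7 09:10:55 mx sendmail[104]: JAA104: from=<carol@example.com>, size=120000, nrcpts=1
Aug  7 09:12:09 mx sendmail[105]: JAA105: from=<bob@example.com>, size=1100000, nrcpts=1
Aug  7 09:15:33 mx sendmail[106]: JAA106: from=<alice@example.com>, size=1500, nrcpts=1
"""

# queue id, sender address, message size; "to=" records do not match and are skipped
FROM_RE = re.compile(r"(\w+): from=<([^>]+)>, size=(\d+)")

def summarize(log_text):
    """Per-sender totals: {sender: (total_bytes, message_count)}."""
    bytes_by = defaultdict(int)
    msgs_by = defaultdict(int)
    for line in log_text.splitlines():
        m = FROM_RE.search(line)
        if not m:
            continue
        _, sender, size = m.groups()
        bytes_by[sender] += int(size)
        msgs_by[sender] += 1
    return {s: (bytes_by[s], msgs_by[s]) for s in bytes_by}

def top_users(stats, key="bytes", n=10):
    """Top-n senders ranked by total bytes (key='bytes') or by message count (key='messages')."""
    idx = 0 if key == "bytes" else 1
    return sorted(stats.items(), key=lambda kv: kv[1][idx], reverse=True)[:n]

def over_threshold(log_text, max_bytes):
    """Single messages larger than max_bytes, as (queue id, sender, size), in log order."""
    hits = []
    for line in log_text.splitlines():
        m = FROM_RE.search(line)
        if m and int(m.group(3)) > max_bytes:
            hits.append((m.group(1), m.group(2), int(m.group(3))))
    return hits

if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG)
    print("top by bytes:   ", top_users(stats, "bytes", 3))
    print("top by messages:", top_users(stats, "messages", 3))
    print("over 500000 bytes:", over_threshold(SAMPLE_LOG, 500000))
```

Note that, as the reply itself points out, the per-message threshold misses a sender who splits data into many small messages; the message-count ranking is what surfaces that pattern.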


