Firewall Wizards mailing list archives
RE: What about Traffic Analysis?
From: sedayao () orpheus sc intel com (Jeff Sedayao)
Date: Fri, 7 Aug 1998 12:18:59 -0700 (PDT)
Adam Shostack writes:
Ok, so the assembled wizards have declared trying to understand the content of messages to be a loss, which is roughly correct. What about performing traffic analysis on the mail flow? Catching information by spikes in the places people send mail? Sending files to the competition? Is this worthwhile? (Assume trapping messages that hit some threshold.)
One of the more useful things to do with mail traffic analysis is to sort mail usage by number of bytes sent or received and number of messages sent or received. Then come up with lists of the top 10 or 20 users. This often can reveal suspicious behavior or abuse of your resources. It can also reveal who your valid heavy mail users are. This can help you optimize your configurations for those who use Internet mail the most or give them special service. As for mail thresholds, just calling up some of the people sending out large messages can be a good way to educate users that you are watching and thus affect their behavior. While it is possible to smuggle stuff out of an organization while evading checks as I have described (by sending smaller messages to and from a variety of users), you will probably still catch a lot of suspicious activities.
In a talk at Defcon this weekend, someone made the comment that sending pictures of giraffes to your friends is calling attention to yourself, regardless of the ability of the screener to find the stego'd encrypted message in the picture.
Adam
-- "It is seldom that liberty of any kind is lost all at once." -Hume
-- Jeff Sedayao Intel Corporation sedayao () orpheus sc intel com
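The per-user ranking and size threshold described in the reply above, as an added example that is not part of the original message or any poster's own tooling. It assumes a simplified sendmail-style log with one recipient per to= line; the addresses, queue IDs and the 1,000,000-byte threshold are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in a simplified sendmail-style syslog layout (not real traffic).
SAMPLE_LOG = """\
Aug  7 09:00:01 mx sendmail[101]: JAA00101: from=<alice@corp.example>, size=2048, nrcpts=1
Aug  7 09:00:02 mx sendmail[102]: JAA00101: to=<bob@corp.example>, stat=Sent
Aug  7 09:05:10 mx sendmail[103]: JAA00102: from=<carol@corp.example>, size=5000000, nrcpts=1
Aug  7 09:05:12 mx sendmail[104]: JAA00102: to=<ext@other.example>, stat=Sent
Aug  7 09:07:30 mx sendmail[105]: JAA00103: from=<alice@corp.example>, size=1024, nrcpts=1
Aug  7 09:07:31 mx sendmail[106]: JAA00103: to=<carol@corp.example>, stat=Sent
Aug  7 09:09:00 mx sendmail[107]: JAA00104: from=<dave@corp.example>, size=300000, nrcpts=1
Aug  7 09:09:05 mx sendmail[108]: JAA00104: to=<ext@other.example>, stat=Deferred
Aug  7 09:12:44 mx sendmail[109]: JAA00105: from=<carol@corp.example>, size=4096, nrcpts=1
Aug  7 09:12:45 mx sendmail[110]: JAA00105: to=<alice@corp.example>, stat=Sent
"""

FROM_RE = re.compile(r": (\w+): from=<([^>]*)>, size=(\d+)")
TO_RE = re.compile(r": (\w+): to=<([^>]*)>.*stat=Sent")  # completed deliveries only

def analyze(log_text, large_bytes=1_000_000):
    """Return (per-user counters, messages at or above large_bytes)."""
    pending = {}                  # queue id -> (sender, size), joins from= to to= lines
    stats = defaultdict(Counter)  # user -> msgs/bytes sent and received
    large = []                    # (sender, size, queue id) worth a follow-up call
    for line in log_text.splitlines():
        if m := FROM_RE.search(line):
            qid, sender, size = m.group(1), m.group(2).lower(), int(m.group(3))
            pending[qid] = (sender, size)
            stats[sender].update(msgs_sent=1, bytes_sent=size)  # counted once accepted
            if size >= large_bytes:
                large.append((sender, size, qid))
        elif m := TO_RE.search(line):
            qid, rcpt = m.group(1), m.group(2).lower()
            if qid in pending:    # skip deliveries whose from= line was never seen
                stats[rcpt].update(msgs_recv=1, bytes_recv=pending[qid][1])
    return stats, large

def top_users(stats, key, n=10):
    """Top n users by one counter: bytes_sent, bytes_recv, msgs_sent or msgs_recv."""
    ranked = sorted(stats.items(), key=lambda kv: (-kv[1][key], kv[0]))
    return [(user, c[key]) for user, c in ranked[:n] if c[key]]

if __name__ == "__main__":
    stats, large = analyze(SAMPLE_LOG)
    print(top_users(stats, "bytes_sent"), large)
```

Because the totals are accumulated per user across all messages, a sender who stays under the per-message threshold still rises in the bytes_sent and msgs_sent rankings.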