After seeing what is possible using WinDump, TCPDump, and/or Wireshark, does this change your thoughts on an expectation of privacy when using a computer network?
What change(s) would you make yourself?
What change(s) would you think an organization should make?
Vince Kelly says
After seeing what is possible using WinDump, TCPDump, and/or Wireshark, does this change your thoughts on an expectation of privacy when using a computer network?
I’ve used protocol analyzers on and off over the course of my entire career, so these tools really don’t change my expectations regarding privacy. I think that they’re invaluable troubleshooting and debugging tools. In fact, when it comes to the possibility of protocol analyzers exposing private communications, I think the issue has actually improved substantially. There are several reasons for this – *almost* all browser traffic now relies on https as a transport (SSL/TLS encryption), most traffic is restricted within layer 2 boundaries when using switched infrastructures, and even those boundaries can be further virtualized, isolated and ‘microsegmented’ down to an extremely granular level with the emergence of SDN. In other words, today’s secure transport and segmentation technologies *have the potential* to facilitate better privacy.
That being said, what *DOES* really scare me is all of the other activity that’s occurring and accelerating within the infrastructure – techniques like encrypted traffic analytics, pattern recognition systems, machine learning and hyperlocation tracking. For all intents and purposes, these emerging technologies will make the fact that you’re using encryption almost irrelevant. The point is – am I worried about what private information can be exposed by protocol analyzers? Not really. But am I worried about the circumvention of existing privacy ‘protection’ tools and capabilities with new technologies? ABSOLUTELY!!!!
What change(s) would you make yourself?
There are certainly some prudent, simple steps that can be taken to make it somewhat harder to expose your private information, like patching and encryption, but this is most definitely an intractable problem. Short of throwing my phone and PCs into the dumpster and moving into a cave in Montana so that I can completely drop off the grid, there’s pretty much nothing that can be done or changed. This situation won’t change or tangibly improve until the day that monitoring and tracking people’s activities – both physical and virtual – is no longer profitable.
What change(s) would you think an organization should make?
I’d like to say that standard approaches and best practices like locking down network infrastructure, controlling who has the ability to enable/disable span ports on switches, etc, etc, can help protect organizations – except for the fact that “organizations” themselves are actually some of the biggest privacy abusers!
Given the sensitivities, the amount of litigation and the vast sums of money involved in today’s business environments, the fines and litigation over PII negligence, brand/reputation damage, and loss of IP, many organizations are actively inspecting traffic behind the scenes without anyone’s knowledge. It’s part of many companies’ “Acceptable Use Policy” (AUP) that people accept every time they log into work.
I think that two circumstances have contributed to this problem:
1. Given the increasingly impulsive, dynamic and dangerous societal environments and ‘norms’ that have begun to emerge over the last few years, most companies believe that they have a fiduciary obligation to protect the workplace environment, their employees and shareholders and so monitoring *all* activity is assumed to be a necessity within the workplace.
2. The problem is that today, the definition of *where* the workplace boundary begins and ends has completely evaporated – i.e., it’s not uncommon to overhear someone engaged on their (company owned) cell phone in (what obviously is) a work conversation at a diner, or to observe someone working on their (company owned) PC remotely from the beach. Traditionally, people have held a reasonable expectation of privacy at these locations, but unfortunately today “work/life balance” has become a misnomer and instead has dissolved into “work IS life”.
As a result, most companies have taken to heart the notion that anything that an employee does on company owned equipment belongs to the company. This includes not only the data that is placed on a company owned disk drive but ALL of the data and voice traffic that traverses their network infrastructure as well. So many companies feel justified in not just actively monitoring everything but in making it more efficient and cost effective to do so by automating the process.
Kelly Conger says
Great post, Vince. I love the “work balance, work is life” line. Very true, especially in SecOps, but I digress.
The main point I took away from your post was that we, security experts, will seemingly always be one step behind the bad guys and always strive to be one step ahead. It’s a race that changes lead multiple times, yet the “good” team doesn’t always come out on top. I spent most of my 20+ years in IT as a Windows/virtualization admin, and my big joke, when people made fun of how “bad” the Windows operating system was/is, was to say, “Hey, because of Bill Gates’ Swiss cheese software my family has a roof over its head.” In other words, job security. In my new position as a SecOps admin that still holds true, only it’s even bigger and more encompassing than a poorly coded OS; it involves practically everything now.
Thanks,
Kelly
Dan Bilenker says
Like most things, context is key here. In an enterprise network, I would expect my activity to be monitored in some way. As such, I would refrain from accessing websites I might browse at home such as Facebook, Netflix, Amazon, etc. I do believe employers retain the right to ensure workers are not abusing network resources, or spending inordinate amounts of time doing things other than work. I doubt many organizations are interested in gleaning PII from employees, since they already have it on file. However, they could learn quite a bit about work and browsing patterns.
In regards to public networks, such as those in coffee shops or cable provider hotspots, I would absolutely not log in to anything that had logically associated PII such as credit card payments, home addresses, pictures of me, or data I would not want shared publicly. In my opinion, tools such as Wireshark, tcpdump, and WinDump would be most effectively used by black hat hackers in ambiguous settings such as public spaces. These spaces are breeding grounds for hackers due to high traffic, loose protection, and low visibility due to high traffic.
These tools don’t change my perception of privacy substantially. I would be most concerned with Wireshark, not because of its capabilities, but due to its GUI, as the GUI makes it more accessible to the casual user. Generally, I start with common sense solutions to privacy issues I can control.
Obviously, if Facebook, Netflix, Amazon, or my bank has a data breach, where I chose to logon from is irrelevant as my data is vulnerable through no mistake of my own. However, this is a risk we take when using internet based payment platforms.
Much like biological viruses, computer viruses respond to “vaccines” and patches, then evolve. Furthermore, computer viruses and malware programmers analyze the solutions to their malicious software, and evolve their coding to bypass remediation solutions. While keeping systems up to date, and patching vulnerabilities is a best practice, it is not a perfect solution.
I don’t know that there’s much else I could do personally. After I ran the Tenable scans and saw a lot of update vulnerabilities, I ran them. I’m pretty conscientious of the networks I connect to, and what data I share while connected.
From an organizational standpoint, I don’t think an organization necessarily needs to do packet analysis internally. I would use it externally to monitor inbound traffic, particularly on networks or equipment directly connected to sensitive data.
Kelly Conger says
Wouldn’t packet analysis and log management help companies find and/or prevent internal compromised systems? Once an internal asset is compromised, packet analysis could start showing evidence of lateral movement. Just a thought; again, I enjoyed your post. Very insightful. See you in class tonight.
Duy Nguyen says
I personally have always been a little cautious, limiting computer usage and logging into accounts on public devices, in addition to using debit cards or keying in PINs for purchases. I would say that I rarely log into any devices other than personal devices and work devices. Seeing the various monitoring tools, I would be more cautious of the sites I visit at work such as Facebook, YouTube, or any non-work-related sites.
Of course, the organization needs to monitor their traffic; they need to correctly protect their investments. Any employee should expect to be monitored when working with the organizational property. An organization needs to have the tools to analyze the traffic that is on their networks and correctly implement the correct filters or blocks to safeguard their assets.
Kelly Conger says
I am at the point that, while in a corporate or university setting, everything I do “over the wire or WiFi” can and most likely is being monitored and saved in some capacity. Where I work is no different. We monitor our network traffic at many different levels, and just in the few months that I’ve been working in the security group I’ve seen how granular we can get with the results. We can take a forensic investigation well beyond the data on the wire and pull out information end users thought they deleted or haven’t seen for years. Our SIEM alerts us on literally thousands of different scenarios: passwords in clear text, Personally Identifiable Information like credit cards, social security numbers, home addresses, etc. We get alerts on loss prevention. You name it, if it’s on a server or on the wire, more than likely we have that information saved somewhere.
I have taken a more proactive approach to security at home based on what we have gone over in class. I set up a VPN service so that all of our internet traffic is encrypted from the time it leaves to the time it comes back to our home router. Corporations should reduce, and I believe have been reducing, their risk footprint when dealing with cybersecurity and external threats by investing in infrastructure to help reduce and automate cyber risk. Managing risk will vary with the size and budget of each corporation, so it’s hard to list things they should do, but I would say at a bare minimum they need to monitor email, both incoming and outgoing. We see so many phishing campaigns that we would be compromised within hours were it not for our email security applications. Another obvious need is endpoint protection; again, at a bare minimum there should be an antivirus and malware product on every company device. Moving forward we are just starting to test and roll out application segmentation as a way of locking down our company applications.
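The kind of clear-text alert described in the post above (passwords and card numbers visible on the wire) can be reproduced on a small scale. This is an added example, not code from the thread or from any SIEM product: it takes constructed HTTP payloads of the sort a span-port capture would yield, flags form fields that carry credentials, and flags 13-19 digit runs only when they pass the Luhn check, so a random reference number is not reported as a card.

```python
import re
from urllib.parse import parse_qs

# Constructed sample payloads, standing in for TCP payloads reassembled from a capture.
# None of the hosts or values are real; they exist only to exercise the checks below.
SAMPLE_PAYLOADS = [
    b"POST /login HTTP/1.1\r\nHost: intranet.example\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    b"user=alice&password=Winter2019!",
    b"GET /index.html HTTP/1.1\r\nHost: intranet.example\r\n\r\n",
    b"POST /pay HTTP/1.1\r\nHost: shop.example\r\n\r\ncard=4111111111111111&exp=1225",
    b"ref=4111111111111112",  # 16 digits but fails Luhn: a reference number, not a card
]

CARD_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")   # digit runs the length of a PAN
CRED_KEYS = {"password", "passwd", "pwd", "pass"}  # form fields that carry a secret

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: true for well-formed card numbers, false for most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def http_body(payload: bytes) -> str:
    """Return the body after the blank line; a payload with no headers is treated as body."""
    head, sep, body = payload.partition(b"\r\n\r\n")
    return (body if sep else payload).decode("utf-8", "replace")

def find_clear_text_exposures(payload: bytes) -> list:
    """List (kind, detail) findings for one payload; card findings carry only the last 4 digits."""
    findings = []
    body = http_body(payload)
    for key in parse_qs(body, keep_blank_values=True):
        if key.lower() in CRED_KEYS:
            findings.append(("cleartext-credential", key))
    for m in CARD_RE.finditer(body):
        if luhn_ok(m.group(1)):
            findings.append(("card-number", m.group(1)[-4:]))
    return findings

def scan(payloads) -> dict:
    """Map payload index to its findings, omitting payloads with nothing to report."""
    report = {}
    for i, p in enumerate(payloads):
        hits = find_clear_text_exposures(p)
        if hits:
            report[i] = hits
    return report
```

Anything this flags on a live capture is a finding against the application (a login or payment form served without TLS), which is the fix to pursue; on a switched network the scanner only sees what a span port deliberately gives it, which is why the post above cares who can enable one.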