Bugtraq mailing list archives

Network Monitoring and Control (announcement)


From: mcn () EnGarde com (Mike Neuman)
Date: Wed, 29 Mar 1995 15:54:17 -0600


  Hello,

  I'm going to send this message to bugtraq, comp.security.*, and alt.security,
so I apologize if you see it more than once. Bugtraq WAS first on my list,
so I deserve some credit for that. :-)

  My company has written a program called "Watcher" which allows a system 
administrator to monitor all login and mail connections on his network, in 
real-time. The administrator can log data to either a text file or a raw 
packet file which can later be replayed through Watcher. Most importantly,
Watcher allows the admin to CONTROL network users by instantly terminating
any connection, setting up makeshift firewalls, or even TAKING OVER 
(hijacking) any connection. 

  Watcher has a graphical (and text) interface which displays a list of
every network login session. The admin can select from this list which brings
up a terminal emulator window. The admin then sees EXACTLY what the user is
seeing, and what the user is typing. On this window there are also controls
to log the connection, as well as to use the active countermeasures as 
described above.

  Watcher is an extremely valuable tool for monitoring network activity
in real-time. Aside from the obvious security applications, Watcher could also
be used to debug network problems, or even to assist users of machines who
need help.

  As with any security program, Watcher can be seriously abused to the point
of rendering firewalls and all one-time authentication systems worthless
(including smartcards, challenge/response schemes, pre-arranged password
sequences, default unencrypted kerberos, etc).

  For a description of Watcher, as well as a screenshot and a discussion of
the features (both defensive and offensive) Watcher offers, take a look at:

http://www.c3.lanl.gov/~mcn/watcher.html

  NOTE: Watcher has NOTHING to do with LANL.GOV! If you have questions or
complaints, come to me and my company.

  Watcher is not yet available commercially. We haven't decided what to do
with it yet (commercial or free?). Until now, we've been using it primarily 
for our penetration testing and network security consulting for our clients. 
I'm only making this announcement because the existence and availability of 
such technology needs to be considered. In addition, since I put up the page 
yesterday (and made NO announcements), over 60 people have accessed it (out of 
the usual 2 or 3 who access my home page daily). In order to prevent confusion, 
I thought I would announce this publicly.

  A paper on Watcher is being submitted to the Computer Security 
Applications Conference (CFP is due in 2 days). I will be putting a copy of 
this paper up as soon as possible (assuming CSAC has no objections).

  Feel free to contact us if you have any questions or comments.

-Mike
--
Mike Neuman (mcn () EnGarde com) - EN GARDE SYSTEMS - Computer Security Consulting
http://www.c3.lanl.gov/~mcn   - http://www.cec.wustl.edu/~dmm2/egs/egs.html
===============================================================================
"Most of these should be 'void', but the people who defined the STREAMS
 data structures for S[ystem] 5 didn't understand data types." - Solaris source
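The following is an added example, not part of Mike Neuman's message and not code from Watcher itself. It shows the one artefact a passive network monitor can use to notice the kind of takeover the message describes: when a hijacker injects a segment into an established connection (a command typed into a telnet session after the victim has already passed a one-time-password login), the server's idea of the client's next sequence number moves ahead of the real client's. From then on each side rejects the other's segments and answers with a bare ACK, and the two loop in an "ACK storm". A run of bare ACKs on which neither side's numbers change, with the server acknowledging more bytes than the client believes it has sent, is the signature; the gap between those two numbers covers exactly the injected bytes. The capture below is constructed by hand for the example, and its addresses, ports and sequence numbers are made up.

```python
"""Spot the ACK storm a TCP session hijack leaves behind (added example)."""
from collections import namedtuple

# One captured TCP segment. flags is a string of TCP flag letters, e.g. "PA".
Segment = namedtuple("Segment", "src dst seq ack flags payload")

CLIENT = "10.0.0.5:1234"  # constructed endpoints, not real hosts
SERVER = "10.0.0.9:23"


def is_bare_ack(seg):
    """An ACK-only segment carrying no data."""
    return seg.flags == "A" and not seg.payload


def stream(segments, src):
    """Reassemble the bytes `src` sent, in sequence order, dropping retransmits.
    This is what a passive monitor shows as "what the user typed"; after a
    hijack it also contains whatever the hijacker injected in the user's name."""
    seen = {}
    for seg in segments:
        if seg.src == src and seg.payload:
            seen.setdefault(seg.seq, seg.payload)
    return b"".join(seen[k] for k in sorted(seen))


def analyse(segments, storm_threshold=4):
    """Report a hijack if an ACK storm appears in the capture.

    A storm is a run of at least `storm_threshold` consecutive bare ACKs, with
    both sides present, each side repeating one unchanging (seq, ack) pair, and
    the server's ack number ahead of the client's seq number: the server has
    accepted bytes the real client never sent. Those bytes are the injection.
    """
    client_data = []  # data segments that arrived with the client's address
    run = []          # the current run of consecutive bare ACKs
    for index, seg in enumerate(segments):
        if seg.payload:
            if seg.src == CLIENT:
                client_data.append(seg)
            run = []
            continue
        if not is_bare_ack(seg):
            run = []
            continue
        run.append(seg)
        while len(run) >= storm_threshold:
            client_acks = {(s.seq, s.ack) for s in run if s.src == CLIENT}
            server_acks = {(s.seq, s.ack) for s in run if s.src == SERVER}
            if len(client_acks) == 1 and len(server_acks) == 1:
                client_next = next(iter(client_acks))[0]      # what the client will send next
                server_expects = next(iter(server_acks))[1]   # what the server already got
                gap = server_expects - client_next
                if gap > 0:
                    injected = b"".join(
                        s.payload for s in client_data
                        if client_next <= s.seq < server_expects)
                    return {"hijack": True, "injected": injected, "gap": gap,
                            "storm_at": index - len(run) + 1}
            run = run[1:]  # slide the window and look again
    return {"hijack": False, "injected": b"", "gap": 0, "storm_at": None}


# Constructed capture of a telnet session (handshake omitted, absolute numbers).
CAPTURE = [
    Segment(CLIENT, SERVER, 1000, 5000, "PA", b"ls\r\n"),
    Segment(SERVER, CLIENT, 5000, 1004, "PA", b"bin  etc  home\r\n$ "),
    Segment(CLIENT, SERVER, 1004, 5018, "A", b""),
    # Hijacker spoofs the client's address and the seq the server expects next.
    Segment(CLIENT, SERVER, 1004, 5018, "PA", b"cat /etc/passwd\r\n"),
    Segment(SERVER, CLIENT, 5018, 1021, "PA", b"root:x:0:0::/:/bin/sh\r\n$ "),
    # The real client is still at seq 1004: it drops data acked beyond what it
    # sent and answers with a bare ACK, the server answers back, and so on.
    Segment(CLIENT, SERVER, 1004, 5018, "A", b""),
    Segment(SERVER, CLIENT, 5043, 1021, "A", b""),
    Segment(CLIENT, SERVER, 1004, 5018, "A", b""),
    Segment(SERVER, CLIENT, 5043, 1021, "A", b""),
    Segment(CLIENT, SERVER, 1004, 5018, "A", b""),
    Segment(SERVER, CLIENT, 5043, 1021, "A", b""),
]

# The same session ending normally, for comparison (also constructed).
CLEAN = CAPTURE[:3] + [
    Segment(CLIENT, SERVER, 1004, 5018, "PA", b"exit\r\n"),
    Segment(SERVER, CLIENT, 5018, 1010, "FA", b""),
    Segment(CLIENT, SERVER, 1010, 5019, "A", b""),
]

if __name__ == "__main__":
    print("client input as the server saw it:", stream(CAPTURE, CLIENT))
    print("hijacked session:", analyse(CAPTURE))
    print("clean session:   ", analyse(CLEAN))
```

The check is only as good as the capture point: the monitor has to see both directions of the connection, and a hijacker who immediately resets the real client (as a takeover tool can) will leave at most a short storm, so the threshold should stay low.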


