[iwar] Public demo of Carnivore


From: Fred Cohen <fc@all.net>
To: Information Warfare Mailing List <iwar@onelist.com>
Date: Wed, 25 Oct 2000 06:41:31 -0700 (PDT)



NANOG is the North American Network Operators Group
********

Date: Tue, 24 Oct 2000 19:31:43 -0400
From: An Metet 
Comments: This message did not originate from the Sender address above.
It was remailed automatically by anonymizing remailer software.
Please report problems or inappropriate use to the
remailer administrator at .
To: cypherpunks@einstein.ssz.com
Subject: CDR: Public Demo of Carnivore and Friends

FBI agent Marcus C. Thomas (who is mentioned in the EPIC FOIA
documents) made a very interesting presentation at NANOG 20 yesterday
morning, discussing Carnivore.

Agent Thomas gave a demonstration of both Carnivore 1.34 (the
currently deployed version) and Carnivore 2.0 (the development
version) as well as some of the other DragonWare tools.

Most of this information isn't new, but it demonstrates that the
DragonWare tools can be used to massively analyze all network traffic
accessible to a Carnivore box.

The configuration screen of Carnivore shows that protocol information
can be captured in 3 different modes: Full, Pen, and None. There are
check boxes for TCP, UDP, and ICMP.

Carnivore can be used to capture all data sent to or from a given IP
address, or range of IP addresses.

It can be used to search on information in the traffic, doing matching
against text entered in the "Data Text Strings" box. This, the agent
assured us, was so that web mail could be identified and captured, but
other browsing could be excluded.

It can be used to automatically capture telnet, pop3, and FTP logins
with the click of a check box.

It can monitor mail to and/or from specific email addresses.

It can be configured to monitor based on IP address, RADIUS username,
MAC address, or network adaptor.

IPs can be manually added to a running Carnivore session for
monitoring.

Carnivore allows for monitoring of specific TCP or UDP ports and port
ranges (with drop down boxes for the most common protocols).

Carnivore 2.0 is much the same, but the configuration menu is cleaner,
and it allows Boolean statements for exclusion filter creation.

--

The Packeteer program takes raw network traffic dumps, reconstructs
the packets, and writes them to browsable files.

CoolMiner is the post-processor session browser. The demo was version
1.2SP4. CoolMiner has the ability to replay a victim's steps while web
browsing, chatting on ICQ, Yahoo Messenger, AIM, IRC. It can step
through telnet sessions, AOL account usage, and Netmeeting. It can
display information sent to a network printer. It can process netbios
data.

CoolMiner displays summary usage, broken down by origination and
destination IP addresses, which can be selectively viewed.

Carnivore usually runs on Windows NT Workstation, but could run on
Windows 2000.

Some choice quotes from Agent Thomas:

"Non-relevant data is sealed from disclosure."

"Carnivore has no active interaction with any devices on the network."

"In most cases Carnivore is only used with a Title III. The FBI will
deploy Carnivore without a warrant in cases where the victim is
willing to allow a Carnivore box to monitor his communication."

"We rely on the ISP's security [for the security of the Carnivore box]."

"We aren't concerned about the ISP's security."

When asked how Carnivore boxes were protected from attack, he said
that the only way they were accessible was through dialup or ISDN. "We
could take measures all the way up to encryption if we thought it was
necessary."

While it doesn't appear that Carnivore uses a dial-back system to
prevent unauthorized access, Thomas mentioned that the FBI sometimes
"uses a firmware device to prevent unauthorized calls."

When asked to address the concerns that FBI agents could modify
Carnivore data to plant evidence, Thomas reported that Carnivore logs
FBI agents' access attempts. The FBI agent access logs for the
Carnivore box become part of the court records. When asked the
question "It's often common practice to write back doors into
[software programs]. How do we know you aren't doing that?", Thomas
replied "I agree 100%. You're absolutely right."

When asked why the FBI would not release source, he said: "We don't
sell guns, even though we have them."

When asked: "What do you do in cases where the subject is using
encryption?" Thomas replied, "This suite of devices can't handle
that." I guess they hand it off to the NSA.

He further stated that about 10% of the FBI's Carnivore cases are
thwarted by the use of encryption, and that it is "more common to find
encryption when we seize static data, such as on hard drives."

80% of Carnivore cases have involved national security.

--

Also of interest was a network diagram that looked very similar to the
one in the EPIC FOIA document at
http://www.epic.org/privacy/carnivore/omnivorecapabilities1.html ,
except that there was no redaction of captions.


------------------
http://all.net/
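The configuration the post describes (Full/Pen/None capture modes, per-protocol check boxes, IP and port filters, "Data Text Strings" matching, and the check box that grabs POP3 and FTP logins) is small enough to model, and modelling it makes the collection caveat concrete: a text-string filter has to read the payload of every candidate packet, including the ones it then discards, and pen mode only limits what gets written down, not what gets read. The Python below is an added example written for this page; it is not Carnivore, DragonWare or FBI code, and nothing about the real implementation is known from the post beyond the feature list. `CaptureFilter`, `run_filter`, the port list and the sample packets are all constructed here, and the packets are assumed to be already decoded rather than raw frames. Telnet login capture is left out because it needs stream reassembly, which the post attributes to the separate Packeteer/CoolMiner tools.

```python
import ipaddress
import re
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    """One captured datagram, already decoded to the fields the filter uses."""
    proto: str      # "TCP", "UDP" or "ICMP" (the three check boxes in the post)
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


# Constructed sample traffic for this example; not captured from any real network.
SAMPLE_TRAFFIC = [
    Packet("TCP", "10.0.0.5", 40001, "192.0.2.10", 110, b"USER alice\r\n"),
    Packet("TCP", "10.0.0.5", 40001, "192.0.2.10", 110, b"PASS hunter2\r\n"),
    Packet("TCP", "10.0.0.5", 40002, "192.0.2.20", 80,
           b"GET /mail/inbox HTTP/1.0\r\nHost: webmail.example\r\n\r\n"),
    Packet("TCP", "10.0.0.5", 40003, "192.0.2.30", 80,
           b"GET /news HTTP/1.0\r\nHost: news.example\r\n\r\n"),
    Packet("TCP", "10.0.0.7", 40004, "192.0.2.31", 21, b"USER bob\r\n"),
    Packet("TCP", "10.0.0.7", 40004, "192.0.2.31", 21, b"PASS s3cret\r\n"),
    Packet("UDP", "10.0.0.9", 5353, "192.0.2.40", 53, b"\x12\x34\x01\x00"),
]

# Hypothetical: ports on which the "capture logins" check box looks for USER/PASS.
LOGIN_PORTS = {21, 110}          # FTP, POP3
_LOGIN_RE = re.compile(rb"^(USER|PASS) (\S+)", re.IGNORECASE)


@dataclass
class CaptureFilter:
    """Hypothetical filter modelled on the configuration screen described in the post."""
    mode: str = "full"                              # "full", "pen" or "none"
    protocols: set = field(default_factory=lambda: {"TCP", "UDP", "ICMP"})
    targets: list = field(default_factory=list)     # IPs or CIDR ranges; empty = any
    ports: set = field(default_factory=set)         # empty = any port
    data_text: list = field(default_factory=list)   # "Data Text Strings" (bytes)
    login_capture: bool = False                     # the FTP/POP3 login check box

    def __post_init__(self):
        self.targets = [ipaddress.ip_network(t, strict=False) for t in self.targets]


def _in_targets(f, pkt):
    if not f.targets:
        return True
    a, b = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    return any(a in n or b in n for n in f.targets)


def run_filter(f, packets):
    """Apply the filter. Returns (records, stats).

    stats["payloads_inspected"] counts every packet whose payload the filter had
    to read, whether or not it was recorded; stats["recorded"] counts records.
    """
    records, stats = [], {"payloads_inspected": 0, "recorded": 0}
    if f.mode == "none":
        return records, stats
    for p in packets:
        if p.proto not in f.protocols or not _in_targets(f, p):
            continue
        if f.ports and p.sport not in f.ports and p.dport not in f.ports:
            continue
        # Text matching and login capture both require reading the payload,
        # even in pen mode and even for packets that are then dropped.
        wants_login = f.login_capture and p.dport in LOGIN_PORTS
        if f.data_text or wants_login:
            stats["payloads_inspected"] += 1
        if f.data_text and not any(t in p.payload for t in f.data_text):
            continue
        rec = {"proto": p.proto, "src": f"{p.src}:{p.sport}",
               "dst": f"{p.dst}:{p.dport}", "length": len(p.payload)}
        if f.mode == "full":
            rec["payload"] = p.payload       # pen mode records addressing only
        if wants_login:
            m = _LOGIN_RE.match(p.payload)
            if m:
                rec["login"] = (m.group(1).upper().decode(), m.group(2).decode())
        records.append(rec)
    stats["recorded"] = len(records)
    return records, stats


if __name__ == "__main__":
    pen = CaptureFilter(mode="pen", targets=["10.0.0.5"], data_text=[b"webmail.example"])
    recs, st = run_filter(pen, SAMPLE_TRAFFIC)
    print("pen + text filter:", st, recs)
    full = CaptureFilter(mode="full", targets=["10.0.0.0/24"], ports=LOGIN_PORTS,
                         login_capture=True)
    recs, st = run_filter(full, SAMPLE_TRAFFIC)
    print("login capture:", [r["login"] for r in recs if "login" in r])
```

Running the pen-mode case with a "Data Text Strings" entry records one packet but reads the payload of all four belonging to the target, which is the point the NANOG questioner was getting at; the login case shows that the check box described in the post amounts to recording cleartext credentials for whichever accounts pass the IP filter.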