Cisco's 'encrypted traffic fingerprinting' turned into a product

Silver badge

Veeeeery interesting....

So basically, although you can't see what's being sent, you can fingerprint a known thing and look for that fingerprint. But you do need to know what it is you're looking for and have a copy of it. And this will work for e.g. nasties phoning home, but is no use for intercepting the content of actual communications. And would this work on encrypted packets going over a VPN?

Pretty neat. There's bound to be a downside, but on the whole it's mainly upside.

3
2
Anonymous Coward

Re: Veeeeery interesting....

"There's bound to be a downside"

I would hazard a guess that there are limitations in relation to what crypto algos it works best (if at all) with.

0
0
Silver badge

Sounds ideal for the NSA and GCHQ to monitor everybody's encrypted internet data to fingerprint those who are up to naughty things.

5
0
Silver badge

Well as long as they are not seeing content and view any positives as a matter of getting a warrant to do so, I think I wouldn't mind all that much.

It would be a sight better than the current situation.

2
0
Silver badge

This is a new idea?

I discussed this method with a programmer during a plane ride from Melbourne to Perth in the '90s - it was a new idea then. I guess I know where he's working these days.

2
0
Silver badge

It's an old idea

There were already papers on finding out what place one looks on google maps, based on the size of the tiles (which were received via https).

It's not really suitable for finding malware, as it's trivial for malware to simply randomize its traffic. So instead of transmitting a file all at once, you send it in chunks of varying length, or mimic normal browser behaviour.

7
1
Bronze badge

Re: It's an old idea

I wouldn't say preventing traffic analysis is trivial, especially if you don't know exactly what the eavesdropper is looking at. There could be all sorts of subtle patterns in your traffic even after you've sliced your files into random-sized chunks.

1
0
Silver badge

Re: It's an old idea

Yes, but since this is a packaged product, you can test it in your laboratory for as long as you want to. I'd guess that there is virtually no contrast between "normal" data and "malevolent" data, so those systems will probably spit out far too many false positives to be of any use.

1
1
Bronze badge

Re: It's an old idea

A Catalyst 9300 is a pricy piece of kit, but cybercrime is apparently pretty lucrative so I guess the successful malware developers will be able to afford one for their test lab.

Although I've got to say, this is an argument against pretty much any malware detection technology. If the author has tested their malware against your defensive product, they will surely have been able to find a way to circumvent it.

1
0
Silver badge

Re: It's an old idea

All Tor packets are the same size. Any malware with a C&C server that is remotely a threat is using the dark web to make it hard for law enforcement to locate.

Also, with any modern crypto you can't differentiate the byte stream from random. If you can via DPI then we all have much much bigger problems.

Maybe some sort of crypto downgrade attack might be possible during the negotiation phase, to something practical to brute force (and the Muppets in charge still like the idea of backdoored encryption; will they ever learn from past mistakes?).

0
0
Silver badge

Re: It's an old idea

"Although I've got to say, this is an argument against pretty much any malware detection technology. If the author has tested their malware against your defensive product, they will surely have been able to find a way to circumvent it."

Yes, and this is why security experts (outside of malware detection firms) call such products snake oil. Now add to this that those programs typically are rather complex, run with high privileges and try to unpack every obscure format, even ones you may not have any other software for. Right now, for example, it's likely that you can take over computers with that RAR decoder bug that's been found recently... even if that computer doesn't have an unpacker that supports RAR.

0
0
Silver badge

Re: It's an old idea

"Yes, but since this is a packaged product, you can test it in your laboratory for as long as you want to."

You can test it in YOUR environment, but how well can anyone replicate the real-world network conditions of an average enterprise, which could be as different as night and day? If such a product needs environmental conditioning first, then the defense has an insider's edge.

0
0
Anonymous Coward

Everything-over-HTTPS

The idea is already in use in products that block Tor or VPN traffic in countries less hampered by personal freedoms. The answer to that was obfsproxy.

In the future, malware will just use any standard HTTPS library and add some random padding.

1
0
Silver badge

Re: Everything-over-HTTPS

But it's still tricky. In disguising some tells, you can create others. It's extremely difficult to obfuscate your traffic completely. Not just packet sizes but timings, rates, destinations, etc. can all leave tells, and if you try to scrub all the tells, you may not be able to get through. After all, even an envelope needs an address, and that alone can be useful information.

0
0
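The two points argued across this thread, that randomising chunk lengths defeats a size-based fingerprint (the "It's an old idea" reply) and that other tells such as timing survive it (the reply just above), as an added example that is not part of the article or of any comment. It is a toy Python matcher working only on the metadata a middlebox still sees through encryption: the sequence of record lengths and the arrival times. The flows, function names and thresholds are all constructed here for illustration, not Cisco's method.

```python
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """Metadata still visible on an encrypted connection.

    sizes:      record / payload lengths in bytes, in order
    timestamps: arrival time of each record in seconds
    """
    sizes: tuple
    timestamps: tuple


def size_signature(sizes, bucket=64):
    """Quantise each length into a bucket so small header jitter does not
    break a match. The tuple of bucket indices is the size 'fingerprint'."""
    return tuple(s // bucket for s in sizes)


def match_sizes(sizes, known_sizes, bucket=64):
    """The naive detector: exact-sequence match against a known sample."""
    return size_signature(sizes, bucket) == size_signature(known_sizes, bucket)


def pad_randomly(sizes, rng, min_pad=0, max_pad=512):
    """Model the evasion the thread describes: vary every chunk's length."""
    return tuple(s + rng.randint(min_pad, max_pad) for s in sizes)


def beacon_score(timestamps):
    """Coefficient of variation (std / mean) of the inter-arrival gaps.

    A value near 0 means records arrive on a fixed period, a tell that
    padding the record lengths does nothing to hide. Needs >= 3 timestamps.
    """
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
    if len(gaps) < 2:
        raise ValueError("need at least three timestamps")
    mean = statistics.fmean(gaps)
    if mean == 0:
        return float("inf")
    return statistics.pstdev(gaps) / mean


def classify(flow, known_sizes, bucket=64, cv_threshold=0.2):
    """Run both detectors and report which of them fire."""
    return {
        "size_match": match_sizes(flow.sizes, known_sizes, bucket),
        "periodic": beacon_score(flow.timestamps) < cv_threshold,
    }


# Constructed sample data, not real captures.
# A check-in every ~60 s with a fixed record pattern.
KNOWN_BEACON_SIZES = (517, 1460, 1460, 93, 93)
BEACON = Flow(sizes=KNOWN_BEACON_SIZES,
              timestamps=(0.0, 60.1, 119.9, 180.2, 240.0))

# Ordinary browsing: bursty timing, unrelated sizes.
BROWSING = Flow(sizes=(517, 1460, 1200, 380, 93, 1460),
                timestamps=(0.0, 0.3, 0.35, 4.0, 4.1, 30.0))

# The same beacon with every record padded by at least one size bucket
# (min_pad=64), so the size fingerprint is guaranteed to change, while the
# check-in cadence is untouched. Seed fixed so the run is reproducible.
PADDED_BEACON = Flow(
    sizes=pad_randomly(KNOWN_BEACON_SIZES, random.Random(7), min_pad=64),
    timestamps=BEACON.timestamps,
)

if __name__ == "__main__":
    for name, flow in (("beacon", BEACON),
                       ("padded beacon", PADDED_BEACON),
                       ("browsing", BROWSING)):
        print(f"{name:14s} cv={beacon_score(flow.timestamps):.3f} "
              f"{classify(flow, KNOWN_BEACON_SIZES)}")
```

Running it shows the padded beacon slipping past the size match while still scoring as periodic, and the browsing flow failing both tests. The coefficient of variation is a deliberately crude periodicity measure; a real system would also look at destination, rates and handshake fields, which is exactly the "envelope still needs an address" point made above.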
