In a world of encrypted traffic, where is the NIDS?

Published: 2008-03-18
Last Updated: 2008-03-18 16:12:35 UTC
by Daniel Wesemann (Version: 1)

Last Sunday, I read a fascinating paper by Charles Wright on how to deduce the language spoken in a phone conversation of which only encrypted VoIP (Voice-over-IP) traffic can be observed. The paper presents a couple of funny conclusions, like the result that "Hungarian has false positives on speakers of Arabic, Czech, Spanish, Swahili, Tamil, and Vietnamese" - all languages which do not even share a common root but seem to "look similar" in an encrypted stream. But what really made me think is whether this form of analysis is all that will be left for a NIDS (network IDS) to do, once everything on the network is wrapped into SSL or encrypted otherwise. It sounds as if we'll soon be back to reading the application and security logs on the various servers themselves, because that's where the "observable" portion of an attack is. Of course "reading logs" nowadays is called "host based intrusion detection with event correlation", but basically it still is: checking the logs. Another area of the security profession that just seems to be destined to circle back to its early years...


Unzip of Death?

Published: 2008-03-18
Last Updated: 2008-03-18 02:30:05 UTC
by Daniel Wesemann (Version: 1)

Buffer overflows and erratic behavior in decompression routines and unpackers are nothing new really, but CERT-FI (Finland) has still added a nice twist by providing a library of "fuzzed" (deliberately and randomly wrong) archive format test files: www.cert.fi/haavoittuvuudet/joint-advisory-archive-formats.html. The patches that F-Secure AV released earlier today seem to be related to this issue - but I frankly would rather have my AV listed as "affected, patch available" than as "unknown"...
