Calguns.net, Technology and Internet forum
#1
12-17-2013, 11:49 AM
Glamis
Need some Info from a Network Admin and iOS Apps

My work has Wi-Fi, as most do now. My work computers and my laptop are linked to this (SonicWall TZ 205). My work PC is only for work, and I remote to the home office. My laptop is linked and used for research, Calguns, and iTunes. Nothing I worry about there. Every www.com is logged in some way, I'm sure. Note: never had a problem yet.

Now, this I mind. Say I link my phone and start using the Facebook app, the Flickr app, or my bank's app on my phone. What data can be seen by the network admin with apps? Just wondering how it works for apps, mostly.

Still never had a problem in 3 years, but you never know.
#2
12-18-2013, 3:01 PM
stonith3901

yes they can

Quote: Originally Posted by Glamis (post #1 above)
Thanks for providing the device your company is using. Given that, the short answer is yes, they can analyze the packets with the device you have:

https://www.sonicwall.com/us/en/products/ATA.html

I'll try to answer this for you.

Granted, a rule of thumb is that a network engineer can potentially be the man in the middle. They have the capability of port mirroring and analyzing every single packet coming from your network port. On a system level we can analyze what traffic you are sending via a proxy or a transparent proxy (I run this at home), or through DNS logs. If things are crossing that are not using encryption like SSL, they can grab the information in plain text.

The lock that shows in your web browser when you go to a banking site, for instance, shows that you are connecting via SSL and the traffic is encrypted to the endpoint (since it's encrypted, the packets, even if captured, will be garbled, useless information).

So on a joint level, for forensics, if we know the IP address, which in turn maps to a MAC address, we can find out who is going to, let's say, a porn site on company pipes via raw packets. You can run tcpdump (Linux) or something like Wireshark (Windows) to analyze your traffic.

The rule is to try and use encrypted methods as much as possible. Generally, highly sensitive sites will require running over HTTPS (the one with the lock). If someone tries to be a man in the middle and reroute your traffic, your browser won't trust the certificate if it isn't signed by a Certificate Authority that is in the trusted list. If the private key has been stolen or compromised from the website, you are screwed.
#3
12-20-2013, 8:38 PM
problemchild

I can see everything you do. Best not to chit where you eat. If they have the extra features turned on, it's not good for you.

Where you go.
When you go.
What you looked at.
How much you looked at.
#4
12-21-2013, 9:28 AM
stilly

Quote: Originally Posted by stonith3901 (post #2 above)
The rest of this is good to know for someone like me (because I like that stuff and am heading that way).

BUT I totally agree with all the bold. If you do not know much about all of this, at least what is BOLDED holds true across the board. The better the encryption, the better off you are.
#5
12-21-2013, 10:31 AM
problemchild

Quote: Originally Posted by stilly (post #4 above)
The better the encryption, the better off you are.
Maybe or maybe not. You run encrypted inside my biz, or a biz I manage, and I see where you went to. You cannot hide the IP unless you start running encrypted to a VPN/proxy, and if you do that I know you are messing with me and trying to hide stuff. If I see you are running SSL to sexwithfarmanimals.com, you are not going to be working there long. I would install a screen logger on your desktop to capture all your activity, encrypted or not.

Like I said, don't chit where you eat. Best to leave non-biz net surfing crap at home. I take a pie chart to the owner showing him you are dodging my security and surfing the net 4 hrs per day, and you are hosed!

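What the capture stonith3901 describes in post #2 and the "I see where you went" in post #5 actually yield, as an added example that is not code from any poster in this thread: a Go program that takes two constructed client packets, a plaintext HTTP request and the TLS ClientHello a browser sends before any encryption starts, and reports what someone on a mirror port or transparent proxy learns from each. The request line, host names, cookie value and the ClientHello bytes are constructed for the example; BuildClientHello, ParseSNI and Describe are names chosen here, not part of any tool mentioned in the thread.

```go
package main

import (
	"fmt"
	"strings"
)

// samplePlaintext is a constructed request, not a capture: a banking page fetched over plain HTTP.
var samplePlaintext = []byte("GET /account/balance HTTP/1.1\r\nHost: example.com\r\nCookie: session=abc123\r\n\r\n")
var errNoSNI = fmt.Errorf("not a ClientHello carrying server_name")

func u16(n int) []byte { return []byte{byte(n >> 8), byte(n)} }

// BuildClientHello constructs a minimal TLS 1.2 ClientHello record whose only extension is server_name for
// host. It is the first thing the client sends, before any key exchange, so it is never encrypted.
func BuildClientHello(host string) []byte {
	name := []byte(host)
	sni := append(append(u16(len(name)+3), 0), u16(len(name))...) // list length, name_type=host_name, name length
	sni = append(sni, name...)
	ext := append(append(u16(0), u16(len(sni))...), sni...) // extension type 0 = server_name
	body := append([]byte{3, 3}, make([]byte, 32)...)       // client_version TLS 1.2, random (zeros here)
	body = append(body, 0)                                  // empty session_id
	body = append(body, 0, 2, 0xc0, 0x2f)                   // one cipher suite
	body = append(body, 1, 0)                               // one compression method: null
	body = append(append(body, u16(len(ext))...), ext...)   // extensions
	hs := append([]byte{1, byte(len(body) >> 16), byte(len(body) >> 8), byte(len(body))}, body...) // handshake header
	return append([]byte{0x16, 3, 1, byte(len(hs) >> 8), byte(len(hs))}, hs...)                   // record header
}

// cursor walks a byte slice; bad becomes true on the first read past the end (a truncated packet).
type cursor struct {
	b   []byte
	bad bool
}

func (c *cursor) take(n int) []byte {
	if c.bad || len(c.b) < n {
		c.bad = true
		return nil
	}
	out := c.b[:n]
	c.b = c.b[n:]
	return out
}

// field reads one length-prefixed TLS vector whose length is w (1 or 2) bytes wide.
func (c *cursor) field(w int) []byte {
	l := c.take(w)
	if c.bad {
		return nil
	}
	n := int(l[w-1])
	if w == 2 {
		n |= int(l[0]) << 8
	}
	return c.take(n)
}

// ParseSNI walks a ClientHello to its server_name extension. No key material is involved.
func ParseSNI(pkt []byte) (string, error) {
	c := &cursor{b: pkt}
	hdr := c.take(9) // record header (5) + handshake header (4)
	if c.bad || hdr[0] != 0x16 || hdr[5] != 0x01 {
		return "", errNoSNI
	}
	c.take(34)                         // client_version (2) + random (32)
	for _, w := range []int{1, 2, 1} { // session_id, cipher_suites, compression_methods
		c.field(w)
	}
	exts := &cursor{b: c.field(2)}
	for !c.bad && !exts.bad {
		typ, data := exts.take(2), exts.field(2)
		if exts.bad || typ[0] != 0 || typ[1] != 0 {
			continue // exhausted, or an extension other than server_name
		}
		e := &cursor{b: data} // ServerNameList: list length (2), then name_type (1, 0 = host_name), name (2-byte length)
		h, name := e.take(3), e.field(2)
		if !e.bad && h[2] == 0 {
			return string(name), nil
		}
		return "", errNoSNI
	}
	return "", errNoSNI
}

// Describe is what a mirror port or transparent proxy can say about one client packet.
func Describe(pkt []byte) string {
	if host, err := ParseSNI(pkt); err == nil {
		return "TLS handshake to " + host + ": destination visible, payload encrypted"
	}
	lines := strings.Split(string(pkt), "\r\n")
	if f := strings.Fields(lines[0]); len(f) == 3 && strings.HasPrefix(f[2], "HTTP/") {
		host := ""
		for _, h := range lines[1:] {
			if strings.HasPrefix(strings.ToLower(h), "host: ") {
				host = h[6:]
			}
		}
		return "plaintext HTTP " + f[0] + " http://" + host + f[1] + ": headers, cookies and body all readable"
	}
	return "unrecognized"
}

func main() { fmt.Println(Describe(samplePlaintext) + "\n" + Describe(BuildClientHello("chase.com"))) }
```

The plaintext request gives up the path and the session cookie outright, which is the "plain text" case in post #2. The TLS handshake gives up only the destination host, through the server_name (SNI) extension the client sends in the clear so the server knows which certificate to present; that, together with the destination IP and the volume of traffic, is the "where you went" a filter logs without decrypting anything, and it is why the VPN-or-cell advice later in the thread is the only thing that hides the destination as well as the content.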
#6
12-21-2013, 12:50 PM
seasapart

This depends entirely on your business's network infrastructure and what devices are in place. If your business only has a SonicWall firewall in place and some of the advanced features are turned on, then your business could potentially see some basic web logging, sites visited, etc. Now, if your business has some sort of web filter in place, or you are forced to go through a proxy, then they can potentially see a lot more.

True, in most cases SSL sites are secure and encrypted, so you can't see detailed logging, but there are some web filters out there that actually can and do decrypt SSL traffic on the fly, so even traffic from SSL sites like bank sites, webmail, etc. is visible to a network admin. These devices are expensive and you typically only see them in larger enterprise-type corporations. Now, mind you, there are a lot of factors that will dictate what level of visibility the sys/network admin has. If we are talking about a company desktop/laptop, there is usually an agent that is required to decrypt the traffic if this is not done on the web filter itself (I've only seen one filter that does this on the filter itself).

For phones (iOS/Android), however, this is much more difficult; typically with web logging on phones you only see general web traffic, sites visited, etc. In most cases you wouldn't be able to see encrypted sites unless there is an agent installed, and I don't know of any that can be installed on iOS or Android devices today. There are some MDM (Mobile Device Management) software providers out there that do a fair amount of logging, if your company does have an MDM infrastructure in place and you are forced to install the agent on your phone.

Like I said, it depends entirely on your network infrastructure and what equipment is in place. If it's just the SonicWall and they don't have the advanced features in place, then I wouldn't worry about it too much. If they do, then if someone has really nothing better to do, I suppose they could go through the logs on the SonicWall and see some of the sites visited.
#7
12-22-2013, 2:06 AM
stonith3901

Quote: Originally Posted by seasapart
True, in most cases SSL sites are secure and encrypted, so you can't see detailed logging, but there are some web filters out there that actually can and do decrypt SSL traffic on the fly, so even traffic from SSL sites like bank sites, webmail, etc. is visible to a network admin. These devices are expensive and you typically only see them in larger enterprise-type corporations.

Can you elaborate and explain what web filters or devices can decrypt SSL traffic on the fly, or what device can do this?

I'm curious and confused, mainly because my understanding is that a signed SSL certificate creates an encrypted session from the user's browser to the endpoint IP address that has the certificate, along with the paired SSL private key. The user's browser has a list of trusted certificate authorities, whichever CAs are installed. Generally the SSL certificate is requested by generating a CSR that gets signed by a trusted CA (the ones in browsers, like VeriSign for example). The CA signs the certificate and returns the SSL certificate to the requestor. The requestor takes the signed SSL certificate from the trusted CA, pairs the SSL cert with the private key (along with optional intermediate chained certificates), and binds these to an IP address listening on 443. How does a device decrypt the SSL traffic when it doesn't have the private key of an SSL certificate it doesn't own? The device you describe is clearly a man-in-the-middle type of attack, but I can't understand how it can decrypt the traffic without the private SSL key of the website the user is going to.
#8
12-22-2013, 2:18 AM
Jason95357

SSL decryption is easily done on a company-owned device. We do so for security and HR reasons where I work.

The company has an internal Root CA. That Root CA is installed on all company devices. One way is via AD GPOs.

The proxy has a sub-CA signed by the company Root CA. The proxy sub-CA can then create a cert for any domain on the fly. Then a man-in-the-middle decryption/re-encryption occurs at the proxy.

But even without decryption, a transparent proxy/filter knows what IPs you connected to and, based on that, what general content you loaded.

Best bet is to VPN to home and use a home proxy, or just stick to cell service.

There is a Firefox add-on called SSL Observatory that checks to see if an SSL cert for a given site has been seen before and how often. This is a good way to detect MitM attacks.

Example proxy filter with this tech: http://www.websense.com/content/supp...sl_enable.aspx
#9
12-22-2013, 2:56 AM
stonith3901

Quote: Originally Posted by Jason95357 (post #8 above)

There is the explanation I needed. I understand the need for an internal CA for self-signed certificates; good to know that there are companies that screw with applications by installing their own Root CA, but creating SSL certs on the fly seems a little evil.

Screw that, glad I don't work for your company.

Care to elaborate more and give us an example of a reason this is done? Of course I am not looking for specifics. This would be a great campfire story, please do tell.

Also, let's say I did sit in your network and you created an SSL cert on the fly to see my banking traffic to, let's say, chase.com. Wouldn't it show clearly in my browser, when I check, that the SSL cert is signed and verified by the internal Root CA through the chained sub-CA? Or does the traffic pass to the original destination and everything is totally transparent? I would imagine it'd be totally transparent, and that totally sucks. What if I ran the Opera web browser? Or is it installed in a certificate keystore on the Windows operating system itself?

And a second scenario. Let's define this scenario a little better. Let's say I'm a 3rd-party technician, from Trace3 or Dell, who needed to service something in your office. I use your network; let's say you have your transparent proxy that I had to go through as well, and you have one of these SSL-decrypting devices. I would imagine that I would get that warning in this scenario, since my device didn't accept the internal Root CA, when I go to chase.com?

Seems like even more need to do mandatory two-factor authentication, even here on calguns.net, and hopefully Facebook, since that seems like a high-profile site that HR would love to get their hands into. "Hey [boss], I'm out sick, don't feel too well." *Posts on Facebook the same day* "Man, this Dole Whip is hella great in Disneyland."

Also seems like a privilege to abuse when a security team has this type of power. *giggles* Look at this guy... 10 bucks in his checking account, big spender. Or the NSA going to VeriSign/Thawte/Comodo/etc. and saying, "Yeah, your SSL private keys, gonna need a copy of those. Hey Jason, how's that Websense appliance at the core routers at Level3 and AT&T holding up? Here are those private keys. Feinstein is wanting to know who is going to calguns.net for the FEMA camp registration."

Just seems a little too invasive, but then again, you are using your company's pipes.

Thanks for clarification Jason much appreciated.

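The chain Jason95357 describes in post #8 and the two cases stonith3901 asks about in post #9, as an added example that is not code from Jason, Websense, or anyone in this thread: a Go program that builds a corporate root, a proxy sub-CA signed by it and a certificate minted on the fly for chase.com, then runs the same chain check a browser runs, once with the corporate root in the trust store and once without. "Example Corp Root CA", "Example Public CA" and the function names are placeholders chosen here; the public CA stands in for VeriSign and the like and issues the "genuine" certificate for comparison.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CA is a certificate plus the private key that signs with it.
type CA struct {
	Cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
func newKey() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }

// template describes a CA certificate, or a server certificate for one host name.
func template(cn string, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: must(rand.Int(rand.Reader, big.NewInt(1<<62))),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	if isCA {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
	} else {
		t.DNSNames = []string{cn}
		t.KeyUsage = x509.KeyUsageDigitalSignature
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// issue signs tmpl for public key pub with parent's key; a nil parent means self-signed with selfKey.
func issue(tmpl *x509.Certificate, pub *ecdsa.PublicKey, parent *CA, selfKey *ecdsa.PrivateKey) *x509.Certificate {
	parentCert, signer := tmpl, selfKey
	if parent != nil {
		parentCert, signer = parent.Cert, parent.key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parentCert, pub, signer))
	return must(x509.ParseCertificate(der))
}

// NewCA makes a self-signed root when parent is nil (a public CA, or the corporate root a GPO pushes out); otherwise an intermediate signed by parent, the proxy's sub-CA from the thread.
func NewCA(name string, parent *CA) *CA {
	k := newKey()
	return &CA{Cert: issue(template(name, true), &k.PublicKey, parent, k), key: k}
}

// Issue mints a server certificate for host with a fresh key. A public CA does this once, after checking control of the domain; an inspecting proxy does it on the fly for every host a client visits.
func (ca *CA) Issue(host string) *x509.Certificate {
	k := newKey()
	return issue(template(host, false), &k.PublicKey, ca, nil)
}

// Accepted is the browser's check: chain leaf through the intermediate to the root in the client's trust store and match host against the certificate's names. nil means no warning is shown.
func Accepted(leaf *x509.Certificate, host string, intermediate, root *CA) error {
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root.Cert)
	if intermediate != nil {
		inter.AddCert(intermediate.Cert)
	}
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots, Intermediates: inter})
	return err
}

// SPKI is the SHA-256 of the public key inside a certificate, the value a pin or a certificate observatory compares. The proxy never has the site's key, so its forged certificate cannot match.
func SPKI(c *x509.Certificate) [32]byte { return sha256.Sum256(c.RawSubjectPublicKeyInfo) }

// Scenario builds the corporate PKI plus a stand-in public CA and reports, for each case in the thread, whether the client accepts the connection to chase.com without a warning.
func Scenario() map[string]bool {
	public := NewCA("Example Public CA", nil)      // stands in for VeriSign/Thawte/Comodo
	genuine := public.Issue("chase.com")           // what the real site presents
	corpRoot := NewCA("Example Corp Root CA", nil) // pushed to managed laptops by GPO
	proxy := NewCA("Example Corp SSL Inspection Sub-CA", corpRoot)
	forged := proxy.Issue("chase.com") // minted the moment a client behind the proxy connects
	return map[string]bool{
		"managed_forged":     Accepted(forged, "chase.com", proxy, corpRoot) == nil,
		"contractor_forged":  Accepted(forged, "chase.com", proxy, public) == nil,
		"contractor_genuine": Accepted(genuine, "chase.com", nil, public) == nil,
		"forged_wrong_host":  Accepted(forged, "calguns.net", proxy, corpRoot) == nil,
		"keys_match":         SPKI(genuine) == SPKI(forged),
	}
}

func main() { fmt.Println(Scenario()) }
```

Scenario() reports managed_forged true (the GPO-installed root makes the forged certificate chain cleanly, so the managed laptop shows the padlock and no warning), contractor_forged false (a laptop without that root gets the untrusted-issuer warning stonith3901 expects in his second scenario), contractor_genuine true, forged_wrong_host false (a certificate minted for chase.com does not verify for another name; the proxy has to mint one per host) and keys_match false. That last value is what the SSL Observatory check in post #8 rests on: the proxy can mint any name it likes, but it can never reproduce the public key the real site's certificate carries, so the key fingerprint seen from inside the company differs from the one seen from home. Whether a particular browser warns depends on which trust store it consults: one that reads the operating system store sees the GPO-installed root, while one that keeps its own store, as Firefox historically has, warns unless the root was also imported there.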