Hi Peter,
basically I’d like to know if any tools are available which might help to identify “dissolving” traffic, perhaps those with small byte amounts like key strokes covered in the “white noise” of the traffic’s junk, sent via different intranet IPs to unsuspicious external domains, such as large cloud providers already used by existing set top boxes, servers, printers or workstations within the network.
When looking into a network in general, there is usually more than one attack vector; to name a few, these points could be:
- Capture a device within DMZ
- Capture WLAN APs, especially when they’re stationary
- Capture mobile devices in public on wireless ports and let them be brought home
- Some cases where the sky falls back on your head in the form of coupled entities
- TV sticks with both WLAN and LAN attached, closed source, and undocumented APIs
- Set top boxes with closed source firmware
- Install input drivers from OEMs (e.g. keyboard drivers communicating with servers)
… and so on.
What I’d ask for is the possibility to check which kind of traffic going “out” might be unwanted/suspicious based upon its stochastic behaviour.
However, I don’t know if this is reasonable, as e.g. mobile phones with e.g. AI apps often have both WLAN and GSM/LTE enabled at the same time; so I wonder if it makes sense to take much care about security on BLUE, because, if someone attacked your mobile in the very highest, improbable and unimportant case, you have not really got control over the closed source firmware and how the apps then act within those two networks and so on. I mean, especially cell providers do not offer the same amount of detailed traffic information for their non-commercial customers as your own firewall does, I assume.
I don’t even know exactly how much a cell provider update could change the behaviour of your mobile device. So, for iPhones, I do allow just RED over proxy, with 17.0.0.0/8 whitelisted for the at least necessary service ports, and so on.
Might be a bit silly, these thoughts, but it’s just of interest for me where to put the focus on these occasions.
So I understand there is no “golden answer” to my questions. It’s just a gut feeling leading me to these kinds of questions.
Cheers!
P.S. As final point: in case of e.g. Microsoft Windows, they’d say
> DISM.exe /Online /Cleanup-Image /RestoreHealth
> sfc /scannow
would be good enough for checking the OS’s integrity. In case the solution tells:
Systemsuche wird gestartet. Dieser Vorgang kann einige Zeit dauern.
Überprüfungsphase der Systemsuche wird gestartet.
Überprüfung 100 % abgeschlossen.
Der Windows-Ressourcenschutz hat keine Integritätsverletzungen gefunden.
I’d assume probable leakages are not within the core of the Windows OS. I, as a hobbyist, would really be glad to have some kind of checksum tool for the IPFire installation, just to make sure the system’s integrity stays valid over time.
P.P.S. If I were really interested in gathering data from someone else without logging, I’d experiment with a laser interferometer, pointed at the glass of the window behind which your keyboard sits, record the sound patterns of the keyboard clicks and compare these with a small sound database in order to recover the keystrokes back to characters.
But who the fuck would really do something like that?
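An added example (my own, not part of this post and not an IPFire feature) of the kind of “stochastic behaviour” check asked about in the main question above: it scores each internal source / external destination pair by how small and how regularly spaced its outbound flows are, so that a trickle of tiny, clock-like flows stands out from the bulky, irregular traffic of printers and set top boxes. The flow-log format, the thresholds and the sample log are all assumptions I constructed.

```python
# Added example: flag low-volume, regularly spaced outbound flows ("beacons")
# in a flow log. Record format and thresholds are my own assumptions, not an
# IPFire feature. SAMPLE is a constructed log, not captured traffic.
from collections import defaultdict
from statistics import mean, median, pstdev

# Constructed records: "<epoch_seconds> <src_ip> <dst_host> <bytes_out>"
SAMPLE = """
0 10.0.1.20 cdn.example-cloud.net 48210
95 10.0.1.20 cdn.example-cloud.net 51033
100 10.0.1.20 cdn.example-cloud.net 9920
400 10.0.1.20 cdn.example-cloud.net 77210
410 10.0.1.20 cdn.example-cloud.net 61044
900 10.0.1.20 cdn.example-cloud.net 30110
0 10.0.1.31 mail.example-cloud.net 150
30 10.0.1.31 mail.example-cloud.net 142
300 10.0.1.31 mail.example-cloud.net 151
990 10.0.1.31 mail.example-cloud.net 149
0 10.0.1.77 api.example-cloud.net 96
61 10.0.1.77 api.example-cloud.net 110
119 10.0.1.77 api.example-cloud.net 88
181 10.0.1.77 api.example-cloud.net 120
240 10.0.1.77 api.example-cloud.net 101
299 10.0.1.77 api.example-cloud.net 97
361 10.0.1.77 api.example-cloud.net 140
420 10.0.1.77 api.example-cloud.net 93
"""

def parse_flows(lines):
    """Parse the constructed flow format into (ts, src, dst, bytes) tuples."""
    return [(float(t), s, d, int(b)) for t, s, d, b in (l.split() for l in lines if l.strip())]

def beacon_score(flows, tiny_bytes=200, min_flows=6, max_jitter=0.25, tiny_frac=0.8):
    """Return {dst: [report, ...]} for src/dst pairs whose flows are mostly tiny
    and whose inter-arrival gaps vary little (low jitter = clock-like)."""
    by_pair = defaultdict(list)
    for ts, src, dst, nbytes in flows:
        by_pair[(src, dst)].append((ts, nbytes))
    reports = {}
    for (src, dst), recs in by_pair.items():
        if len(recs) < min_flows:          # too few flows to judge regularity
            continue
        recs.sort()
        gaps = [b[0] - a[0] for a, b in zip(recs, recs[1:])]
        jitter = pstdev(gaps) / mean(gaps) if mean(gaps) > 0 else float("inf")
        frac = sum(1 for _, n in recs if n <= tiny_bytes) / len(recs)
        if frac >= tiny_frac and jitter <= max_jitter:
            sizes = [n for _, n in recs]
            reports.setdefault(dst, []).append({"src": src, "flows": len(recs), "median_bytes": median(sizes), "jitter": round(jitter, 3)})
    return reports

def run_sample():
    """Score the constructed log; only the 10.0.1.77 -> api pair should be flagged."""
    return beacon_score(parse_flows(SAMPLE.splitlines()))

if __name__ == "__main__":
    for dst, hits in run_sample().items():
        print(dst, hits)
```

Scoring per source/destination pair rather than per destination is deliberate: the point in the question is that the same cloud domain is also used legitimately by other boxes on the LAN, so the regularity has to be measured per internal host.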