Saturday, March 05, 2005

Security: A Dangerous Illusion

Disclaimer: This writeup is a bit more tech heavy than my usual posts. You have been warned!

Any power user will tell you that computer security is just an illusion. The only safety most people have is that there aren't nearly enough people out there with malevolent intent who also have significant computer knowledge. Plus, most hackers are benevolent, and the real cyber criminals aren't interested in small game anyway. That said, the little security that digital security techniques such as SSL and PGP key encryption offer goes a long way in ensuring that you don't make it easy for the casual hacker to snoop on your data.

I say all this because today I realised once again how naive people can be. You see, in India, most of the so-called "cable internet" is actually a euphemism for a local area network hooked up and administered by a cable operator. So, not surprisingly, there are no cable modems involved in a cable internet setup, just a lot of Ethernet cards. What the cable operators and the users don't realise, however, is that they are setting up a large broadcast network (Ethernet) on which everybody has access to each other's data packets. While it is true that most people won't see each other's packets, because the operating system's TCP/IP stack filters out frames not addressed to it, that won't stop a determined hacker from having a look-see.

That, in a nutshell, is exactly what I decided to do today. I was getting bored, so I decided to find out exactly how bad the situation is. I have had Ethereal (a network protocol analyzer) set up on my Windows machine for a while now. All I had to do was fire it up and set it up so that it would capture all packets going past my network card. I did that and stored all the frames (network packets) in a log file. I did this for an hour and then ran a simple search filter on the file to bring up all HTTP packets with the request method set to POST. Doing this got me access to six username/password combinations, all for different users.

I didn't verify any of the credentials because it wasn't my intent to impinge on anybody's privacy. But I'd willingly bet all my knowledge on the fact that each and every one of these credentials works. Because I limited my search to just the most obvious way of submitting credentials on web sites (the POST request method), it is also quite possible that this is just a small subset of all the credentials contained within the raw data that I gathered. The worst part is that this network isn't just used by individuals. I know of actual companies that use my cable operator to provide for their connectivity needs. Having seen the general level of awareness of system admins in this country, I'm pretty sure a lot of them have no idea that it is so easy for anyone to steal data that is potentially valuable to their company or its clients. On top of that, I am sure that 90% of these companies have never bothered, and never will bother, to get a third-party security audit done.
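The post describes filtering an Ethereal capture for HTTP POST requests to see what a shared broadcast segment exposes. The following is an added example, not code from the original post or from Ethereal: a minimal stand-alone audit script that an administrator can run over frames from their own network to show users which logins travel in the clear. It parses Ethernet/IPv4/TCP by hand, flags POSTs to an HTTP port that carry a password-like form field, and reports only the field names and endpoints, never the secret values. The field-name list, the port list and the sample frames are all constructed for the example.

```python
"""Audit raw Ethernet frames for logins submitted over cleartext HTTP.

Added example, not from the original post. Frames are built inline
(constructed sample data, checksums left at zero) so this runs offline.
"""
import struct
from urllib.parse import parse_qs

# Constructed lists for the example: form fields treated as credentials,
# and TCP ports treated as cleartext HTTP.
CREDENTIAL_FIELDS = {"password", "passwd", "pass", "pwd"}
HTTP_PORTS = {80, 8080}


def parse_frame(frame: bytes):
    """Return (src_ip, dst_ip, dst_port, tcp_payload) for an IPv4/TCP frame.

    Returns None for non-IPv4, non-TCP or truncated frames.
    """
    if len(frame) < 14:
        return None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800:  # only IPv4 is handled here
        return None
    ip = frame[14:]
    if len(ip) < 20:
        return None
    ihl = (ip[0] & 0x0F) * 4  # IPv4 header length in bytes
    if ip[9] != 6:  # protocol field: 6 is TCP
        return None
    src_ip = ".".join(str(b) for b in ip[12:16])
    dst_ip = ".".join(str(b) for b in ip[16:20])
    tcp = ip[ihl:]
    if len(tcp) < 20:
        return None
    dst_port = struct.unpack("!H", tcp[2:4])[0]
    data_off = (tcp[12] >> 4) * 4  # TCP header length in bytes
    return src_ip, dst_ip, dst_port, tcp[data_off:]


def find_cleartext_logins(frames):
    """Return one finding per HTTP POST whose body carries a credential field."""
    findings = []
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed is None:
            continue
        src_ip, dst_ip, dst_port, payload = parsed
        if dst_port not in HTTP_PORTS or not payload.startswith(b"POST "):
            continue
        head, _, body = payload.partition(b"\r\n\r\n")
        header_lines = head.split(b"\r\n")
        request_line = header_lines[0].decode("ascii", "replace")
        host = ""
        for line in header_lines[1:]:
            name, _, value = line.partition(b":")
            if name.strip().lower() == b"host":
                host = value.strip().decode("ascii", "replace")
        fields = parse_qs(body.decode("ascii", "replace"))
        leaked = sorted(f for f in fields if f.lower() in CREDENTIAL_FIELDS)
        if leaked:
            # Report where the cleartext login went and which fields, not the values.
            findings.append({"src": src_ip, "dst": f"{dst_ip}:{dst_port}",
                             "host": host, "request": request_line,
                             "fields": leaked})
    return findings


def build_frame(src_ip, dst_ip, dst_port, payload, src_port=40000):
    """Build a minimal Ethernet/IPv4/TCP frame for the constructed samples."""
    eth = b"\x00" * 12 + b"\x08\x00"  # zero MACs, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    tcp += payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    return eth + ip + tcp


# Constructed sample capture: one cleartext login, one TLS fragment (opaque
# to the parser, as it should be), one plain GET.
SAMPLE_FRAMES = [
    build_frame("10.0.0.5", "198.51.100.10", 80,
                b"POST /login HTTP/1.1\r\nHost: mail.example\r\n"
                b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
                b"username=alice&password=hunter2"),
    build_frame("10.0.0.6", "198.51.100.20", 443, b"\x16\x03\x01\x00\x05hello"),
    build_frame("10.0.0.7", "198.51.100.10", 80,
                b"GET / HTTP/1.1\r\nHost: mail.example\r\n\r\n"),
]

if __name__ == "__main__":
    for finding in find_cleartext_logins(SAMPLE_FRAMES):
        print(finding)
```

The TLS frame to port 443 produces no finding because the parser cannot see inside it, which is exactly the point of the post: the same login over SSL yields nothing to an observer on the segment. Real captures would also need TCP reassembly for POSTs split across segments; this example only inspects single frames.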

So what I'm saying is:
  • Use PGP or any other good free encryption tool to encrypt all important email.
  • If you use a web mail provider, make sure they have a secure (possibly SSL) login mode. Otherwise, close that account.
  • If you use an online banking provider, make sure their login is secure. This is the case 90% of the time, so I wouldn't worry about it too much.
  • Firewalls and anti-virus scanners won't help in this situation because they only protect your computer and the data that resides on it from outsiders. They DO NOT protect your data in transit; only encryption can do that.
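The advice above to check whether a web mail or banking provider has a secure login mode can be turned into a quick check. The following is an added example, not code from the original post: it parses a login page's HTML with the standard library and reports, for every form containing a password field, whether the form submits to an https:// URL. The page URLs and HTML are constructed for the example.

```python
"""Check whether the login forms on a page submit credentials over HTTPS.

Added example, not from the original post. The sample pages below are
constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class LoginFormCollector(HTMLParser):
    """Collect every <form> on the page and note whether it has a password input."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []
        self.current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            # A missing or relative action resolves against the page URL.
            self.current = {"action": urljoin(self.page_url, attrs.get("action") or ""),
                            "has_password": False}
        elif tag == "input" and self.current is not None:
            if (attrs.get("type") or "").lower() == "password":
                self.current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self.current is not None:
            self.forms.append(self.current)
            self.current = None


def audit_login_page(page_url, html):
    """Return one result per password form: its resolved action and whether it is https."""
    collector = LoginFormCollector(page_url)
    collector.feed(html)
    collector.close()
    results = []
    for form in collector.forms:
        if not form["has_password"]:
            continue
        scheme = urlsplit(form["action"]).scheme.lower()
        results.append({"action": form["action"], "secure": scheme == "https"})
    return results


# Constructed sample: a web mail login page served over plain HTTP with one
# form posting back over HTTP and one posting to an HTTPS endpoint.
SAMPLE_PAGE_URL = "http://mail.example/login"
SAMPLE_HTML = """
<html><body>
<form action="/dologin" method="post">
  <input type="text" name="user"><input type="password" name="pass">
</form>
<form action="https://secure.example/login" method="post">
  <input type="text" name="user"><input type="PASSWORD" name="pass">
</form>
<form action="/search"><input type="text" name="q"></form>
</body></html>
"""

if __name__ == "__main__":
    for result in audit_login_page(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(result)
```

A form whose action is https:// keeps the submitted password off the wire, but if the page itself was fetched over plain HTTP, anyone on the segment could have altered the form before it reached the browser, so the safer test is that the login page and the form action are both served over SSL.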
Right now, I don't see much evidence of the data I found being misused. But I am quite sure that won't last for long. Imagine two companies on the same cable-provider-operated network sending out tenders to the same client. How hard would it be for someone with a little knowledge working in company A to grab company B's mail off the broadcast network? And this is just one of the potential scenarios. The problem becomes even more complex when we consider wireless (802.11-based) networks. My company just put up a wireless network in the office, and although I don't use it (still tied to a LAN-cabled desktop) I am quite sure that it is very insecure. While someone would previously have needed to hook up their workstation to an Ethernet cable coming from the office to listen in on the packets, now all it would take is an 802.11 wireless card. I'm pretty sure my network admin has never heard of the term war driving, but if he's not careful he's going to hear it pretty soon, and not in a good way. Same goes for you! Don't think 24-hour connectivity comes without a price.