Saturday, March 05, 2005

Security: A Dangerous Illusion

Disclaimer: This writeup is a bit more tech heavy than my usual posts. You have been warned!

Any power user will tell you that computer security is just an illusion. The only safety most people have is that there aren't nearly enough people out there with malevolent intent who also have significant computer knowledge. Plus, most hackers are benevolent, and the real cyber criminals aren't interested in small game anyway. That said, the little security that techniques such as SSL and PGP encryption offer goes a long way toward ensuring that you don't make it easy for the casual hacker to snoop on your data.

I say all this because today I realised once again how naive people can be. You see, in India, most of the so-called "cable internet" is actually a euphemism for a local area network hooked up and administered by a cable operator. So, not surprisingly, there are no cable modems involved in a cable internet setup, just a lot of Ethernet cards. What the cable operators and the users don't realise, however, is that they are setting up a large broadcast network (Ethernet) on which everybody has access to each other's data packets. While it is true that most people won't see each other's packets, because the packets get filtered by the operating system's TCP/IP stack, that won't stop a determined hacker from having a look.

That, in a nutshell, is exactly what I decided to do today. I was getting bored, so I decided to find out exactly how bad the situation is. I have had Ethereal (a network protocol analyzer) set up on my Windows machine for a while now. All I had to do was fire it up and configure it to capture all packets going past my network card. I did that and stored all the frames (network packets) in a log file. I did this for an hour and then ran a simple search filter on the file to bring up all HTTP packets with the request method set to POST. Doing this got me access to six username/password combinations, all for different users.

I didn't verify any of the credentials because it wasn't my intent to impinge on anybody's privacy. But I'd willingly bet all my knowledge on the fact that each and every one of these credentials works. Because I limited my search to just the most obvious way of submitting credentials on web sites (the POST request method), it is also quite possible that this is just a small subset of all the credentials contained within the raw data that I gathered. The worst part is that this network isn't just used by individuals. I know of actual companies that use my cable operator to provide for their connectivity needs. Having seen the general level of awareness of system admins in this country, I'm pretty sure a lot of them have no idea that it is so easy for anyone to steal data that is potentially valuable to their company or its clients. On top of that, I am sure that 90% of these companies have never bothered, and never will bother, to get a third-party security audit done.
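As an added example (not code from the original post), here is what the POST filter described above looks like when written as an audit script an administrator can run over reconstructed TCP payloads from their own network: it reports which hosts and forms accept a password in the clear, and redacts the values so the output is a list of leaks to fix rather than a list of credentials. The field names and sample payloads are constructed assumptions; a real run would feed it payloads exported from a capture.

```python
"""Audit reconstructed TCP payloads for login forms submitted over cleartext HTTP."""
from urllib.parse import parse_qs

# Field names commonly used for secrets in login forms (assumption; extend as needed).
SECRET_FIELDS = {"password", "passwd", "pass", "pwd", "pin"}


def parse_http_request(payload: bytes):
    """Split a cleartext HTTP request into (method, path, headers, body); None if not HTTP."""
    try:
        head, _, body = payload.partition(b"\r\n\r\n")
        lines = head.decode("ascii").split("\r\n")
        method, path, version = lines[0].split(" ", 2)
    except (UnicodeDecodeError, ValueError):
        return None
    if not version.startswith("HTTP/"):
        return None
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def find_cleartext_logins(payloads):
    """Return one finding per POST carrying a password-like field; values are never kept."""
    findings = []
    for payload in payloads:
        parsed = parse_http_request(payload)
        if parsed is None:
            continue  # TLS records and binary data never parse as HTTP, which is the point
        method, path, headers, body = parsed
        if method != "POST" or "x-www-form-urlencoded" not in headers.get("content-type", ""):
            continue
        fields = parse_qs(body.decode("latin-1"), keep_blank_values=True)
        leaked = sorted(f for f in fields if f.lower() in SECRET_FIELDS)
        if leaked:
            findings.append({"host": headers.get("host", "?"), "path": path, "fields": leaked})
    return findings


# Constructed sample payloads: a cleartext login, a plain GET, and the start of a TLS record.
SAMPLE_PAYLOADS = [
    b"POST /login HTTP/1.1\r\nHost: webmail.example.test\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 27\r\n\r\n"
    b"user=alice&password=hunter2",
    b"GET /inbox HTTP/1.1\r\nHost: webmail.example.test\r\n\r\n",
    b"\x16\x03\x01\x00\x31\x01\x00\x00\x2d\x03\x03\x9f\xc2" + bytes(38),
]

if __name__ == "__main__":
    for f in find_cleartext_logins(SAMPLE_PAYLOADS):
        print(f"cleartext login to {f['host']}{f['path']} exposes fields {f['fields']}")
```

The same encrypted login over SSL would appear only as the third kind of payload and produce no finding, which is exactly the property the advice below asks you to check for.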

So what I'm saying is:
  • Use PGP or any other good free encryption tool to encrypt all important email.
  • If you use a web mail provider, make sure they have a secure (possibly SSL) login mode. Otherwise, close that account.
  • If you use an online banking provider, make sure their login is secure. This is the case 90% of the time, so I wouldn't worry about it too much.
  • Firewalls and anti-virus scanners won't help in this situation because they only protect your computer, and the data that resides on it, from outsiders. They DO NOT protect your data in transit; only encryption can do that.
Right now, I don't see much evidence of the data I found being misused. But I am quite sure that this won't last for long. Imagine two companies on the same cable-operator-run network sending out tenders to the same client. How hard would it be for someone with a little knowledge working in company A to grab company B's mail off the broadcast network? And this is just one of the potential scenarios. The problem becomes even more complex when we consider wireless (802.11 based) networks. My company just put up a wireless network in the office, and although I don't use it (still tied to a LAN cabled desktop), I am quite sure that it is very insecure. While earlier someone would have needed to hook up their workstation to an Ethernet cable coming from the office to listen in on the packets, now all it would take is an 802.11 wireless card. I'm pretty sure my network admin has never heard of the term war driving, but if he's not careful he's going to hear it pretty soon, and not in a good way. Same goes for you! Don't think 24-hour connectivity comes without a price.

5 Comments:

Anonymous Anonymous said...

Tell me something. I was playing around with packet sniffer software. I did capture many packets using the software; I could see stuff like the destination IP, source IP, etc. Along with that there were lots of ASCII characters (the body of the packet). How did you translate the encoded ASCII to readable text?

Anand

12:39 PM, May 14, 2005  
Blogger Arun said...

You'd need to write a bit of C/C++ code to read in the structures using binary read. You can find the details of those structures in the RFC/STD for the TCP/IP protocol (www.rfc-editor.org should be a good place to start). Another option would be to use Ethereal like I did. It translates most of the data in a TCP/IP (and many other protocol) packet to human-readable form. The stuff carried over TCP/IP is HTML most of the time, so it shouldn't be too hard to read that. But if it's some proprietary format like SWF or JPEG (you can usually tell by the MIME type), you can just dump it into a bin file, rename it to the appropriate extension and use the appropriate app to look at it.

9:19 AM, May 17, 2005  
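An added example of the "read in the structures" approach from the reply above, in Python rather than C and not part of the original thread: it decodes one Ethernet II / IPv4 / TCP frame using the header layouts from RFC 791 and RFC 793 and returns the addresses, ports and TCP payload. The frame itself is constructed by a helper (zero checksums, made-up addresses) purely so the code runs offline.

```python
"""Decode an Ethernet II / IPv4 / TCP frame by its RFC 791 and RFC 793 header layouts."""
import struct


def parse_frame(frame: bytes):
    """Return addresses, ports and TCP payload of one frame; None if not Ethernet/IPv4/TCP."""
    if len(frame) < 14 + 20 + 20:
        return None
    _dst_mac, _src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:  # EtherType 0x0800 is IPv4
        return None
    ip = frame[14:]
    (ver_ihl, _tos, total_len, _ident, _flags_frag, _ttl, proto,
     _csum, src_ip, dst_ip) = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    if ver_ihl >> 4 != 4 or proto != 6:  # version must be 4; protocol 6 is TCP
        return None
    ihl = (ver_ihl & 0x0F) * 4  # IPv4 header length in bytes, options included
    tcp = ip[ihl:total_len]
    src_port, dst_port, _seq, _ack, offset_flags = struct.unpack("!HHIIH", tcp[:14])
    data_offset = (offset_flags >> 12) * 4  # TCP header length in bytes
    return {
        "src": f"{'.'.join(map(str, src_ip))}:{src_port}",
        "dst": f"{'.'.join(map(str, dst_ip))}:{dst_port}",
        "payload": tcp[data_offset:],
    }


def build_sample_frame(payload: bytes) -> bytes:
    """Constructed demo frame (assumed addresses, zero checksums); not valid on a real wire."""
    eth = struct.pack("!6s6sH", bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb"), 0x0800)
    # TCP: src port 40000, dst port 80, seq/ack 1, data offset 5 words + PSH|ACK, window 65535
    tcp = struct.pack("!HHIIHHHH", 40000, 80, 1, 1, (5 << 12) | 0x18, 65535, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, 0x4000, 64, 6, 0,
                     bytes([192, 168, 1, 10]), bytes([10, 0, 0, 5]))
    return eth + ip + tcp + payload


if __name__ == "__main__":
    decoded = parse_frame(build_sample_frame(b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"))
    print(decoded["src"], "->", decoded["dst"])
    print(decoded["payload"].decode("ascii"))
```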
Anonymous Anonymous said...

The cable guy has installed a client on my machine that lets me log in to the connection, and I believe he has bound my Ethernet card through that software. Do you think it is possible that he can access my workstation in the same way as the admin can when a user logs in to the network domain?

5:46 AM, June 02, 2005  
Anonymous Anonymous said...

No, he cannot, unless he is able to log in as an admin to your PC.

9:24 AM, September 02, 2005  
Blogger Arun said...

Something you might want to do though is turn off File and Printer Sharing in the network connection properties box. Windows has a nasty habit of exposing root drives as public shares. If you really want to use file/printer sharing, make sure you set the security access permissions on C:, D: etc. to administrators only.

10:55 AM, September 02, 2005  
