October 14, 2002 (Computerworld) --
Join the online discussion about this column.
I've said it before, but it's worth repeating. All network traffic should be protected by strong encryption. I recently learned that even SSL is simple to bypass, thanks to a powerful collection of free, open-source network sniffing utilities called dsniff (http://monkey.org/~dugsong/dsniff/). So if you think you're safe because you're using Secure Shell (SSH) instead of Telnet, or because you've connected to a Web site by using the https address, think again.
Network sniffing has its place, and even saved my gluteus maximus once. While managing a network, I noticed from a security log that the e-mail servers were exchanging mail with source and destination domains other than their own.
That's something e-mail servers shouldn't do unless you set them up to relay mail. These weren't relay servers, so these exchanges indicated that someone might have cracked the e-mail system.
I ran a dsniff utility called mailsnarf to capture the suspicious e-mails and see what was going on. As it turns out, my suspicions were well founded, and I ended up with a stack of papers to send to the FBI. The whole process was rather easy, since mailsnarf captures mail traffic that passes through a network node or Ethernet switch. It saves the messages in Berkeley mbox format, so you can use just about any e-mail client to read what you capture as easily as you can read mail from your in-box. The nice thing about mailsnarf is that you can specify a search pattern to look for only the network traffic that raises a red flag. This doesn't completely prevent the system from capturing innocent messages this way, but it does help minimize the problem.
Unfortunately, while dsniff is an ideal set of tools to ferret out crackers, it's also an ideal cracker's tool. The fellow in the cubicle next to yours can use dsniff to read all of your e-mail, watch all of your instant messages and even synchronize his browser with yours so that it displays the Web pages you visit as you visit them.
Some network administrators are under the mistaken impression that they're immune to rampant sniffing problems because they use Ethernet switches instead of hubs. That's an easy mistake. When a computer sends network traffic to an Ethernet hub, the hub broadcasts the information to every computer or network node attached to that hub. It's up to the node to figure out if it's the intended recipient of the message. It's intuitively obvious that any computer on the hub would be capable of snooping on all of the traffic on that portion of the network.
In contrast, an Ethernet switch directs packets only to the intended recipients. One would think, therefore, that if Computer A sends packets to Computer B, Computer C shouldn't be able to sniff that data because it doesn't "see" any traffic intended for Computer B. As it turns out, it's actually quite easy for Computer C to trick the Ethernet switch into thinking it's the intended recipient for network traffic. That's what the dsniff program arpspoof does. It allows you to intercept switched network traffic intended for others, examine and save the information, and then pass it on to the intended targets so that no one will suspect his data is being snooped.
This spoofing technique is called a monkey-in-the-middle attack, and it brings us to the weakness with SSL. Thanks to inadequate public-key handling in SSL, you can dsniff utilities to launch a monkey-in-the-middle attack to intercept SSH or https sessions. That's right. The fellow in the cubicle next to you could have all your encrypted passwords by now.
The best way to protect yourself against dsniff is to pressure hardware and software vendors to use and enforce strong encryption for all network traffic. So I urge you to vote for these changes with your dollars. In the meantime, there's no easy way to protect your network against dsniff users, but you can find some helpful suggestions at the aforementioned dsniff Web site. Nicholas Petreley is a computer consultant and author in Asheville, N.C. He can be reached at nicholas@petreley.com.

|
|
|
"Yes, NASA has confirmed that some laptops taken to the International Space Station were infected with an online-gaming password stealing..."
Read more...
"Linux is more secure than most operating systems, but Not if you don't practice basic security measures..."
Read more...
Read more Security posts or See all Blogs
|
Telework can change office dynamics in ways you hadn't anticipated. Proceed cautiously.
Got a painfully slow connection or random dead spots? Our tips will help you get the most out of your wireless network.
Listen up, managers: Employees don't quit the job; they quit you.
Netbooks, ultraportables, mini-notebooks whatever you call them, they've been grabbing headlines. Are they here for the long term or just a flash in the pan?
Reviews, analyses, how-tos, visual tours, hot issues and predictions about Microsoft's new OS.
Four years from now, the IT field will be a vastly different place. Will you be ready?
|
 |
| From Laggard to Leader: Transforming the Data Center From Laggard to Leader: Transforming the Data Center Register for this complimentary live webcast today! Go to the webcast |
|
| Computerworld Executive Bulletin: Building a Robust Antivirus Defense Download this Executive Bulletin (a $49.95 value) for free, compliments of MessageLabs. (Source: MessageLabs) Antivirus software alone isn't enough to prevent today's speedy, sophisticated virus attacks. Security managers should consider multitiered approaches that include behavior scanning, appliances that check e-mail for worms, and restricting user access to dangerous Web sites. Download this Executive Bulletin (a $49.95 value) for free, compliments of MessageLabs, to learn more. Download this executive briefing |
|
| Online Security Issues in Regulated Industries Download this research paper, free for a limited time, compliments of Webroot! (Source: Webroot Software) In June 2008, Computerworld invited IT and business leaders to participate in a survey on online security initiatives at their organizations. The goal of the survey was to better understand Web and e-mail security issues faced today within the regulated education, financial services, government and health care industries. The following report represents top-line results of that survey. Download this white paper |
|
| White Papers Read up on the latest ideas and technologies from companies that sell hardware, software and services. | View more whitepapers |
|
|