
[Graphic: Behind the Screens]
One Sniff and Your Password Is Stolen


Dave Dittrich, Client Services Software Engineer, Computing & Communications

You come to work one day to find that an FBI special agent has just paid a visit and that the system administrator has shut down your computer account to comply with a subpoena for all of the email and other computer files. One of "your" files contains a large collection of credit card information. You did not create that file and know nothing about it.

You have been using hard-to-guess passwords and changing them regularly. How could someone have gotten access to your account to use it for this activity? One likely possibility is that you have been a victim of a password sniffer attack.

What Is a Sniffer?

Sniffers are programs that enable an attacker to steal your password and thus the use of your computer account. These programs monitor activity on a network in order to record the names and passwords of users as they log on to other systems.

When Can Your Password Be Sniffed?

Many local area networks (LANs) are made up of shared Ethernet network segments. Practically any computer on a shared LAN can launch a sniffer program to steal passwords of people using that network.

Sniffers work by monitoring the communication flow to discover when someone begins using a network service such as a remote email session (IMAP or POP), a file transfer (FTP), or general timesharing (Telnet). Each of these services uses a protocol that defines how a session is established, how your account is identified and authenticated, and how the service is used.

To get access to one of these services, you first have to log in. It is the login sequence--the authentication part of these protocols, which occurs at the start of every session--that sniffers look for because it contains your password.

How Is Your Password Sniffed?

To understand how a sniffer works, you need to know that every computer on a shared LAN can see all of the packets of data being sent to or from all the other computers on that LAN. Depending on how the network interface card is configured, any of these computers can be running a sniffer program that looks at every packet and can save a copy of it in a log file for someone to use.

The sniffer ends up with copies of information sent from one of the computers on the shared LAN to the LAN server or to a UW Uniform Access computer such as Homer. The first few packets of a session are the ones the sniffer cares about because they pass back and forth the desired login information:

Computer A to computer B: Hello. I'd like to start a file transfer session.

Computer B to computer A: Hello. For whom should I transfer files?

A to B: USER smith would like to transfer files.

B to A: What is the PASSWORD for smith?

A to B: The PASSWORD is openSesame.

B to A: That matches the PASSWORD for smith that I have stored; smith may now transfer files.

In this case, the sniffer records the information in a sniffer log that may look like this:

Computer A => Computer B
[FTP]
USER smith
PASS openSesame
----[END]----

The log shows that someone made an FTP connection to an account on computer B using Smith's password. The person reading the log could infer that Smith also may have an account on computer A (if it is another Unix system) and that the odds are good that Smith uses the same password on that system.

The key to this interception is that the sniffer is able to monitor the communication channel and that Smith's password travels in readable form, often called "clear text."
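The exchange above can be turned into the defender's counterpart of that sniffer log. The following is an added example, not code from the original article or from C&C: given the client-to-server bytes of a session (as a monitoring tool on the LAN would already have them; this code captures nothing itself), it recognizes the authentication step of FTP, POP3 and IMAP, the same step the sample log records, and reports who logged in where in the clear. The password is matched only to confirm one was sent and is then dropped, so the alert can be shown to the user without repeating the secret. Telnet, which sends keystrokes one at a time, would need stream reassembly first and is left out. All addresses and payloads are constructed samples.

```python
"""Flag clear-text logins in captured session payloads, without keeping the password.

Added example, not code from the original article. Given the client-to-server
bytes of a session, it recognises the authentication step of FTP, POP3 and IMAP
and reports who logged in where in the clear. The password is matched only to
confirm one was sent, then discarded. Sample data below is constructed.
"""
import re
from dataclasses import dataclass

# Constructed client->server payloads keyed by (source, destination, port).
SAMPLE_SESSIONS = {
    ("10.0.0.5", "10.0.0.9", 21): b"USER smith\r\nPASS openSesame\r\nLIST\r\n",
    ("10.0.0.5", "10.0.0.10", 110): b"USER smith\r\nPASS openSesame\r\nSTAT\r\n",
    ("10.0.0.5", "10.0.0.11", 143): b"a001 LOGIN smith openSesame\r\na002 SELECT INBOX\r\n",
    # An ssh session: only the version banner is readable, the rest is encrypted.
    ("10.0.0.5", "10.0.0.12", 22): b"SSH-2.0-OpenSSH_2.9\r\n\x00\x00\x03\x1c\x08\x14\xd3\x07",
}

PORT_TO_PROTOCOL = {21: "FTP", 110: "POP3", 143: "IMAP"}

# Client commands that carry credentials. The password is matched with \S+ but
# never captured as a group, so it cannot end up in a finding.
FTP_POP_USER = re.compile(rb"^USER (\S+)\r?$", re.M)
FTP_POP_PASS = re.compile(rb"^PASS \S+\r?$", re.M)
IMAP_LOGIN = re.compile(rb"^\S+ LOGIN (\S+) \S+\r?$", re.M | re.I)


@dataclass(frozen=True)
class ClearTextLogin:
    src: str
    dst: str
    port: int
    protocol: str
    user: str


def find_cleartext_logins(sessions):
    """Return one ClearTextLogin per session whose payload carried a password."""
    findings = []
    for (src, dst, port), payload in sessions.items():
        protocol = PORT_TO_PROTOCOL.get(port)
        user = None
        if protocol in ("FTP", "POP3"):
            m = FTP_POP_USER.search(payload)
            # A USER command alone is not a login; require the PASS that follows.
            if m and FTP_POP_PASS.search(payload):
                user = m.group(1)
        elif protocol == "IMAP":
            m = IMAP_LOGIN.search(payload)
            if m:
                user = m.group(1)
        if user is not None:
            findings.append(ClearTextLogin(src, dst, port, protocol,
                                           user.decode("ascii", "replace")))
    return findings


def format_alert(finding):
    """Human-readable line for the user or administrator; no secret included."""
    return (f"{finding.src} -> {finding.dst}:{finding.port} [{finding.protocol}] "
            f"clear-text login as '{finding.user}' (password not recorded)")


if __name__ == "__main__":
    for finding in find_cleartext_logins(SAMPLE_SESSIONS):
        print(format_alert(finding))
```

Run as a script it prints three alerts, one each for the FTP, POP3 and IMAP sessions, and nothing for the ssh session, whose payload after the banner is encrypted and matches none of the patterns.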

Why Steal Your Password?

As in the scenario described at the beginning, there are many uses that people make of stolen computer accounts. These range from nuisance attacks (sending "joke" email that appears to be from you) to illegal activity (breaking into computers or selling stolen goods). The attraction for the hacker is the potential to carry on these activities by using someone else's identity.

The more accounts the attacker has, the easier it is to hide his or her real identity and location. The primary reason people break into systems and install sniffers is to steal as many accounts as they can, as quickly as possible.

How Can You Protect Yourself?

You might be thinking that sniffers make the entire Internet completely insecure and that you shouldn't touch it with a ten-foot keyboard. Not at all. You just need to know where the risk is, when you are at risk, and what to do to be safer.

Think of your password as you would your credit card number. When you purchase an item in a store or over the phone with your credit card, that number is visible to others--just as your password is visible during some transactions. If you suspect that someone has your credit card number and may use it, you call your bank and get a new number.

Since passwords are sometimes stolen, it is essential that you change your password regularly. This precaution limits the amount of time a stolen password can be used by an attacker.

It is never a good idea to share your password with others. Sharing accounts makes it difficult for you to know where your password is being used (and exposed) and harder to detect unauthorized use.

Never give your password to someone who calls you on the phone claiming to be a "C&C Computer Operator" or a "UW Security Officer" saying they need to verify information about your account to fix a problem or to investigate a system break-in. C&C staff would not, as a matter of policy, ask someone for their password over the phone. This type of trickery (known as "social engineering") is probably the simplest and most effective method of hacking.

Using Networks You Can Trust

You also need to know which networks you can trust, and which ones you can't. If you go on vacation, for example, and log on to your UW account remotely at an Internet Cafe in Europe or on a colleague's computer at another university, are you sure you can trust that network?

[Graphic: Diagram where a sniffer might be.]

The path you use to connect to Homer determines whether your password is vulnerable to a sniffer. Switched LANs and direct dial-in are trusted because they do not share data with computers that could be running a sniffer program.

If you ever have to use Telnet on a network you are not sure you can trust, take advantage of the fact that sniffers usually only look at the first few packets of each session. Simply change your password right before you log out each time. If your password was sniffed when you logged on, it will no longer be valid.

No Quick Fix

Why have networks remained vulnerable to sniffers for so long? There are a number of reasons.

Part of the problem is that software companies see the trade-off between spending resources on new features versus adding security. Tight security features often make the systems harder to set up or less convenient to use.

Another part of the problem is the added cost for Ethernet switches, hubs, interface cards that don't support a special "promiscuous" mode that sniffers can use, and new software.
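A sniffer on a shared LAN has to put the host's interface into promiscuous mode, so an administrator can at least check their own machines for that state. The following is an added example, not code from the original article or from C&C; it parses two Linux sources: the detailed output of `ip -d link show`, which prints a `promiscuity` counter for each interface, and kernel log lines of the form `device eth0 entered promiscuous mode` (newer kernels write `eth0: entered promiscuous mode`, which is also accepted). Both inputs are constructed samples so the code runs offline; pass in the real command output to audit a machine. Bridges, virtual machine hosts and legitimate network monitors also use promiscuous mode, so a hit is a lead to look into, not proof of a sniffer.

```python
"""Check which interfaces are in promiscuous mode on a Linux host.

Added example, not code from the original article. Parses `ip -d link show`
output (promiscuity counter per interface) and kernel log lines reporting
entry into or exit from promiscuous mode. The inputs below are constructed
samples; substitute the real output of `ip -d link show` and `dmesg`.
"""
import re

IP_LINK_SAMPLE = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 promiscuity 0 minmtu 0 maxmtu 0 addrgenmode eui64
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether 02:00:00:aa:bb:cc brd ff:ff:ff:ff:ff:ff promiscuity 1 minmtu 68 maxmtu 65535 addrgenmode eui64
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether 02:00:00:aa:bb:cd brd ff:ff:ff:ff:ff:ff promiscuity 0 minmtu 68 maxmtu 65535 addrgenmode eui64
"""

KERNEL_LOG_SAMPLE = """\
[  120.401] device eth0 entered promiscuous mode
[  121.002] device eth0 left promiscuous mode
[ 4310.775] device eth0 entered promiscuous mode
"""

# "2: eth0: <...>" or "5: veth1@if6: <...>"; the name is up to the first '@' or ':'.
IFACE_HEADER = re.compile(r"^(\d+): ([^:@\s]+)")
PROMISC_COUNT = re.compile(r"\bpromiscuity (\d+)\b")
# Older kernels: "device eth0 entered promiscuous mode"; newer: "eth0: entered promiscuous mode".
KLOG_EVENT = re.compile(r"(?:device (\S+) |(\S+): )(entered|left) promiscuous mode")


def promiscuous_interfaces(ip_link_output):
    """Return {interface: promiscuity} for interfaces whose counter is above zero."""
    result = {}
    current = None
    for line in ip_link_output.splitlines():
        header = IFACE_HEADER.match(line)
        if header:
            current = header.group(2)
            continue
        count = PROMISC_COUNT.search(line)
        if current and count and int(count.group(1)) > 0:
            result[current] = int(count.group(1))
    return result


def promiscuous_mode_events(kernel_log):
    """Return (interface, 'entered'|'left') tuples in log order."""
    return [(m.group(1) or m.group(2), m.group(3)) for m in KLOG_EVENT.finditer(kernel_log)]


def interfaces_promiscuous_per_log(kernel_log):
    """Replay the log: the kernel prints one line per transition, so the last
    event for each interface gives its current state."""
    state = set()
    for iface, action in promiscuous_mode_events(kernel_log):
        if action == "entered":
            state.add(iface)
        else:
            state.discard(iface)
    return sorted(state)


if __name__ == "__main__":
    print("promiscuous now (ip -d link):", promiscuous_interfaces(IP_LINK_SAMPLE))
    print("entered/left history (kernel log):", promiscuous_mode_events(KERNEL_LOG_SAMPLE))
    print("promiscuous per kernel log:", interfaces_promiscuous_per_log(KERNEL_LOG_SAMPLE))
```

The two views are worth comparing: `ip -d link show` tells you the state right now, while the kernel log shows whether an interface was switched into promiscuous mode earlier and switched back, which is what a briefly run sniffer would leave behind.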

And, finally, part of the problem is incompatibilities between security software products: vendor A software to vendor B software, and older software to newer software.

What Network Administrators Are Doing

Just as stores and restaurants now use carbonless receipts to prevent credit card numbers from winding up in trash cans, your department or network provider can also do things to secure your password over their LAN. Many departments use:

Many of these and other steps are already being taken campus-wide. The residence halls, for example, have scrambling hubs. The networks that serve the dial-in modem pools are not shared with any computers. And the UW network backbone and server subnets, made up of Ethernet switches, likewise cannot be sniffed.

Adding a few switches to the subnet does not alone provide privacy protection to the devices connected to it; the privacy goal is only achieved as part of a coordinated upgrade to an entire subnet. C&C has requested funding to begin these projects, as part of an overall campus network upgrade, but it will take quite a while to complete the entire campus. Departmental computer lab managers or others with special requirements should contact help@cac.washington.edu or netops@cac.washington.edu for assistance in this area.

Future Network Security

The next level of security on campus will be achieved using encryption (to be covered in our Autumn issue). When passwords are encrypted, the UW network will be much more secure, but only when implemented on all computers you use in your department, in your home, and at other institutions outside the UW where you may have accounts.

One encryption technology that C&C has been exploring is called Kerberos. It is currently being used within the C&C computing clusters, but passwords coming from departmental desktop machines are not yet protected.

C&C has also installed ssh (Secure Shell--a secure login, remote shell, and file transfer program) on all Uniform Access systems, so you can start using it today. Ask your departmental network administrators about using ssh. If you use ssh, your session can still be sniffed, but because of the encryption what the sniffer records looks like meaningless garbage. If you do start using ssh, it will not be a problem when Kerberos is fully implemented because they are independent technologies.

In the future, more security will be built into the computing and networking infrastructure and the products you use. But like locks on your car and home, you still need to know how and when to use them. Security is never something you can take for granted.

For More Information

Internet Security Systems Network Packet Capture FAQ: www.iss.net/vd/packcapt.html

Computer Emergency Response Team (CERT) Coordination Center (studies Internet security): www.cert.org/

Unix Security Overview: weber.u.washington.edu/~dittrich/talks/security/

At Large: The Strange Case of the World's Biggest Internet Invasion, by Charles C. Mann & David H. Freedman (1997)

University of Washington Computing & Communications
Windows on Computing, No. 21, Spring 1998
newsltr@cac.washington.edu