Network "sniffers" and You

You may be one of a thousand or more lucky people on the University of Washington campus who were told you need to change your password because of a "network sniffer" attack. Since before April 1997, there have been dozens of sniffer incidents on UW local area networks.

Sniffers are programs that allow an attacker to steal your password and thus your computer account. This method of attack goes back to the early 1980's and was brought to the public's attention in 1994 when the Computer Emergency Response Team (CERT) published their advisory CA-94.01 titled, "Ongoing Network Monitoring Attacks." Several books on "hacking" (the bad kind) describe attacks involving sniffers, often leading to theft of thousands of accounts on networks worldwide.

Because these attacks are continuing -- with no end in sight -- it is important that you, as an Internet user, understand how your passwords are vulnerable and to take appropriate measures to secure your computer accounts. Choosing "good" passwords and changing them frequently is part of the solution and so is knowing when you are vulnerable to sniffers and how to deal with them.

What is a "sniffer?"

A "sniffer" is a program that monitors communications on a local area network, or "LAN".

There are millions of small LANs -- each building on campus where your computers are connected, for example, has one or more LANs -- that are in turn connected to bigger networks like the University of Washington's network, which are in turn connected to even larger networks. The sum of all these interconnected networks is the "thing" we call the Internet.

Many of these LANs are made up of shared Ethernet network segments on which all systems communicate using the same physical medium. Practically any systems on these shared Ethernet LANs can be turned into a sniffer that can be used to steal passwords of users connecting to and from hosts on that LAN.

Sniffers work by monitoring the communication flow on a LAN to find when someone begins using a network service, such as a terminal emulator session using "telnet", a file transfer session using "ftp", or a remote electronic mail session using IMAP or POP services.

All these services are all handled with "protocols" and each protocol, or service, has its own identifying number. When you connect from one computer to another computer using a particular service, its like making a call to a switchboard, where an operator asks what extension you want and then transfers your call, going back to wait patiently to accept a new call.

Similar to the diplomatic term, "protocols" are strict rules that define how a particular session is established, how your account is identified and authenticated, and how the service is used. It is the authentication part of these protocols, which occurs at the start of every session, that the sniffer gathers.

The first part of many protocols goes something like this:

COMPUTER A: Hello COMPUTER B? I'd like to start a file transfer session.

COMPUTER B: Hello, COMPUTER A. For whom should I transfer files?

A: USER "dittrich" would like transfer files.

B: What is the PASSWORD for "dittrich"?

A: The PASSWORD is "op3nS3sam3".

B: That matches the password for "dittrich" that I have stored; "dittrich" may now transfer files.

...and so on.

How would my password be "sniffed?"

To understand how the sniffer works, lets use an analogy of the LAN as a hallway in a building, with each room being a computer.

Each room (computer) has a doorway connecting it to the hall (the network), and there is a person standing in each doorway (a "network interface") to facilitate communication. A client is a person sitting in one room, and they will communicate with a server, which is a person sitting in another room.

The client and server communicate by sending each other postcards (which are the "packets" of information that travel on a real LAN). Each postcard has a source address (the client's identification and room where that postcard is sent FROM) and a destination address (the room where the postcard is going TO). The server is also identified, by its service, or protocol, number (FTP, used for file transfer, is service #21).

To handle just the first part of this protocol (establishing the FTP connection), someone in room A addresses a postcard to someone in room B, requesting an FTP session, and the postcard is passed out into the hallway. Each network interface sees each postcard as it travels down the hall. If the postcard is not addressed to someone in that room, the interface ignores the postcard and nobody inside the room sees it.

If, on the other hand, the interface is put into a special mode called "promiscuous mode", that is like the person standing at the door making a photocopy of every postcard it sees and passing it into the room to someone (the sniffer) who asks to see every postcard. They aren't supposed to do this, but there is nothing to stop them in this scenario and no way to tell they are doing it (sniffing is a passive activity, that leaves no trace on the network itself; it does, however, leave a trace on the computer that is being used as the sniffer.)

Playing out the protocol for transferring files shown above, but on postcards this time, the sniffer in room C ends up with a stack of postcards that look like this:

From: A, To: B, service FTP -- connect
From: B, To: A, service FTP -- connection accepted, USER?
From: A, To: B, service FTP -- USER dittrich
From: B, To: A, service FTP -- PASSWORD?
From: A, To: B, service FTP -- PASSWORD op3nS3sam3
From: B, To: A, service FTP -- READY
The sniffer only cares about the first few postcards that start the session, because this is where all the good information is found. In this case, the sniffer makes a note in their sniffer log that looks something like this:

Computer A => Computer B [FTP]
USER dittrich
PASS op3nS3sam3
----[END]----
This shows that I made an FTP connection, to an account on computer B with the name "dittrich" and that my password is "op3nS3sam3". The person reading the log can also infer that I may also have an account on computer A (if it is another Unix system and not a single-user PC or Macintosh) and that the odds are good that I have the same password on that system.

The key is that the sniffer is (a) able to monitor the communication channel and (b) my password travels the channel in readable form, often called "clear text."

Who cares if someone steals my password? Its only email. Isn't it?

No, its not only email.

Many people who use the simple email services the UW provides on computer clusters like Homer and Dante don't realize what they have access to.

Personal computers that run Windows 95 or the Macintosh operating system are "single user" systems. There are no "accounts" per se for more than one person to use, and you certainly can't have two or more people using a standard Windows 95 PC or Macintosh at the same time (that is, they are not "multi-tasking" or "multi-user" operating systems.)

In order to do much of anything with a Windows 95 or Macintosh, you must be sitting in front of the computer and touching the keyboard. (Well, that's not entirely true. If you have enabled file sharing, someone on a remote system can potentially read, alter, or delete files on your hard disk, even though they are not sitting in front of your PC. You should be VERY CAREFUL if you turn on file sharing. You can also install programs that allow remote control of the PC or Mac, but these are commercial add-on products that are not widely used.)

This "single" vs. "multi" user situation is very different with operating systems like Unix, or Windows NT. Unix is a multi-user, multi-tasking operating system. Homer and Dante run Unix as their operating system. This means you can "log in" to Homer and Dante, from practically any computer, anywhere, on the Internet. That means anywhere, literally, in the world!

Not only that, but your account is not the only one there. There are tens of thousands of other accounts on Homer and Dante. Hundreds, or even thousands, of people can be using the Homer or Dante clusters at a given moment.

You may not realize it, but "Homer" and "Dante" are not single systems. They are clusters, which are made up of dozens of individual computers with names like "dante01" and "homer32" that all look alike and share the generic cluster name.

And Homer and Dante are not the only Uniform Access clusters where you may have accounts. There is the Saul cluster. And the Mead cluster. And the Becker cluster. In all, you may have access to over a hundred individual computers, all using the same single password, and not even know it!

So electronic mail is just one service, out of many, that you access with your password.

Why would someone want my password?

One of the most powerful things about computers is that you can write programs to make them do many things.

Some programs are "good" programs. They let you edit files, send email, or browse the Web. You can also write your own programs (or compile "public domain" programs written by others) to do homework assignments, analyze data generated by research experiments, etc.

Other programs are "bad" programs. There are programs that are designed to deny people services on the Internet by crashing someone's computer, flooding someone's email inbox, forging email to send illegal chain letters, breaking in to other computers, etc.

If someone wants to be a "bad guy" and attack someone else, they first need an account from which to do it. It would be foolish to attack computers from their own account, since that is easy to trace and they would get in trouble, maybe even lose the account forever. Instead, they steal someone else's account and attack from there; Getting you in trouble, instead of them. The more accounts the attacker has, the easier it is to hide their real identity and location. Remember those hundreds of computers you might be able to use with just one password? This is the primary reason people break in to systems and install sniffers; to steal as many accounts as they possibly can, as quickly as they can.

Or maybe they just want to read your email, perhaps to steal credit card numbers, find out where you live, send embarrassing email out in your name. Or maybe they want to steal or alter your research data. Or they just want to steal Internet access by using your password to get to the UW dial in pool. Free Internet!

So you can see, there are many reasons why you should protect your account, and you need to learn them and act appropriately. Just like you learn to lock your car door, and your door at home, and your bike when you park it on the street.

So how can I protect myself?

You might be thinking that sniffers make the entire Internet completely insecure and that you shouldn't touch it with a ten foot keyboard. Not at all.

There are unsafe parts of the Internet, just like there are unsafe parts of large metropolitan areas in the United States. You just need to learn where the risk is, when you are at risk, at what to do to be safer.

Think of your account password like you would your credit card number. If you are like most people you purchase items in stores, or over the phone, using your credit card number. That number is visible to others -- just like your password is visible -- during some transactions (e.g., When you hand the card to a server in a restaurant, do you know who sees it or when/if they make a copy? Do you make sure that the carbon paper is ripped up instead of ending up in the trash can in the alley out back where anyone can find it?) If you suspect that someone has your credit card number and may use it, you call your bank and change the number.

The first thing you must understand is that your password may be exposed when you use certain network services like telnet, ftp, rlogin, and POP and IMAP email sessions. Web browsing can also involve passwords, so it too can risk exposing password information (although passwords used in web forms are usually not the same passwords as your email, or Unix "shell", account).

Next, think about how many times you type your password in a single work session. If you find have to type your password dozens, or even hundreds of times per session, you should be looking for ways to reduce this number (ideally getting to a "single sign on" environment where you only authenticate yourself once per session).

There are alternatives to telnet and ftp, for example the Berkeley "r" utilities. [The Berkeley "r" utilities are documented in Unix man pages. Use the Unix commands man rsh, man rlogin, man rcp, and man rhosts to see them.] For terminal sessions, you can use rlogin instead of telnet. For transferring files, you can use rcp instead of ftp. There is also a remote shell program called rsh that lets you start a program running on one or more remote computers using a single command.

When set up properly, a file named .rhosts in your home directory on the remote system allows you to connect to that system without having to type your password. This means no passwords to sniff, nor can the person sitting next to you watch over your shoulder you type your password. (One problem is that the Berkeley "r" utilities suffer a security problem in that they trust computers' and users' names when determining who is allowed access, which is one reason they are disabled at some sites.)

Since passwords are sometimes stolen, it is a good idea to change your password periodically. Some sites actually require you change passwords every so often (e.g., every 120 days). This limits the amount of time a stolen password is usable by an attacker.

It is also a good idea to not share your password with anyone. Sharing accounts makes it hard for you to know where your password is being used (and exposed) and when you account is being used by the person you trusted with your password or someone who stole it.

That includes not giving your password to someone who calls you on the phone claiming to be "C&C Computer Operations" or the "UW Network Security Officer" and informing you they need to verify some information about your account to fix some problem or investigate a system break-in. C&C staff would not -- as a matter of policy -- ask someone for their password over the phone. This is called "social engineering" and is probably the simplest and most effective method of hacking available. Don't be suckered into it.

You also need to ask yourself, "which networks can I trust, and which ones can't I trust?" That is a hard question to answer.

It is best to be a bit wary of trusting networks to be secure and to ask your network provider what precautions they take to secure you against sniffers. (If they say, "what is a sniffer?", its probably time to look for a new Internet provider!) If you go on vacation and use a friend's account in southeast Asia, or an Internet Cafe in Europe, or even use a friend's dorm room computer at another University in your home town, are you sure you can trust that network?

One general statement that can be made is that the cheaper the network, the more insecure it is. Dividing services up across multiple systems (called "partitioning") costs more money. Using bridges or ethernet switches (to subdivide networks and limit what packets a sniffer can see), scrambling hubs (to prevent sniffers from being able to read the data portion of packets), or installing security software, also cost money. Lots of money. This means the smaller network providers, who need the protection the most, are the ones that can afford it the least. With more and more companies jumping onto the Internet, the problem is getting worse, not better.

On the software side, MIT has developed a system called "Kerberos". Kerberos provides a way to authenticate yourself when using some network services without exposing your password to sniffers. It also means you only have to give your password once for every few hours you are using network services.

Another way of avoiding exposure of your password that is widely supported on the Internet is to use the "Secure Shell", or "ssh". Ssh also hides your password, using various methods of encrypting your password, so it is not visible to sniffers. A session like the one above, done on postcards using ssh, would look to a sniffer like a bunch of meaningless garbage:

From: A, To: B, service SSH -- 7IDi8gS5cSvmJXOP3UuJ
From: B, To: A, service SSH -- 6mb3ReK3atlCHep2EUf9
From: A, To: B, service SSH -- vj4ymAHl9cjsXZkXN3dT
From: B, To: A, service SSH -- W9Y2WRJta1W21394eQAF
From: B, To: A, service SSH -- EbQrRGF2ZSBEaXR0cmlj
...
From this, the attacker can see nothing that is useful in stealing passwords, or even knowing what kind of communication is occurring.

What else can be done?

Just like many stores and restaurants now use carbon-less receipts to prevent credit card numbers from winding up in trash cans, your department or network provider can also do things to secure your password over at least their LAN. There are network cards that cannot be put in promiscuous mode, so computers can't be hijacked and turned into sniffers. There are ethernet switches and special network hubs that hide or scramble packets that don't belong to a particular network interface. There are also encryption packages (like Kerberos and ssh, and also SSL, commonly used for world wide web communication) that eliminate clear text passwords.

C&C has been installing scrambling hubs in the residence halls for years. This makes these networks effectively unsniffable. We have also partitioned the networks that serve the dial-in modem pools, so they are also unsniffable. The network backbone is made up of only Ethernet switches and routers, also unsniffable. The risks now are mostly on those LANs on campus that are poorly funded or lack sufficient network administration resources.

C&C is working on implementing Kerberos. Using the UW network will be much more secure with Kerberos, but it may take a long time to extend Kerberos to all computers you use in your academic department on campus, to your home computer, or to other institutions outside the UW where you may have accounts. If you fall back to using "telnet" in these cases, you right back at risk of sniffing.

We have also installed Ssh on all Uniform Access systems, so you can start using it today to secure your connections (ask your departmental network administrators about using ssh). Ssh and Kerberos can work side by side. They do not inter-operate, but then they are not mutually exclusive technologies either. When Kerberos is available on campus, it will be ideal to use it, but when that won't work you should try to use ssh instead.

If you have to use telnet some time on an untrusted network, like the vacation scenario where you log on to a UW computer remotely, you can take advantage of the fact that sniffers only steal the first few packets of each session and either change your password right before you log out each time, or at least change it as soon as you get back to the UW and can use a more trusted network to connect. You have to remember, though, that you used your account on an untrusted network.

In an ideal world, many of these things would be handled by the people who provide you with network service so you don't have to know about them, but like locks on your car and home, you still need to know at least a little bit about how and when to use them. Security is never something you can take entirely for granted.

Why has the Internet been vulnerable to sniffers for so long?

The situation has taken this long to fix for a number of reasons.

Part of the problem is that software companies are fighting their own battles for market share and trying to bring users fancy new features. They will say the prefer delivering "user friendly" systems over ones that come with tight security features, which often make the systems harder to set up or less convenient to use. (It is often said that security is inversely proportional to ease of use.) This is the same logic car manufacturers used in the early 1900s to justify not installing seat belts in all vehicles sold.

Part of the problem is added cost for ethernet switches, hubs, interface cards that don't support promiscuous mode, and new software. If there is barely enough money to buy the cheapest hardware to get a minimal network up and running, and practically none for skilled network administrators, its going to be very hard to have a secure network. With security, you [don't] get what you [don't] pay for.

Part of the problem is incompatibilities -- vendor A software to vendor B software, and older software to newer software -- between software products.

Often the priorities for dealing with these problems are set by "market forces" -- in other words "money"; they don't have enough, or you won't pay enough -- and software vendors set these priorities in response to user demand, or the company's perception of user demand. More people want a new widget in their word processor, or support for some new sound card or 62X CD-ROM drive, than are asking for abolishing clear text passwords in network services and other security features.

One thing is certain. You can be sure that as more of our economic, academic, and personal lives are lived on ever more interconnected computer networks, the more responsibility we have to protect our online assets and our privacy.

Either that, or we had better be prepared to lose them.


Dave Dittrich <dittrich@cac.washington.edu>
Last modified: Fri Jan 30 12:14:52 1998