The Threat Of Packet Sniffers Information Technology Essay
Packet sniffing software is a controversial subject and a double-edged sword. It can be used to analyze network problems and detect Internet misuse. But at the same time, it allows hackers and people with malicious intention to “sniff” out your password, get your personal information, and invade your privacy. That is also why securing and encrypting data is so important. In this paper, the definition of packet sniffing will be introduced and several functionality features and possible uses of packet sniffers will be explained. Also, information on how to protect against sniffers and man-in-the-middle attacks will be provided. An example of a packet sniffer program, Wireshark, will be given, followed by a case study involving the restaurant chain Dave & Buster’s, which will show the negative consequences that can occur when organizations are not aware of the threat of packet sniffing by hackers.
A packet sniffer is “a computer program or a piece of computer hardware that can intercept and log traffic passing over a digital network or part of a network” (Connolly, 2003). Packet sniffers are known by alternate names including network analyzer, protocol analyzer or sniffer, or for particular types of networks, an Ethernet sniffer or wireless sniffer (Connolly, 2003). As binary data travels through a network, the packet sniffer captures the data and provides the user an idea of what is happening in the network by allowing a view of the packet-by-packet data (Shimonski, 2002). Additionally, sniffers can also be used to steal information from a network (Whitman and Mattord, 2008). Legitimate and illegitimate usage will be explained in later sections.
Packet sniffing programs can be used to perform man-in-the-middle attacks (MITM). This type of attack occurs when “an attacker monitors network packets, modifies them, and inserts them back to the network” (Whitman, et al., 2008). For example, a MITM attack could occur when two employees are communicating by email. An attacker could intercept and alter the email correspondence between each employee, without either knowing that the emails had been changed. MITM attacks have the potential to be a considerable threat to any individual or organization since such an attack compromises the integrity of data while in transmission.
Packet sniffing programs work by capturing “binary” data that is passing through the network, and then the program decodes the data into a human-readable form. A following step called “protocol analysis” makes it even easier for the data to be read. The degree of these analyses varies by individual packet sniffing program. Simple programs may only break down the information in the packet, while more complicated ones can provide more detailed information and analysis, for example, by highlighting certain types of data such as passwords that pass through the network (“Packet Sniffing”, Surasoft.com, 2011).
As for today’s networks, switch technology is commonly used in network design. This technology makes it increasingly easy to set up sniffing programs on servers and routers, through which much traffic flows. In addition, there are already built-in sniffing modules being used in today’s networks. For example, most hubs support a standard called Remote Network Monitoring (RMON). This kind of standard allows hackers to sniff remotely with the SNMP (Simple Network Management Protocol), used in most network devices, and only requires weak authentication. Network associates “Distributed Sniffer Servers” are used by many corporations. These servers are set up with passwords that are quite easy to guess or crack. In addition, computers with Windows NT system usually come with the “Network Monitoring Agent” program, which also allows remote sniffing (“Packet Sniffing”, ISS.net, 2011). Essentially, these sniffing programs are set up for the use of network administrators. However, the threat exists that hackers can gain access to the network and view the program logs.
Packet sniffers capture all of the packets that travel through the point where the sniffer is located. For example, if the program was installed next to the server of an organization, the user could have access to all the data being transferred across the company through that server. Typical types of packets intercepted by attackers include the following:
SMTP (email): The attacker can intercept unencrypted emails (“Packet Sniffing”, ISS.net, 2011).
HTTP (web): Web traffic information and history can be easily captured (“Packet Sniffing”, ISS.net, 2011).
Telnet Authentication: Login information to a Telnet account can be intercepted (“Packet Sniffing”, ISS.net, 2011).
FTP traffic: Access to an FTP account can be sniffed in cleartext (“Packet Sniffing”, ISS.net, 2011).
SQL database: Information from web databases is also vulnerable (“Packet Sniffing”, ISS.net, 2011).
Functionality and Possible Uses of Packet Sniffers
Good and Bad Uses
Like any tool, a packet sniffer is a “double-edged sword” because it can be used for good or bad purposes (Orebaugh, Ramirez, and Beale, 2007). It can be used by security professionals to investigate and diagnose network problems and monitor network activity (Orebaugh, et al., 2007). Conversely, it can be used to eavesdrop on network traffic by hackers, criminals, and the like, who can use the data gathered for harmful purposes (Orebaugh, et al., 2007).
Professionals such as system administrators, network engineers, security engineers, system operators, and programmers use packet sniffers for a variety of uses, including troubleshooting network problems, figuring out system configuration issues, analyzing network performance (including usage and bottlenecks), debugging during the development stages of network programming, analyzing operations and diagnosing problems with applications, and ensuring compliance with company computer usage policies (Orebaugh, et al., 2007).
Good: Troubleshoot Network Problems
When an error occurs on a network or within an application, it can be very difficult for administrators to determine what exactly went wrong and how to correct the error. Many consider the packet sniffer to be the best tool for figuring out what is wrong with programs on a network (Neville-Neil, 2010). Examining packets as a starting point for solving problems is useful because a packet is the most basic piece of data and holds information, including the protocol being used and source and destination address (Banerjee, Vashishtha, and Saxena, 2010). Basically, at the packet level of analysis, all layers are visible, so nothing is hidden (Neville-Neil, 2010).
Understanding the timing of what happened is another important factor in debugging network problems (Neville-Neil, 2010). This information can be easily attained by using a packet sniffing program. Essentially, packet sniffers allow you to find out the “who, what, and when” of a situation, all of which are vital to understanding how to fix a problem (Neville-Neil, 2010). Once these things are known, the administrator can determine what is causing the problem and how to go about fixing it.
As soon as a problem occurs, the first recommended step is for the network administrator to use a packet sniffing program to record all network traffic and wait for the bug to occur again (Neville-Neil, 2010). If the administrator already had a packet sniffing program with logging in place, then he or she could go back and examine the log records. Assuming the administrator did not have a log previously set up, the next step would be to only record as much information as necessary to repair the problem (Neville-Neil, 2010). It would not be a good idea to record every single packet of data because if too much data is collected, finding the error will be “like finding a needle in a haystack” although the administrator has likely “never seen a haystack that big” (Neville-Neil, 2010). For example, recording only one hour of Ethernet traffic on a LAN will capture a few hundred million packets, which will be too large to sort through (Neville-Neil, 2010). It goes without saying that the administrator should not record the data on a network file system because the packet sniffer will capture itself (Neville-Neil, 2010). Once the data is recorded, the administrator can examine the packets to analyze and understand what occurred to solve the problem.
Good: Network Optimization
In addition to solving network communication problems, packet sniffers can help administrators plan network capacity and perform network optimization (Shimonski, 2002). A packet sniffer allows users to view data that travels over a network packet by packet (Shimonski, 2002). However, rather than having to examine each packet, the appropriate sniffer program will perform the analysis for the administrator.
The tools are especially useful because depending on the packet sniffing program used, the packet data will appear in an easy-to-understand format. Packet sniffers can often generate and display statistics and analyze patterns of network activity (Shimonski, 2002). Data can appear in graphs and charts that make analysis and comprehension easy. Additionally, the network administrator can filter by selected criteria to capture only the relevant traffic rather than having to sort through irrelevant data (Shimonski, 2002). Knowing what programs and which users use the most bandwidth can help administrators manage resources efficiently and avoid bandwidth bottlenecks.
Good: Detect Network Misuse
Packet sniffers can be used to monitor application traffic and user behavior (Dubie, 2008). This information can be used to detect misuse by company employees or by intruders. To use a packet sniffer to monitor employees legally, a network administrator must do three things. First, he must be on a network owned by the organization, second, he must be directly authorized by the networks owners, and finally, he must receive permission of those who created the content (Whitman, et al., 2008). Permission by content creators is needed because packet sniffing is a method of employee monitoring (Whitman, et al., 2008). Typically, an employee will sign a release form when first employed that allows the employer to monitor the employee’s computer usage.
By using a packet sniffer, employers can find out exactly how each employee has been spending his or her time. Packet sniffers can be used to see all user activity and administrators can monitor for behaviors such as viewing inappropriate websites, spending paid time on personal matters rather than work, or abusing company resources. For example, a packet sniffer program could show that a particular employee was downloading music at work, both violating organizational policies and using a large amount of network bandwidth (Dubie, 2008).
Packet sniffers can also be used to detect network intrusion, log traffic for forensics and evidence, discover the source of attacks such as viruses or denial of service attacks, detect spyware, and detect compromised computers (Orebaugh, et al., 2007). A packet sniffer and logger that can detect malicious entries in a network is a form of an intrusion detection system (IDS) (Banerjee, et al., 2010). The packet sniffer IDS consists of a database of known attack signatures. It will then compare the signatures in the database to the logged information to see if a close match between the signature and recent behavior has occurred. If it has, then the IDS can send out an alert to the network administrator (Banerjee, et al., 2010). Despite this use of packet sniffers to detect intrusion, hackers have methods of making themselves very hard to detect and can use packet sniffers for their own advantages.
Bad: Gain Information for Intrusion
Intruders maliciously and illegally use sniffers on networks for an innumerable number of things. Some of the most common are to capture cleartext usernames and passwords, discover usage patterns of users, compromise confidential or proprietary information, capture communications such as emails and voice over IP (VoIP) telephone conversations, map out a network’s layout, and fingerprint an operating system (Orebaugh, et al., 2007). The previously listed uses are illegal unless the user is a penetration tester hired to detect such types of weaknesses (Orebaugh, et al., 2007).
An intruder must first gain entry to the communication cable in order to begin sniffing (Orebaugh, et al., 2007). This means that he must be on the same shared network segment or tap into a cable along the path of communication (Orebaugh, et al., 2007). This can be done in many ways. Firstly, the intruder can be physically on-site at the target system or communications access point (Orebaugh, et al., 2007). If this is not the case, the intruder can access the system in a variety of ways. These include breaking into a certain computer and installing sniffing software that will be controlled remotely, breaking into an access point such as an Internet Service Provider (ISP) and installing sniffing software there, using sniffing software that is already installed on a system at the ISP, using social engineering to gain physical access to install the software, working with an inside accomplice to gain access, and redirecting or copying communications to take a path that the intruder’s computer is on (Orebaugh, et al., 2007).
Intruders can use sniffing programs designed to detect certain things such as passwords and then use other programs to have this data automatically sent to themselves (Orebaugh, et al., 2007). Protocols that are especially vulnerable to such intrusion include Telnet, File Transfer Protocol (FTP), Post Office Protocol version 3 (POP3), Internet Message Access Protocol (IMAP), Simple Mail Transfer Program (SMTP), Hypertext Transfer Protocol (HTTP), Remote Login (rlogin), and Simple Network Management Protocol (SNMP) (Orebaugh, et al., 2007). Once the intruder has access to the network, he can collect data and use it as he likes. Common examples of stolen data include credit card numbers and proprietary organizational secrets, but could include anything the hacker desires. Although organizations may use a primarily switched network, they are not protected from sniffer attacks because many programs exist that allow packet sniffing in a switched network (Whitman, et al., 2008).
Because intruders who use packet sniffers do not directly interface or connect to other systems on the network, the use of sniffers is considered a passive-type of attack (Orebaugh, et al., 2007). It is this passive nature that makes sniffers so difficult to detect (Orebaugh, et al., 2007). In addition to this, hackers normally use rootkits to cover their tracks so that their intrusion will go unnoticed (Orebaugh, et al., 2007). A rootkit is a collection of Trojan programs hackers use to replace the legitimate programs on a system so that their intrusion will not be detected (Orebaugh, et al., 2007). Rootkits replace commands and utilities that the hacker inputs and clears log entries so that there will be no record of his entry (Orebaugh, et al., 2007). Though it is difficult, there are some ways to detect rootkits. Methods of detection include using an alternate, trusted operating system, analyzing normal behaviors, scanning signatures, and analyzing memory dumps (“Rootkit”, Wikipedia, 2011). Removing rootkits can be very complicated and difficult and if the rootkit is in the central operating system, reinstalling the operating system may be the only option to remove it (“Rootkit”, Wikipedia, 2011).
The threat of eavesdropping by hackers is large and challenging. However, there are some defenses that can be taken to prevent hackers from using packet sniffers against an organization.
Protecting Against Packet-Sniffers and Man-in-the-Middle Attacks
Packet sniffing and man-in-the-middle attacks compromise the integrity and confidentiality of data while in transmission. Fortunately, there are several techniques that can be used by organizations and individuals to protect against these threats and reduce risk. Specifically, technology, policy, and education are typically used to cover all aspects of security.
Encryption is the best form of protection against any kind of packet interception (Orebaugh, et al., 2007). The reason behind this is that even if the data is captured by the packet sniffer, the information will be completely unreadable by the attacker (Orebaugh, et al., 2007). By using this technique, messages are encrypted once the data leaves the sender’s computer. Both sender and receiver hold a key that decrypts the message being transferred. Most popular websites apply a level encryption by using the HTTP Secure (HTTPS) protocol. With this technology, the connection between the web server and the user’s computer is encrypted; making the information intercepted by a third party useless. Currently, most popular websites such as Google, Facebook, Yahoo, and Twitter use the https technology. However, some sites (such as Amazon.com) use https only at the login page and fail to provide a secure connection afterwards. In order to assure complete security, it is important to apply the https protocol throughout the user’s browsing experience. The main disadvantage of this feature is that it slightly slows down the user’s connection.
Email can also be protected from packet sniffers by using encryption. Email extensions such as Pretty Good Privacy (PGP) can be easily implemented using standard email platforms like Microsoft Outlook (Orebaugh, et al., 2007). Once sender and receiver start using the encryption techniques, intercepted email messages cannot be interpreted by an attacker during transmission (Orebaugh, et al., 2007).
Another way to protect against sniffers is by using One Time Passwords (OTP). With this method, a different password is sent every time the authentication is requested to the user (Orebaugh, et al., 2007). Similarly to the case of encryption, if a third party intercepts someone’s password, this information will be useless since these can only be used once (Orebaugh, et al., 2007). This technology can be extremely useful to ensure security; however, remembering new passwords for each login can be very challenging and frustrating for most users.
A new security technique called quantum encryption also provides good protection against sniffing attacks. This technique consists of making each bit of data as small as a photon (McDougall, 2006). The data is then transferred across fiber-optic lines. If the information is picked up and intercepted by any kind of packet sniffer, the entire photon message is disrupted, ending up the entire transmission (McDougall, 2006). A technology like this would make it impossible to intercept information since the communication would be cut in the case of interception. However, it requires fiber-optic Internet connections, which many service providers do not own and their installation can be expensive.
Information security professionals can help secure employees’ connections by requiring the use of any of the technologies explained before. For example, if certain employees need to access websites that are outside of the organization’s network, they should be allowed to use only websites that use the https protocol such as Google and Yahoo. Policies requiring Access Control Lists (ACL) can also help prevent sniffer attacks. All secured networks and assets should be supported by an ACL to prevent unauthorized access. Additionally, physical security policies should be implemented to efficiently protect the computer and server rooms in the organization. Unauthorized access to these locations could cause the installation of sniffer programs and equipment.
Every security initiative should have a training program supporting it. Basic but regular training sessions given to employees about the dangers of packet sniffing can prove to be very valuable when protecting a network. Security policies such as not allowing strangers into computer rooms should be explained to all employees.
Example and Demonstration of a Packer-Sniffer Program: Wireshark
Originally named Ethereal, Wireshark is a free and open-source packet analyzer (sniffer) typically used by network and security professionals for troubleshooting and analysis (Orebaugh, et al., 2007). However, many potential attackers also use it to perform man-in-the middle attacks and gain information for password cracking. Wireshark is available for most operating systems (including OS X, Windows, and Linux) and allows users to see all the traffic that goes through a specific network (Orebaugh, et al., 2007).
Wireshark differs from other packet-sniffer programs mainly because of its easy-to-understand format and simple Graphical User Interface (GUI) (Orebaugh, et al., 2007). Wireshark can be easily set up to capture packets from a specific channel. Once the program is running, all the network packets are shown in the screen. The top panel (summary panel) shows a summary of the entire packet, including source, destination, and protocol information (Orebaugh, et al., 2007). Since one quick web browse can provide a large amount of packets, Wireshark solves packet browsing issues by categorizing each packet according to its type and showing each category with a specific color in the GUI. Additionally, the user has the option of applying filters to see only one type of packets. For example, only packets dealing with http functions may be shown. The middle panel in the GUI is called the protocol-tree window. It provides decoded information of the packet (Orebaugh, et al., 2007). Finally, the bottom panel (data view window) shows the raw data of the packet selected in the summary panel (Orebaugh, et al., 2007). Figure 1 shows a screenshot of Wireshark while running and graphically shows the three main panels of the GUI.
Figure 1 – Screenshot of Wireshark while running and the three main panels.
To troubleshoot network problems, Information Systems professionals use Wireshark by installing the sniffer program in various locations in the network and seeing which protocols are being run in each location (Orebaugh, et al., 2007). Additionally, if the sniffer is placed in a location where it can capture all data flowing to the main server, Wireshark can detect network misuse by providing the source and destination of all packets. For example, if an employee in a company uses his computer to access inappropriate websites, Wireshark will show the employee’s and the website’s IP addresses in the source and destination columns with detailed information about the website in the info column and the protocol tree panel.
It is easy to see how useful Wireshark is for network troubleshooting and identifying misuse; however, the program can also be used with malicious intent. For example, the program can be used to find out passwords on unencrypted websites. To demonstrate this case, the username “john_doe_user” and password “123mypasswrd” were used to log in to the unencrypted and unsecured www.bit.ly website. At the same time, Wireshark was set up to capture all packets in the computer. After the packets were captured by the sniffer, the data can easily be filtered by the http category. In the info column, a packet labeled POST means that someone has entered text to a website. After clicking on this specific packet, all the username and password information can be seen in the center section of Wireshark (as shown in figure 2). Unencrypted and unsecured websites are very vulnerable to these types of attacks. On the other hand, websites using the https security feature prove to be safer for users. For example, the same situation as before was applied to the encrypted website www.facebook.com by trying to log in, but Wireshark was unable to capture any packets with login information.
Figure 2 – Wireshark screenshot showing username and password.
Other types of malicious attacks can also be performed with Wireshark. For example, some toolkit add-ins to Wireshark such as Dsniff and Ettercap can be used to perform man-in-the-middle attacks and password cracking (Orebaugh, et al., 2007). Even if the incoming data is encrypted, these tools can crack some passwords by using dictionary brute force attacks (Orebaugh, et al., 2007).
Case Study: A costly attack at Dave & Buster’s
In 2007, the popular restaurant chain Dave & Buster’s experienced the power of malicious packet-sniffing software attacks. A multinational group of hackers was able to penetrate the company’s corporate network and install basic packet-sniffing software at 11 of the chain’s restaurant locations (Thibodeau, 2008). During a four-month period, the attackers were able to intercept customer credit card data going from Dave & Buster’s restaurant locations to the corporate headquarters network in Dallas (McMillan, 2008). Extremely sensitive information such as credit card numbers and security codes were sold to criminals, who used this data to perform fraudulent transactions to online merchants (McMillan, 2008). The attack proved to be very profitable for the hackers. For example, from information coming from only one restaurant location, the criminals were able to gain over $600,000 in profits (McMillan, 2008). It was estimated that approximately 130,000 credit or debit cards were compromised by this attack (Westermeier, 2010).
To access Dave & Buster’s network, the attackers simply drove around a restaurant location with a laptop computer and took advantage of vulnerable wireless signals to access the computer networks (Westermeier, 2010). Malicious sniffing software was then installed in the network to intercept credit and debit card information (Westermeier, 2010). The packet-sniffing software was written by one of the group’s hackers and consisted of SQL injection attacks (Thibodeau, 2008). However, many organizations have stated that the code was not very impressive. For example, the CERT Coordination Center described the program’s source code as a “college-level” piece of technology (Thibodeau, 2008). Additionally, the malicious code had one weakness: it would shut down every time the computer that was monitoring rebooted (McMillan, 2008). Therefore, the criminals had to go back to the restaurant location, gain access, and re-start the packet-sniffer every time this happened. The fact that this costly program was developed by someone with just basic programming skills and that they consistently gained access to the network highlights the lack of protection of Dave & Buster’s security systems.
According to the Federal Trade Commission (FTC), Dave & Buster’s information security systems and policies did not provide the necessary security features to protect customers’ information (Westermeier, 2010). The attackers were able to access the network not just once, but repeatedly over a time frame of four months (Westermeier, 2010). The fact that the company was oblivious to these multiple intrusions during a long time period proves that they were vulnerable to attacks and that Dave & Buster’s did not apply any Intrusion Detection Systems (IDS) to their networks, nor did they monitor outbound traffic (Westermeier, 2010). Additionally, sensitive customer information was not given special protection. Credit card data was transferred across simple unprotected and unencrypted networks (Westermeier, 2010).
What could Dave & Buster’s have done?
First of all, private networks should have been protected in a better way. It was just too easy for hackers to gain access and install malware. By allowing only a specific group of IP addresses, or granting only temporary access, the firm could have been safe from unauthorized access by strangers. But even in the case of hacker access, tools such as IDS can help monitor the network during an attack. If the company had implemented an IDS in their network, the unauthorized intruders would have been detected in time to prevent losses.
Additionally, by treating sensitive data differently than regular communications, the company could have considerably reduced the threat. Dave & Buster’s could have simply used readily available firewall systems to the networks that held customer data (Westermeier, 2010). Encryption devices could have also proven to be useful. If link encryptors had been used, the intercepted data would have been completely useless to the hackers. Data isolation could have also been useful. The firm could have separated the payment card systems from the rest of the corporate network (Westermeier, 2010). Sensitive information did not necessarily require connection to the Internet; so the company should have separated these transmissions from the network.
Finally, a general company-wide policy requiring access restriction, IDS installation, firewall usage, and sensitive data isolation throughout all restaurant locations could have been extremely useful. A uniform and thorough information security policy along with a comprehensive training program given to specific employees would help enforce the security features. Considering that Dave & Buster’s had not implemented any of the security features explained in this section, it is obvious that their story would have been different if these techniques had been used.
Packet sniffing is a sophisticated subject that wears two hats. It can be used for either good or evil depending on the intentions of the person using the program. It can help with analyzing network problems and detect misuses in the network for good purposes. Meanwhile, it can also help hackers and other cyber-criminals steal data from insecure networks and commit crimes, as in the case of Dave & Buster’s. The best way to protect data from being “sniffed” is to encrypt it. Necessary policies and training also help with the protection. As technology evolves, there will be more and more ways to commit cyber crime. Extremely sensitive and valuable data such as credit card information should be well-protected, from the perspectives of both organizations and individuals. In order to protect this information, users should be aware of the benefits of packet sniffers but also protect against the threat of their misuse.Order Now