April 20, 2004

Tutorial T2: Network Surveillance HOW-TO: A Tutorial on Snooping Around Modern Networks

The 14th Annual Computers Freedom and Privacy Conference started with a paranoid bang this Tuesday morning, as Chris Palmer, Seth Schoen, and Dan Silverstein guided a captive audience through the art of digital network surveillance. The tutorial culminated in a somewhat shocking demonstration of just how vulnerable the average out-of-the-box PC is. But before that, Palmer outlined the physical and conceptual composition of modern computer networks. We often think of computing and network technologies through layers of abstraction. On the wire, communication is essentially a series of voltage fluctuations; through protocol layers, we are able to interpret these raw signals as binary 0s and 1s, address them to end hosts, deal with data loss or interference, and provide robust message sequences and formats for applications (such as your web browser or email client) to interpret.

Abstracted views of underlying technology mask complexity which may confuse us as users. However, they also hide how the underlying machine behaves on one's behalf to carry out the tasks the user has delegated to it. One prominent example of this, which set the stage for Palmer, Schoen and Silverstein's eventual demonstration, was the broadcast nature of most network traffic. When users surf the web or download email on a networked machine, one might implicitly assume that requests emanate from one machine to another, and that responses return in a similar fashion. However, both Ethernet and commonly used wireless protocols (802.11b, 802.11g) broadcast all messages to all nodes connected to the network. It might shock users to realize that there are no functional barriers to third-party monitoring of all network activity. Only the programmed good behavior of systems, which ignore data packets addressed to others and view only those addressed to them, stands in the way. Palmer put it simply, quoting a 19th century statesman who, in response to a proposal to construct an NSA-like agency, said "Gentlemen do not read each other's mail."

Palmer, Schoen, and Silverstein demonstrated how snooping software could be produced with only slight modification to existing and standard computer system software tools. The speakers set up a small local area network and configured one machine to monitor the traffic of another as it requested a web page. An abundance of data was readily available, as the HTTP request was broadcast over the common wire in plain, unencrypted text. Any machine connected to the network could view the web page requested, the IP address of the issuing host, the operating system that host was running, and a globally unique machine identifier called a MAC address, along with many other explicit and inferable facts.
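To make concrete what "readily available" means, here is an added example (not code from the tutorial or its presenters) that dissects one constructed Ethernet/IPv4/TCP frame carrying a plaintext HTTP GET and lists what any host sharing the medium could read from it: both MAC addresses, both IP addresses, the requested host and path, the browser's User-Agent string, and a coarse operating-system hint from the IP TTL field. The frame bytes, addresses (RFC 5737 documentation IPs, locally administered MACs) and headers are all constructed for this example; the frame assumes a shared medium such as a hub or wireless network, as in the demonstration, since a switched network normally only delivers a frame to the port that owns its destination MAC. It is the kind of script a defender runs against a capture of their own traffic to audit what it leaks.

```python
import struct

# Constructed sample frame (not a real capture): Ethernet II / IPv4 / TCP / HTTP.
# Addresses use documentation ranges (RFC 5737 IPs, locally administered MACs).
CLIENT_MAC = bytes.fromhex("020000000001")
SERVER_MAC = bytes.fromhex("020000000002")
CLIENT_IP = bytes([192, 0, 2, 10])
SERVER_IP = bytes([192, 0, 2, 80])


def build_sample_frame() -> bytes:
    """Assemble one client-to-server frame carrying a plaintext HTTP GET."""
    http = (b"GET /index.html HTTP/1.1\r\n"
            b"Host: www.example.com\r\n"
            b"User-Agent: Mozilla/5.0 (Windows NT 5.1)\r\n"
            b"\r\n")
    # TCP header: sport, dport, seq, ack, data offset (5 words) in the high
    # nibble, flags PSH|ACK, window, checksum (0 in this sample), urgent pointer.
    tcp = struct.pack("!HHIIBBHHH", 49152, 80, 1000, 2000, 5 << 4, 0x18, 65535, 0, 0)
    total_len = 20 + len(tcp) + len(http)
    # IPv4 header: version/IHL, DSCP, total length, id, flags/fragment offset,
    # TTL 128 (a common Windows default), protocol 6 = TCP, checksum (0 in
    # this sample), source and destination addresses.
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, 0x4000, 128, 6, 0,
                     CLIENT_IP, SERVER_IP)
    eth = SERVER_MAC + CLIENT_MAC + b"\x08\x00"   # dst MAC, src MAC, EtherType IPv4
    return eth + ip + tcp + http


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def guess_os_from_ttl(ttl: int) -> str:
    """Coarse OS hint from the TTL, a well-known passive fingerprinting heuristic."""
    if ttl <= 64:
        return "likely Linux/BSD/macOS (initial TTL 64 family)"
    if ttl <= 128:
        return "likely Windows (initial TTL 128 family)"
    return "likely Solaris/Cisco or similar (initial TTL 255 family)"


def dissect(frame: bytes) -> dict:
    """Return what a passive observer on the same medium can read from the frame."""
    dst_mac, src_mac = frame[0:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    info = {"src_mac": mac_str(src_mac), "dst_mac": mac_str(dst_mac)}
    if ethertype != 0x0800:          # only IPv4 is handled in this example
        return info
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4         # header length in bytes
    ttl, proto = ip[8], ip[9]
    info.update(src_ip=".".join(map(str, ip[12:16])),
                dst_ip=".".join(map(str, ip[16:20])),
                ttl=ttl, os_hint=guess_os_from_ttl(ttl))
    if proto != 6:                   # only TCP is handled in this example
        return info
    tcp = ip[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_offset = (tcp[12] >> 4) * 4
    payload = tcp[data_offset:]
    info.update(src_port=sport, dst_port=dport)
    if payload.startswith((b"GET ", b"POST ", b"HEAD ")):
        # Plaintext HTTP: the request line and headers are fully readable.
        request_line, _, rest = payload.partition(b"\r\n")
        headers = {}
        for line in rest.split(b"\r\n"):
            if not line:             # blank line ends the header block
                break
            name, _, value = line.partition(b":")
            headers[name.strip().lower().decode()] = value.strip().decode()
        info.update(request=request_line.decode(),
                    host=headers.get("host"),
                    user_agent=headers.get("user-agent"))
    return info


if __name__ == "__main__":
    for key, value in dissect(build_sample_frame()).items():
        print(f"{key:>10}: {value}")
```

Run it and every field the tutorial listed appears in the output; swap `build_sample_frame()` for frames read from a pcap file to audit real traffic.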

There are cryptographic ways to prevent network snooping. Secure Sockets Layer (SSL) is commonly used for secure World Wide Web transactions. Diffie-Hellman cryptography is also commonly used to protect information produced by applications prior to network transmission.
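The reason a Diffie-Hellman exchange defeats the passive observer from the previous demonstration is that everything crossing the wire (the group parameters and the two public values) is insufficient to compute the shared secret. The following is an added example, not code from the tutorial, of the exchange with both parties' computations and the eavesdropper's view side by side. The prime `P` and base `G` are toy values chosen so the numbers stay readable; a real deployment uses a standardized group of 2048 bits or more, or an elliptic curve, and authenticates the public values so an active attacker cannot substitute their own.

```python
import hashlib
import secrets

# Toy parameters for illustration only (a 32-bit prime); real systems use
# standardized 2048-bit-or-larger groups or elliptic curves.
P = 0xFFFFFFFB   # 4294967291, prime
G = 2


def generate_keypair(p: int = P, g: int = G) -> tuple[int, int]:
    """Pick a random private exponent and return (private, public = g^private mod p)."""
    private = secrets.randbelow(p - 2) + 1      # 1 .. p-2
    return private, pow(g, private, p)


def shared_secret(own_private: int, peer_public: int, p: int = P) -> int:
    """Each side raises the other's public value to its own private exponent."""
    return pow(peer_public, own_private, p)


def derive_key(secret: int, transcript: bytes, p: int = P) -> bytes:
    """Hash the shared secret with the public transcript into a 32-byte session key."""
    secret_bytes = secret.to_bytes((p.bit_length() + 7) // 8, "big")
    return hashlib.sha256(secret_bytes + transcript).digest()


def run_exchange(p: int = P, g: int = G) -> tuple[bytes, bytes, dict]:
    """Return (Alice's key, Bob's key, what the eavesdropper saw on the wire)."""
    a_priv, a_pub = generate_keypair(p, g)
    b_priv, b_pub = generate_keypair(p, g)
    # Everything a snooping host on the shared medium records:
    wire = {"p": p, "g": g, "A": a_pub, "B": b_pub}
    transcript = f"{p}|{g}|{a_pub}|{b_pub}".encode()
    key_a = derive_key(shared_secret(a_priv, b_pub, p), transcript, p)
    key_b = derive_key(shared_secret(b_priv, a_pub, p), transcript, p)
    return key_a, key_b, wire


if __name__ == "__main__":
    key_a, key_b, wire = run_exchange()
    print("on the wire:", wire)
    print("keys match:", key_a == key_b)
```

The private exponents never leave `run_exchange`, which is why the `wire` dictionary, the complete record available to a sniffer, cannot be turned into the session key without solving a discrete logarithm in the group.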

But communication channels are not the end of network security woes. Computer networks are composed of end systems (computers) and network media (wires). The common assumption is that communications channels are vulnerable to snooping (as in the Ethernet example) but that the computer systems they connect are less so. The speakers were emphatic in pointing out that although transmission security may be strong, end systems are not, as some assume, inherently safer than communication channels. Schoen stated that using SSL to deliver HTTP is like "using an armored car to deliver a package to someone on a park bench." With the installation of malicious software such as a Remote Access Trojan (RAT) on a networked computer, an attacker can essentially take complete control of another individual's computer.

To demonstrate this end-system attack, a RAT (SubSeven v.2.1.5) was installed on a victim machine. This Trojan allowed the attacker to view the victim's current screen, record and insert keystrokes, download and upload arbitrary files, and activate the PC's microphone to record audio from the surrounding environment. Schoen stated that "when malicious code infects a computer all bets are off … It may do anything."

End-system and communications attacks are increasingly sophisticated. One computer science professor at UC Berkeley has devised a system to break SSL by analyzing the timing of encrypted data packets emanating from a computer over a network. Moreover, less malicious but equally invasive monitoring software (sometimes called spyware or adware) is commonly found on computers whose users have no idea it is there. A recent BBC news report found that an average of 29 spyware applications were installed on the computers it studied as part of a survey.

The best ways to fight these security compromises are to update virus definitions regularly, to scrutinize the source of information (including Verisign certificates) before accepting files, and to configure network software (including operating systems) to disallow things like automatic software download and execution.

Posted by johnhan at April 20, 2004 06:28 PM