Hackers, crackers, and sniffers

Internal Auditor, Oct, 1996

Sniffing tools that allow unauthorized access to computer systems are powerful, accessible, and very much out there.

The diagnostic and development tools of information system (IS) professionals have not only helped to create efficient and safe computing environments; they also assist IS auditors in verifying the adequacy of security. Unfortunately, computer prowlers and thieves are also relying on those tools to gain unauthorized access to even the most secure systems.

Sniffers, widely accessible and powerful tools that listen in on computer network traffic, are being used by some hackers and crackers to snatch user IDs and passwords. The consequences can obviously be devastating. The hacker is able to install Trojan horse programs, trap doors, additional user IDs and passwords, and more -- and is then able to delete log files to eliminate the electronic audit trail. Auditors need to become familiar with these sniffing tools and their potential, so that the risk to the organization is identified and defenses are established.

Sniffers

Sniffers are essentially programs that eavesdrop on network communication, sitting quietly on an information channel and recording what passes over it. Computers are generally connected in a network through Ethernet. The Ethernet protocol works by breaking documents and files into small components called packets, which are then sent along the network to the destination computer. Each packet contains address information, which is how the network gets the message to the proper computer. Unfortunately, messages sent along a computer network do not receive the level of privacy that one might expect.

In fact, computer networks are somewhat analogous to the telephone "party-lines" of the past, where two households shared a loop but held separate telephone numbers. Incoming calls rang the appropriate household phone, but the shared loop gave any unprincipled person in the other household the opportunity to "sniff" or eavesdrop on the other party's conversation.

In much the same way, the packet header contains the proper address of the destination machine; only the machine with the matching address is supposed to accept the packet. Just as on the party lines of old, however, other machines may be able to sniff network traffic, or eavesdrop, without detection. Because account and password information travels along the Ethernet in readable (clear) text, it is relatively simple for unauthorized persons to gain access simply by sniffing. With the phenomenal growth of the Internet, reported sniffing incidents are definitely on the rise.

The Good Guys

For many years, network engineers have used sniffers, which they usually call network monitors or LAN analyzers, to fine-tune, expand, and troubleshoot network performance. The tools allow the engineer to observe the network, uncover a wide range of problems, and quickly pinpoint their origins. Sniffers are also valuable to the security administrator, as they enable the capture of both failed and successful logon attempts. Many commercially available sniffers provide powerful yet easy-to-use capabilities, ranging from protocol analysis across all seven layers of the OSI model to statistical traffic displays in real time.

Without sniffers, it's difficult to identify problems that impact the network's performance, and nearly impossible to anticipate them. Without the sniffer and the skilled engineer, networks are vulnerable to slowdowns, or worse, total system failure. Network monitors are considered essential tools in any shop with responsibility for efficient and effective management of a network. A shop without a network monitor is not in control of the network; it's that plain and simple!

Preventing a Sniffer Attack

Recognizing the potential of sniffers for both "good and evil," internal auditors will want to investigate preventive measures that may help to ward off attacks. The following strategies may provide an effective starting point:

* Practice good system administration. Maintain an up-to-date list of valid users and administrators, limit the number of super-users, remove all non-essential accounts, review audit logs, and install security patches.

* Hide behind a firewall.

* Authenticate individuals as authorized users.

* Lock up files with encryption. Eliminate the transmission of clear-text or reusable passwords on the network by purchasing hubs that defeat sniffing through packet encryption. Encryption is the most effective and least expensive technique for eliminating the risk of clear-text passwords being sniffed from your network.

* Choose Ethernet adapter cards that cannot go into promiscuous mode. Some software packages allow encryption between connections, making it virtually impossible for an intruder to decipher captured user IDs and passwords. Appropriate defenses can do much to block sniffer attacks.
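
The packet-and-address description above, and the advice to eliminate clear-text passwords, can be turned into a concrete audit check. The following Python is an added example written for this page, not code from the article or its author: it builds a handful of Ethernet/IPv4/TCP frames in memory (the addresses, user name, password and services are all constructed), walks the headers exactly as any network monitor would, and reports which flows carry a reusable credential in readable text. It deliberately redacts the secret itself; the output an auditor wants is the list of services that still need encryption. The same frames include one login over an encrypted channel to show that there the check finds nothing to read.

```python
"""Audit constructed network traffic for reusable passwords sent in the clear.

Added example, not from the article. It builds a few Ethernet/IPv4/TCP frames
in memory (constructed sample traffic, no live capture), parses the headers the
way any packet analyzer does, and reports which flows carry credentials in
readable text. Secret values are never included in the report: the output is a
list of services that still need encryption, not a list of logins.
"""
import socket
import struct
from dataclasses import dataclass

ETH_HDR = struct.Struct("!6s6sH")           # dst MAC, src MAC, EtherType
IPV4_HDR = struct.Struct("!BBHHHBBH4s4s")   # minimal 20-byte IPv4 header
TCP_HDR = struct.Struct("!HHIIBBHHH")       # minimal 20-byte TCP header

# Services that carry reusable credentials in the clear, keyed by server port.
CLEARTEXT_SERVICES = {21: "FTP", 23: "Telnet", 80: "HTTP", 110: "POP3"}


@dataclass
class Flow:
    src: str
    dst: str
    dst_port: int
    payload: bytes


def build_frame(src_ip: str, dst_ip: str, dst_port: int, payload: bytes) -> bytes:
    """Assemble one Ethernet/IPv4/TCP frame (constructed; checksums left zero)."""
    eth = ETH_HDR.pack(b"\x00\x11\x22\x33\x44\x55", b"\x66\x77\x88\x99\xaa\xbb", 0x0800)
    tcp = TCP_HDR.pack(40000, dst_port, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    total_len = IPV4_HDR.size + len(tcp) + len(payload)
    ip = IPV4_HDR.pack(0x45, 0, total_len, 0, 0, 64, 6, 0,
                       socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + tcp + payload


def parse_frame(frame: bytes):
    """Walk the Ethernet, IPv4 and TCP headers; return a Flow, or None if not TCP/IPv4."""
    _dst_mac, _src_mac, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != 0x0800:                  # not IPv4
        return None
    ip_off = ETH_HDR.size
    vihl, _tos, total_len, _id, _frag, _ttl, proto, _csum, src, dst = IPV4_HDR.unpack_from(frame, ip_off)
    if proto != 6:                           # not TCP
        return None
    tcp_off = ip_off + (vihl & 0x0F) * 4     # IHL is counted in 32-bit words
    _sport, dport, _seq, _ack, doff_flags, *_rest = TCP_HDR.unpack_from(frame, tcp_off)
    data_off = (doff_flags >> 4) * 4         # TCP data offset, also in words
    payload = frame[tcp_off + data_off: ip_off + total_len]
    return Flow(socket.inet_ntoa(src), socket.inet_ntoa(dst), dport, payload)


def credential_findings(frames) -> list:
    """Return one redacted finding per flow that exposes a credential in the clear."""
    findings = []
    for frame in frames:
        flow = parse_frame(frame)
        if flow is None or flow.dst_port not in CLEARTEXT_SERVICES:
            continue                          # encrypted or unknown service: nothing readable
        text = flow.payload.decode("ascii", errors="replace")
        if flow.dst_port in (21, 110) and text.upper().startswith("PASS "):
            what = "PASS command"
        elif flow.dst_port == 80 and "authorization: basic" in text.lower():
            what = "HTTP Basic Authorization header"
        elif flow.dst_port == 23 and text.strip():
            what = "Telnet session data (every keystroke, passwords included)"
        else:
            continue
        service = CLEARTEXT_SERVICES[flow.dst_port]
        findings.append(f"{flow.src} -> {flow.dst}:{flow.dst_port} ({service}): {what} sent in the clear")
    return findings


# Constructed sample traffic: addresses, names and the password are made up.
SAMPLE_FRAMES = [
    build_frame("10.0.0.5", "10.0.0.20", 21, b"USER alice\r\n"),
    build_frame("10.0.0.5", "10.0.0.20", 21, b"PASS hunter2\r\n"),
    build_frame("10.0.0.5", "10.0.0.30", 80,
                b"GET /payroll HTTP/1.1\r\nHost: intranet\r\n"
                b"Authorization: Basic YWxpY2U6aHVudGVyMg==\r\n\r\n"),
    build_frame("10.0.0.5", "10.0.0.40", 23, b"hunter2\r\n"),
    # The same login over an encrypted channel; opaque bytes stand in for ciphertext.
    build_frame("10.0.0.5", "10.0.0.50", 22, bytes.fromhex("9f3a77c0e1b24d58")),
]

if __name__ == "__main__":
    for line in credential_findings(SAMPLE_FRAMES):
        print(line)
```

Run against the constructed frames, the check reports the FTP, HTTP and Telnet flows and stays silent on the encrypted one, which is the article's point in miniature: the header tells the network where the packet goes, the payload is readable to anyone on the segment, and only encryption changes that. In a real review the frames would come from a capture taken by the network team on a segment they own, and the report, never the capture, is what goes into the audit file.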

Detecting a Sniffer Attack

Two major factors make sniffers difficult to detect. One is that sniffers listen quietly; the software is simply capturing packets without sending anything itself. The second factor is that sniffers are packet analyzers, common tools that have been in worldwide use for years. The technology is proven and available for almost every network and protocol.
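
Because a sniffer sends nothing, the wire itself offers little to detect; what can be checked is the host. A sniffer running on a machine normally has to switch that machine's adapter into promiscuous mode, the very setting the prevention list above says to deny, so that it accepts frames addressed to other computers. On Linux that state is reported as the PROMISC flag by `ip link show` and as bit 0x100 (IFF_PROMISC) in `/sys/class/net/<interface>/flags`. The following Python is an added example for this page, not code from the article: it parses a constructed sample of `ip link show` output and, when run on a Linux host, reads the sysfs flags directly. It sees only the local machine; a sniffer elsewhere on the same segment is invisible to it, and a kernel-level rootkit can hide the flag, so a clean result is one input to the review rather than proof.

```python
"""Host-side check for network adapters left in promiscuous mode.

Added example, not from the article. Two sources are read: the flags printed by
`ip link show` (a constructed sample is included so the parser runs anywhere)
and, on a Linux host, /sys/class/net/<iface>/flags, where IFF_PROMISC is 0x100.
"""
import re
from pathlib import Path

IFF_PROMISC = 0x100   # value of IFF_PROMISC in the Linux if.h flag set

# Matches the first line of each interface in `ip link show` output:
#   "2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 ..."
# The optional "@parent" handles VLAN and veth names such as "eth0.10@eth0".
IP_LINK_RE = re.compile(r"^\d+:\s+([^:@\s]+)(?:@\S+)?:\s+<([^>]*)>", re.MULTILINE)

# Constructed sample of `ip link show` output; eth0 is the one in promiscuous mode.
SAMPLE_IP_LINK = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether 66:77:88:99:aa:bb brd ff:ff:ff:ff:ff:ff
"""


def promiscuous_from_ip_link(text: str) -> list:
    """Return the names of interfaces whose `ip link show` flags include PROMISC."""
    found = []
    for name, flags in IP_LINK_RE.findall(text):
        if "PROMISC" in flags.split(","):
            found.append(name)
    return found


def promiscuous_from_sysfs(net_root: str = "/sys/class/net") -> list:
    """Return interfaces whose sysfs flags have IFF_PROMISC set (Linux only).

    Returns an empty list where sysfs is absent, so the function is safe to call
    on any platform; net_root is a parameter only so the path can be pointed at
    a test tree.
    """
    root = Path(net_root)
    found = []
    if not root.is_dir():
        return found
    for iface in sorted(root.iterdir()):
        try:
            flags = int((iface / "flags").read_text().strip(), 16)  # e.g. "0x1103"
        except (OSError, ValueError):
            continue
        if flags & IFF_PROMISC:
            found.append(iface.name)
    return found


if __name__ == "__main__":
    print("sample ip link output:", promiscuous_from_ip_link(SAMPLE_IP_LINK))
    print("this host (sysfs):   ", promiscuous_from_sysfs())
```

Any interface the check names should be reconciled against the list of machines the network team legitimately runs a monitor on; a production workstation or server in promiscuous mode with no such entry is exactly the unexplained condition an auditor follows up. On hosts where `ip -d link show` is available, its `promiscuity` counter gives the same information in detailed output.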
