Snooping: It’s Not Just For Geeks Anymore
By Brien M. Posey
March 20, 2004
It might just be my imagination, but lately it seems like
just about every person in my entire family has been pressuring me to trade in
my DSL connection for a cable modem. Whenever this happens, I always try to
explain to whoever I happen to be talking to at the moment that cable modems
have certain inherent security risks.
In case you aren’t familiar with cable modems, the basic
premise is that one cable segment services an entire neighborhood. This simple
fact has a couple of implications. First, in many areas cable modems have a
higher potential throughput than DSL lines; however, the available bandwidth is
shared by everyone on the network segment. Therefore, if your next-door
neighbor is downloading a bunch of big files, it will affect the performance of
your connection.
A more serious issue associated with sharing a common cable
segment is that it is possible for anyone on the segment to snoop on anyone
else’s Internet usage. Most of the time when I try to explain this to my
family, the argument is dismissed with a statement such as “The cable company
wouldn’t offer the service if it wasn’t safe,” or “Only you would know
how to do that, normal people wouldn’t begin to know how to snoop on someone
else’s connection,” or my personal favorite “Sure they can see what Web
sites you are visiting, but that’s all they can do.”
As you have probably already guessed, every one of these
statements is false. In fact, although there has been a much greater emphasis on
security these days, it is easier than ever to hack someone else’s computer or
to spy on someone over a cable modem connection.
Part of the reason for this is that home users often
don’t know enough to take the appropriate security precautions. For example,
you probably know that Windows XP has a built-in Administrator account that can
be used to gain unlimited access to a computer. You probably also know that the
vast majority of computers sold to consumers come preloaded with Windows XP
Home Edition.
The problem is that because the machines are
pre-configured, most home users don’t even know that the Administrator account
exists. Worse yet, most of the computer manufacturers configure Windows XP to
initially have a blank Administrator password. It gets better though. Windows XP
also has several invisible, built-in shares that cannot be disabled because the
operating system depends on them. These shares include the C$, IPC$, and ADMIN$
shares.
With this in mind, let’s pretend that you wanted to hack
someone’s system. Any protocol analyzer, and some intrusion detection tools,
will allow you to see the IP addresses that are in use on your cable segment.
Many will also allow you to spot operating systems and even NetBIOS names.
It’s then easy to determine which machines on the segment are running Windows
XP. You can then connect to these machines and log in by using a local
Administrator’s account (machine name or IP address\Administrator and no
password). Once connected, you are free to browse the remote machine’s hard
drive. If the machine’s owner isn’t technically sophisticated enough to lock
down the Administrator’s account, they probably aren’t sophisticated enough
to detect this type of hack either. You can see an example of such an exploit in
Figure A. In the figure I was not prompted for a password because I had
previously connected to the share prior to snapping the screen shot. In the real
world, though, this screen would differ only in that you would be prompted for a
login name and password.
Figure A: It’s easy to map a drive letter to a hidden share on someone else’s machine.
This type of hack relies on being able to use NetBIOS over
TCP/IP. If the remote machine has a personal firewall then it will block this
type of hack. The problem is that not everyone has a firewall. Recently one of
my neighbors was contemplating getting a cable modem. I tried to talk him out of
it, but he was determined that a cable modem was what he wanted. Since I still
wanted to give my neighbor whatever assistance I could, I told him to ask the
cable company if they provide a firewall or if he needed to get one on his own.
When the guy from the cable company came out to install the cable modem, he
actually told my neighbor that a firewall is only used in large companies and is
totally unnecessary for home usage.
My point is that there are a lot of people out there with
default Windows installations and no firewalls. It is extremely easy for even a
novice hacker to gain full read and write access to the hard drives of these
machines. After doing so they can steal data, plant viruses, or do anything else
that they can dream up.
OK, in all fairness the type of hack that I just described
will only work if the system being hacked is completely insecure. The hacker
also has to have a little bit of knowledge because they have to know that the
hidden shares exist, and they have to know how to exploit those hidden shares
(which isn’t difficult).
For the sake of argument though, let’s say that you have
a neighbor who is a real computer geek and they have renamed the
Administrator account, changed the administrative password, and put in a state
of the art firewall complete with an intrusion detection system. It is still
possible for even a novice to spy on every move that your neighbor makes from
his supposedly secure system.
A company named eEye makes a protocol analyzer called Iris
that is very user friendly and that can completely reconstruct Web pages based
on intercepted packets. The product costs just under a thousand dollars, but
there is a free trial version on the company’s Web site at www.eeye.com/html/Products/Iris/index.html.
So how easy does this program make it to do some snooping?
Check out the screen shot shown in Figure B. In this figure, I did a standard
packet capture in promiscuous mode, just as could be done through any other
protocol analyzer. I then clicked the Decode button and Iris sorted the packets
by machine and by traffic type. Now let’s say that I wanted to snoop on a
neighbor’s Web activity. All I would have to do is look at the HTTP traffic
coming from TCP port 80 for that machine. In the figure, the column to the left
shows where I have selected HTTP traffic for a machine at 147.100.100.98.
Figure B: Iris can reassemble a Web page that someone else had been looking at.
As soon as I select this port, all of the captured blocks of
packets are displayed in the top right column. You will notice in the figure
that some of the captured blocks of packets have Web page icons next to them. If
you want to see exactly what your neighbor was looking at, then just select one
of these Web pages and click the Go button. The page is displayed in the
lower right portion of the user interface. In Figure B, the captured Web page is
just the Relevant Technologies Web site. Imagine though what one of your
neighbors might intercept if they were monitoring your Internet usage with a
tool like this one.
My point is that tools like this are easy to acquire and
even easier to use. The problem is that a firewall offers absolutely no
protection against this type of monitoring. Encryption is the only defense
against this type of monitoring, and the vast majority of Web traffic is
unencrypted. Sure, any legitimate Web site will use encryption if you are
entering your credit card number or other sensitive information, but this
minimal encryption doesn’t protect your privacy. After all, do you really want
your neighbors to know how many hours a day you spend surfing porn, or what type
of kinky stuff you might be into? Even if your online experience is purely G
rated, do you really want your neighbors to know which bank you use, what stocks
you follow, or which TV show fan sites you visit?
My point is that if you use a cable modem then you are
asking for an invasion of privacy. It’s just a matter of time. If you still
aren’t convinced though, there is one more trick that I want to show you. Take
a look at Figure C. In this figure, I have intercepted an SMTP-based E-mail
message that was sent across TCP port 25. If you look at the lower right portion
of the user interface you can see the message’s contents. You might have
noticed that I had to scroll past a lot of header information to get to the
message body though. If I were too lazy to scroll through the header, I could
just click the envelope icon and Iris would open the message in Outlook Express,
as shown in Figure D. I know what you are thinking and yes, this trick does work
with message attachments.
Figure C: Iris can display the contents of an E-mail message.
Figure D: Iris can even open someone else’s E-mail in Outlook Express for you.
As you can see, cable modems are inherently insecure and
it’s easier than ever to hack your neighbor’s computers or to monitor their
every move. For this reason, I strongly recommend not using cable modems for
anything beyond the most innocent casual Web surfing. If you do use a cable
modem, at the very least use an intrusion detection system that monitors the
other clients on your network segment so you know precisely who, and at what
times, had access to your data. That way, if you notice signs of surreptitious
activity, at least you will have an idea of who to investigate.
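The closing recommendation, knowing who on the segment tried to reach your machine and when, can be done from a firewall log without any intrusion detection product. The script below is an added example written for this article, not a tool the author used; it scans a constructed log in the layout of a Windows Firewall text log (the W3C-style "#Fields:" header is assumed, and every address and timestamp is made up) for inbound connection attempts to the NetBIOS and SMB ports that the hidden shares described earlier answer on, and reports each source address with its first and last attempt. The home address and the 147.100.100.0/24 segment are assumptions for the sample; the article's figure happens to use a 147.100.100.x address.

```python
"""Report who on the shared segment probed this machine's file-sharing ports,
and when, from a firewall log. Added example for the article, not the author's code."""
import ipaddress
from datetime import datetime

# Constructed sample in the layout of a Windows Firewall text log.
# Assumption: real logs carry a '#Fields:' header naming the columns; all values here are made up.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2004-03-20 21:14:03 DROP TCP 147.100.100.98 147.100.100.17 3127 445 48 S 1073741824 0 65535 - - - RECEIVE
2004-03-20 21:14:04 DROP TCP 147.100.100.98 147.100.100.17 3128 139 48 S 1073741825 0 65535 - - - RECEIVE
2004-03-20 21:20:11 OPEN TCP 147.100.100.17 198.51.100.7 3201 80 - - - - - - - - -
2004-03-20 22:02:45 DROP TCP 147.100.100.44 147.100.100.17 1044 445 48 S 1073749999 0 65535 - - - RECEIVE
2004-03-20 22:03:01 DROP UDP 147.100.100.44 147.100.100.255 137 137 78 - - - - - - - RECEIVE
2004-03-21 01:30:00 DROP TCP 203.0.113.9 147.100.100.17 51000 445 48 S 1073750000 0 65535 - - - RECEIVE
"""

HOME_IP = "147.100.100.17"                          # the monitored machine (constructed)
SEGMENT = ipaddress.ip_network("147.100.100.0/24")  # the shared cable segment (assumption)
# NetBIOS name/datagram/session service and direct SMB: the ports the hidden shares are reached over.
NETBIOS_SMB_PORTS = {137, 138, 139, 445}


def parse_firewall_log(text):
    """Turn the log text into a list of dicts keyed by the column names in the '#Fields:' line."""
    fields = None
    records = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data line appears before the '#Fields:' header")
        values = line.split()
        if len(values) != len(fields):
            continue  # skip a malformed line rather than abort the whole report
        records.append(dict(zip(fields, values)))
    return records


def find_share_probes(records, home_ip, segment, ports=NETBIOS_SMB_PORTS):
    """Group inbound attempts on the file-sharing ports by source: who, how often, when, which ports."""
    probes = {}
    for r in records:
        if r["path"] != "RECEIVE" or r["src-ip"] == home_ip:
            continue  # only traffic arriving from someone else
        try:
            dst_port = int(r["dst-port"])
        except ValueError:
            continue  # '-' placeholder, no port to judge
        if dst_port not in ports:
            continue
        when = datetime.strptime(f"{r['date']} {r['time']}", "%Y-%m-%d %H:%M:%S")
        entry = probes.setdefault(r["src-ip"], {
            "first": when, "last": when, "count": 0, "ports": set(),
            "on_segment": ipaddress.ip_address(r["src-ip"]) in segment,
        })
        entry["first"] = min(entry["first"], when)
        entry["last"] = max(entry["last"], when)
        entry["count"] += 1
        entry["ports"].add(dst_port)
    return probes


def summarize(probes):
    """One line per source, neighbors on the same segment listed first."""
    lines = []
    for src, e in sorted(probes.items(), key=lambda kv: (not kv[1]["on_segment"], kv[0])):
        where = "same segment" if e["on_segment"] else "outside segment"
        lines.append(f"{src} ({where}): {e['count']} attempt(s) on ports {sorted(e['ports'])} "
                     f"between {e['first']:%Y-%m-%d %H:%M} and {e['last']:%Y-%m-%d %H:%M}")
    return lines


if __name__ == "__main__":
    for line in summarize(find_share_probes(parse_firewall_log(SAMPLE_LOG), HOME_IP, SEGMENT)):
        print(line)
```

Run against a real log, the report separates neighbors on your own segment (the ones the article is worried about) from addresses elsewhere on the Internet, and the first/last timestamps give you the "who, and at what times" the author asks for. The outbound OPEN line to port 80 is deliberately ignored: only traffic that arrived at the machine counts.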
 Copyright Relevant Technologies 2007. All rights reserved.