Tuesday, June 4, 2019

Packet Sniffing Software Is A Controversial Subject Information Technology Essay

Packet sniffing software is a controversial subject and a double-edged sword. It can be used to analyze network problems and detect network misuse. But at the same time, it allows hackers and people with malicious intent to sniff out your password, obtain your personal information, and invade your privacy. That is also why securing and encrypting data is so important. In this paper, the definition of packet sniffing will be introduced and several functions and possible uses of packet sniffers will be explained. Also, information on how to protect against sniffers and man-in-the-middle attacks will be provided. An example of a packet sniffer program, Wireshark, will be given, followed by a case study involving the restaurant chain Dave & Buster's, which will show the negative consequences that can occur when organizations are not aware of the threat of packet sniffing by hackers.

Definitions

A packet sniffer is a computer program or a piece of computer hardware that can intercept and log traffic passing over a digital network or part of a network (Connolly, 2003). Packet sniffers are known by many names, including network analyzer, protocol analyzer or sniffer, or, for particular types of networks, Ethernet sniffer or wireless sniffer (Connolly, 2003). As binary data flows through a network, the packet sniffer captures the data and gives the user an idea of what is happening in the network by allowing a packet-by-packet view of the data (Shimonski, 2002). Additionally, sniffers can also be used to extract information from a network (Whitman and Mattord, 2008). Legitimate and illegitimate purposes will be explained in later sections.

Packet sniffing programs can be used to accomplish man-in-the-middle (MITM) attacks.
This type of attack occurs when an attacker monitors network packets, modifies them, and inserts them back into the network (Whitman, et al., 2008). For example, a MITM attack could occur when two employees are communicating by email. An attacker could intercept and alter the email correspondence between the two employees without either of them knowing that the emails had been changed. MITM attacks have the potential to be a considerable threat to any individual or organization, since such an attack compromises the integrity of data while in transmission.

Packet sniffing programs work by capturing the binary data that is passing through the network; the program then decodes the data into a human-readable form. A following step called protocol analysis makes the data even easier to read. The depth of this analysis varies by packet sniffing program. Simple programs may only break down the fields in the packet, while more sophisticated ones can provide more detailed information and analysis, for example by highlighting certain types of data, such as passwords, that pass through the network (Packet Sniffing, Surasoft.com, 2011).

In today's networks, switching is commonly used in network design. Because a switch forwards each frame only to its destination port, an attacker can no longer see a whole segment from any port, so sniffing programs are increasingly set up on servers and routers, through which much of the traffic flows. In addition, there are already built-in sniffing modules in today's networks. For example, most hubs support a standard called Remote Network Monitoring (RMON). This standard allows hackers to sniff remotely using SNMP (Simple Network Management Protocol), which is used in most network devices and requires only weak authentication (a community string, sent in cleartext in SNMP versions 1 and 2c). Network Associates' Distributed Sniffer Servers are used by many corporations; these servers are often set up with passwords that are quite easy to guess or crack.
In addition, computers running Windows NT usually come with the Network Monitoring Agent, which also allows remote sniffing (Packet Sniffing, ISS.net, 2011). Essentially, these sniffing facilities are set up for the use of network administrators. However, the threat exists that hackers can gain access to them and view the captured traffic and logs.

Packet sniffers capture all of the packets that travel through the point where the sniffer is located. For example, if the program were installed next to an organization's server, the user could have access to all the data being transferred across the company through that server. Common types of packets intercepted by attackers include the following:

SMTP (email): The attacker can intercept unencrypted emails (Packet Sniffing, ISS.net, 2011).
HTTP (web): Web traffic and browsing history can be easily captured (Packet Sniffing, ISS.net, 2011).
Telnet authentication: Login information for a Telnet account can be intercepted (Packet Sniffing, ISS.net, 2011).
FTP traffic: Credentials for an FTP account can be sniffed in cleartext (Packet Sniffing, ISS.net, 2011).
SQL database: Information exchanged with web databases is also vulnerable (Packet Sniffing, ISS.net, 2011).

Functionality and Possible Uses of Packet Sniffers

Good and Bad Uses

Like any tool, a packet sniffer is a double-edged sword because it can be used for good or bad purposes (Orebaugh, Ramirez, and Beale, 2007). It can be used by security professionals to investigate and diagnose network problems and monitor network activity (Orebaugh, et al., 2007).
Conversely, it can be used to eavesdrop on network traffic by hackers, criminals, and the like, who can use the data gathered for harmful purposes (Orebaugh, et al., 2007).

Professionals such as system administrators, network engineers, security engineers, system operators, and programmers use packet sniffers for a variety of purposes, including troubleshooting network problems, figuring out system configuration issues, analyzing network performance (including usage and bottlenecks), debugging during the development stages of network programming, analyzing operations and diagnosing problems with applications, and ensuring compliance with company computer usage policies (Orebaugh, et al., 2007).

Good: Troubleshoot Network Problems

When an error occurs on a network or within an application, it can be very difficult for administrators to determine what exactly went wrong and how to correct it. Many consider the packet sniffer to be the best tool for figuring out what is wrong with programs on a network (Neville-Neil, 2010). Examining packets as a starting point for solving problems is useful because a packet is the most basic unit of data and carries information including the protocol being used and the source and destination addresses (Banerjee, Vashishtha, and Saxena, 2010). Basically, at the packet level of analysis nothing is hidden, because all layers are visible (Neville-Neil, 2010).

Understanding the timing of what happened is another important factor in debugging network problems (Neville-Neil, 2010). This information can be easily obtained by using a packet sniffing program. Essentially, packet sniffers allow you to find out the who, what, and when of a situation, all of which are vital to understanding how to fix a problem (Neville-Neil, 2010).
Once these things are known, the administrator can determine what is causing the problem and how to go about fixing it.

As soon as a problem occurs, the first recommended step is for the network administrator to use a packet sniffing program to record network traffic and wait for the bug to occur again (Neville-Neil, 2010). If the administrator already had a packet sniffing program with logging in place, he or she could go back and examine the log records. Assuming the administrator did not have a log previously set up, the next step would be to record only as much information as necessary to diagnose the problem (Neville-Neil, 2010). It would not be a good idea to record every single packet, because if too much data is collected, finding the error will be like finding a needle in a haystack, although the administrator has likely never seen a haystack that big (Neville-Neil, 2010). For example, recording just one hour of Ethernet traffic on a LAN can capture a few hundred million packets, which is far too much to sort through (Neville-Neil, 2010). It goes without saying that the administrator should not record the data to a network file system, because the packet sniffer will then capture its own traffic (Neville-Neil, 2010). Once the data is recorded, the administrator can examine the packets to analyze and understand what occurred and solve the problem.

Good: Network Optimization

In addition to solving network communication problems, packet sniffers can help administrators plan network capacity and perform network optimization (Shimonski, 2002). A packet sniffer allows users to view data that travels over a network packet by packet (Shimonski, 2002). However, rather than having to examine each packet, the appropriate sniffer program will perform the analysis for the administrator. These tools are especially useful because, depending on the packet sniffing program used, the packet data will appear in an easy-to-understand format.
Packet sniffers can often generate and display statistics and analyze patterns of network activity (Shimonski, 2002). Data can appear in graphs and charts that make analysis and comprehension easy. Additionally, the network administrator can filter by selected criteria to capture only the relevant traffic rather than having to sort through irrelevant data (Shimonski, 2002). Knowing which programs and which users consume the most bandwidth can help administrators manage resources efficiently and avoid bandwidth bottlenecks.

Good: Detect Network Misuse

Packet sniffers can be used to monitor application traffic and user behavior (Dubie, 2008). This can be used to detect misuse by company employees or by intruders. To use a packet sniffer to monitor employees legally, a network administrator must satisfy three conditions. First, he must be on a network owned by the organization; second, he must be directly authorized by the network's owners; and finally, he must have the permission of those who created the content (Whitman, et al., 2008). Permission from content creators is needed because packet sniffing is a method of employee monitoring (Whitman, et al., 2008). Typically, an employee signs a release form when first hired that allows the employer to monitor the employee's computer usage.

By using a packet sniffer, employers can find out exactly how each employee has been spending his or her time. Packet sniffers can be used to record all activity, and administrators can monitor for behaviors such as viewing inappropriate websites, spending time on the job on personal matters, or abusing company resources.
For example, a packet sniffer program could show that a particular employee was downloading music at work, both violating organizational policies and using a large amount of network bandwidth (Dubie, 2008).

Packet sniffers are also used to detect network intrusion, log traffic for forensics and evidence, discover the source of attacks such as viruses or denial-of-service attacks, detect spyware, and detect compromised computers (Orebaugh, et al., 2007). A packet sniffer and logger that can detect malicious entries in a network is a form of intrusion detection system (IDS) (Banerjee, et al., 2010). The packet sniffer IDS consists of a database of known attack signatures. It compares the signatures in the database with the logged information to determine whether recent behavior closely matches a signature. If it does, the IDS can send an alert to the network administrator (Banerjee, et al., 2010). Despite this use of packet sniffers to detect intrusion, hackers have methods of making themselves very hard to detect and can use packet sniffers for their own advantage.

Bad: Gain Information for Intrusion

Intruders maliciously and illegally use sniffers on networks for innumerable purposes. Some of the most common are to capture cleartext usernames and passwords, discover the usage patterns of users, compromise confidential or proprietary information, capture voice over IP (VoIP) telephone conversations, map out a network's layout, and fingerprint an operating system (Orebaugh, et al., 2007). These uses are illegal unless the user is a penetration tester hired to detect such weaknesses (Orebaugh, et al., 2007).

An intruder must first gain access to the communication path in order to begin sniffing (Orebaugh, et al., 2007). This means that he must be on the same shared network segment or tap into a cable along the path of communication (Orebaugh, et al., 2007). This can be done in many ways.
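Before turning to the ways an intruder reaches the wire, the signature-matching IDS described under "Detect Network Misuse" deserves a concrete illustration. The following is an added example written for this page, not code from Banerjee, et al. or any other cited source. Each record stands for a packet a sniffer has already decoded and logged; the signature database, the addresses and the payloads are all constructed for the demonstration.

```python
"""Signature-based intrusion detection over captured packet records.

Added example, not code from the essay's sources. Every logged packet is
compared with a small database of attack signatures and an alert is raised
on a match. All sample traffic below is constructed for the demonstration.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass
class Packet:
    src: str        # source address (constructed, private range)
    dst: str        # destination address
    dport: int      # destination TCP port
    payload: bytes  # application-layer bytes as captured


@dataclass
class Signature:
    name: str
    pattern: re.Pattern           # regex matched against the payload
    dport: Optional[int] = None   # restrict to one service port; None = any port
    threshold: int = 1            # fire once this many packets from one source match


# A deliberately small signature database. A real IDS ships thousands of rules
# and tracks state across flows, but the matching loop has the same shape.
SIGNATURES = [
    Signature("cleartext FTP login", re.compile(rb"^PASS \S+", re.M), dport=21),
    Signature("SQL injection probe", re.compile(rb"(?i)(' or 1=1|union\s+select)")),
    Signature("HTTP credential post", re.compile(rb"(?i)pass(word)?=[^&\s]+"), dport=80),
    # One FTP password is normal traffic; twenty from the same host is guessing.
    Signature("FTP password guessing", re.compile(rb"^PASS \S+", re.M), dport=21, threshold=20),
]


def scan(packets):
    """Return (signature name, source address) alerts in the order they fire.

    Each (signature, source) pair alerts exactly once, when its match count
    reaches the signature's threshold, so a brute-force rule does not flood
    the administrator with one alert per guess.
    """
    hits = defaultdict(int)
    alerts = []
    for pkt in packets:
        for sig in SIGNATURES:
            if sig.dport is not None and sig.dport != pkt.dport:
                continue
            if not sig.pattern.search(pkt.payload):
                continue
            key = (sig.name, pkt.src)
            hits[key] += 1
            if hits[key] == sig.threshold:
                alerts.append(key)
    return alerts


# Constructed sample capture: one legitimate FTP login, one SQL injection
# probe, one web login over plain HTTP, and 25 password guesses from one host.
SAMPLE_TRAFFIC = [
    Packet("10.0.0.5", "10.0.0.1", 21, b"USER alice\r\n"),
    Packet("10.0.0.5", "10.0.0.1", 21, b"PASS s3cret\r\n"),
    Packet("10.0.0.9", "10.0.0.2", 80, b"GET /item?id=1' or 1=1-- HTTP/1.1\r\n\r\n"),
    Packet("10.0.0.7", "10.0.0.2", 80,
           b"POST /login HTTP/1.1\r\n\r\nuser=bob&password=hunter2"),
] + [Packet("10.0.0.13", "10.0.0.1", 21, b"PASS guess%d\r\n" % i) for i in range(25)]


if __name__ == "__main__":
    for name, src in scan(SAMPLE_TRAFFIC):
        print(f"ALERT {name} from {src}")
```

Running the script raises five alerts: the legitimate FTP login and the web login are flagged only because their credentials crossed the wire in cleartext, the injection probe matches on its payload, and the guessing host produces a single "FTP password guessing" alert on its twentieth attempt rather than twenty-five separate ones. The threshold field is what turns a per-packet match into a behavioral rule.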
The intruder can be physically present at the target system or communications access point (Orebaugh, et al., 2007). If this is not the case, the intruder can reach the traffic in a variety of other ways. These include breaking into a computer and installing sniffing software that will be controlled remotely, breaking into an access point such as an Internet Service Provider (ISP) and installing sniffing software there, using sniffing software that is already installed on a system at the ISP, using social engineering to gain physical access to install the software, working with an inside accomplice to gain access, and redirecting or copying communications so that they take a path that the intruder's computer is on (Orebaugh, et al., 2007).

Intruders can use sniffing programs designed to detect specific things such as passwords and then use other programs to have this data automatically sent to themselves (Orebaugh, et al., 2007). Protocols that are especially vulnerable to such interception include Telnet, File Transfer Protocol (FTP), Post Office Protocol version 3 (POP3), Internet Message Access Protocol (IMAP), Simple Mail Transfer Protocol (SMTP), Hypertext Transfer Protocol (HTTP), Remote Login (rlogin), and Simple Network Management Protocol (SNMP) (Orebaugh, et al., 2007), all of which carry credentials in cleartext in their basic forms. Once the intruder has access to the network, he can collect data and use it as he likes. Common examples of stolen data include credit card numbers and proprietary organizational secrets, but anything the hacker desires may be taken. Although an organization may use a primarily switched network, it is not protected from sniffer attacks, because many programs exist that allow packet sniffing in a switched network (Whitman, et al., 2008), typically by ARP spoofing or by flooding the switch's address table.

Because intruders who use packet sniffers do not directly interact with or connect to other systems on the network, sniffing is considered a passive type of attack (Orebaugh, et al., 2007).
It is this passive nature that makes sniffers so difficult to detect (Orebaugh, et al., 2007). In addition, hackers normally use rootkits to cover their tracks so that their intrusion will not be detected (Orebaugh, et al., 2007). A rootkit is a collection of Trojan programs that hackers use to replace legitimate programs on a system so that their intrusion will not be detected (Orebaugh, et al., 2007). Rootkits replace the commands and utilities an administrator would use to inspect the system, and clear log entries so that there is no record of the hacker's entry (Orebaugh, et al., 2007). Though it is difficult, there are some ways to detect rootkits. Detection methods include booting an alternate, trusted operating system, analyzing deviations from normal behavior, scanning for signatures, and analyzing memory dumps (Rootkit, Wikipedia, 2011). Removing rootkits can be very complicated and difficult, and if the rootkit is in the core of the operating system, reinstalling the operating system may be the only option (Rootkit, Wikipedia, 2011).

The threat of eavesdropping by intruders is large and challenging. However, there are some defenses that can be put in place to prevent hackers from using packet sniffers against an organization.

Protecting Against Packet Sniffers and Man-in-the-Middle Attacks

Packet sniffing and man-in-the-middle attacks compromise the confidentiality and integrity of data while in transmission. Fortunately, there are several techniques that organizations and individuals can use to protect against these threats and reduce risk. Specifically, technology, policy, and education are typically combined to cover all aspects of protection.

Technology

Encryption is the best form of protection against any kind of packet interception (Orebaugh, et al., 2007). The reason is that even if the data is captured by a packet sniffer, the information is unreadable by the attacker (Orebaugh, et al., 2007).
With this technique, messages are encrypted before the data leaves the sender's computer. The sender and receiver hold keys that encrypt and decrypt the message being transferred. Most popular websites apply a layer of encryption by using the HTTP Secure (HTTPS) protocol. With this technology, the connection between the web server and the user's computer is encrypted, making the information intercepted by a third party useless. Currently, most popular websites such as Google, Facebook, Yahoo, and Twitter support HTTPS. However, some sites (such as Amazon.com) use HTTPS only for the login page and fail to provide a secure connection afterwards, which leaves the session cookie exposed to a sniffer even though the password itself was protected. In order to ensure complete security, it is important to apply HTTPS throughout the user's browsing session. The main disadvantage of this feature is that it slightly slows down the user's connection. Email can also be protected from packet sniffers by using encryption. Email extensions such as Pretty Good Privacy (PGP) can be implemented with standard email clients like Microsoft Outlook (Orebaugh, et al., 2007). Once sender and receiver start using encryption, intercepted email messages cannot be interpreted by an attacker (Orebaugh, et al., 2007).

Another way to protect against sniffers is by using one-time passwords (OTP). With this method, a different password is generated every time authentication is requested of the user (Orebaugh, et al., 2007). Similarly to the case of encryption, if a third party intercepts someone's password, the information is useless, since each password can only be used once (Orebaugh, et al., 2007). This technology can be extremely useful for ensuring security; however, entering a new password for each login can be challenging and frustrating for many users, which is why OTP codes are normally produced by a hardware token or phone application rather than memorized.

A newer security technique called quantum encryption also provides good protection against sniffing attacks.
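Before coming to quantum encryption, the one-time-password defence above is worth seeing in working form, because it shows exactly why a sniffed password is worthless on replay. The following is an added example written for this page, not code from Orebaugh, et al. or any other cited source. It implements the HOTP algorithm of RFC 4226 (an HMAC-SHA1 over an 8-byte counter, truncated to six digits) and a minimal server that accepts each counter value at most once; the shared secret is the RFC 4226 test-vector key, and the user name and the "sniffer" are constructed for the demonstration.

```python
"""One-time passwords: why a sniffed password is useless on replay.

Added example for this page, not from the cited sources. HOTP per RFC 4226:
HMAC-SHA1 over an 8-byte big-endian counter, dynamic truncation, 6 digits.
The secret is the RFC 4226 test key; the user "alice" is made up.
"""
import hashlib
import hmac
import struct

RFC4226_TEST_KEY = b"12345678901234567890"  # secret from RFC 4226 test vectors


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP(K, C) as defined in RFC 4226 section 5.3."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


class OtpServer:
    """Keeps, per user, the next counter value it will accept.

    A code is valid only for a counter at or after that value, and accepting
    it moves the counter past it, so the same code can never be used twice.
    The small look-ahead window tolerates a token pressed without logging in.
    """

    def __init__(self, look_ahead: int = 5):
        self._secrets = {}
        self._next_counter = {}
        self.look_ahead = look_ahead

    def enroll(self, user: str, secret: bytes) -> None:
        self._secrets[user] = secret
        self._next_counter[user] = 0

    def verify(self, user: str, code: str) -> bool:
        secret = self._secrets.get(user)
        if secret is None:
            return False
        start = self._next_counter[user]
        for counter in range(start, start + self.look_ahead):
            if hmac.compare_digest(hotp(secret, counter), code):
                self._next_counter[user] = counter + 1   # replay of this code now fails
                return True
        return False


def replay_demo():
    """Simulate a sniffer replaying a captured code.

    Returns (first login, replayed login, next legitimate login).
    """
    server = OtpServer()
    server.enroll("alice", RFC4226_TEST_KEY)       # constructed user
    token_counter = 0

    code = hotp(RFC4226_TEST_KEY, token_counter)   # the token generates a code
    token_counter += 1
    first = server.verify("alice", code)           # legitimate login succeeds

    sniffed = code                                 # attacker captured it on the wire
    replay = server.verify("alice", sniffed)       # replay is rejected

    code = hotp(RFC4226_TEST_KEY, token_counter)   # next press of the token
    token_counter += 1
    again = server.verify("alice", code)           # the real user can still log in
    return first, replay, again


if __name__ == "__main__":
    print(replay_demo())   # (True, False, True)
```

The first counter values for the RFC test key are 755224, 287082, 359152, ..., which is a convenient check that the truncation is implemented correctly. Time-based OTP (RFC 6238) replaces the counter with the current 30-second time step but keeps the same HMAC and truncation, and the server-side rule is the same: never accept a code for a step it has already accepted.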
Quantum encryption consists of encoding each bit of data on a single photon (McDougall, 2006). The data is then transferred across fiber-optic lines. If the information is picked up and intercepted by any kind of sniffer, the photon states are disturbed, which ends the transmission (McDougall, 2006). A technology like this makes it impossible to intercept information unnoticed, since the communication is aborted in the case of interception. However, it requires fiber-optic connections, which many service providers do not own, and its installation can be expensive.

Policy

Information security professionals can help secure employees' connections by requiring the use of the technologies explained above. For example, if certain employees need to access websites that are outside of the organization's network, they should be allowed to use only websites that use HTTPS, such as Google and Yahoo. Policies requiring Access Control Lists (ACLs) can also help prevent sniffer attacks. All secured networks and assets should be protected by an ACL to prevent unauthorized access. Additionally, physical security policies should be implemented to protect the computer and server rooms in the organization, since unauthorized access to these locations could allow the installation of sniffer programs and equipment.

Education

Every security initiative should have a training program supporting it. Basic but regular training sessions for employees about the dangers of packet sniffing can prove very valuable in protecting a network. Security basics, such as not allowing strangers into computer rooms, should be explained to all employees.

Example and Demonstration of a Packet-Sniffer Program: Wireshark

Originally named Ethereal, Wireshark is a free and open-source packet analyzer (sniffer) typically used by network and security professionals for troubleshooting and analysis (Orebaugh, et al., 2007).
However, many potential attackers also use it to perform man-in-the-middle attacks and to gather information for password cracking. Wireshark is available for most operating systems (including OS X, Windows, and Linux) and allows users to see all the traffic that passes through a specific network interface (Orebaugh, et al., 2007).

Wireshark differs from other packet-sniffer programs mainly because of its easy-to-understand format and simple Graphical User Interface (GUI) (Orebaugh, et al., 2007). Wireshark can be easily set up to capture packets from a specific interface. Once a capture is running, all the network packets are shown on the screen. The top pane (summary panel) shows a summary of each packet, including source, destination, and protocol information (Orebaugh, et al., 2007). Since one quick web browse can produce a large number of packets, Wireshark makes packet browsing easier by categorizing each packet according to its type and showing each category in a specific color in the GUI. Additionally, the user has the option of applying filters to see only one type of packet. For example, only packets dealing with HTTP may be shown. The middle pane of the GUI is called the protocol-tree window. It provides the decoded information of the packet (Orebaugh, et al., 2007). Finally, the bottom pane (data view window) shows the raw bytes of the packet selected in the summary pane (Orebaugh, et al., 2007). Figure 1 shows a screenshot of Wireshark while running and shows the three main panes of the GUI.

Figure 1: Screenshot of Wireshark while running and the three main panes.

To troubleshoot network problems, information systems professionals use Wireshark by installing the sniffer program in various locations in the network and seeing which protocols are being run in each location (Orebaugh, et al., 2007).
Additionally, if the sniffer is placed in a location where it can capture all data flowing to the main server, Wireshark can detect network misuse by providing the source and destination of all packets. For example, if an employee in a company uses his computer to access inappropriate websites, Wireshark will show the employee's and the website's IP addresses in the source and destination columns, with detailed information about the website in the info column and the protocol tree pane.

It is easy to see how useful Wireshark is for network troubleshooting and identifying misuse; however, the program can also be used with malicious intent. For example, it can be used to find out passwords on unencrypted websites. To demonstrate this case, the username john_doe_user and password 123mypasswrd were used to log in to the unencrypted and unsecured www.bit.ly website. At the same time, Wireshark was set up to capture all packets on the computer. After the packets were captured by the sniffer, the data could easily be filtered by the http category (the display filter http). In the info column, a packet labeled POST means that someone has submitted a form to a website. After clicking on this specific packet, the username and password can be seen in the middle pane of Wireshark (as shown in Figure 2). Unencrypted and unsecured websites are very vulnerable to this type of attack. On the other hand, websites using HTTPS prove to be safer for users. For example, the same procedure was applied to the encrypted website www.facebook.com by trying to log in, but Wireshark was unable to capture any packets containing login information, because the only thing on the wire was TLS ciphertext.

Figure 2: Wireshark screenshot showing username and password.

Other types of malicious attacks can also be performed alongside Wireshark. For example, companion tools such as Dsniff and Ettercap can be used to perform man-in-the-middle attacks and to gather material for password cracking (Orebaugh, et al., 2007).
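What Wireshark does when it decodes the POST packet in Figure 2 (the decoding and "highlight the passwords" steps described under Definitions) can be shown in a few dozen lines. The following is an added example written for this page; it is not Wireshark's code and not code from any cited source. It builds a handful of Ethernet/IPv4/TCP frames in memory (constructed, using RFC 5737 documentation addresses and made-up logins), walks the headers the way a protocol decoder does, and pulls cleartext credentials out of an HTTP form POST and an FTP USER/PASS exchange, while the HTTPS frame yields nothing because its payload is ciphertext.

```python
"""Protocol decoding and cleartext credential extraction from raw frames.

Added example for this page; not Wireshark's code nor code from the cited
sources. Frames are constructed in memory so the script runs offline; the
addresses are RFC 5737 documentation ranges and the logins are made up.
"""
import struct
from urllib.parse import parse_qs

ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6


def ip_bytes(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def build_frame(src_ip, dst_ip, sport, dport, payload: bytes) -> bytes:
    """Constructed Ethernet + IPv4 (no options) + TCP (no options) + payload.
    Checksums are left at zero; a decoder does not need them to read fields."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") \
        + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64,
                     IPPROTO_TCP, 0, ip_bytes(src_ip), ip_bytes(dst_ip))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


def decode_frame(frame: bytes):
    """Walk Ethernet -> IPv4 -> TCP; return the fields a sniffer's summary shows."""
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                        # IPv4 header length in bytes
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != IPPROTO_TCP:
        return None
    tcp = ip[ihl:total_len]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4                   # TCP header length in bytes
    return {"src": ".".join(map(str, ip[12:16])), "dst": ".".join(map(str, ip[16:20])),
            "sport": sport, "dport": dport, "payload": tcp[data_off:]}


def extract_credentials(frames):
    """The 'highlight passwords' step: HTTP form posts and FTP USER/PASS pairs.
    FTP sends USER and PASS in separate packets, so the user name is held per
    (client, server) flow until the matching PASS arrives."""
    found, pending_ftp_user = [], {}
    for frame in frames:
        pkt = decode_frame(frame)
        if pkt is None:
            continue
        flow, payload = (pkt["src"], pkt["dst"]), pkt["payload"]
        if pkt["dport"] == 80 and payload.startswith(b"POST "):
            _, _, body = payload.partition(b"\r\n\r\n")
            form = parse_qs(body.decode("latin-1"))
            user = form.get("username") or form.get("user")
            password = form.get("password") or form.get("pass")
            if user and password:
                found.append({"proto": "HTTP", "host": pkt["dst"],
                              "user": user[0], "password": password[0]})
        elif pkt["dport"] == 21:
            for line in payload.splitlines():
                if line.startswith(b"USER "):
                    pending_ftp_user[flow] = line[5:].decode("latin-1")
                elif line.startswith(b"PASS ") and flow in pending_ftp_user:
                    found.append({"proto": "FTP", "host": pkt["dst"],
                                  "user": pending_ftp_user.pop(flow),
                                  "password": line[5:].decode("latin-1")})
    return found


# Constructed capture: the essay's plain-HTTP login, an FTP login, and an
# HTTPS record whose payload is opaque ciphertext as far as the sniffer is concerned.
SAMPLE_CAPTURE = [
    build_frame("192.0.2.10", "203.0.113.10", 51234, 80,
                b"POST /login HTTP/1.1\r\nHost: www.example.com\r\n"
                b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
                b"username=john_doe_user&password=123mypasswrd"),
    build_frame("192.0.2.10", "198.51.100.7", 51235, 21, b"USER alice\r\n"),
    build_frame("192.0.2.10", "198.51.100.7", 51235, 21, b"PASS s3cret\r\n"),
    build_frame("192.0.2.10", "203.0.113.20", 51236, 443,
                b"\x17\x03\x03\x00\x20" + bytes(range(32))),   # TLS application data
]

if __name__ == "__main__":
    for cred in extract_credentials(SAMPLE_CAPTURE):
        print(cred)
```

The decoder is deliberately minimal (one IPv4 header, no TCP reassembly, no IP fragments); a real analyzer reassembles streams before looking for a POST body that may span several segments. The point it makes is the one in the demonstration above: for HTTP and FTP the credentials are right there in the payload bytes, and for the HTTPS frame the same code finds nothing to extract.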
Even if the captured data is encrypted, tools such as Dsniff and Ettercap can recover some passwords by running dictionary or brute-force attacks against the captured authentication exchange (Orebaugh, et al., 2007).

Case Study: A Costly Attack at Dave & Buster's

In 2007, the popular restaurant chain Dave & Buster's experienced the power of malicious packet-sniffing software. A multinational group of hackers was able to penetrate the company's corporate network and install basic packet-sniffing software at 11 of the chain's restaurant locations (Thibodeau, 2008). During a four-month period, the attackers were able to intercept customer credit card data traveling from Dave & Buster's restaurant locations to the corporate headquarters network in Dallas (McMillan, 2008). Extremely sensitive information such as credit card numbers and security codes was sold to criminals, who used this data to perform fraudulent transactions with online merchants (McMillan, 2008). The attack proved to be very profitable for the hackers. For example, from the data taken from only one restaurant location, the criminals were able to gain over $600,000 in profits (McMillan, 2008). It was estimated that approximately 130,000 credit or debit cards were compromised by this attack (Westermeier, 2010).

To access Dave & Buster's network, the attackers simply drove near a restaurant location with a laptop computer and took advantage of vulnerable wireless signals to access the computer network (Westermeier, 2010). Malicious sniffing software was then installed on the network to intercept credit and debit card information (Westermeier, 2010). The packet-sniffing software was written by one of the group's hackers (Thibodeau, 2008). Many observers have stated that the code was not very impressive; for example, the CERT Coordination Center described the program's source code as a college-level piece of technology (Thibodeau, 2008).
Additionally, the malicious code had one weakness: it would shut down every time the computer it was monitoring rebooted (McMillan, 2008). Therefore, the criminals had to go back to the restaurant location, regain access, and restart the packet sniffer every time this happened. The fact that this costly program was developed by someone with only basic programming skills, and that the attackers were able to regain access to the network again and again, highlights the lack of protection in Dave & Buster's security systems. According to the Federal Trade Commission (FTC), Dave & Buster's information security systems and policies did not provide the security measures necessary to protect customers' information (Westermeier, 2010). The attackers were able to access the network not just once, but repeatedly over a time frame of four months (Westermeier, 2010). The fact that the company was oblivious to these multiple intrusions over such a long period shows that it was vulnerable to attack: Dave & Buster's did not apply any Intrusion Detection Systems (IDS) to its networks, nor did it monitor outbound traffic (Westermeier, 2010). Additionally, sensitive customer information was not given special protection. Credit card data was transferred across simple, unprotected, and unencrypted networks (Westermeier, 2010).

What could Dave & Buster's have done?

First of all, the private networks should have been protected in a better way. It was simply too easy for hackers to gain access and install malware. By allowing only a specific group of addresses, or granting only temporary access, the firm could have been safe from unauthorized access by strangers. But even in the case of hacker access, tools such as an IDS can help monitor the network during an attack.
If the company had implemented an IDS on its network, the unauthorized intruders could have been detected in time to prevent losses.

Additionally, by treating sensitive data differently from regular communications, the company could have considerably reduced the threat. Dave & Buster's could have simply applied readily available firewall systems to the networks that held customer data (Westermeier, 2010). Encryption devices could also have proven useful. If link encryptors had been used, the intercepted data would have been completely useless to the hackers. Data isolation could also have helped. The firm could have separated the payment card systems from the rest of the corporate network (Westermeier, 2010). Sensitive information did not necessarily require a connection to the Internet, so the company should have separated these transmissions from the general network.

Finally, a global, company-wide policy requiring access restriction, IDS installation, firewall usage, and sensitive-data isolation throughout all restaurant locations could have been extremely useful. A uniform and thorough information security policy, along with a comprehensive training program for the relevant employees, would help enforce the security measures. Considering that Dave & Buster's had not implemented any of the security measures explained in this section, it is obvious that its story would have been different if these techniques had been used.

Conclusion

Packet sniffing is a sophisticated subject that wears two hats. It can be used for either good or evil depending on the intentions of the person using the program. It can help with analyzing network problems and detecting misuse in the network for good purposes. Meanwhile, it can also help hackers and other cyber-criminals steal data from insecure networks and commit crimes, as in the case of Dave & Buster's. The best way to protect data from being sniffed is to encrypt it. Appropriate policies and training also help with protection.
As technology evolves, there will be more and more ways to commit cyber crime. Extremely sensitive data such as credit card information and health care data should be well protected, from both a business and a personal perspective. In order to protect this information, organizations and individuals must be aware of the threat of packet sniffers.
