Posted on Wednesday, July 26th, 2006

WiFi, Encryption & Clue Density

by Danny McPherson

I regularly use wireless networks at meetings, conferences, airports, hotels, workshops, coffee joints, friends’ homes (and mine) - as I suspect is the case with most folks these days. I often leave Dug’s passive listening toolkit running in the background (where network usage licensing/agreements implicitly permit, of course :-) just to see what type of cruft is running amok on the network, and, more importantly, whether I’m inadvertently conveying some critical bit of information that miscreants might be eagerly awaiting.

In doing so, over the past 3-4 years, I’ve made a somewhat conscious effort to gauge the prevalence of clear-text network transactions across the varying user demographics I frequent (e.g., IETF v. NANOG|RIPE|APRICOT v. airports v. security conferences, explicit network security workshops v. hotels, etc.), and much to my chagrin, with very few exceptions, the constancy of clear-text passwords and other indubitably critical information tossed about on the network continues to perplex me - independent of the venue!

For example, at a recent network security workshop with ~40 network-savvy folk in attendance, 3.5 hours of aggregate listening time encompassing two collection periods (all entirely passive) yielded the following (and this is an abbreviated version):

PASSWORDS:

  • 110: pop (31)
  • 143: imap (2)
  • 389: ldap (1)
  • 5190: aol im (3)
  • 80: http: vhost web access (4, email, std vhost, one)
  • 161: snmp (15 - 2 local, 13 HP JetDirect or the like?)

EMAIL:

  • 209 clear text (11 gifs, 2 ms-excel, 1 .doc)

HTTP:

  • 11 cookies, 3 passwords (HTTP POST)

IM:

  • 17 conversations

At larger events collecting hundreds of passwords in a day isn’t uncommon, from shell accounts, to direct router and other network element logins, to a slew of POP/IMAP passwords and the like. Oftentimes I nudge folks I know and point out their (or their colleagues’) usual oversight, and at places like NANOG there’s usually a good bit of nudging that needs to be done.
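The tally above is the kind of result a self-audit of your own traffic produces. The following is an added example, not Dug’s toolkit or anything from Arbor: it runs simple per-port detectors over constructed, already-reassembled application text (not real captures) for the POP, IMAP and HTTP cases in the list, counts cleartext credential events per service, and redacts the secret before reporting, since the point is to learn which services leak, not to collect passwords. SNMP community strings would need a BER decoder and are left out.

```python
import re
from collections import Counter

# Constructed sample sessions (server port, reassembled application text) standing in
# for what a passive listener on your own laptop's traffic would see. Not real captures.
SAMPLE_SESSIONS = [
    (110, "USER alice\r\nPASS hunter2\r\n+OK\r\n"),
    (110, "USER bob\r\nPASS letmein\r\n"),
    (143, "a001 LOGIN carol secret\r\na001 OK\r\n"),
    (80, "GET /mail/ HTTP/1.1\r\nHost: mail.example\r\nAuthorization: Basic dXNlcjpwYXNz\r\n\r\n"),
    (80, "POST /login HTTP/1.1\r\nHost: www.example\r\nCookie: sid=abc123\r\n\r\nuser=dave&password=pw\r\n"),
    (995, "\x16\x03\x01..."),  # POP over TLS: nothing readable, must yield no finding
]

# Per-port detectors. Group 1 is the sensitive value and is redacted before it is reported.
CLEARTEXT_CREDENTIAL_PATTERNS = {
    110: [("pop", re.compile(r"^PASS (\S+)", re.M))],
    143: [("imap", re.compile(r"^\S+ LOGIN \S+ (\S+)", re.M))],
    80: [
        ("http basic auth", re.compile(r"^Authorization: Basic (\S+)", re.M | re.I)),
        ("http post password", re.compile(r"(?:^|&)(?:pass|password|passwd)=([^&\s]+)", re.M | re.I)),
        ("http cookie", re.compile(r"^Cookie: (.+?)\r?$", re.M | re.I)),
    ],
}

def audit(sessions):
    """Tally cleartext credential events per service; return (Counter, redacted evidence)."""
    tally = Counter()
    evidence = []
    for port, payload in sessions:
        for label, pattern in CLEARTEXT_CREDENTIAL_PATTERNS.get(port, []):
            for m in pattern.finditer(payload):
                tally[label] += 1
                redacted = m.group(0).replace(m.group(1), "<redacted>").strip()
                evidence.append((port, label, redacted))
    return tally, evidence

def report(tally):
    """Render the tally in the same 'port: service (count)' shape as the workshop list."""
    port_of = {label: port for port, rules in CLEARTEXT_CREDENTIAL_PATTERNS.items() for label, _ in rules}
    return [f"{port_of[label]}: {label} ({n})" for label, n in sorted(tally.items())]

if __name__ == "__main__":
    tally, evidence = audit(SAMPLE_SESSIONS)
    for line in report(tally):
        print(line)
    for port, label, text in evidence:
        print(f"  {port} {label}: {text}")
```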

Rather than dive into some tutorial on what, where and why you should encrypt (in particular because I’m likely the least qualified on the ASERT team here at Arbor to do such a thing), or perhaps why you think your cleartext network traffic is encrypted but it’s really not, I’ll simply refer you to Google, where I suspect copious articles on the subject can be found.

If you’re wondering why I’m posting an article here on such a threadbare topic, well, apparently, it’s one of those things so obvious even the self-described network-savvy folk often overlook it. When’s the last time you had a look at what you’re actually transmitting?

If folks have any useful references regarding this topic, please feel free to share them here.

3 Responses

Comment Post by: Richard Bejtlich — July 26th, 2006 @ 8:10 pm EST

You know that you’re conducting a wiretap, and that in the United States that is illegal?

Comment Post by: Thomas H. Ptacek — July 27th, 2006 @ 1:26 pm EST

You know that in Michigan, where the Arbor research team is based, owning a copy of dsniff is also illegal? You’re goin’ down, Danny. 2006’s first Super DMCA casualty.

Comment Post by: Chris Morrow — July 28th, 2006 @ 2:07 am EST

I think both of the previous comments miss the greater point: “Security is more than a firewall or AV solution, it includes authentication information as well.” Do the criminals stealing your info care about the ‘laws’ regarding dsniff or ‘wiretaps’? No, obviously not. Do they care about the legality of using their ill-gotten authentication information later? No.

One thing that scares me about authentication information being sent in the clear is that on average users have only 4-5 passwords. So, given one, I can probably ‘break into’ 1/4th of that user’s logins. This is scary. It’s not a call for ‘better, more diverse passwords for all’, it’s a call for ‘better, more pervasive secure authentication systems for all’.

I’d venture to guess that, like me, many users just use whatever authentication system is provided to them. Their corp IT folks don’t see the ‘need’ for ‘secure authentication’ or can’t make it work (applying an x.509 cert is so very hard these days, eh?) or just don’t care. It’s not always the user’s fault :(

I appreciate the entry though. Thanks!
