Computer Security: A Dangerous Illusion
Any power user will tell you that computer security is just an illusion. The only safety most people have is that there aren't nearly enough people out there with malevolent intent who have significant computer knowledge. Plus, most hackers are benevolent and the real cyber criminals aren't interested in small game anyway. That said, the little security that digital security techniques such as SSL and PGP key encryption offer go a long way in ensuring that you don't make it easy for the casual hacker to snoop on your data.
I say all this because today I realised once again how naive people can be. You see, in India, most of the so-called "cable internet" is actually a euphemism for a local area network hooked up and administered by a cable operator. So, not surprisingly, there are no cable modems involved in a cable internet set up, just a lot of Ethernet cards. What the cable operators and the users don't realise however is that they are setting up a large broadcast network (Ethernet) on which everybody has access to each other's data packets. While it is true that most people won't see each other's packets because they get filtered by the operating system's TCP/IP stack, that won't stop a determined hacker from having a looksy.
That, in a nutshell is exactly what I decided to do today. I was getting bored so I decided to find out exactly how bad the situation is. I have had Ethereal (a network protocol analyzer) set up on my windows machine for a while now. All I had to do is to fire it up and set it up so that it would capture all packets going past my network card. I did that and stored all the frames (network packets) in a log file. I did this for an hour and then ran a simple search filter on the file to bring up all http packets with the request method set to POST. Doing this got me access to six username/password combinations all for different users.
I didn't verify any of the credentials because it wasn't my intent to impinge on anybody's privacy. But I'd willingly bet all my knowledge on the fact that each and everyone of these credentials work. Because I limited my search to just the most obvious way of submitting credentials on web sites (the POST request method), it is also quite possible that this is just a small subset of all the credentials contained within the raw data that I gathered. The worst part is, that this network isn't just used by individuals. I know of actual companies that use my cable operator to provide for their connectivity needs. Having seen the general level of awareness of system admins in this country, I'm pretty sure a lot of them have no idea that it is so easy for anyone to steal data that is potentially valuable to their company or its clients. On top of that, I am sure that 90% of these companies have never bothered/will bother to get a third party security audit done.
So what I'm saying is:
- Use PGP or any other good free encryption tool to encrypt all important email.
- If you use a web mail provider, make sure they have a secure (possibly SSL) login mode. Otherwise, close that account.
- If you use an online banking provider, make sure their login is secure. This is the case 90% of the time, so I wouldn't worry about it too much.
- Firewalls and Anti-virus scanners won't help in this situation because they only protect your computer and the data that resides on it from outsiders. They DO NOT protect your data in transit, only encryption can do that.
Right now, I don't see much evidence of the data I found being misused. But I am quite sure that it probably won't last for long. Imagine two companies on the same cable provider operated network sending out tenders to the same client. How hard would it be for someone with a little knowledge working in company A to grab company B's mail off the broadcast network? And this is just one of the potential scenarios. The problem becomes even more complex when we consider wireless (802.11 based) networks. My company just put up a wireless network in the office, and although I don't use it (still tied to a LAN cabled desktop) I am quite sure that it is very unsecure. While someone would need to hook up their workstation to an Ehternet cable coming from the office to listen in on the packets earlier, now all it would take is an 802.11 wireless card. I'm pretty sure my network admin has never heard of the term war driving, but if he's not careful he's going to hear it pretty soon, and not in a good way. Same goes for you! Don't think 24-hour connectivity comes without a price.
This post was syndicated from the Blog of Arunjeet Singh who loves technology and can kill for his PlayStation 2 Gaming Console. He also happens to own an N-Gage QD and wants a Windows Powered Mobile Device. Reason being, he lives a .net powered life.
0 Comments:
Post a Comment
<< Home