Network Intrusion / Invasion
I typically stop at a local coffee shop to get some caffeine and use their wi-fi network to check email and surf the web. I am gathering this is not unlike most people out there in the business world. I tend to visit places that offer wi-fi because of their ease of use. But the other day I saw something that upset me. The story I am about to tell is not anything new, but rather just an eye opener for me.
As I was standing in line for coffee I noticed a fellow wi-fi user in the corner and happened to glance at his laptop. Being a tech geek I noticed he was running Linux (you may ask how?); well, I noticed etherape and ethereal running. These are both tools I use often, especially when troubleshooting applications or networks.
At first I did not think anything about it. Then, as I was firing up my laptop, I started to think: why would someone be using ethereal and etherape here? Then it hit me. This guy was grabbing network traffic on the wireless network and sniffing, probably for passwords and usernames. At this point I came up with a plan. I looked around at the other 10 or so people on their computers and realized that they were unknowingly giving their information away. Usernames and passwords were floating in plain text all over that coffee shop. The girl next to me was on Yahoo mail, the guy on my right had Outlook Express open. I figured that the kid had at least 10 or so usernames and passwords by now, and I was angry.
To see if my mind was just crazy or corrupt, I decided to test my theory that he was sniffing usernames and passwords. I first ssh'ed into my box and created a new email account. I created a username called jvandenbon. I figured since I am in a Dutch area that a Dutch username made sense. I created a password of Alice6232001, hopefully a real enough password. Then I hopped into my inbox using mutt and forwarded some of my spam emails into the jvandenbon user account. So now I had a real account that had some mail in it.
I then fired up ethereal and then Thunderbird. First I took a quick capture of what was on the network, and as I suspected there were lots of POP accounts being used, which show Username and PASS in clear text. I opened Thunderbird and checked my mail. I use SSL / TLS when I connect to my mail server, so I was not worried about this kid grabbing my info. But I had to make sure that I was safe, so I watched my traffic and sure enough it was encrypted with TLS. I closed ethereal, and created a new account in Thunderbird using the above jvandenbon account name and told it to use POP as the means of communication. Again, I opened ethereal and then did a send/receive to watch my fake username and password be sent across the wire. I then wrote an email and deleted some others to create traffic. I closed Thunderbird and waited. I set a string filter for Alice623001 in ethereal and watched. Sure enough, a few minutes later (about 10) I saw my fake username and password being sent over the wireless LAN. I captured the kid's source address.
This kid was trying to access my fake account. By this point I was angry. I got to thinking about what kind of stuff I could do to him. I easily could have kicked his ass; however, I am not sure that it would have helped. All these people had been cheated of their info and privacy. That is when I started to think about legal options. I don't even know if it is illegal to sniff a public network. I have never even thought about it. I did a quick Google search and did not find much. I guess you can kind of relate this to yelling across the room to a friend with your username and password. Whoever happens to be in the room has access to that information. The analogy does not sit well with me. I would like to think that people can be safe or feel safe even when their trusted programs (Outlook, Outlook Express, Thunderbird, and Hotmail) send their information in plain text over the network.
Right now I am just angry. If I do see this kid again, I plan on approaching him and asking what he plans on doing with all the usernames and passwords he stole. I can only guess he is going to just mess around. But what happens when he comes across a guy who happens to have admin rights on a system and sends his username and password over the line? I realize this is a gray area of the law, but what about people's privacy? I am not a malicious person by any means. I have sniffed networks in the past to gather information to help me learn how to protect them. But when I watched this kid and the speed with which he attempted to open my POP account, I am a bit worried. He must have had a program that would just take a username, password, and mail server and check validation.
I guess I am now asking the community what they think of this event. Do you know if you are secure? Do you go to a coffee shop and check mail via POP and send your info? Do you use ftp at the coffee shop to update your web site or, worse, your corporate web site? I would love some feedback on what people think. Just think: what if someone got your email password? Does it match your bank account password or your PayPal password? These are the questions on my mind. And how can I do something against this punk kid? Should I just walk over and kick his ass or should I call the police? And if I call the police, what do I say?
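The fake jvandenbon account in the post is a canary credential: it is only ever sent from the poster's own laptop, so any other address that later logs into it has sniffed the wire. The following is an added example, not code from the post, of checking that on the mail server side; the log format, the timestamps and every address are constructed here, and the poster's own machine is assumed to be 10.0.0.21.

```python
"""Canary-credential detection on a mail server's login log (added example)."""
import re
from dataclasses import dataclass

# Constructed sample lines in a made-up POP3 server log format (no real product).
# 10.0.0.21 is assumed to be the poster's laptop, the only host that should ever
# log in as the canary user; 10.0.0.42 plays the sniffer who replays what he saw.
SAMPLE_LOG = """\
2005-03-01 08:12:03 pop3 login ok user=alice src=10.0.0.15
2005-03-01 08:12:40 pop3 login ok user=jvandenbon src=10.0.0.21
2005-03-01 08:22:11 pop3 login ok user=jvandenbon src=10.0.0.42
2005-03-01 08:22:12 pop3 login ok user=alice src=10.0.0.42
2005-03-01 08:22:13 pop3 login fail user=bob src=10.0.0.42
2005-03-01 08:30:00 pop3 login ok user=alice src=10.0.0.15
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) pop3 login (?P<result>ok|fail) "
    r"user=(?P<user>\S+) src=(?P<src>\d+\.\d+\.\d+\.\d+)$")

@dataclass
class Alert:
    ts: str
    src: str
    user: str
    result: str  # "ok" or "fail": a failed attempt is still evidence of sniffing

def canary_hits(log_text, canary_users, bait_sources):
    """Logins to a canary account from any host other than the one(s) that
    deliberately sent the bait credentials over the network."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m["user"] in canary_users and m["src"] not in bait_sources:
            hits.append(Alert(m["ts"], m["src"], m["user"], m["result"]))
    return hits

def suspect_sources(log_text, canary_users, bait_sources):
    """For each host that touched a canary, every account it tried: this is the
    set of real users whose cleartext POP logins were probably captured too."""
    suspects = {h.src for h in canary_hits(log_text, canary_users, bait_sources)}
    per_src = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m["src"] in suspects:
            per_src.setdefault(m["src"], set()).add(m["user"])
    return {src: sorted(users) for src, users in per_src.items()}

if __name__ == "__main__":
    for a in canary_hits(SAMPLE_LOG, {"jvandenbon"}, {"10.0.0.21"}):
        print(f"{a.ts} canary {a.user} used from {a.src} ({a.result})")
    print(suspect_sources(SAMPLE_LOG, {"jvandenbon"}, {"10.0.0.21"}))
```

The accounts listed for a suspect host are the users to tell first, since their passwords were on the same wire.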