As a follow-up to my original post about watching some kid at a coffee shop sniff the wireless network for passwords, I am doing a wi-fi security series.
In this post I will show wi-fi users how easy it is to gather information from other computers and users just by sniffing the network. I first must explain what “sniffing the network” means. In the simplest form it is just listening to and capturing the information that is sent across the network; this information travels in network packets. This can be done on a wireless or wired network. Network sniffers come in all different flavors and types. I prefer Ethereal, because it works on Linux and Windows. These tools are used to troubleshoot and diagnose issues on networks and applications. They can also be used to eavesdrop or snoop on others, which is what I plan on explaining in this post.
So you may ask, what can a person “sniffing the network” find? Well, for starters, it is really easy to gather usernames and passwords, especially from POP email accounts. Most people who use email have an email client (Outlook, Outlook Express, Thunderbird, or some other branded client like AOL or EarthLink). Most of these clients use POP3 to communicate with the server to read your email. This all happens when you hit the Send/Receive button. Clients that use POP3 may send your username, password, and messages in clear text. By default these programs are set up to be easy to use, and the security features that are available are not turned on. So what does this mean? Well, let’s look at a typical transaction from a user who is checking his or her mail. They open up Thunderbird (my email client of choice) at a coffee shop and hit Send/Receive while using the free wi-fi.
When they do, they are sending information unsecured over that network, which happens to be a wi-fi network. Other users on the same wi-fi have the ability to overhear, or sniff, your information. The image below shows an Ethereal capture of my fake user called jvandenbon.
As you can see from the image, the user jvandenbon is sending his password of Alice623001 to his mail server. This happens each time he hits Send/Receive. Not only are the username and password readable, but so is the email. Below is a screen capture of an email I sent to that user. You can see from the capture that I read the email and then deleted it.
Here is the actual information from that email inside Ethereal:
Received: from ?192.168.1.107? ( [18.104.22.168])
by mx.gmail.com with ESMTP id j4sm126467nzd.2005.11.22.19.09.50;
Tue, 22 Nov 2005 19:09:50 -0800 (PST)
Message-ID: <[email protected]>
Date: Tue, 22 Nov 2005 22:09:04 -0500
User-Agent: Mozilla Thunderbird 1.0.6 (Windows/20050716)
X-Accept-Language: en-us, en
Subject: Are you reading my email
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
you can read this message
So as you can see, a default email client and POP3 account is not very secure. You are basically sending your user information and password for all to see, if they know how. What is scary, when you actually do sniff a network, is the number of email usernames and passwords that are actually sent. The day that I caught that kid at the coffee shop I saw about 10 usernames flying over the network.
At this point some people may be saying, why do I care, it is just an email account? Well, ask yourself a few questions. Do you use that password for anything else, like your online bank site, bill pay, PayPal, or even your gas or electric site? Do you use that email for any other accounts like PayPal, eBay, or your bank site? Could someone use your email and password to ask your bank to reset your online banking password? These are all just food for thought.
Others are probably reading this and saying that users should know how to secure their email account properly and use SSL/TLS over POP. I plan on helping people do that in my next post.
To keep this part 1 going, let’s discuss what other information your machine may be telling people about you. So far we have seen that email usernames, passwords, and messages can be viewed. Now I will show how online web email accounts can also be viewed. Though not as easy, online or web mail can also be seen over the network. This is only true when it is not used under SSL (https). Below is a picture of what a typical web mail login looks like. You can see the username jvandenbon and his password being sent over the network.
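To make the two cases above concrete, here is a small checker that reads a mail login exchange and reports whether the credentials went out before any encryption was negotiated. This is an added example, not code from the original post; the POP3 transcripts and the web-mail form fields in it are constructed, written the way a mail client's own protocol log would show them (C: for the client line, S: for the server line) rather than as a raw packet capture, and the password values are placeholders. It checks for the STLS command (the standard way a POP3 session upgrades to TLS) and, for web mail, simply whether the login form was posted to an https URL. It never reports the password itself, only that it was exposed.

```python
"""Audit captured mail logins for credentials sent in the clear.

Added example, not code from the original post. The session transcripts
below are constructed for illustration; they follow the form of a mail
client's own protocol log (C: client line, S: server line) rather than a
raw packet capture, and the passwords are placeholders.
"""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qsl, urlsplit


@dataclass
class Finding:
    protocol: str    # "POP3" or "HTTP"
    user: str        # the account name that was sent
    encrypted: bool  # True if TLS was negotiated before the credentials went out


def audit_pop3(session: str) -> Optional[Finding]:
    """Walk a POP3 exchange and report whether USER/PASS went out before STLS.

    STLS (RFC 2595) upgrades the connection to TLS; a client that sends PASS
    without a successful STLS first is exposing the password to anyone on the
    same network segment.
    """
    tls_active = False
    awaiting_stls_reply = False
    user = None
    for raw in session.splitlines():
        line = raw.strip()
        if not line:
            continue
        side, _, payload = line.partition(": ")
        if side == "S":
            if awaiting_stls_reply:
                tls_active = payload.startswith("+OK")
                awaiting_stls_reply = False
            continue
        cmd, _, arg = payload.partition(" ")
        cmd = cmd.upper()
        if cmd == "STLS":
            awaiting_stls_reply = True
        elif cmd == "USER":
            user = arg
        elif cmd == "PASS" and user is not None:
            # Deliberately do not keep the password: the finding is the exposure.
            return Finding("POP3", user, tls_active)
    return None


def audit_http_login(url: str, form_body: str) -> Optional[Finding]:
    """Report a web-mail login form POST; it is protected only if the URL is https."""
    fields = dict(parse_qsl(form_body))
    pw_field = next((k for k in fields if "pass" in k.lower()), None)
    if pw_field is None:
        return None  # not a login form
    user_field = next(
        (k for k in fields
         if k != pw_field and any(t in k.lower() for t in ("user", "login", "email"))),
        None,
    )
    user = fields[user_field] if user_field else "<unknown>"
    return Finding("HTTP", user, urlsplit(url).scheme == "https")


def describe(finding: Optional[Finding]) -> str:
    """Human-readable verdict; never includes the password."""
    if finding is None:
        return "no credentials observed"
    state = "protected by TLS" if finding.encrypted else "SENT IN CLEAR TEXT"
    return f"{finding.protocol} login for {finding.user}: {state}"


# Constructed transcripts (not captured traffic). Password values are placeholders.
CLEARTEXT_POP3 = """\
S: +OK POP3 server ready
C: USER jvandenbon
S: +OK
C: PASS placeholder-password
S: +OK Logged in
C: STAT
S: +OK 1 1024
"""

STLS_POP3 = """\
S: +OK POP3 server ready
C: STLS
S: +OK Begin TLS negotiation
C: USER jvandenbon
S: +OK
C: PASS placeholder-password
S: +OK Logged in
"""

if __name__ == "__main__":
    print(describe(audit_pop3(CLEARTEXT_POP3)))
    print(describe(audit_pop3(STLS_POP3)))
    print(describe(audit_http_login("http://webmail.example/login",
                                    "username=jvandenbon&password=placeholder")))
    print(describe(audit_http_login("https://webmail.example/login",
                                    "username=jvandenbon&password=placeholder")))
```

The first transcript is the default-client case from the screenshots: USER and PASS go out with nothing negotiated first, so the verdict is clear text. The second shows the same login after a successful STLS, which is what the SSL/TLS-over-POP setting in the next post achieves; in a real capture the USER and PASS lines would then be unreadable to a sniffer, which is the whole point.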
All the information I have talked about so far is from a user’s computer sending data out. This means you are initiating the traffic: checking email, browsing web sites. But what about your computer, does it answer questions about you when asked? It amazed me when I did a quick scan of the coffee shop wi-fi the other week. I saw 3 laptops that had network shares available on them. That means I was able to copy files off those machines.
The users had turned on network sharing without any security. In my next post I will discuss methods of protection against intruding eyes.
As always, leave me feedback. Both good and bad.