Are you being watched?
Following a comment by one of our valued readers, Patrick, I decided to write an article about Sniffing because the subject is way too broad to discuss via comments.
Patrick mentioned an event which happened recently. A Chinese Telecommunications company redirected 15% of the world’s internet routes through its system. It’s impossible to say whether this was a mistake or done intentionally. Once the traffic was routed through their system the Chinese company had the ability to look at all the data and even keep a copy of it. We of course have no way to know what operations were run on the data, if any.
This is obviously worrisome as such attacks can be used for industrial or military espionage. It is however very important to realise that network sniffing (the act of spying on data traffic) is not something new and is not a threat that is posed solely by large telecommunications companies either.
Previous to this incident there was the alleged project Echelon. The project’s initial target was spying on Russia during the Cold War. It was allegedly subsequently expanded to monitor possible terrorist activities, drugs and other criminal activities. In the 1990s however journalists claimed that project Echelon was being used for industrial espionage by the United States.
Governments are not the only entities that can spy on your network. Anyone along the route between you and your destination can set up a sniffer and spy on the data travelling through that pipe. This is especially effective at the ISP, where all of your traffic is guaranteed to pass through. It doesn’t have to be an inside job at the ISP either; if a hacker can get access to any machine within that network segment, even remotely, he can install a sniffer or even redirect the traffic. This can be achieved fully transparently, without the victim realising.
Even worse is when a satellite internet provider is along the route, because in such cases your data will be broadcast to a large geographical area where anyone equipped with a simple, cheap satellite card can easily sniff all the traffic, which in case of satellite systems is generally not encrypted.
The spying threat also exists within the company itself. Disgruntled employees can easily run sniffers inside your local network. The range of the data they can sniff is limited by the network design; however, there are attacks that could potentially allow an attacker to modify routes to allow him a bigger scope. A successful sniffing attack on an internal network could steal a lot of important information, from confidential documents to emails. A clever attacker could also record traffic to printers with the possibility to replay them to another printer, resulting in them obtaining a copy of whatever the victim would have printed.
In any case the solution is similar:
- Whenever possible use strong encryption.
- To protect against internal sniffing, protection against ARP (Address Resolution Protocol) poisoning is a must.
- VPNs and other encrypted tunnelling systems can also be an effective defence against sniffing.
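A way to put the ARP-poisoning point above into practice, as an added example that is not part of the original article: this Python detector watches ARP replies for an IP address whose MAC address changes, the sign of a host impersonating another (typically the gateway). The simplified `reply <ip> is-at <mac>` input form and the sample lines are constructed for the example, not captured traffic.

```python
from typing import Dict, List, Optional, Tuple

class ArpWatch:
    """Tracks the IP-to-MAC bindings seen in ARP replies and flags changes."""

    def __init__(self) -> None:
        self.bindings: Dict[str, str] = {}  # ip -> MAC first observed for it

    def observe(self, ip: str, mac: str) -> Optional[str]:
        """Record one ARP reply; return an alert if it conflicts with history."""
        mac = mac.lower()
        known = self.bindings.get(ip)
        if known is None:
            self.bindings[ip] = mac  # first sighting: learn the binding
            return None
        if known == mac:
            return None  # consistent with what we already know
        return f"ARP conflict: {ip} was {known}, now claimed by {mac}"

def parse_arp_line(line: str) -> Optional[Tuple[str, str]]:
    """Parse a simplified (constructed) 'reply <ip> is-at <mac>' line."""
    parts = line.split()
    if len(parts) >= 4 and parts[0] == "reply" and parts[2] == "is-at":
        return parts[1], parts[3].rstrip(",")
    return None

def scan(lines: List[str]) -> List[str]:
    """Run the watcher over a batch of lines and return every alert raised."""
    watcher = ArpWatch()
    alerts = []
    for line in lines:
        parsed = parse_arp_line(line)
        if parsed is not None:
            alert = watcher.observe(*parsed)
            if alert:
                alerts.append(alert)
    return alerts

# Constructed sample (not captured traffic): replies for the gateway and one
# client, then a second host claiming the gateway's IP with its own MAC.
SAMPLE = [
    "reply 192.168.1.1 is-at aa:bb:cc:00:00:01",
    "reply 192.168.1.20 is-at aa:bb:cc:00:00:20",
    "reply 192.168.1.1 is-at AA:BB:CC:00:00:01",
    "reply 192.168.1.1 is-at de:ad:be:ef:00:99",
]
```

On a real network the same logic would be fed by a packet capture of ARP replies; a conflict on the gateway's address is the case worth alerting on first.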
I guess the question isn’t whether sniffing is being done, but rather, if sniffing is being done to “you”. I know security is always a major point of discussion here at the GFI blog, but with so many points of entry it seems like internet use is just a hotbed of potential eavesdroppers and snoopers. It’s one thing to know how to protect yourself against sniffing, but is there any way to tell that you’re actually being sniffed?
I’ve been following the developments of the incident in China and it’s also crossed my mind that there literally is no way we’d be able to find out what China’s real intentions were. What has never been clear to me, however, is whether the United States caught China redirecting the traffic, or if China was the one who came clean about it (I think it was the former, but I can’t be 100% sure).
That was an interesting tidbit about Project Echelon. I decided to run a Google search about it myself (since I hadn’t heard about the project prior to reading this article), and it turns out that the project is actually still active. When the article mentioned that Project Echelon was then used to monitor terrorist and drug activity after the Cold War, I didn’t know that meant it was still currently in use. How can we know what else Project Echelon has been sniffing out?
As good as the suggestions to protect yourself against sniffing may be, the fact of the matter is that individuals not too privy to software security (which is a majority of people) won’t have the tools, the training, or the experience to execute them properly. Even for those of us who do, it’s not like we have access to government-level encryption to protect us against the snooping eyes of governments.
I think that the China situation is a testament as to how security protocols are being left behind by technology’s own rate of advancement. Governments are only now trying to steadily reinforce online security within their own borders. But when it comes to international disputes, shouldn’t there be a global (and therefore arbitrary) entity monitoring or overseeing these kinds of scenarios? The internet, by its sheer definition, is international in scope, and limiting the area of responsibility to stratified domestic organizations is just backward.
It seems that this article is against the idea of data sniffing (as it should be) under whatever context, be it for international data acquisition or inter-company policing. But knowing that GFI is an advocate of internal network monitoring, how different would that be from something like this? Wouldn’t it all be just a matter of semantics when it comes to snooping into the workstations of your own company’s employees?
@Julian – This is a difficult question to answer. In some cases it is possible to find out if you’re being sniffed. For example, if the sniffer is running on a network you have access to, it can be detected. In order for any program to sniff data that is not addressed to it, it has to switch the Ethernet card to promiscuous mode. This is a mode that allows the Ethernet card to dump all the packets traveling to it. There are tools that can scan the network and tell if an Ethernet card would be running in promiscuous mode at the time. If you are being sniffed from outside a network you control then there’s not much you can do. There are some advanced ways but it’s very subjective to the situation. You might want to conduct a search on the subject and find out more if you’re interested, as I’m afraid there is way too much to talk about to note it all in a comment.
@Leslie – It is actually more complex than that for it wasn’t China per se that redirected the traffic but a telecommunication company. I am not sure but I believe that they didn’t come clean, but rather people noticed the redirection and raised the alarm. It doesn’t mean anything either way however in my humble opinion.
@Warren Avery – Project Echelon is famous because it became public; we have no way of knowing if there are other initiatives like it and what they’re monitoring. After all, we know telecoms are willing to spy secretly for the government, as happened in 2006. We would know nothing about that had it not been for the actions of the whistleblower who brought the whole thing to light. Personally I would always assume the line is compromised and act accordingly. If you’re transferring confidential information that you don’t want people to see, just use strong encryption on it; that’s the only way to be relatively safe.
@isabel quintanar – It’s true that the general user doesn’t have the know-how to protect himself against sniffing. Luckily that’s mitigated by service providers (to a point) who secure important infrastructure for the average user. I would not expect my aunt to know how to run a VPN with all her endpoints, but she doesn’t need to. If she uses online banking then it’s the bank that will make sure that the line over which she will interact with the bank is a secure line. She is still vulnerable in instances where encryption is not used, but generally those are of little consequence. If you’re an administrator in a company, however, it will be up to you to secure your own systems. This is mostly geared at that audience even though the suggestions apply to everyone really.
@sally w. – Having a central authority for the Internet to investigate and control these incidents can be very tricky actually. Where will it be based? And how will everyone trust that it is not controlled by the government hosting it? In a way we already have something similar – ICANN is the organization responsible for managing IP addresses and top-level domains. Some countries are concerned about US control, and possibly with good reason, since a few weeks ago there was a story that ICANN was asked by a US agency (ICE – Homeland Security’s Immigration & Customs Enforcement) to transfer control of some domains to itself. ICANN complied even though there was no court order issued. Now granted that these sites were allegedly involved in copyright infringement, but there are activities that are illegal in the US yet legal in other places, such as online gambling. With ICANN, the US has the power to just kill any domain name it wants and that’s a scary thing.
@rosalie – That is an interesting question. Firstly let me clarify a bit that I am not speaking in GFI’s name but rather stating my own views on the subject. The core subject we’re dealing with here is security. We’re dealing with the confidentiality part of security, to be more exact. Sniffing is one of the top enemies of that confidentiality. In that context there is a difference between being the victim of sniffing and performing the sniffing. Now you may be thinking that I am being a hypocrite, but let me explain the difference. The target of a security professional is to keep the confidential information safe, which means that only people authorized to view that information should be able to view it. If an unauthorized person sniffs out that information we failed in our security task, and that act of sniffing itself is a bad thing as it is compromising our security. If I am running an IDS which is doing deep packet inspection, the IDS is effectively doing sniffing. It is looking for known signatures of hacking attacks in each packet passing through it. During its operation it might detect a hacking attempt and stop the transmission. In doing so an attacker might have been prevented from gaining access to our confidential data, so in that case sniffing was a good thing as it is protecting our security and not hindering it. So it’s not correct to say the article is against sniffing under any context. The article is against sniffing which compromises our security. Sniffing for inter-company policing (not for IDS reasons but actually monitoring employee activities) cannot be classified as bad sniffing (provided it is performed according to the rules, such as informing employees of it) as it is not compromising confidentiality but actually enforcing it. If employees have been advised that monitoring is taking place they have no expectation of privacy, and thus legally their confidentiality is not being infringed either.
Basically the sniffing is gaining access to information that the company is authorized to view because effectively it owns it. That being said, it is an extreme action in my personal opinion and I personally would not recommend it unless really necessary. Security is always a balance, so one must ask if actively monitoring employees is really necessary. There is a price to pay for security apart from the obvious monetary aspect. The extra price can be inconvenience or even employee morale. If by your actions you lower employee morale to the point that they become unhappy or even disgruntled then your security policy is actually creating a security risk. In my opinion, security-wise it is a lot better having an employee use the web for personal use now and then (within acceptable limits of course, and provided adequate protection is in place against possible malware that may result from their actions) than having him/her turn disgruntled, as that makes the employee a possible security risk. Apologies for the long comment, but I just wanted to be as clear as possible on the subject. Feel free to add your views if you do not agree with anything I have said or if you feel that there is more to it.