Just Testing

A couple of students in Another Place are in trouble for “hacking”. The newspapers aren’t particularly specific about what they did, but it sounds like they installed a packet sniffer and listened in on traffic across their network.

Ethernet networks have everyone hanging off the same piece of wire. If you’re on an Ethernet network, your network card has a unique address. As the traffic for everyone on that piece of wire flows by, your computer picks up only the traffic addressed to it. It doesn’t listen to other people’s traffic because you usually don’t care about it. However, by running your network card in what is delightfully known as promiscuous mode, you can see other people’s traffic too. Programs which do this and present the results to you are called packet sniffers. Ethereal is a popular free packet sniffer. Packet sniffers have legitimate uses, like diagnosing network problems or writing and debugging software which uses the network (I installed Ethereal the last time I was having problems with DNS lookups, for example). The remedies for undesired sniffing are encryption and restructuring the network so that everyone’s packets don’t share the same piece of wire.

The Oxford students seem to have been disciplined for drawing attention to what they did, but none of what they found is news. A college network probably has everyone hanging off the same wire. There are encrypted versions of telnet, HTTP, IMAP and POP3 but not many people use them. There are a lot of clever people with time on their hands. You work it out.

People who know this have done some sort of risk calculation and come up with a solution that they’re happy with, one which balances convenience against privacy. For example, I only permit encrypted logins to my machines and don’t send my password itself when fetching email (although the mail itself comes across the wire as plain text). Now that you know what’s possible, you can do that calculation too.
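The risk calculation above starts with knowing which of your own sessions carry a login in the clear. As an added example (not code from the original post), this script parses raw Ethernet/IPv4/TCP frames of the kind a sniffer such as Ethereal captures, classifies each by protocol, and flags POP3 sessions that send the password with PASS rather than APOP or AUTH. The frames and addresses are constructed samples; the port-to-protocol tables are assumptions about which services a college network is likely to run.

```python
import struct

# Added example: audit captured frames for cleartext logins. Frames are constructed.
CLEARTEXT = {23: "telnet", 80: "http", 110: "pop3", 143: "imap"}
ENCRYPTED = {22: "ssh", 443: "https", 993: "imaps", 995: "pop3s"}

def parse_frame(frame):
    """Return (src_ip, dst_ip, dst_port, payload) for an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 54 or frame[12:14] != b"\x08\x00":   # too short or not IPv4
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                              # IPv4 header length in bytes
    if ip[9] != 6:                                        # protocol 6 = TCP
        return None
    src = ".".join(map(str, ip[12:16]))
    dst = ".".join(map(str, ip[16:20]))
    tcp = ip[ihl:]
    dst_port = struct.unpack("!H", tcp[2:4])[0]
    return src, dst, dst_port, tcp[(tcp[12] >> 4) * 4:]  # payload follows the TCP header

def audit(frames):
    """One finding per TCP frame. 'cleartext' is True/False/None (unknown port);
    'password_on_wire' is True when POP3 sends the password with PASS (APOP/AUTH avoid that)."""
    findings = []
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed is None:
            continue
        src, dst, port, payload = parsed
        proto = CLEARTEXT.get(port) or ENCRYPTED.get(port) or "tcp/%d" % port
        clear = True if port in CLEARTEXT else False if port in ENCRYPTED else None
        findings.append({"src": src, "dst": dst, "proto": proto, "cleartext": clear,
                         "password_on_wire": proto == "pop3" and b"PASS " in payload.upper()})
    return findings

def build_frame(src, dst, dport, payload=b""):
    """Constructed sample: Ethernet + minimal IPv4 + TCP headers (checksums left zero)."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    return eth + ip + tcp + payload

SAMPLE_FRAMES = [                                         # constructed traffic
    build_frame("10.0.0.5", "10.0.0.1", 110, b"USER alice\r\nPASS s3cret\r\n"),
    build_frame("10.0.0.5", "10.0.0.1", 110, b"APOP alice 0123456789abcdef0123456789abcdef\r\n"),
    build_frame("10.0.0.6", "10.0.0.1", 995),
    build_frame("10.0.0.7", "10.0.0.2", 23, b"login: "),
    build_frame("10.0.0.8", "10.0.0.2", 22),
]
```

Running `audit(SAMPLE_FRAMES)` shows the first POP3 session exposing its password while the APOP session, the POP3-over-TLS session and the SSH session do not.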

3 Comments on "Just Testing"

  1. From what I read their actions only affected one college where there is just a single IT guy responsible for everything.

    I’m guessing the college has an old hub-based system (rather than being switched) as few are up to MAC spoofing (to fool a switch into forwarding packets to your port), which of course wouldn’t work on any half-decent (read Cisco) switch.

    Also I read that the whole CCTV thing was because management at the college decided to buy some ‘black box’ CCTV solution that uses HTTP instead of HTTPS with no login security!

    They could be rusticated, which would be absolute lunacy in my opinion. It’s not like they covered up what they were doing, they were doing it for the college newspaper, and to be fair it just exposes the ridiculous incompetence of the college IT staff (a non-switched network?!!?!).

    When I was at uni Computer Services had been trying to track down some rogue NetWare login servers that kept randomly appearing on the network; eventually they decided to do a room-by-room check in halls.

    They went to the rooms of two Residential Assistants (people who look after the freshers in halls) to let them know what they were doing, and when they opened the door there were LEDs flashing, Cat5 cabling hanging down from the ceiling, the whole works. Suffice to say that they didn’t need to continue the search.

    I find all this quite ridiculous though – I mean it’s like when MI6 was on the news going on about how people with radio scanners are breaching national security by listening to what they’re saying on their walkie-talkies, without mentioning the fact that they should really be using encrypted radio.


    1. I don’t know how common switched networks are, and how common switched networks which aren’t vulnerable to ARP spoofing tactics are. It seems likely that educational institutions won’t spend the extra money to prevent this sort of attack as they tend to be strapped for cash to start with. One can but hope, I suppose.


      1. I think not having a switched network is inexcusable nowadays – it’s got to cost, what? £10 at most per port to replace their hubs.

        Having basic switched hubs would stop 99.9999% of this sniffing, and for the remaining 0.0001% – well you probably can’t stop them whatever you do.

