Update on Network Security Issues

Jeff Schiller, Network Operations
Joanne Costello, Network Services

The expansion of MITnet to undergraduate dormitories and independent living groups has raised a red flag concerning security issues. A recent article in The Tech ("Loopholes Loom Large in MITnet," April 22, 1994), and a response from Information Systems ("Responsible Use of Computing Environment Assumed," April 29, 1994), outlined the nature of these issues. This article, drawing in part on excerpts from The Tech article and IS response, summarizes what network users should understand about the current limits of network security.

Packet-Sniffing Programs

The privacy of a user's password, electronic mail, zephyrgrams, and files can be easily compromised through the use of programs called packet "sniffers." The ability to "sniff" packets has existed since the inception of Ethernet technology. However, this capability has only recently surfaced as an Internet-wide security problem, mostly due to the availability of sniffing programs. At MIT, these can be found on local AppleShare servers and public Athena workstations. It is not possible to detect snoops who use such utilities.

While packet-sniffing programs are legitimately used for network diagnostics, they can also be used to read data to or from other users on the same subnet.

In order for someone to sniff packets within your subnet, they must first have access to a computer on your subnet. Excluding the case of someone outside MIT breaking into your computer and gaining access, this means that it is your neighbors who have the easiest access to sniff your packets. (Note that each of the dormitories on campus is a separate subnet.)

Additionally, passwords are not encrypted when a user runs a Telnet or File Transfer Protocol (FTP) program to connect to a remote site. This makes users of Telnet and FTP vulnerable to sniffing.

Kerberos and Passwords

The initial designers of MIT's Project Athena were aware of the risk of sniffing. In response, they developed the Kerberos authentication system, which is used instead of password files within the Athena environment. If the entire world used Kerberos, no one would have to worry about sniffers stealing passwords.

Unfortunately, this is not the case. There is some real vulnerability when users log into Athena dialup servers, because "traditional" technologies for authenticating remote logins require the transmission of clear text passwords.

Beyond MIT, several regional network service providers have had hosts compromised in the last few months, which has permitted sniffers to steal passwords for any connection made over that regional service. Law enforcement authorities, within the U.S. and internationally, are working to catch these password-cracking sniffers.

New Security Tools

As the Internet has evolved from a research vehicle into a tool for general information exchange, security has become a growing concern. IS staff and colleagues on the Internet Engineering Task Force (IETF) are working aggressively to address security issues.

Tools such as PGP, which IS recently licensed, use public-key encryption to protect electronic mail and data files. There will be a Network Notes column on PGP in the fall. IS also plans to support Kerberos-authenticated versions of Telnet and FTP for Macintosh, DOS/Windows, and other platforms that are common at MIT. Look for announcements of these products in future issues of i/s.

MITnet and the MIT Community

"Sniffing" networks is a violation of MITnet rules of use, and also violates the privacy of individuals. IS expects that members of the MIT community will act responsibly, and also do their part to stay informed of security issues. In all likelihood, the real security threats on MITnet come from beyond campus.

IS will continue to alert the MIT community to security breaches, and provide information on how to protect systems from unauthorized access. If you have any questions concerning network security, send e-mail to .

-Excerpts reprinted with permission of The Tech.