i/s Back Issues: Volume 13, No. 2, November/December 1997

Protect Your Computer from Packet Sniffing Programs

Joanne Costello

In recent months many computers at MIT have been broken into by outsiders. These intruders have gained unauthorized access to machines and planted "packet sniffers" on them. Packet sniffing, which has been around since the invention of Ethernet, has legitimate uses. Today, however, the threat of misuse of these programs has increased greatly because they can be downloaded readily via the Internet.

What's a Packet?
Ethernet transmits data in blocks of characters called packets. While each packet is intended for a particular destination, once a sniffer is planted on a machine, it can listen in on all packets that travel on that subnet. Generally, these programs are written to capture only the first 128 or so characters of any telnet or ftp session. This is enough to find out the destination machine, username, and password.

Who's at Risk?
If you are the system administrator of a multi-user system such as UNIX, the machines you administer may be vulnerable to intruders. For advice on how to protect your system and what to do if you suspect a break-in, see http://web.mit.edu/network/unix_security.html.

If you regularly telnet or ftp to another machine, your username and password may have been compromised. Read about what steps you should take at http://web.mit.edu/network/compromise.html.

What Can Be Done?
There is no silver bullet that protects against this type of attack on an open network like MIT's. The best defense is conscientious password management, careful system management, and use, whenever possible, of applications that support Kerberos or public key security systems.

Traditional telnet and ftp require users to authenticate themselves to the host system by typing passwords. These passwords travel over the network in the clear. Kerberized telnet, however, protects your password as you authenticate yourself to a remote system. It also provides you with an encrypted telnet session.
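To make the point concrete, the following added example (not part of the original article) audits the first 128 bytes of a captured flow, the same window a sniffer keeps, and reports whether a cleartext FTP or telnet login is exposed there. The sample FTP bytes and the port-to-protocol table are constructed for illustration; the audit reports the account and password length only, never the password itself.

```python
import re

# Constructed sample of the client side of an FTP control session as it
# appears on the wire: username and password both sit in the first 128 bytes.
SAMPLE_FTP_CLIENT_BYTES = (
    b"USER jdoe\r\n"
    b"PASS hunter2\r\n"
    b"SYST\r\n"
    b"PWD\r\n"
)

# Destination ports of protocols that send the password in the clear (assumed
# standard ports; adjust for your own environment).
CLEARTEXT_PORTS = {21: "ftp", 23: "telnet"}

# FTP authentication commands are plain ASCII lines terminated by CRLF.
FTP_CRED_RE = re.compile(rb"^(USER|PASS) (.*)$", re.MULTILINE)


def audit_flow(dst_port, client_payload, capture_len=128):
    """Inspect only the first capture_len bytes of one client-to-server flow.

    Returns an audit record: which cleartext protocol was used, which FTP
    credential commands were visible in the captured window, the account
    name (so the owner can be told to change the password), and the length
    of the exposed password. The password value is deliberately not returned.
    """
    proto = CLEARTEXT_PORTS.get(dst_port)
    if proto is None:
        return {"cleartext_auth": False}
    head = client_payload[:capture_len]
    record = {"cleartext_auth": True, "protocol": proto, "exposed": []}
    if proto == "ftp":
        for match in FTP_CRED_RE.finditer(head):
            command = match.group(1).decode("ascii")
            value = match.group(2).strip()
            record["exposed"].append(command)
            if command == "USER":
                record["username"] = value.decode("ascii", "replace")
            else:
                record["password_length"] = len(value)
    return record


if __name__ == "__main__":
    print(audit_flow(21, SAMPLE_FTP_CLIENT_BYTES))
    print(audit_flow(22, b"SSH-2.0-OpenSSH\r\n"))  # encrypted protocol, not flagged
```

A flow whose PASS command falls beyond the 128-byte window is still flagged as cleartext, but the record lists only USER as exposed, which matches the article's remark that sniffers keep roughly the first 128 characters.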

To find out which version of Kerberized telnet is available for your platform, see http://web.mit.edu/ist/help/ktelnet/.

Be aware that for Kerberized telnet to work, both your machine and the remote host must be running it. If you regularly telnet to a non-Athena machine, check with the system manager of that machine to see if it supports Kerberized telnet sessions. Note: MITVMA/C, EREQ, and Athena are all Kerberized.

Unfortunately, there is no standard for Kerberized ftp on any platform. If you use ftp to transfer files from your desktop computer to Athena or any other computer, you are at risk of having your password compromised. For instance, if you create HTML files on your local machine and use ftp to transfer them to an Athena locker, your password travels the network in the clear. The only thing you can do to guard against packet sniffers is to change your password often.

Eudora uses Kerberos authentication, so your password can't be compromised when you use it for email. However, since you have the same username and password for email as you do when you ftp to Athena, your email password can be compromised through your use of ftp.

Encrypting Data
While sniffer programs usually capture only the first 128 characters of a packet, they can be set to capture all data as it passes over the network. This includes data sent via FTP or email. Your best protection against such eavesdropping is to use a public key encryption system such as Pretty Good Privacy (PGP). MIT has a license to distribute this program. For more information or to download a copy, go to http://web.mit.edu/network/pgp.html.
