Next: Social Engineering Up: Passwords Previous: Password Guessing

Password Sniffing

If a hacker can't guess your password, there are other ways he/she can try to get it. One way which has become very popular is called ``password sniffing''.

It turns out that most networks use what's known as ``broadcast'' (shared-medium) technology, such as Ethernet. What that means is that every message that a computer on the network transmits can be read by any other computer on that network segment. In practice, all the computers except the recipient of the message will notice that the message is not meant for them, and ignore it.

However, many computers can be programmed to look at every message on the network (the network interface is put into what is called ``promiscuous mode''). If one does this, one can read messages which were not intended for one's own computer.

Hackers have programs which do this, and then scan all the messages which traverse a network looking for passwords. Programs such as rlogin and telnet send your password across the network in the clear, so if you log in to a computer across a network, and some computer on a network along the way has been broken into and is running such a program, you may end up giving your password to the attacker.

Using this technique, hackers who've broken into computers which are on heavily used networks have collected thousands of passwords.

This is a serious threat to users who log in to our computers from remote sites. If you log in on the console of a computer, your password never crosses a network where it can be sniffed. But if you log in from some other school, or from an internet service provider, you are dependent on the security of their network, and of every network between them and us.

One way to protect yourself from password sniffing is to arrange to not need to type your password. The program rlogin can be configured to not require your password. If you know ahead of time that you'll be using your account from a given computer, you can create a file named .rhosts in your home directory here and put a line with the full name of the remote computer you'll be using in that file. If you try to rlogin to our computers from the computer listed in your .rhosts, you won't be asked for your password. In effect, our computer will trust the other computer for your account if you list it in your .rhosts.

There are some dangers associated with the use of .rhosts files. If the remote computer gets broken into, the hacker might deduce that he/she can simply rlogin to your account here without a password. One way to minimize that risk is to not have the .rhosts files on both machines point at each other. If your account on the remote machine doesn't have a .rhosts file which allows your HSEAS account to log in, somebody who's broken into the remote computer is less likely to notice that your account there can be used to break in to our computers here.

Despite these dangers, the CNG feels that the dangers of password sniffing outweigh the dangers of .rhosts, and so in most cases we advise using a .rhosts file if you expect to be accessing your HSEAS account remotely.

Under no circumstances should you use a ``+'' (plus) character in your .rhosts! A ``+'' in place of the computer name means that any computer on the Internet is trusted to log in to your account without a password.
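The following is an added example, not part of the original page or any HSEAS tool, which checks a .rhosts file for the things this section warns against: the ``+'' wildcard in either the host or the user field, and a file that other people could edit (rlogind refuses to honour a .rhosts that is writable by group or others, so such a file silently stops working). It assumes the classic BSD format, one ``hostname [username]'' entry per line, with lines starting with ``#'' treated as comments; the hostnames in the sample are constructed.

```python
"""Audit a .rhosts file for wildcard entries and unsafe permissions.

Added example; assumes the BSD .rhosts format 'hostname [username]',
where '+' in either field is a wildcard and '#' starts a comment.
"""
import os
import stat

# Constructed sample .rhosts contents (not real hostnames).
SAMPLE_SAFE = """\
# trust only my workstation at the other school
ws.example-school.edu
"""

SAMPLE_DANGEROUS = """\
ws.example-school.edu
ws.example-school.edu +
+ alice
+ +
"""


def audit_rhosts_text(text):
    """Return a list of (line_number, line, reason) for dangerous entries."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        host = fields[0]
        user = fields[1] if len(fields) > 1 else None
        if host == "+":
            findings.append((lineno, raw, "any host on the Internet is trusted"))
        if user == "+":
            findings.append((lineno, raw, "any user on that host may log in as you"))
        if host.startswith("+@") or (user or "").startswith("+@"):
            findings.append((lineno, raw, "netgroup wildcard; check who is in the netgroup"))
    return findings


def mode_is_safe(st_mode):
    """rlogind ignores a .rhosts that group or others can write to."""
    return (st_mode & (stat.S_IWGRP | stat.S_IWOTH)) == 0


def audit_rhosts_file(path):
    """Audit a real file: contents plus ownership and permission checks."""
    st = os.stat(path)
    findings = []
    if not mode_is_safe(st.st_mode):
        findings.append((0, path, "file is writable by group or others"))
    if st.st_uid not in (os.getuid(), 0):
        findings.append((0, path, "file is not owned by you (or root)"))
    with open(path) as f:
        findings.extend(audit_rhosts_text(f.read()))
    return findings


if __name__ == "__main__":
    for name, text in (("safe", SAMPLE_SAFE), ("dangerous", SAMPLE_DANGEROUS)):
        print(name, audit_rhosts_text(text))
```

Run it against your own file with audit_rhosts_file(os.path.expanduser("~/.rhosts")); an empty list means nothing in the file matches the patterns above, not that trusting the listed host is a good idea.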

A better way to defend against password sniffing is to use one-time passwords. A one-time password is a password which is only good for one use. After you've used it once, it's no longer any good, and so sniffing it is useless to a hacker. Of course, somehow you must be able to log in more than once.

One way to accomplish this is to carry a list of passwords. Each time you log in, you use the next password on the list. Some systems even provide ``calculators'' so that you don't need to carry a list. The calculator, which may run on your Macintosh or PC, computes the next password on the list locally (so the secret it is derived from never crosses the network), and all you need to do is cut and paste the password from the calculator.
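The following is an added example of how such a list and calculator can work; it is not the page's or HSEAS's own system. It uses the hash-chain construction behind S/KEY-style calculators: the user picks a secret seed, the server is given only the seed hashed n times, and each login presents the next value back along the chain, which the server can check by hashing it once. SHA-256, the chain length and the seed are assumptions chosen for the example.

```python
"""One-time passwords from a hash chain (Lamport / S/KEY style).

Added example. SHA-256, the chain length n and the seed are assumptions.
"""
import hashlib


def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def hash_chain(seed: bytes, n: int) -> list:
    """chain[i] is h applied i times to seed, for i = 0..n."""
    chain = [seed]
    for _ in range(n):
        chain.append(h(chain[-1]))
    return chain


def enrol(seed: bytes, n: int) -> bytes:
    """Computed on the user's own machine; only this value is given to the server."""
    return hash_chain(seed, n)[n]


def password_list(seed: bytes, n: int) -> list:
    """The printed list a user could carry, in the order the passwords are used."""
    chain = hash_chain(seed, n)
    return [chain[i].hex() for i in range(n - 1, -1, -1)]


class Server:
    """Holds only the current anchor h^count(seed); it never learns the seed."""

    def __init__(self, anchor: bytes, n: int):
        self.anchor = anchor
        self.count = n

    def challenge(self) -> int:
        """Tell the user which password is expected next."""
        return self.count

    def verify(self, otp_hex: str) -> bool:
        if self.count == 0:
            return False  # list exhausted: the user must enrol a new chain
        try:
            otp = bytes.fromhex(otp_hex)
        except ValueError:
            return False
        if h(otp) != self.anchor:
            return False
        self.anchor = otp  # advance: the next password is one step back along the chain
        self.count -= 1
        return True


class Calculator:
    """Runs on the user's Macintosh or PC; needs the seed and the server's challenge."""

    def __init__(self, seed: bytes):
        self.seed = seed

    def respond(self, count: int) -> str:
        return hash_chain(self.seed, count - 1)[count - 1].hex()


def demo():
    seed = b"constructed example seed; in practice derived from a passphrase"
    n = 4
    calc = Calculator(seed)
    server = Server(enrol(seed, n), n)
    pw1 = calc.respond(server.challenge())
    ok1 = server.verify(pw1)      # accepted
    replay = server.verify(pw1)   # rejected: a sniffed password is useless
    pw2 = calc.respond(server.challenge())
    ok2 = server.verify(pw2)      # accepted
    return ok1, replay, ok2


if __name__ == "__main__":
    print(demo())
```

Because h cannot be run backwards, a hacker who sniffs one password cannot compute the next one, and because the server advances its anchor after every success, replaying the sniffed one fails.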

The HSEAS has suffered two serious break-ins in the last year as a result of passwords sniffed at remote sites. As a result, we are working on implementing procedures which will require remote users to use one-time passwords to log in to our computers. We hope to have this in place before Summer.


Del Armstrong
Fri Oct 25 16:31:41 EDT 1996