[Gllug] SFTP Server

Simon A. Boggis simon at dcs.qmul.ac.uk
Tue Apr 15 00:21:21 UTC 2003


On Mon, 2003-04-14 at 08:49, Doug Winter wrote:
> Yes, it's sort of possible.  AIUI arp spoofing, though, it's got a very

I'm afraid it is very possible - instructions and tools for automation
are readily available. See, for example: 

http://www.linuxsecurity.com/feature_stories/feature_story-89.html
or
http://www.althes.fr/ressources/avis/smartspoofing.htm

> good chance of showing up, because it would trash your network pretty
> badly.  You are unlikely to type in a password to a machine that you
> can't even log in to.

No, you can simply forward the eavesdropped traffic onto its intended
destination - the sniffed machine will continue to work just like normal
from a user's point of view.

> And although it's possible to set up a machine using arp spoofing to
> proxy traffic, so you can then make a man-in-the-middle attack, this
> isn't an automated attack.  This requires a real human being really
> trying to crack you.  Which just isn't the major risk for most of us -
> the real risk (to most of us) is crackers running huge automated attacks.

My point was only that having a switched network affords no real
protection against sniffing. I wouldn't want to suggest that it is more
important than other security issues, however it is my opinion that once
an attacker has found a chink in your armour it is a very likely way
to widen that breach.

Given that you need a compromised host on the local network to sniff
from, it isn't usually the initial vector for a remote attack. However,
if you include the ethernet frame padding vulnerability as "sniffing",
it is easy to see how this could easily be used as a remote, automatic
attack.

However, if an attacker has taken over a single local machine by some
other means and gained a toe-hold, I would contend that sniffing is an
extremely effective route to compromising further local accounts and
hosts. Compared to launching aggressive network attacks it is unlikely
to be detected and it doesn't consume much CPU time (unlike, for
example, password cracking).

I can't speak from personal experience, however colleagues who have such
experience suggest that collecting usernames and passwords from a large
network by sniffing is likely behaviour following an initial break in.
There are always many more local exploits than remote ones - for these
attacks any local account will do, and sniffing provides an easy route
to obtaining plenty of these with little effort. Local accounts also
allow an attacker to launch "anonymous" attacks from your network.

So I'd argue it is cheap, low risk and has a high rate of return whilst
plain authentication mechanisms remain in relatively widespread use.

> Personally I run arpwatch too anyway, since I want to know when someone
> plugs a machine into my network (mostly just so I can make sure DNS,
> DHCP, firewall and the computer they plug in are in sync).

Me too - arpwatch is a very useful program, and it should notice if
someone tries such ARP nastiness as is mentioned above.

I also filter based on IP and MAC address pairs. This helps a bit too,
although an alien machine can easily change MAC address to defeat this
(but in practice usually not before trying it out and triggering an alarm).

One could also lock down the association of IP-ARP address in the
switches (if supported) and on important machines such as routers and
servers - this is probably easier to implement on smaller networks.

> > Another reason not to assume that you are safe from sniffing is the
> > recent ethernet frame padding vulnerability which linux was vulnerable
[...]
> Good point.  This has been fixed now though :)

Indeed - although there will be plenty of vulnerable machines around for
a while yet, and some devices will be very hard to fix (for example
those with embedded OSes which exhibit the fault - it wasn't just linux
that had the problem).

> [and yes, I still think everyone should use SSL wherever feasible - it's
> just not the panacea it is sometimes touted as.]

I would absolutely agree. Too often I have to trot out the "fitting a 5
lever lock to a paper door" analogy <:

Regards,

Simon

-- 
----------------------------------------------------------------------
Dr Simon A. Boggis                                  Systems Programmer
Department of Computer Science,                     Tel. 020 7882 7522
Queen Mary, University of London, London E1 4NS UK. 
---- GPG public key <http://www.dcs.qmul.ac.uk/~simon/#publickey> ----
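As an added illustration of the detection the post relies on (this is example code, not from the post and not arpwatch's own source): a minimal monitor over a constructed stream of (IP, MAC) ARP observations that raises arpwatch-style events and also checks a table of pinned IP/MAC pairs of the kind the post suggests locking down on routers and servers. The IPs, MACs and the STATIC_PAIRS table are made-up assumptions; the event names are borrowed from arpwatch's report types.

```python
from collections import defaultdict

# Constructed "known good" IP -> MAC pairs (values are made up), standing in for
# the static IP/MAC associations pinned on important hosts such as the gateway.
STATIC_PAIRS = {"192.0.2.1": "00:11:22:33:44:01"}

# Constructed sequence of ARP replies as a monitor on the segment would see them.
SAMPLE = [
    ("192.0.2.1", "00:11:22:33:44:01"),   # gateway answers with its real MAC
    ("192.0.2.10", "00:11:22:33:44:0a"),  # an ordinary workstation
    ("192.0.2.1", "00:11:22:33:44:0a"),   # the workstation's MAC now claims the gateway IP
    ("192.0.2.1", "00:11:22:33:44:01"),   # the real gateway answers again
]


def monitor(observations, static_pairs=STATIC_PAIRS):
    """Return a list of (event, ip, old_mac, new_mac) alerts.

    Events: 'new station' (IP seen for the first time), 'changed ethernet
    address' (IP moved to a MAC never seen for it), 'flip flop' (IP moved back
    to a MAC seen for it earlier), 'static mismatch' (a pinned IP was answered
    from an unexpected MAC).
    """
    current = {}                 # ip -> MAC most recently seen for it
    history = defaultdict(set)   # ip -> every MAC ever seen for it
    alerts = []
    for ip, mac in observations:
        mac = mac.lower()
        if ip in static_pairs and mac != static_pairs[ip]:
            alerts.append(("static mismatch", ip, static_pairs[ip], mac))
        if ip not in current:
            alerts.append(("new station", ip, None, mac))
        elif current[ip] != mac:
            event = "flip flop" if mac in history[ip] else "changed ethernet address"
            alerts.append((event, ip, current[ip], mac))
        current[ip] = mac
        history[ip].add(mac)
    return alerts


if __name__ == "__main__":
    for event, ip, old, new in monitor(SAMPLE):
        print(f"{event:25s} {ip:12s} {old or '-':18s} -> {new}")
```

The "static mismatch" alert fires the first time the workstation's MAC answers for the gateway address, before the IP/MAC bookkeeping has to infer anything from history.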


-- 
Gllug mailing list  -  Gllug at linux.co.uk
http://list.ftech.net/mailman/listinfo/gllug