
Snooping: It's Not Just For Geeks Anymore
By Brien M. Posey
March 20, 2004

It might just be my imagination, but lately it seems like just about every person in my entire family has been pressuring me to trade in my DSL connection for a cable modem. Whenever this happens, I try to explain to whoever I happen to be talking to at the moment that cable modems carry certain inherent security risks.

In case you aren't familiar with cable modems, the basic premise is that one cable segment serves an entire neighborhood. This simple fact has a couple of implications. First, in many areas cable modems have a higher potential throughput than DSL lines, but the available bandwidth is shared by everyone on the segment. If your next-door neighbor is downloading a bunch of big files, it will affect the performance of your connection.

A more serious issue with sharing a common cable segment is that anyone on the segment may be able to snoop on everyone else's Internet usage. Most of the time when I try to explain this to my family, the argument is dismissed with a statement such as "The cable company wouldn't offer the service if it wasn't safe," or "Only you would know how to do that; normal people wouldn't begin to know how to snoop on someone else's connection," or my personal favorite, "Sure they can see what Web sites you are visiting, but that's all they can do."
As you have probably already guessed, every one of these statements is false. In fact, although there is a much greater emphasis on security these days, it is easier than ever to break into someone else's computer or to spy on someone over a cable modem connection.

Part of the reason is that home users often don't know enough to take the appropriate precautions. For example, you probably know that Windows XP has a built-in Administrator account with unlimited access to the computer. You probably also know that the vast majority of computers sold to consumers come preloaded with Windows XP Home Edition.

The problem is that because the machines are pre-configured, most home users don't even know that the Administrator account exists. Worse yet, many computer manufacturers ship Windows XP with a blank Administrator password. It gets better, though. Windows XP also creates hidden, built-in administrative shares: C$ (the root of each drive), ADMIN$ (the Windows directory), and IPC$ (used for named pipes). They never show up in a share listing. The drive shares and ADMIN$ can be suppressed by setting the AutoShareWks registry value to 0, but the operating system recreates them at every boot unless you do, and IPC$ cannot be removed at all because Windows depends on it for remote administration. On a stock machine, all three are always there.

With this in mind, let's pretend that you wanted to break into someone's system. Any protocol analyzer, and some intrusion detection tools, will show you the IP addresses in use on your cable segment. Many will also identify operating systems and even NetBIOS names, so it is easy to pick out the machines on the segment that are running Windows. You can then connect to one of them with its local Administrator account (map a drive to \\machine name or IP address\C$ and log on as Administrator with no password). Once connected, you are free to browse the remote machine's hard drive. If the machine's owner isn't technically sophisticated enough to lock down the Administrator account, they probably aren't sophisticated enough to detect this kind of intrusion either. You can see an example in Figure A. In the figure I was not prompted for a password because I had connected to the share before taking the screen shot; in the real world the only difference is that you would be prompted for a user name and password. Two Windows XP defaults do blunt this particular trick, and they are worth knowing: XP Home Edition uses Simple File Sharing, which maps every network logon to the Guest account no matter which user name you supply, and both editions ship with the "Limit local account use of blank passwords to console logon only" policy enabled, so a blank-password Administrator cannot be used over the network. The blank-password walk-in works exactly as described against Windows NT 4.0 and Windows 2000 machines, and against XP systems where someone has turned those defaults off; a weak or well-known Administrator password gets past the policy on any version.

Figure A: It's easy to map a drive letter to a hidden share on someone else's machine.

This type of attack relies on being able to reach the machine's file-sharing ports: TCP 139 (NetBIOS over TCP/IP) and, on Windows 2000 and XP, TCP 445 (SMB directly over TCP). A personal firewall that blocks inbound connections to those ports stops it cold. The problem is that not everyone has a firewall. Recently one of my neighbors was contemplating getting a cable modem. I tried to talk him out of it, but he was determined that a cable modem was what he wanted. Since I still wanted to help him however I could, I told him to ask the cable company whether they provide a firewall or whether he needed to get one on his own. When the technician from the cable company came out to install the cable modem, he actually told my neighbor that a firewall is only used in large companies and is totally unnecessary for home use.

My point is that there are a lot of people out there with default Windows installations and no firewall. It is extremely easy for even a novice attacker to gain full read and write access to the hard drives of these machines. After doing so they can steal data, plant viruses, or do anything else they can dream up.

OK, in all fairness, the type of attack I just described only works if the target system is completely unsecured. The attacker also has to know a little: that the hidden shares exist, and how to connect to them (which isn't difficult).
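A practical check for the attack described above, added here as an example and not taken from the article: the firewall the article recommends will log every attempt by another client on the segment to reach the ports the hidden shares live behind (135, 137, 138, 139 and 445). The script below reads a Windows firewall log in the W3C-style pfirewall.log layout, taking the column names from the log's own #Fields header rather than hard-coding them, and summarises per remote host which ports were tried, whether each attempt was dropped or allowed in, when it started and stopped, and whether the host sits on your own segment. The log lines, the addresses (RFC 5737 documentation ranges) and the segment prefix are all constructed for the example.

```python
"""Who on my cable segment is knocking on my file-sharing ports?

Added example, not code from the article.  Parses a Windows firewall log
(pfirewall.log, W3C style: '#Fields:' header names the columns) and reports,
per remote host, every attempt to reach the NetBIOS/SMB ports that the
C$, ADMIN$ and IPC$ shares are served through.  Sample log is constructed.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

SHARE_PORTS = {135: "RPC", 137: "NetBIOS-NS", 138: "NetBIOS-DGM",
               139: "NetBIOS-SSN", 445: "SMB"}


def parse_firewall_log(text):
    """Yield one dict per log line, keyed by the column names in '#Fields:'."""
    fields = None
    for raw in text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
            continue
        if not raw or raw.startswith("#") or fields is None:
            continue
        values = raw.split()
        if len(values) < len(fields):
            continue                    # truncated line: skip rather than guess
        yield dict(zip(fields, values))


def share_probes(text, my_ip, segment):
    """Summarise inbound traffic to file-sharing ports, per remote host."""
    me, segment = ip_address(my_ip), ip_network(segment)
    report = defaultdict(lambda: {"ports": set(), "dropped": 0, "accepted": 0,
                                  "first": None, "last": None,
                                  "on_segment": False})
    for e in parse_firewall_log(text):
        try:                            # ICMP lines carry '-' for the ports
            src, dst = ip_address(e["src-ip"]), ip_address(e["dst-ip"])
            dport = int(e["dst-port"])
        except ValueError:
            continue
        if dst != me or dport not in SHARE_PORTS:
            continue
        r = report[str(src)]
        r["ports"].add(dport)
        # DROP = firewall blocked it; OPEN-INBOUND = a connection was let in
        if e["action"] == "DROP":
            r["dropped"] += 1
        elif e["action"] == "OPEN-INBOUND":
            r["accepted"] += 1
        stamp = f"{e['date']} {e['time']}"
        r["first"] = r["first"] or stamp
        r["last"] = stamp
        r["on_segment"] = src in segment
    return dict(report)


# --- constructed log; 198.51.100.0/24 plays the cable segment ---------------
MY_IP, SEGMENT = "198.51.100.50", "198.51.100.0/24"
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2004-03-20 22:14:03 DROP TCP 198.51.100.77 198.51.100.50 1078 445 48 S 3311234 0 65535 - - - RECEIVE
2004-03-20 22:14:03 DROP TCP 198.51.100.77 198.51.100.50 1079 139 48 S 3311235 0 65535 - - - RECEIVE
2004-03-20 22:14:09 OPEN-INBOUND TCP 198.51.100.77 198.51.100.50 1080 445 - - - - - - - - -
2004-03-20 22:15:10 OPEN TCP 198.51.100.50 203.0.113.9 1081 80 - - - - - - - - -
2004-03-20 22:16:00 DROP UDP 198.51.100.90 198.51.100.50 137 137 78 - - - - - - - RECEIVE
2004-03-20 22:20:41 DROP ICMP 203.0.113.200 198.51.100.50 - - 60 - - - - 8 0 - RECEIVE
2004-03-20 22:31:17 DROP TCP 203.0.113.200 198.51.100.50 2931 445 48 S 991122 0 16384 - - - RECEIVE
"""

if __name__ == "__main__":
    probes = share_probes(SAMPLE_LOG, MY_IP, SEGMENT)
    # Hosts that got a connection through come first, then the busiest probers.
    for host, r in sorted(probes.items(),
                          key=lambda kv: (-kv[1]["accepted"], -kv[1]["dropped"])):
        where = "same segment" if r["on_segment"] else "outside"
        print(f"{host:15} {where:13} ports={sorted(r['ports'])} "
              f"dropped={r['dropped']} accepted={r['accepted']} "
              f"{r['first']} .. {r['last']}")
```

An "accepted" count above zero on port 139 or 445 is the line to act on: it means the firewall let a neighbor reach the share service, and the Administrator password is all that stood between them and the C$ share.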

For the sake of argument, though, let's say that you have a neighbor who is a real computer geek: they have renamed the Administrator account, set a strong administrative password, and put in a state-of-the-art firewall complete with an intrusion detection system. It is still possible for even a novice to spy on every move that your neighbor makes from his supposedly secure system.

A company named eEye makes a protocol analyzer called Iris that is very user-friendly and can completely reconstruct Web pages from intercepted packets. The product costs just under a thousand dollars, but there is a free trial version on the company's Web site at

So how easy does this program make snooping? Check out the screen shot in Figure B. For this figure I did a standard packet capture in promiscuous mode, just as could be done with any other protocol analyzer. I then clicked the Decode button and Iris sorted the packets by machine and by traffic type. Now let's say I wanted to snoop on a neighbor's Web activity. All I would have to do is look at the HTTP traffic coming from TCP port 80 for that machine. In the figure, the column on the left shows where I have selected HTTP traffic for a machine at

Figure B: Iris can reassemble a Web page that someone else was looking at.

As soon as I select this, the captured blocks of packets are displayed in the top right pane. You will notice in the figure that some of the captured blocks have Web page icons next to them. If you want to see exactly what your neighbor was looking at, just select one of these and click the Go button. The page is displayed in the lower right portion of the user interface. In Figure B, the captured Web page is just the Relevant Technologies Web site. Imagine, though, what one of your neighbors might intercept if they were monitoring your Internet usage with a tool like this one.

My point is that tools like this are easy to acquire and even easier to use. The problem is that a firewall offers absolutely no protection against this type of monitoring: the packets are copied off the shared wire, and nothing ever has to touch your machine. Whether the cable company has turned on DOCSIS Baseline Privacy, which encrypts each modem's traffic between the modem and the head end, is up to the provider, not you. The only defense in your own hands is end-to-end encryption, and the vast majority of Web traffic is unencrypted. Sure, any legitimate Web site will switch to SSL when you are entering your credit card number or other sensitive information, but that minimal encryption doesn't protect your privacy. After all, do you really want your neighbors to know how many hours a day you spend surfing porn, or what type of kinky stuff you might be into? Even if your online experience is purely G rated, do you really want your neighbors to know which bank you use, what stocks you follow, or which TV show fan sites you visit?

My point is that if you use a cable modem, you are asking for an invasion of privacy. It's just a matter of time. If you still aren't convinced, there is one more trick I want to show you. Take a look at Figure C. In this figure, I have intercepted an SMTP E-mail message that was sent across TCP port 25. If you look at the lower right portion of the user interface you can see the message's contents. You might have noticed that I had to scroll past a lot of header information to get to the message body. If I were too lazy to scroll through the headers, I could just click the envelope icon and Iris would open the message in Outlook Express, as shown in Figure D. I know what you are thinking, and yes, this trick works with message attachments too. The same goes for the mail you download over POP3 on TCP port 110, which also sends your mailbox password in the clear unless your provider offers SSL.
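What a protocol analyzer's Decode step does with a capture of this kind, shown as an added example (my code, not anything from Iris or eEye): the script takes captured TCP segments, reassembles each one-way flow by sequence number (putting out-of-order segments back in place and discarding a retransmission), and then decodes the two protocols from Figures B and C. It pulls the page out of an HTTP response on port 80 using its Content-Length, and pulls the envelope and message out of an SMTP submission on port 25, undoing SMTP dot-stuffing and handing the message to Python's email parser much as Iris hands it to Outlook Express. The segments, addresses (RFC 5737 documentation ranges), page and message are all constructed for the example.

```python
"""Reassemble cleartext HTTP and SMTP from captured TCP segments.

Added example for this article, not code from Iris or eEye: it shows what a
protocol analyzer's "Decode" step does with a promiscuous-mode capture.
All addresses and packets below are constructed for the demonstration.
"""
from collections import defaultdict
from dataclasses import dataclass
from email import message_from_bytes


@dataclass(frozen=True)
class Segment:
    """One captured TCP segment, reduced to the fields reassembly needs."""
    src: str
    sport: int
    dst: str
    dport: int
    seq: int
    payload: bytes


def reassemble(segments):
    """Group segments into one-way flows and order each by sequence number.

    Out-of-order arrival is fixed by sorting; a retransmission (same seq)
    is dropped.  Returns {(src, sport, dst, dport): stream_bytes}.
    """
    flows = defaultdict(dict)
    for s in segments:
        flows[(s.src, s.sport, s.dst, s.dport)].setdefault(s.seq, s.payload)
    return {k: b"".join(v[seq] for seq in sorted(v)) for k, v in flows.items()}


def decode_http_response(stream):
    """Split a server->client HTTP/1.x stream into status line, headers, body."""
    head, _, rest = stream.partition(b"\r\n\r\n")
    status, *header_lines = head.split(b"\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    length = int(headers.get(b"content-length", len(rest)))
    return status, headers, rest[:length]


def decode_smtp_submission(stream):
    """Pull the envelope and the message out of a client->server SMTP stream.

    The message is everything between DATA and the lone '.' terminator, with
    SMTP dot-stuffing (a leading '..' meaning '.') undone.
    """
    envelope = {"from": None, "to": []}
    msg_lines, in_data = [], False
    for line in stream.split(b"\r\n"):
        upper = line.upper()
        if in_data:
            if line == b".":
                in_data = False
            else:
                msg_lines.append(line[1:] if line.startswith(b"..") else line)
        elif upper.startswith(b"MAIL FROM:"):
            envelope["from"] = line[10:].strip().strip(b"<>").decode()
        elif upper.startswith(b"RCPT TO:"):
            envelope["to"].append(line[8:].strip().strip(b"<>").decode())
        elif upper == b"DATA":
            in_data = True
    # Parse it the way a mail client would; '\n' endings keep get_payload() plain.
    return envelope, message_from_bytes(b"\n".join(msg_lines))


def snoop(segments, victim_ip):
    """Everything a neighbor on the segment learns about one host's traffic."""
    findings = {"web": [], "mail": []}
    for (src, sport, dst, dport), stream in reassemble(segments).items():
        if sport == 80 and dst == victim_ip:      # pages the victim received
            status, _headers, body = decode_http_response(stream)
            findings["web"].append((src, status, body))
        elif dport == 25 and src == victim_ip:    # mail the victim sent
            envelope, message = decode_smtp_submission(stream)
            findings["mail"].append((envelope, message["Subject"],
                                     message.get_payload()))
    return findings


def split_stream(src, sport, dst, dport, data, chunk, seq0=1):
    """Simulate a capture: chop one direction of a connection into segments."""
    return [Segment(src, sport, dst, dport, seq0 + i, data[i:i + chunk])
            for i in range(0, len(data), chunk)]


# --- constructed capture (RFC 5737 documentation addresses, not real hosts) ---
VICTIM, WEB_SERVER, MAIL_SERVER = "192.0.2.10", "192.0.2.80", "192.0.2.25"
PAGE = b"<html><body>Account balance: $1,234.56</body></html>"
HTTP_RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
                 b"Content-Length: %d\r\n\r\n" % len(PAGE) + PAGE)
SMTP_CLIENT = (b"EHLO home-pc\r\nMAIL FROM:<alice@example.com>\r\n"
               b"RCPT TO:<bob@example.net>\r\nDATA\r\n"
               b"From: alice@example.com\r\nTo: bob@example.net\r\n"
               b"Subject: Our bank login\r\n\r\n"
               b"The password is still hunter2.\r\n..done\r\n.\r\nQUIT\r\n")
web_segments = split_stream(WEB_SERVER, 80, VICTIM, 1040, HTTP_RESPONSE, 40)
CAPTURE = (web_segments[::-1]                  # arrived out of order
           + web_segments[:1]                  # plus one retransmission
           + split_stream(VICTIM, 1041, MAIL_SERVER, 25, SMTP_CLIENT, 64))

if __name__ == "__main__":
    result = snoop(CAPTURE, VICTIM)
    for src, status, body in result["web"]:
        print(f"page from {src}: {status.decode()} -> {body.decode()}")
    for envelope, subject, body in result["mail"]:
        print(f"mail {envelope['from']} -> {envelope['to']}: {subject!r}\n{body}")
```

Nothing here touches the victim's machine: the whole reconstruction works from copies of segments seen on the shared medium, which is why a firewall on the victim's side never sees it happen. Wrapping the same exchanges in SSL would leave the reassembly step intact but turn both decode steps into opaque ciphertext.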

Figure C: Iris can display the contents of an E-mail message.

Figure D: Iris can even open someone else's E-mail in Outlook Express for you.

As you can see, a cable segment is a shared medium, and it's easier than ever to break into your neighbors' computers or to monitor their every move. For this reason, I strongly recommend not using a cable modem for anything beyond the most innocent casual Web surfing. If you do use one, at the very least run a personal firewall and an intrusion detection system, and keep their logs. They cannot tell you who has been sniffing your traffic, because sniffing is passive and leaves no trace on your machine, but they will record which other clients on your segment tried to connect to your machine, on which ports, and when. That way, if you notice signs of surreptitious activity, at least you will have an idea of who to investigate.
