
A Short and Shortsighted History of Hacks: Part 2 – The Internet Sniffing Attacks

May 15th, 2009

My last blog entry was an attempt to fill in critical missing pieces from Computerworld’s “A short history of hacks.” Unbelievably, this otherwise well-written piece missed two of the major series of cybersecurity attacks that have ever occurred. The first was the Operation Desert Storm/Desert Shield attacks that occurred in the early 1990’s. I’d like to now focus on the plethora of Internet sniffer attacks that occurred between 1994 and 1996.

Some attacks are dramatic. Attackers may write brilliant scripts to exploit a not very well-known vulnerability, or may play “cat and mouse” with a technical staff trying to defend a network. The sniffer attacks that were so widespread between 1994 and 1996 were not dramatic, and the effort required on the part of the attackers was far less than any time before. But during this period more hosts were compromised than at any previous time in Internet history.

By the mid-1990’s Ethernet was a household word; token ring networks and other alternatives were becoming far less prevalent. Ethernet technology has many practical advantages, but it has a property that was largely overlooked until the widespread sniffer attacks were discovered. It is a “shared media” technology, meaning that any host or device connected to a local Ethernet segment can capture any data that traverse that segment. Attackers exploited this property by breaking into one host or device on an Ethernet and then switching its network interface into promiscuous mode. The “bad guys” then harvested the mostly cleartext content of the traffic traversing Ethernets to obtain an untold number of passwords. The attackers focused on network segments owned by Internet Service Providers (ISPs) on which external routers were placed. Consequently, all network traffic coming in and out of an ISP’s networks was frequently gleaned, a mind-boggling nightmare for the “white hat” community. Dr. Matt Bishop of the University of California at Davis, who had been closely following these attacks, surmised that attackers had obtained so many passwords that they were unable to use them within a reasonable period of having obtained them and thus had to stockpile them.
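A defender-side check for the condition the paragraph above describes, added here as an example (it is not code from the original post): it reports interfaces that have been placed in promiscuous mode, first from a constructed `ip link show` sample and then, on a live Linux host, from the IFF_PROMISC bit in `/sys/class/net/<iface>/flags`.

```python
"""Report network interfaces that are in promiscuous mode."""
import re
from pathlib import Path

IFF_PROMISC = 0x100  # Linux IFF_PROMISC bit as exposed in /sys/class/net/<iface>/flags

# Constructed sample of `ip link show` output (not a real capture); eth0 is promiscuous.
SAMPLE_IP_LINK = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether 02:00:00:00:00:01 brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether 02:00:00:00:00:02 brd ff:ff:ff:ff:ff:ff
"""

# Matches the header line of each interface: "<index>: <name>[@peer]: <FLAG,FLAG,...>"
_IFACE_LINE = re.compile(r"^\d+:\s+([^:@\s]+)[^<]*<([^>]*)>", re.MULTILINE)


def promisc_from_ip_link(text):
    """Return names of interfaces whose flag list in `ip link` output contains PROMISC."""
    found = []
    for name, flags in _IFACE_LINE.findall(text):
        if "PROMISC" in flags.split(","):
            found.append(name)
    return found


def flags_are_promisc(flags_hex):
    """True if a sysfs flags value such as '0x1103' has the IFF_PROMISC bit set."""
    return bool(int(flags_hex.strip(), 16) & IFF_PROMISC)


def promisc_from_sysfs(root="/sys/class/net"):
    """Scan a live Linux host via sysfs; returns [] where sysfs is not available."""
    found = []
    base = Path(root)
    if not base.is_dir():
        return found
    for iface in sorted(base.iterdir()):
        try:
            if flags_are_promisc((iface / "flags").read_text()):
                found.append(iface.name)
        except OSError:  # virtual entries without a readable flags file
            continue
    return found


if __name__ == "__main__":
    print("promiscuous (sample):", promisc_from_ip_link(SAMPLE_IP_LINK))
    print("promiscuous (this host):", promisc_from_sysfs())
```

A single promiscuous interface on a host that runs no capture tooling is a strong sign the host itself has been compromised in the way the post describes; run the check from a trusted image, since an attacker with root can alter what `ip` reports.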

I left CIAC in 1992, so I learned of most of the sniffer attacks with which I became acquainted through word of mouth. However, in the mid-1990’s I still had an account on one of CIAC’s machines. One day I discovered that my password for this account did not work, so I called the system administrator, who quickly reset the password. I was confident, however, that I knew the password and that somehow it had been changed. What I did not realize at that time was that just a few weeks earlier one of the members of the then-current CIAC team had gone to Brookhaven National Laboratory to respond to the pandemic sniffing attacks there. After collecting log data and other information, this person did a cleartext login back to the same CIAC server to which I had access. Worse yet, this person also entered the password required for root access. After gaining unauthorized superuser access, the perpetrator almost certainly put the network interface into promiscuous mode and then used captured passwords to gain unauthorized access to many other Lawrence Livermore Lab hosts. The number of compromised systems must have been embarrassing both for CIAC and Livermore Lab. I am also quite sure that this person for some reason also changed the password to my account. About the only good thing to come out of this ugly episode was the realization of the need to avoid terrible mistakes of this nature when handling incidents!

Today, secure shell (ssh) is widely used, which precludes the kind of sniffing attacks that occurred in the mid-1990’s. Terminal (tty) sniffing is now far more common. But the sheer number of systems that were compromised by sniffing attacks in the mid-1990’s deserved mention in “A short history of hacks,” which should thus be renamed “A short and shortsighted history of hacks.”
