It's like shredding bills and trying to piece them back together.. really!



  • A very good friend attends the local post-secondary institution, very plainly and unthoughtfully named after its resident city. This institution not only has no idea of the implications of having a general campus-wide access ID/username on top of having different logins for each faculty (ie. every computer science student has a CS account, as well as a campus-wide account), they also don't quite understand packet traffic security.

    Let me explain.

    In the last year, the institution has attempted to bring student apathy down by enforcing participation in classes. So now, rather than being able to listen to your professor harp about their chosen course, you must also "participate". Certain professors will choose to grade your "participation" on meaningless pop quizzes, whilst the smarter ones will hand out the grades like candy if you simply post on the institution's newly-implemented online academic suite's class forums.  Simple enough right?

    Upon initial login, the first thing to notice is that, yes, the creators of this website did use HTTPS for the login, rejoice! Yet, the rest of the site is not. The moment you are authenticated, you are kicked back to regular old HTTP. Hmm.. Considering this academic suite allows students and instructors to see course announcements, assignments, take quizzes, and [b]view/edit grades[/b]... perhaps this should be rectified.

    When a computer science professor brought up the security issues with the IT department, she was met with this reply:

    "Unencrypted packets are not an issue for this website, as traffic is so high, it would be like shredding up a thousand dollar-bills, and then attempting to put them back together again. It's simply impossible to make sense of all the packets being transferred to and from the system."

    Suffice it to say that shivers crawled up my spine when I realized that every student's IT needs are being overseen by people who think this. I hear they are duking it out as I type this.



  • Anyone with a copy of ethereal can tell you just how easy it is to filter a packet dump so you only packets from a single source IP.

    However, while the "like shredding bills" argument is crap, sniffing is non-trivial on a fully switched network.  Back in the days of expensive switches and cheap hubs, there was a pretty good chance that you and 40 other people were effectively on the same network segment, and you could just slurp up all their packets by putting your NIC in promiscuous mode.

    Not so anymore.  These days, hubs are a thing of the past, and sniffing the packets from the dorm room down the hall requires actually compromising a router somewhere along the way.

     

    The biggest threat these days is keyloggers, not traffic sniffing. 



  • [quote user="merreborn"]

    Not so anymore.  These days, hubs are a thing of the past, and sniffing the packets from the dorm room down the hall requires actually compromising a router somewhere along the way.

    [/quote]

    It is possible to sniff a packet from a router using arp spoofing and arp flooding. There is no need to compromise the router internals: it is simply using (misusing?) the standard ARP system. Any connection to the switch allows this technique to be used.

     

    Although I must agree that I would be much more concerned about keyloggers.

     

    -Andrew 



  • [quote user="teambob"]It is possible to sniff a packet from a router
    using arp spoofing and arp flooding. There is no need to compromise the
    router internals: it is simply using (misusing?) the standard ARP
    system. Any connection to the switch allows this technique to be
    used.[/quote]

    Hmm, I'm not quite sure exactly how this works, but
    it sounds somewhat... disruptive to network traffic. Although you did
    write "packet" as the singular, perhaps you meant to emphasis how you
    can capture a single packet before taking down the connection? :P

    Actually,
    in that sense, trying to capture packets is a bit like the
    thousand-dollar-bills thing, and the keyloggers threat also sides with
    the http thing. Then again, if they went to all the effort to setup the
    login with https, they could have just gone ahead and done the rest of
    the site in https as well, no?



  • [quote user="SpComb"]Then again, if they went to all the effort to setup the
    login with https, they could have just gone ahead and done the rest of
    the site in https as well, no?[/quote]

    That is was the first thought I had, actually. This system has enough problems as it is, though.. such as browser compliance. Even the professors have had issues posting announcements and forum topics and having them come up completely blank. Some people have also had their posts show up as anonymous (which really shouldn't be possible in a system like that).

     
    Incidentally, if anyone has ever bothered to notice, the same thing happens with GMail, unless you specifically point your browser to https://gmail.google.com when you sign in. Otherwise, you go back to regular HTTP for the rest of your email session.
     



  • [quote user="SpComb"]

    Hmm, I'm not quite sure exactly how this works, but
    it sounds somewhat... disruptive to network traffic. Although you did
    write "packet" as the singular, perhaps you meant to emphasis how you
    can capture a single packet before taking down the connection? :P

    [/quote]

    If done properly, ARP spoofing will not kill the network and will most probably not be noticed unless someone or some system is looking for it. But I'd fear that with admins like this, there is no such system.



  • HTTPS is very very expensive on server resources. You will find very few sites which do all ssl and usually those will be money related. In fact most encryption routines are computationally intensive. If your site is used heavily, based on the sensitivity of the information involved, you can decide on whether to opt for ssl. Session cookies and other tricks are quite adequate usually.

    As for student grades are they really that sensitive? I wouldn't know - mine were never very good and I think I am doing pretty well.



  • [quote user="markcairns"]

    As for student grades are they really that sensitive? I wouldn't know - mine were never very good and I think I am doing pretty well.

    [/quote]

    Given many instructors still post an entire class' grades on the wall for all to see, I'm going to guess 'no'. 



  • [quote user="markcairns"]

    As for student grades are they really that sensitive? I wouldn't know - mine were never very good and I think I am doing pretty well.

    [/quote]

    Read access to grades isn't very sensitive.  Write access, which seems to be the concern here, is.


Log in to reply
 

Looks like your connection to What the Daily WTF? was lost, please wait while we try to reconnect.