Protecting Your Network Against Spoofed IP Packets

ITworld.com, WindowsNetworking.com

These days, the vast majority of administrators go to great lengths to protect the files on their network. Typically, elaborate firewalls are used to keep outsiders away from file servers. The files residing on those servers often lie behind an intricate permissions scheme and are often encrypted. Complex auditing mechanisms might even monitor access to files. The point is that in this day and age, most administrators take security very seriously. What you might not realize though is that all of this security can be easily undone through the simple action of a user accessing a file through legitimate means. In this article, we'll look at how this is possible and what you can do to fight back.

Encrypted Files on the Network

Let's pretend for a moment that you use the Encrypting File System (EFS) to encrypt all of the files residing on a particular server. Now let's pretend that a user with legitimate access needs to open one of those files from their workstation. When the user opens the file, security is briefly compromised. The reason for this is that the file must travel over the network. This is a problem because when a user accesses an encrypted file, the file is decrypted at the server, not at the workstation. This means that the file has already been decrypted before it ever arrives at the user's PC. Anyone on the network with a little bit of know-how can use a protocol analyzer to intercept the file in transit and read the information it contains.

The reason that this type of exploit works has to do with the way that networking works at the most basic level. On many types of networks, all of the computers on a network segment share a common connection medium. When a computer transmits a packet to another computer, all of the computers on the segment receive the packet. Each computer checks the packet's destination address to see if it is the intended recipient of the packet. If the destination address doesn't match the computer's address, then the computer assumes that the packet is intended for someone else and ignores the packet.

Protocol Analyzers

When a computer runs a protocol analyzer though, the protocol analyzer places the computer's network card into promiscuous mode. This means that the computer no longer ignores any packets, regardless of their intended destination. The protocol analyzer then displays the contents of each packet on the screen. Every protocol analyzer is different, but most of the time protocol analyzers will allow users to filter out unwanted packets and reconstruct packet streams. The result is that a user who is running a protocol analyzer can get their own copy of a file that is being transmitted, read E-mail messages, and do just about anything else that they want.

Obviously, the idea that a user on your network can use a protocol analyzer to snoop the contents of packets that are flowing across the network isn't exactly a comforting thought. In reality though, the damage that a user can do with a protocol analyzer is a whole lot worse than what I have already told you about. Yes, a user who's equipped with a protocol analyzer can steal files in transit, read E-mails, see the contents of the Web page that you are looking at and things like that, but they can also steal your online identity.

Identity Theft

Think about it for a moment. Files, E-mail messages, and Web pages aren't the only things that flow across the network. Authentication credentials are also transmitted across a network. Imagine for a moment that you are logging on to an FTP site. As you type your password, the password is not displayed on the screen. You see a dot or an asterisk in place of each character. As soon as you press Enter though, your password is transmitted to the FTP server. If someone is watching the login process with a protocol analyzer, they won't see your password represented as dots or as asterisks. They will see your password spelled out in plain text.

OK, in all fairness, it isn't always that easy to steal a password. A generic FTP session transmits the password in clear text, but most modern authentication mechanisms encrypt the password prior to transmission. When the server receives the password, it is decrypted and checked for accuracy. If you were to watch an encrypted password be transmitted, the protocol analyzer wouldn't show you anything but a long string of hieroglyphics.
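The FTP login just described is exactly what a network sensor can be taught to flag. The following is an added example (not code from the original article) that scans captured TCP payloads for USER/PASS commands sent in the clear, skips a flow once it has upgraded to TLS, and records only the password's length rather than the secret itself. The packet list is a constructed sample; a real deployment would feed it from a capture file or a SPAN port.

```python
"""Flag FTP logins that cross the wire in the clear, as an IDS or DLP sensor would.

Added example, not code from the original article. The packets below are a
constructed sample; in practice the payloads would come from a capture file or
a span port.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample traffic: (src_ip, dst_ip, tcp_payload) for two FTP
# control sessions. The first logs in in the clear; the second upgrades to TLS
# before sending credentials, so its later payloads are ciphertext.
SAMPLE_PACKETS: List[Tuple[str, str, bytes]] = [
    ("10.0.0.5", "10.0.0.20", b"USER alice\r\n"),
    ("10.0.0.20", "10.0.0.5", b"331 Password required for alice\r\n"),
    ("10.0.0.5", "10.0.0.20", b"PASS hunter2\r\n"),
    ("10.0.0.20", "10.0.0.5", b"230 User alice logged in\r\n"),
    ("10.0.0.7", "10.0.0.20", b"AUTH TLS\r\n"),
    ("10.0.0.20", "10.0.0.7", b"234 Proceed with negotiation\r\n"),
    ("10.0.0.7", "10.0.0.20", b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1"),  # start of a TLS ClientHello
]

@dataclass
class Finding:
    client: str
    server: str
    user: Optional[str]
    password_length: int  # record the length only; never write the secret itself to a log

def find_cleartext_logins(packets: List[Tuple[str, str, bytes]]) -> List[Finding]:
    """Return one Finding per PASS command observed on an unencrypted FTP flow."""
    pending_user: Dict[Tuple[str, str], str] = {}  # (client, server) -> last USER seen
    tls_flows: Set[Tuple[str, str]] = set()         # flows that issued AUTH TLS/SSL
    findings: List[Finding] = []
    for src, dst, payload in packets:
        key = (src, dst)
        if key in tls_flows:
            continue  # encrypted from here on; nothing readable to flag
        try:
            line = payload.split(b"\r\n", 1)[0].decode("ascii")
        except UnicodeDecodeError:
            continue  # binary payload, not an FTP command line
        cmd, _, arg = line.partition(" ")
        cmd = cmd.upper()
        if cmd == "AUTH" and arg.upper() in ("TLS", "SSL"):
            tls_flows.add(key)
        elif cmd == "USER":
            pending_user[key] = arg
        elif cmd == "PASS":
            findings.append(Finding(src, dst, pending_user.get(key), len(arg)))
    return findings

if __name__ == "__main__":
    for f in find_cleartext_logins(SAMPLE_PACKETS):
        print(f"cleartext FTP login from {f.client} to {f.server} as {f.user!r}")
```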

The good news is that having the password encrypted makes it difficult, if not impossible, for someone with a protocol analyzer to steal the password. The bad news is that the user doesn't have to steal the password. The user can steal your identity through the use of a replay attack.

Replay attack
