LINUX SECURITY --- December 26, 2000
Published by ITworld.com, the IT problem-solving network
http://www.itworld.com/newsletters
--------------------------------------------------------------------------------

HIGHLIGHTS

* Is dsniff really as nasty as it's being made out to be?

--------------------------------------------------------------------------------

The dsniff Controversy
By Rick Johnson

If you have been following the latest in Linux security news this past week, then I am sure dsniff has been on your mind. Is it really as bad as people say? Have we seen the end of SSL and SSH? Well, let's take a look at the whole issue.

First off, dsniff (http://www.monkey.org/~dugsong/dsniff/) is a collection of network auditing and penetration testing tools that can passively monitor a network for interesting data (passwords, e-mail, files, etc.) using filesnarf, mailsnarf, msgsnarf, urlsnarf, and webspy. dsniff then facilitates the interception of network traffic normally unavailable to an attacker (e.g., due to layer-2 switching) using arpspoof, dnsspoof, and macof. Active man-in-the-middle attacks against redirected SSH and HTTPS sessions are performed with sshmitm and webmitm by exploiting weak bindings in ad-hoc PKI.

The first in-depth review was published at Security Portal. Kurt Seifried's article "The End of SSL and SSH?" (http://securityportal.com/cover/coverstory20001218.html) raised quite a buzz among the mailing list circuit and in my office. The article accentuates the potential shortcomings within SSL and SSH. Richard Silverman, coauthor of "SSH, The Secure Shell: The Definitive Guide", wrote a rebuttal for O'Reilly (http://sysadmin.oreilly.com/news/silverman_1200.html). He feels that "Seifried's piece, however, contains several factual errors and misleading statements in discussing the details of SSH (secure shell), SSL (secure sockets layer), and MITM."

Which point of view should you follow? I cannot answer that.
All I can recommend is to carefully read both articles and remember they are only the opinions of two individuals. Granted, they are two highly skilled individuals, and both correct on multiple accounts, but still, if you have the time, examine the capabilities of dsniff yourself.

That is what I did. I have seen previous versions of dsniff in action and found it beyond impressive. Once released, I bore witness to this tool's power firsthand. While the snarf and spoof tools are exceptional, the MITM applications were downright scary. For example, the only evidence that my SSH version 1 connection wasn't kosher was the following message:

    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    @ WARNING: HOST IDENTIFICATION HAS CHANGED! @
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
    Someone could be eavesdropping on you right now (man-in-the-middle attack)!
    It is also possible that the host key has just been changed.
    Please contact your system administrator.
    Add correct host key in /home/user/.ssh/known_hosts to get rid of this message.
    Agent forwarding is disabled to avoid attacks by corrupted servers.
    X11 forwarding is disabled to avoid attacks by corrupted servers.
    Are you sure you want to continue connecting (yes/no)?

If this was a legitimate message, the Sysadmin should have warned all users ahead of time. If you were the Sysadmin, then obviously you would know the validity of this message. From this point, if a user blindly types "yes" and proceeds, then frankly they deserve what they get. While it is true that dsniff makes it downright simple to hijack connections, the user still bears some responsibility if it happens. This software doesn't point to the end of the world, although I am not sure if I will ever look at my network the same.

About the author(s)
-------------------
Rick Johnson is currently the Manager of Security Services for FusionStorm, a remote managed services company.
When not writing, he heads the development team for PMFirewall, an Ipchains Firewall and Masquerading Configuration Utility for Linux. Rick can be contacted via email at rick@pointman.org or on the web at http://www.pointman.org.

--------------------------------------------------------------------------------

ADDITIONAL RESOURCES

The security consultant's toolbox
Commercial products have their place, but nothing beats some of the better freeware tools
http://www.itworld.com/jitw/linsec_nl/cma/ett_article_frame/0,2848,1_1624,00.html

An arsenal of attack tools
http://www.itworld.com/jitw/linsec_nl/cma/ett_article_frame/0,2848,1_1642,00.html

OS identification
The more a hacker knows about your system, the easier it is for him to get in
http://www.itworld.com/jsw/linsec_nl/swol-12-2000/swol-1208-buildingblocks.html

--------------------------------------------------------------------------------
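The known_hosts check behind the HOST IDENTIFICATION HAS CHANGED warning quoted in the article above, as an added example written for this page (not code from the article, OpenSSH or dsniff): a simplified model of how a client decides between first contact, a matching key and a changed key, plus the SHA256 fingerprint an administrator can publish before a legitimate key change so users can tell the two cases apart. The known_hosts lines and key blobs are constructed, and the layout modeled is the modern unhashed OpenSSH format rather than the SSH1-era one.

```python
import base64
import hashlib

# Constructed sample key blobs (base64 of arbitrary bytes, not real SSH keys).
KEY1 = base64.b64encode(b"constructed-key-for-shell-host").decode()
KEY2 = base64.b64encode(b"constructed-key-for-git-host").decode()
KEY_MITM = base64.b64encode(b"constructed-key-presented-by-interloper").decode()

# Constructed known_hosts text in the unhashed OpenSSH form: one host listed
# under two names, one non-default port, one comment line.
SAMPLE_KNOWN_HOSTS = f"""\
# trusted servers, distributed by the admin ahead of time
shell.example.org,10.0.0.5 ssh-ed25519 {KEY1} shell
[git.example.org]:2222 ssh-rsa {KEY2}
"""

def fingerprint(blob_b64):
    """OpenSSH-style SHA256 fingerprint: base64 of sha256 over the raw key blob, '=' padding dropped."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def host_label(host, port=22):
    """known_hosts names a non-default port as [host]:port; port 22 is the bare host name."""
    return host if port == 22 else f"[{host}]:{port}"

def parse_known_hosts(text):
    """Map (host, keytype) -> key blob for every unhashed entry.
    Hashed (|1|...) lines and @cert-authority/@revoked markers are skipped in this simplified model."""
    entries = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0].startswith(("#", "@", "|1|")):
            continue
        hosts, keytype, blob = parts[0], parts[1], parts[2]
        for host in hosts.split(","):
            entries[(host, keytype)] = blob
    return entries

def check_host_key(known, host, keytype, presented_blob):
    """'unknown' = first contact (no entry), 'match' = stored key, 'CHANGED' = the
    condition behind the warning: an entry exists and the presented key differs."""
    stored = known.get((host, keytype))
    if stored is None:
        return "unknown"
    return "match" if stored == presented_blob else "CHANGED"

KNOWN = parse_known_hosts(SAMPLE_KNOWN_HOSTS)
```

Running `fingerprint` over every entry of `KNOWN` yields the list an administrator would hand out before rotating a key; a user who sees the warning can then compare the fingerprint the client shows against that list instead of typing "yes" blindly.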