Geeks With Blogs
Jim Becher blog

I typically stop at a local coffee shop to get some caffeine and use their wi-fi network to check email and surf the web. I am gathering this is not unlike most people out there in the business world. I tend to visit places that offer wi-fi because of their ease of use. But the other day I saw something that upset me. The story I am about to tell is not anything new, but rather just an eye opener for me.

As I was standing in line for coffee I noticed a fellow wi-fi user in the corner and happened to glance at his laptop. Being a tech geek I noticed he was running Linux (you may ask how?); well, I noticed etherape running and ethereal. These are both tools I use often, especially when troubleshooting applications or networks.

At first I did not think anything about it. Then as I was firing up my laptop, I started to think: why would someone be using ethereal and etherape here? Then it hit me. This guy was grabbing network traffic on the wireless network and sniffing, probably for passwords and usernames. At this point I came up with a plan. I looked around at the other 10 or so people on their computers and realized that they were unknowingly giving their information away. Usernames and passwords were floating in plain text all over that coffee shop. The girl next to me was on Yahoo Mail, the guy on my right had Outlook Express open. I figured that the kid had at least 10 or so usernames and passwords by now, and I was angry.

To see if my mind was just crazy or corrupt I decided to test my theory that he was sniffing usernames and passwords. I first ssh'ed into my box and created a new email account. I created a username called jvandenbon. I figured since I am in a Dutch area that a Dutch username made sense. I created a password of Alice6232001, hopefully a real enough password. Then I hopped into my inbox using Mutt, and forwarded some of my spam emails into the jvandenbon user account. So now I had a real account that had some mail in it.

I then fired up ethereal and then Thunderbird. First I took a quick capture of what was on the network, and as I suspected there were lots of POP accounts being used which show USER and PASS in clear text. I opened Thunderbird and checked my mail. I use SSL / TLS when I connect to my mail server so I was not worried about this kid grabbing my info. But I had to make sure that I was safe so I watched my traffic and sure enough it was encrypted with TLS. I closed ethereal, and created a new account in Thunderbird using the above jvandenbon account name and told it to use POP as the means of communication. Again, I opened ethereal and then did a send/receive to watch my fake username and password be sent across the wire. I then wrote an email and deleted some others to create traffic. I closed Thunderbird and waited. I set a string filter for Alice623001 in ethereal and watched. Sure enough, a few minutes later (about 10) I saw my fake username and password being sent over the wireless LAN. I captured the kid's source address.

This kid was trying to access my fake account. By this point I was angry. I got to thinking about what kind of stuff I could do to him. I easily could have kicked his ass; however I am not sure that it would have helped. All these people had been cheated of their info and privacy. That is when I started to think about legal options. I don't even know if it is illegal to sniff a public network. I have never even thought about it. I did a quick Google search and did not find much. I guess you can kind of relate this to yelling across the room to a friend with your username and password. Whoever happens to be in the room has access to that information. The analogy does not sit well with me. I would like to think that people can be safe or feel safe even when their trusted programs (Outlook, Outlook Express, Thunderbird, and Hotmail) send their information in plain text over the network.

Right now I am just angry. If I do see this kid again, I plan on approaching him and asking what he plans on doing with all the usernames and passwords he stole. I can only guess he is going to just mess around. But what happens when he comes across a guy who happens to have admin rights on a system and sends his username and password over the line? I realize this is a gray area of the law, but what about people's privacy? I am not a malicious person by any means. I have sniffed networks in the past to gather information to help me learn how to protect them. But when I watched this kid and the speed with which he attempted to open my POP account, I am a bit worried. He must have had a program that would just take a username, password, and mail server and check validation.

I guess I am now asking the community what they think of this event. Do you know if you are secure? Do you go to a coffee shop and check mail via POP and send your info? Do you use FTP at the coffee shop to update your web site or worse, your corporate web site? I would love some feedback on what people think. Just think, what if someone got your email password? Does it match your bank account password or your PayPal password? These are the questions on my mind. And how can I do something against this punk kid? Should I just walk over and kick his ass or should I call the police? And if I call the police, what do I say?

Posted on Friday, November 18, 2005 8:31 PM
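The canary test the post describes (plant a throwaway POP account, then watch for its credentials arriving from someone else's address) can be automated. The sketch below is an added example, not code from the original post: every IP address and sample segment is constructed, it assumes client-to-server segments arrive in order, and it assumes the mail server treats mailbox names case-insensitively.

```python
"""Canary-credential watcher for cleartext POP3 (added example, constructed data)."""
from collections import defaultdict

# Canary account from the post; every address below is a constructed
# documentation address (RFC 5737), not data from the original capture.
CANARY_USER = "jvandenbon"
CANARY_PASS = "Alice6232001"
MY_ADDR = "192.0.2.10"          # assumed address of the laptop that planted the canary
POP3_PORT = 110                 # cleartext POP3; POP3 over TLS normally uses 995

# (src_ip, src_port, dst_ip, dst_port, payload) for client-to-server segments.
SAMPLE_SEGMENTS = [
    ("192.0.2.10", 50112, "198.51.100.5", 110, b"USER jvandenbon\r\n"),
    ("192.0.2.10", 50112, "198.51.100.5", 110, b"PASS Alice6232001\r\n"),
    ("192.0.2.23", 41877, "198.51.100.5", 110, b"user JVandenbon\r\nPA"),
    ("192.0.2.23", 41877, "198.51.100.5", 110, b"SS Alice6232001\r\nSTAT\r\n"),
    ("192.0.2.31", 40220, "198.51.100.5", 110, b"USER alice\r\nPASS other\r\n"),
    ("192.0.2.10", 50200, "198.51.100.5", 995, b"\x16\x03\x01\x00\x2f"),
]

def canary_reuse(segments, my_addr=MY_ADDR):
    """Return sorted source addresses, other than my_addr, that logged in with the canary."""
    buffers = defaultdict(bytes)   # per-flow reassembly buffer
    user_seen = {}                 # flow -> last USER argument
    hits = set()
    for src, sport, dst, dport, payload in segments:
        if dport != POP3_PORT:
            continue               # TLS-wrapped sessions carry nothing readable
        flow = (src, sport, dst, dport)
        buffers[flow] += payload
        # Consume only complete CRLF-terminated command lines.
        while b"\r\n" in buffers[flow]:
            line, buffers[flow] = buffers[flow].split(b"\r\n", 1)
            verb, _, arg = line.decode("latin-1").partition(" ")
            verb = verb.upper()    # POP3 keywords are case-insensitive (RFC 1939)
            if verb == "USER":
                user_seen[flow] = arg.strip()
            elif verb == "PASS":
                # Password keeps its exact bytes; mailbox name compared case-insensitively.
                if (user_seen.get(flow, "").lower() == CANARY_USER
                        and arg == CANARY_PASS and src != my_addr):
                    hits.add(src)
    return sorted(hits)

if __name__ == "__main__":
    for addr in canary_reuse(SAMPLE_SEGMENTS):
        print("canary credentials replayed from", addr)
```

Because the watcher only matches the planted account, it reports who replayed the canary without recording anyone else's login.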

Comments on this post: Network Intrusion / Invasion

# re: Network Intrusion / Invasion
It's too bad you didn't post your article from the coffee shop. Let this kid see that...

Left by Kyle on Nov 19, 2005 11:45 AM

# re: Network Intrusion / Invasion
DUDE! You should've exposed him immediately.

What he's done is tantamount to a pickpocket, stealing money from people's pockets without them knowing. It's illegal. Especially when masquerading as you to log in to your personal accounts, whether or not it's a bank account.

At the VERY least, you should've stood up and called attention to him, showing everybody else your evidence.

Inaction is what progresses this to stealing bank account logins.
Left by Eric Newton on Nov 20, 2005 9:49 AM

# re: Network Intrusion / Invasion
And personally, I never use a "public" wi-fi hotspot for my normal activities.

I'll check my bank account (via SSL) but never (intentionally) check webmail with anything other than https. Unfortunately a lot of people really don't "know" and just leave all their stuff wide open.
Left by Eric Newton on Nov 20, 2005 9:51 AM

# re: Network Intrusion / Invasion
I think I would have first taken the kid's picture for later posting on your Web site, then told the manager to call the cops and told him you had proof of the guy's thieving ways. Perhaps he could have been charged with identity theft.

What an eye opener it would have been for all the other people in the coffee shop (and for the kid) when the cops showed up and questioned him!
Left by Mark W. on Dec 12, 2005 2:31 PM

# re: Network Intrusion / Invasion
Hi. I'm one of the etherape developers. I hack on it because *I* find it useful, but it is nice to know others do. Thanks.
Returning to the matter, if the "sniffer" was a kid I think calling the police could be too much, but you should definitely stop him.
If you know the coffee manager, a good way could be to let him call the kid's parents. A little scare could do wonders to improve social behaviour ...
Left by bchiara on Dec 30, 2005 1:56 AM

# re: Network Intrusion / Invasion
Well, is it illegal to use someone's password to log into and read their email or not? I for one guessed my ex-girlfriend's password, no kidding, and was able to prevent her every effort to adopt my son by the knowledge gained there. Really, and now - I know my son - he is a blessing to me. Is it illegal to use someone's password to get into their "yahoo" account or whatever? Please answer back soon. The dude..
Left by Dude on Jan 24, 2006 8:31 PM

# re: Network Intrusion / Invasion
Sniffing may not be illegal... it is a passive activity... people are doing the active work of sending their passwords in the open, equivalent to yelling your password verbally... the problem lies in the fact that ISPs allow their users to access mail in an insecure fashion.
Left by someone on Jan 26, 2006 7:05 PM

# re: Network Intrusion / Invasion
I think you could create a mail account with the coffee shop name and with a password that tells the kid something like "hey stop sniffing people info" or "hi kid how is your sniffing" :)
Left by my name on Jun 25, 2009 9:58 AM
