Saturday, August 13, 2005

ARP cache poisoning / ARP spoofing

Many people think that once they use a switch to connect their local network they are safe from network sniffing. Basically this is right, because the traditional way of sniffing, where a host reads every packet on the wire simply by accepting it (the so-called "promiscuous mode"), is not possible on a switched network.

However, there are other ways to achieve the same result, and because some SysAdmins think they are safe from sniffing and therefore design their network a bit more openly, it is even more dangerous.

The tool used here is called arpspoof and is distributed in the dsniff package.

What we do is the following: We constantly send the victim computer ARP answers telling it that the MAC address belonging to the IP of the gateway machine (router) is our MAC address. After some time the victim computer believes us and puts a wrong entry in its ARP cache. The next time the victim wants to send an IP packet to the gateway it sends the ethernet frame to our MAC address, so we actually receive the IP packet. We do the same thing with the gateway machine, just the other way round.
RFC 1027 describes the ARP protocol.

To tell the victim host that our MAC address now belongs to the IP of the gateway, enter the following command:
# arpspoof -t victim gateway

In a separate shell we start the matching command to fool the gateway into believing we are the victim.
# arpspoof -t gateway victim

Don't forget to enable IP forwarding on your host so that the traffic passes through your host. Otherwise the victim will lose connectivity.
# echo 1 > /proc/sys/net/ipv4/ip_forward

Now watch all the traffic between the victim host and the outside network going through your machine:
# tcpdump host victim and not arp

Frighteningly easy...

SysAdmins, beware of that threat! If you have users on your network you can't trust (e.g. at universities), use tools like arpwatch to monitor changes in the MAC/IP address tables.
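What such monitoring looks like in practice, as an added example that is not part of the original post and not arpwatch's own code: a minimal arpwatch-style detector in Python. It replays constructed tcpdump-style ARP reply lines (the "-n -e arp" output format; the addresses and timestamps are made up) through an IP-to-MAC table seeded from a known-good baseline and flags the two symptoms the arpspoof pair above leaves behind: the MAC advertised for the gateway or the victim changes, and a single MAC ends up claiming both IPs.

```python
import re
from collections import defaultdict

# Matches the reply form of "tcpdump -n -e arp" output, for example:
# 12:00:01.000000 aa:aa:aa:aa:aa:01 > aa:aa:aa:aa:aa:10, ethertype ARP (0x0806),
#   length 42: Reply 192.168.1.1 is-at aa:aa:aa:aa:aa:01, length 28
ARP_REPLY = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[0-9a-f:]{17}) > \S+, ethertype ARP.*?"
    r"Reply (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) is-at (?P<mac>[0-9a-f:]{17})",
    re.IGNORECASE,
)

# Constructed sample capture (not real traffic): one legitimate reply from the
# gateway, the two forged replies an "arpspoof -t victim gateway" /
# "arpspoof -t gateway victim" pair produces, and an unrelated IP packet
# that the parser must ignore.
SAMPLE_LINES = [
    "12:00:01.000000 aa:aa:aa:aa:aa:01 > aa:aa:aa:aa:aa:10, ethertype ARP (0x0806), "
    "length 42: Reply 192.168.1.1 is-at aa:aa:aa:aa:aa:01, length 28",
    "12:00:02.000000 cc:cc:cc:cc:cc:cc > aa:aa:aa:aa:aa:10, ethertype ARP (0x0806), "
    "length 42: Reply 192.168.1.1 is-at cc:cc:cc:cc:cc:cc, length 28",
    "12:00:02.100000 cc:cc:cc:cc:cc:cc > aa:aa:aa:aa:aa:01, ethertype ARP (0x0806), "
    "length 42: Reply 192.168.1.10 is-at cc:cc:cc:cc:cc:cc, length 28",
    "12:00:03.000000 aa:aa:aa:aa:aa:10 > cc:cc:cc:cc:cc:cc, ethertype IPv4 (0x0800), "
    "length 74: 192.168.1.10.51000 > 10.0.0.5.80: Flags [S], seq 1, win 65535, length 0",
]

# Known-good mappings (constructed), e.g. recorded before untrusted users were
# on the segment. The gateway entry is the one that matters most.
BASELINE = {
    "192.168.1.1": "aa:aa:aa:aa:aa:01",   # gateway
    "192.168.1.10": "aa:aa:aa:aa:aa:10",  # workstation
}


def parse_reply(line):
    """Return (timestamp, ip, claimed_mac, frame_source_mac) for an ARP reply
    line, or None for any other line."""
    m = ARP_REPLY.search(line)
    if m is None:
        return None
    return m.group("ts"), m.group("ip"), m.group("mac").lower(), m.group("src").lower()


def detect_poisoning(lines, baseline=None):
    """Replay ARP replies through an IP->MAC table and return a list of alert dicts.

    changed-mac      the MAC advertised for an IP differs from the one on file
    duplicate-owner  one MAC now claims more than one IP (the spoofing host's
                     NIC answering for both the gateway and the victim)
    new-station      an IP never seen before, reported so an operator can vet it
    """
    table = {ip: mac.lower() for ip, mac in (baseline or {}).items()}
    owners = defaultdict(set)  # mac -> set of IPs it currently claims
    for ip, mac in table.items():
        owners[mac].add(ip)
    alerts = []
    for line in lines:
        parsed = parse_reply(line)
        if parsed is None:
            continue
        ts, ip, mac, _src = parsed
        old = table.get(ip)
        if old == mac:
            continue  # consistent with what is already on file
        if old is None:
            alerts.append({"ts": ts, "kind": "new-station", "ip": ip, "mac": mac})
        else:
            alerts.append({"ts": ts, "kind": "changed-mac", "ip": ip, "old": old, "new": mac})
            owners[old].discard(ip)
        table[ip] = mac
        owners[mac].add(ip)
        if len(owners[mac]) > 1:
            alerts.append({"ts": ts, "kind": "duplicate-owner", "mac": mac,
                           "ips": sorted(owners[mac])})
    return alerts


if __name__ == "__main__":
    for alert in detect_poisoning(SAMPLE_LINES, BASELINE):
        print(alert)
```

Feeding it a live "tcpdump -n -e -l arp" pipe instead of SAMPLE_LINES gives a continuous monitor. The baseline is what makes the gateway check reliable: without it, the first forged reply for a never-seen IP only shows up as new-station, and only the second forged reply reveals the duplicate owner.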

Saturday, August 06, 2005

Growing pains hurt Skype

Skype CEO Niklas Zennstrom vowed to shake up the phone industry 20 months ago with his creation, the first ever peer-to-peer Internet phone service.

More than 110 million downloads and 2 billion minutes of phone conversations later, Zennstrom has shown that he wasn't kidding. But Skype's success has led to perhaps the most difficult chapter yet for the Luxembourg-based company. It now faces mounting concerns over a lack of customer service and a growing backlash by utility regulators as it hunts for new revenue opportunities. Zennstrom spoke to CNET.News.com about these and other issues earlier this week.

Q: There are a lot of customer complaints about SkypeIn, where you get inbound calls from any phone, and SkypeOut, which is used to call any phone. Is there a problem with it?

Zennstrom: One thing you have to bear in mind is that the telephone system has been around for 135 years; Skype's been around for 20 months. We are going through all kinds of improvements.

But clearly something is wrong. Customers are fuming about dropped or badly distorted calls. Any changes in the offing?

Zennstrom: There actually are people using SkypeIn that say it's better than SkypeOut. We are using a new software version for SkypeIn, which we will be gradually introducing into SkypeOut. We are continuously working on it.

Is that going to solve the problem?

Zennstrom: We're also adding more carrier partners in order to terminate more calls to traditional phones. That will help. We are also developing lots of new ways to correct errors in the traffic. I think we will continue to see improvements in quality.

These are quality of service problems Skype can address. But Skype can't control the quality of someone's broadband connection, which has a direct impact on Skype calls.

Zennstrom: We've identified a list of things we can do. But in cases where people are on a badly congested Internet network, that will have an impact on quality. But you're starting to see multi-megabit-per-second connections. In many places, Sweden for example, you can buy a 24mbps line here, and you'll start seeing that in a lot more places.

Your proprietary software has come under fire from those Net phone interests advocating open-source Session Initiation Protocol. What's Skype's SIP stance now?

Zennstrom: We've been using SIP to interconnect SkypeIn and SkypeOut calls to the (traditional) public switched telephone network (PSTN) since July. Second to Yahoo Broadband in Japan, we're probably one of the largest SIP traffic generators. But doing anything beyond that? We think that SIP is not very good for end users.

But by using your own coding, don't you have trouble as a result interconnecting with the huge percentage of other Net phone operators that use SIP? Isn't Skype essentially walling in its users?

Zennstrom: Our position is that over time, we expect to interconnect to voice over Internet Protocol (VoIP) networks directly, rather than using SIP and the PSTN.

The Federal Communications Commission recently said that Net phone operators must add 911 accompanied by a caller's location and call-back number. Will Skype comply?

Zennstrom: We believe the FCC decision is not directly applicable to Skype. But we feel that enhanced 911 services are a serious matter, and we're working through various industry organizations to edge the industry into offering not just 911, but all kinds of IP-based emergency services.

So at some point in the future, you feel Skype needs to add 911?

Zennstrom: Yes, but to what degree we don't know yet.

What are these new IP-based emergency services you're talking about?

Zennstrom: If there's a burglar in my home, maybe I send an e-mail or a text message to the police instead of making a call.

But you're focusing on the future. What about now? Could Skype meet the FCC mandate?

Zennstrom: With regards to location information? It's impossible for anyone like ourselves to supply that information. It's not technically feasible.

What's the problem?

Zennstrom: We have no knowledge of the geographic location of anyone's IP address.

If asked to comply, how could Skype do it then?

Zennstrom: There needs to be a database which maps IP addresses to geographical locations. There are some out there now doing geo-mapping, but the databases are not exhaustive enough.

Skype has indicated its next hardware effort involves essentially making mobile Skype phones. How's that effort going?

Zennstrom: We're working with several manufacturers, like Motorola, on things like a Wi-Fi handset. You'll also see handsets that can get Skype calls over Wi-Fi or cellular networks.

What's the rationale for a wireless operator to sell such a handset? Doesn't it eat into their profits every time somebody uses Skype to make a call instead of their network?

Zennstrom: The operators make money off a Skype call because Skype calls will run over their networks. They get the traffic.

Wiretap VoIP

The Federal Communications Commission and the Justice Department are at loggerheads over a new problem in the war on terror: how to listen in on Internet phone calls. Thanks to the blistering growth of VoIP (Voice over Internet Protocol) services, which have been adopted by approximately 10 million people worldwide so far, law enforcement officials now worry that wiretapping may one day become technically obsolete. If traditional phone lines go the way of the horse and carriage, will the FBI still be able to listen in on Internet phone calls? How would it go about tapping one? Is it even possible?

I contacted three of the leading VoIP providers in the United States—Time Warner Cable, Vonage, and Skype—to ask them how they would comply with a court order to permit a wiretap. As it turns out, the Justice Department has good reason to worry. Depending on the provider, tapping a VoIP call can be either tricky or impossible.

For Jeffrey Citron, the CEO of Vonage, the critical problem is this: The 1994 law that dictates how telecoms must cooperate with the feds (it's known as CALEA) stipulates that government agents can listen in on phone calls only in real time. They are not permitted to record calls and play them back later to check for incriminating information. But as Citron explained it, on Vonage's system, it is technically impossible (for now) to listen in on a live phone call.

Here's why: A VoIP call transforms your voice into digital bits, then segments them into separate packets of data that are routed through the Internet and reassembled upon arrival at the other end. From an old-fashioned perspective, there is no actual "sound" passing through the Internet at any time—the PC or other device you use to place the VoIP call digitizes your voice in your home. Of course, a huge amount of regular phone traffic is also segmented into digital packets at some point, but such calls are digitized and then reconverted into sound waves far deeper into the telephone system, at points outside private homes. Law enforcement can therefore listen in on your line within the telephone system itself; the technology to do this is already embedded in the phone company's switches.

In theory, Vonage could comply with a tap request by making a copy of the call in real time and streaming that call to a law enforcement agent. But that tack would violate CALEA, since Vonage would still be making a copy of the original call. The alternative, Citron says, is for Vonage to modify its VoIP system so that its digital routers include analog-friendly wires capable of producing a real-time sound wave. These could then be linked to a law enforcement agency, permitting simultaneous listening-in. Citron says making the shift would cost Vonage a few million dollars—before taking any action, he's awaiting further regulatory instructions from the FCC. The company has already complied with between 10 and 100 requests from various government agencies for general information (including call records and billing history), but to date, he has yet to receive a single request for a live tap into a Vonage call.

Time Warner Cable, which has announced that it will make VoIP available to all its digital cable markets by the end of the year, would have a much easier time wiretapping live phone calls. That's because Time Warner owns the underlying infrastructure its VoIP service relies on. So while Vonage could offer government agents access only to the handful of routers it uses to direct its calls over the wider Internet, Time Warner can offer them direct access to the cables, routers, and switches over which its VoIP calls travel. It could, in theory, open a live channel for law enforcement at the place where Time Warner's cable modem signals are routed onto the wider, public Internet. This switch, known as the Cable Modem Termination System, is a natural junction where a company like Cisco, which already builds CMTS hardware, could easily and cheaply add in CALEA-compliant technology.

Why, then, couldn't the feds tap any VoIP call by listening in on the line at the CMTS? Because some VoIP calls are routed, digitized, or encrypted in ways that law enforcement can't decipher. Skype, which now boasts 7 million users, specializes in such encryption. The company's system is designed to thwart potential eavesdroppers, legal and otherwise. The difference begins with how the networks are designed: Both Time Warner and Vonage offer VoIP services that run through centralized networks. For instance, when I place a call through Vonage, it starts by going to a centralized Vonage computer, which in turn looks up the phone number I am dialing and routes the call over to the traditional phone system. This is a classic instance of a "hub and spoke" network. But Skype, built by the same people who brought us Kazaa, is a totally distributed peer-to-peer network, with no centralized routing computers. (That's possible in part because Skype calls can only be sent and received by computers—you can't call a friend with an analog phone.) As a result, the company's network looks more like a tangled spider web, and the packets that make up your voice in a Skype call are sent through myriad routes to their destination. Part of the brilliance of the Skype software is that it has learned to use desktop PCs as "supernodes," each sharing some of the load needed to route Skype calls quickly to their destination. From the caller's perspective, this is all invisible: The call just works.

Since it's exceedingly difficult to follow the path that a Skype call makes through the network, law enforcement agents would be hard-pressed to figure out where to place a tap. But even if they could, the company has built in such strong encryption that it's all but mathematically impossible with today's best computer technology to decode the scrambled bits into a conversation. Here's how Skype explained it: "Skype uses AES (Advanced Encryption Standard), also known as Rijndael, which is also used by U.S. government organizations to protect sensitive information. Skype uses 256-bit encryption, which has a total of 1.1 x 10^77 possible keys, in order to actively encrypt the data in each Skype call or instant message." The point of all this mumbo-jumbo is that Skype uses an encryption algorithm known as 256-bit AES. The National Institute of Science and Technology states that it would take a computer using present-day technology "approximately 149 thousand-billion (149 trillion) years to crack a 128-bit AES key." And that's for the 128-bit version; Skype uses the more "secure" 256-bit standard. Since computers have a way of quickly getting more powerful, the institute forecasts that "AES has the potential to remain secure well beyond twenty years."

Moreover, Skype says, the company does not keep the encryption "keys" that are used to encode each Skype transmission—each one is generated and then discarded by the computer that initiates the call. So government agents couldn't force Skype to turn over the keys needed to decrypt a call either.

Last Thursday the FCC held an open hearing on the future of VoIP telecommunications. In a 4-1 decision, FCC commissioners, supported by Chairman Michael Powell, voted that a VoIP provider called Free World Dialup should not be subject to the same regulations as traditional phone companies, including the particulars of CALEA compliance. Instead, the FCC decided to put off the issue, stating that it would initiate a proceeding "to address the technical issues associated with law-enforcement access to Internet-enabled service" and "identify the wiretapping capabilities required." One commissioner, Michael J. Copps, strongly dissented, calling the postponement "reckless."

But even if the FCC had ruled differently on Thursday, mandating specific rules for Internet phone calls and CALEA compliance, it couldn't have been the definitive word on the subject.

VoIP technology is gaining ground so fast that it may be impossible for any government agency to dictate what these networks should look like. Skype, for instance, isn't even an American company. It's legally based in Luxembourg. Increased regulation on American carriers, which could lead to higher costs for consumers, is likely to push people further toward carriers like Skype, rewarding companies that seek permissive legal jurisdictions and punishing those that try to comply with domestic regulations. It's this scenario that the Justice Department legitimately fears: Even though the Patriot Act has increased its ability to eavesdrop on Americans, companies like Skype are giving everyday people unprecedented freedom from government monitoring.