SNOOP, SNIFF, AND SNUFF TOOLS




There’s a fine line in the difference between “snoop” and “sniff” tools. The meaning of “snuff” tools is obvious. Let’s look at Sniffit first.

Snoop/Sniff Tools

Sniffit is a kind of a network packet sniffer/snooper. Packet sniffers are rather intriguingly named pieces of software that monitor network traffic.

Under many networking protocols, data that you transmit gets split into small segments, or packets, and the Internet Protocol address of the destination computer is written into the header of each packet. These packets then get passed around by routers and eventually make their way to the network segment that contains the destination computer.

As each packet travels around that destination segment, the network card on each computer on the segment examines the address in the header. If the destination address on the packet is the same as the IP address of the computer, the network card grabs the packet and passes it on to its host computer.

Promiscuous Network Cards

Packet sniffers work slightly differently. Instead of just picking up the packets that are addressed to them, they set their network cards to what’s known as “promiscuous mode” and grab a copy of every packet that goes past. This lets the packet sniffers see all data traffic on the network segment to which they’re attached—if they’re fast enough to be able to process all that mass of data, that is. This network traffic often contains very interesting information for an attacker, such as user identification numbers and passwords, confidential data—anything that isn’t encrypted in some way.
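The flip side of promiscuous mode is that a defender can check for it: on Linux, each interface exposes its flags as a hex string in /sys/class/net/<iface>/flags, and the IFF_PROMISC bit (0x100, from <linux/if.h>) is set while a sniffer has the card capturing every frame on the segment. The following is an added example, not code from the book; it reads those flags and, for offline use, can build a constructed sysfs-like tree (the interface names and flag values in demo_scan are constructed samples).

```python
"""Detect Linux network interfaces running in promiscuous mode (added example)."""
import os
import tempfile

IFF_PROMISC = 0x100  # bit defined in <linux/if.h>; set while the card captures all frames


def is_promiscuous(flags_text):
    """Return True if a sysfs 'flags' string (e.g. '0x1103') has IFF_PROMISC set."""
    flags = int(flags_text.strip(), 16)
    return bool(flags & IFF_PROMISC)


def scan_interfaces(sysfs_root="/sys/class/net"):
    """Return sorted (iface, promiscuous) pairs for every interface under sysfs_root.

    sysfs_root is a parameter so the same code can be run against a
    constructed directory tree when no live sysfs is available.
    """
    results = []
    for iface in sorted(os.listdir(sysfs_root)):
        path = os.path.join(sysfs_root, iface, "flags")
        try:
            with open(path) as fh:
                results.append((iface, is_promiscuous(fh.read())))
        except OSError:
            continue  # not an interface directory, or unreadable
    return results


def make_fake_sysfs(root, flags_by_iface):
    """Write a constructed sysfs-like tree: root/<iface>/flags for each entry."""
    for iface, flags in flags_by_iface.items():
        os.makedirs(os.path.join(root, iface), exist_ok=True)
        with open(os.path.join(root, iface, "flags"), "w") as fh:
            fh.write(flags + "\n")


def demo_scan():
    """Run the scan over constructed data: eth0 sniffing, eth1 and lo normal."""
    root = tempfile.mkdtemp()
    # Constructed sample values: 0x1003 = UP|BROADCAST|MULTICAST, 0x1103 adds PROMISC.
    make_fake_sysfs(root, {"eth0": "0x1103", "eth1": "0x1003", "lo": "0x9"})
    return scan_interfaces(root)


if __name__ == "__main__":
    for iface, promisc in scan_interfaces():
        print(f"{iface}: {'PROMISCUOUS' if promisc else 'normal'}")
```

On a live host the same state is visible in the output of `ip link show` as the PROMISC flag; a sniffer that loads a kernel module to hide the flag would defeat this local check, which is why L21’s network-based intrusion detection complements it.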

This data is also useful for other purposes—network engineers use packet sniffers to diagnose network faults, for example, and those in security use packet sniffers for their intrusion detection software. That last one is a real case of turning the tables on the attackers: Hackers use packet sniffers to check for confidential data; companies use packet sniffers to check for hacker activity. That has a certain elegant simplicity to it.

The thing that worries most people about Sniffit is how easy it is to install. It takes about three commands and three minutes to get this thing installed and running on a Linux machine. It even has a GUI (not exactly pretty, but it is free).

Like Nmap, Sniffit is easy to use and does exactly what it says it does: It sniffs your network and shows you what sort of data is getting passed around.

It is recommended that you install a packet sniffer and have a look at what sort of data you can see on your local network. Better still, get one of your network engineers to install it for you. They probably know of better, more professional sniffers and will be able to talk you through some of the data that you see going past. It’s an interesting look into exactly what’s going on within your network.

Sniff

A recent report submitted by the Illinois Institute of Technology’s Research Institute (IITRI) in Lanham, Maryland, has not convinced security experts that Carnivore (the software created by the U.S. Federal Bureau of Investigation [FBI] to tap into Internet communications) is either ready to be used safely (without abuse) or can gather information that would be legally admissible in court.

Although Carnivore is the best software available for the job today, it is perhaps not as good as it could be. Carnivore’s source code should be made available for open review.

Such a review would provide confidence in Carnivore’s ability to gather information accurately and fairly—confidence needed to make it a publicly accepted crime-fighting instrument. Unless it is demonstrated that Carnivore will enable surveillance personnel to obtain the information they are authorized to see, and not draw innocent bystanders into its net, it will remain an object of public suspicion (see sidebar, “Privacy Concerns Remain”).

start sidebar
Privacy Concerns Remain

Despite winning a favorable review by an outside group, the FBI’s Carnivore Internet wiretap system continues to raise strong concerns about privacy and the legal limits of government surveillance.[v] The new report could mean further trouble for a system that has drawn criticism since its existence was first revealed in July 2000.

The new report responds to a review of Carnivore by the Illinois Institute of Technology’s Research Institute, which released a draft report on November 17, 2000. While the new report lauds the Justice Department and the Illinois group for a good-faith effort to examine the Internet wiretap system, it finds that the study was designed too narrowly to answer the most pressing questions.

The limited nature of the analysis described in the draft report simply cannot support a conclusion that Carnivore is correct, safe, or always consistent with legal limitations. Serious technical questions still remain about the ability of Carnivore to satisfy its requirements for security, safety, and soundness.

The Illinois review should have included a thorough search for programming flaws, and should have more deeply explored whether the system provides the kind of precise records that wiretapping calls for—especially in systems that can be operated remotely, such as Carnivore.

Carnivore is a modified version of a common piece of software known as a packet sniffer that is used by Internet service providers to maintain their networks.

The Carnivore version is installed during criminal investigations at the office of the suspect’s Internet service provider.

The system has been used dozens of times in criminal and national security cases under federal wiretap authority. It is designed to be adjustable so that it can skim only some information from the flood of data that makes up on-line communication. Law enforcement officials assert that it provides a tool for the Internet similar to “pen register” and “trap and trace” devices, which capture the telephone numbers of criminal suspects and those who call them.

What worries privacy advocates and lawmakers critical of Carnivore is that the Justice Department wants to follow the rules for pen registers in using the device. Those rules are far less restrictive than the regulations governing wiretaps. Justice Department officials confirmed that the system has been used, in most cases, under the less-restrictive rules.

Because the system can be used to collect much more than Internet addresses, lawmakers and civil liberties advocates contend that the government should not be able to use the less-stringent standards of proof. Another review of the Illinois report from the Privacy Foundation, which is based in Denver, sounded similar notes of concern about auditing Carnivore’s use and its place in the legal system.

Carnivore is, potentially, an appropriate law enforcement tool. But there are technical deficiencies that have to be addressed, as well as legal questions.

The legal framework for wiretapping must be revised for the digital age, and the system must undergo continuing review. Software is a moving target, and a one-time review doesn’t tell you what you need to know about future versions.

end sidebar

The FBI publicly admitted the existence of Carnivore in July 2000, after it had been in use for over a year at numerous Internet service providers (ISPs) and rumors of its existence began to surface. Congress and privacy advocates then called for full disclosure of the software. Replying that such disclosure would only help criminals get around the system, the FBI offered to let it be reviewed by an outside technical group selected by the Bureau. Illinois Institute of Technology’s Research Institute (IITRI) was chosen after accepting the review limits proposed by the FBI, a stipulation other institutions such as the San Diego (California) Supercomputing Center (SDSC) would not accept.

The IITRI report does not address significant technical issues. Although it looks at how Carnivore worked when it was used as intended, the report failed to look at “the larger issue”: its system requirements. The reviewers did not look at the interaction between Carnivore and its host operating system or the interaction between Carnivore and the ISP’s setup. Thus, the vulnerability of the system to hackers is still not clearly established.

Carnivore runs on Windows and, to control it, the person who is using it must be logged on at the highest level: administrator. At that level, the operator (meant to be an FBI agent) has a great deal of freedom. For instance, he or she can access the content of all communications, and change and edit files at will. What is more, anyone logged in as administrator can hide any evidence of the activity. Thus, it would be possible for an agent or someone who hacked into the system to tamper with evidence, plant false leads, or extract confidential information for bribery, extortion, fraud, and so on.

Failure to examine the interaction between Carnivore and an ISP’s systems may be a gap in the report. The limited nature of IITRI’s review cannot support a conclusion that Carnivore is accurate, safe, or always consistent with legal requirements. The scope of IITRI’s review was dictated by the FBI, and any additional effort would have invalidated the contract under which the work was performed.

[v] John R. Vacca, Net Privacy: A Guide to Developing & Implementing an Ironclad ebusiness Privacy Plan, McGraw-Hill, 2001.






Computer Forensics: Computer Crime Scene Investigation (With CD-ROM) (Networking Series)
ISBN: 1584500182
Year: 2002
Pages: 263
Authors: John R. Vacca