Educause Security Discussion mailing list archives

Re: consequences for student hacking


From: Valdis Kletnieks <Valdis.Kletnieks () VT EDU>
Date: Tue, 19 Feb 2008 18:01:50 -0500

On Tue, 19 Feb 2008 14:38:00 MST, Bob Henry said:

> That's the theory.  I'm looking for a reality check.  What do your
> institutions do when you catch a student sniffing the wired or wireless
> network for userID's and passwords?

More realistically, how *do* you determine that somebody is "sniffing"?
Let's face it, there's zillions of tools that will snarf packets literally
out of thin air, without transmitting any themselves.  Many more will snarf
stuff up, even while the machine in question is doing totally innocuous other
things.

At one SANS-EDU a number of years ago, I was able to set up a 'tcpdump' that
determined who was using plaintext protocols (in order to specifically avoid
catching user/password pairs, I narrowed the capture to only those SYN packets
to ports that would have a userid/password in the clear in the next few packets
(ports 21, 109, and so on)).  At the break, I announced "This is a class on
wireless security. We have about 300 people in this room, of which some 110
have logged into something using cleartext userid/password".  The room goes
nuts, as the guilty 110 realize what's happened. I then said "Don't worry, I
was specifically careful to only catch SYN packets".  The room quiets down. I
then add "But I have no idea what those 5 guys sitting out in the atrium are
doing..."  :)

The reality check:

You really don't know it happened until the perpetrator actually *uses*
one of the snarfed passwords - at which point you can string them up by
the whatziz for use of a stolen password.
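
The SYN-only capture described in the SANS-EDU anecdote, reconstructed as an added example (this is not Valdis's original tcpdump invocation, which the post does not reproduce). It mirrors the BPF logic in pure Python over constructed IPv4/TCP frames so it runs offline: a packet counts only if SYN is set, ACK is clear, and the destination port is one where the next few packets would carry a cleartext userid/password. Ports 21 and 109 come from the post; 23, 110 and 143 are assumed additions. Because only the handshake packet is matched, no credential ever enters the capture, which is the privacy point the post makes.

```python
"""Count clients that opened a cleartext-login session, matching SYN packets only.

Added example; the frames below are constructed test data, not a real capture.
"""
import struct
from collections import defaultdict

# Ports whose first data packets carry a userid/password in the clear.
# 21 (FTP) and 109 (POP2) are from the post; 23 (telnet), 110 (POP3)
# and 143 (IMAP) are assumed additions.
CLEARTEXT_AUTH_PORTS = {21, 23, 109, 110, 143}

TCP_SYN = 0x02
TCP_ACK = 0x10
TCP_PSH = 0x08


def build_ipv4_tcp(src, dst, sport, dport, flags):
    """Construct a minimal IPv4+TCP packet (no Ethernet header, no payload)."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                         bytes(int(o) for o in src.split(".")),
                         bytes(int(o) for o in dst.split(".")))
    # data offset 5 words, no options; checksum left zero (not verified here)
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    return ip_hdr + tcp_hdr


def parse_ipv4_tcp(pkt):
    """Return (src, dst, sport, dport, flags) or None if not IPv4/TCP."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 6 or len(pkt) < ihl + 20:
        return None
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    flags = pkt[ihl + 13]
    return src, dst, sport, dport, flags


def is_cleartext_login_syn(pkt):
    """Same test as the BPF filter: SYN set, ACK clear, dst port in the list."""
    parsed = parse_ipv4_tcp(pkt)
    if parsed is None:
        return False
    _, _, _, dport, flags = parsed
    return (flags & (TCP_SYN | TCP_ACK)) == TCP_SYN and dport in CLEARTEXT_AUTH_PORTS


def count_cleartext_clients(pkts):
    """Map each client IP to the cleartext-auth ports it connected to.

    Only handshake packets are examined, so no credential is ever read.
    """
    hits = defaultdict(set)
    for pkt in pkts:
        if is_cleartext_login_syn(pkt):
            src, _, _, dport, _ = parse_ipv4_tcp(pkt)
            hits[src].add(dport)
    return dict(hits)


# Constructed sample traffic (hypothetical addresses).
SAMPLE = [
    build_ipv4_tcp("10.0.0.5", "192.0.2.10", 40000, 21, TCP_SYN),              # FTP login: counts
    build_ipv4_tcp("192.0.2.10", "10.0.0.5", 21, 40000, TCP_SYN | TCP_ACK),    # server SYN/ACK: ignored
    build_ipv4_tcp("10.0.0.5", "192.0.2.10", 40001, 110, TCP_SYN),             # POP3: counts, same client
    build_ipv4_tcp("10.0.0.7", "192.0.2.11", 40002, 443, TCP_SYN),             # HTTPS: not cleartext
    build_ipv4_tcp("10.0.0.8", "192.0.2.12", 40003, 23, TCP_PSH | TCP_ACK),    # telnet data, not SYN: ignored
]

if __name__ == "__main__":
    for client, ports in count_cleartext_clients(SAMPLE).items():
        print(f"{client} logged in over cleartext to ports {sorted(ports)}")
```

The equivalent live filter, as an assumed reconstruction rather than the post's own command line, is `tcpdump -n -i <iface> 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn and (dst port 21 or dst port 23 or dst port 109 or dst port 110 or dst port 143)'`; as with the Python version, the filter keys on the handshake so the capture file can never contain a password.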
