Chapter 4: Network Basics – Cyber Spying Tracking Your Family's (Sometimes) Secret Online Lives

Chapter 4

Network Basics

“There are some mysteries where you don’t know the answers, there are others where you don’t even know the questions.” — Anonymous

Topics in This Chapter:

Introduction

The miniaturization and versatility of computers have allowed them to pervade everyday life. While amazing on their own, one of the most powerful things about computers is their ability to link together to make a more capable entity. One positive effect of the Internet revolution is the continuing expansion of the Internet to home users. A few years ago, very few people were connected to the Internet. Now, most people wouldn’t dream of not being connected to it. The quality of Internet connections has also increased. According to www.nwfusion.com, in July 2004, there were 63 million broadband users and 61.3 million dial-up users.

This dependence on the Internet will play very strongly into how you plan to spy on someone. Once the decision has been made to spy on a loved one, a certain amount of prerequisite knowledge is required to proceed in an intelligent manner. This chapter presents information that will enable you to understand how your computer connects and communicates with other computers via the Internet. Typical setups for home networks and their components are also discussed. This chapter also explains the different types of traffic that computers use to communicate. Finally, it discusses some of the popular Internet-enabled applications that are used. This chapter completes the basic knowledge that you will need throughout the rest of the book.

Network Basics

A computer network is a collection of computers set up in a manner that allows them to communicate with each other. Imagine that each computer is a house and a neighborhood is like a local area network (LAN). Next, bring in a powerful and universal communication system such as mail. With mail, any house in the world can communicate with any other house regardless of distance. Communication is also the basis of a network; if computers can’t pass information between each other, there is no network. The following sections explain several fundamental concepts that enable networks to be formed.

IP Address

Every house has an address; when sending a letter between houses, the envelope is marked with the destination and sending address. Likewise, when two computers communicate, they are identified by their Internet Protocol (IP) address. Every computer connected to the Internet via dial-up or broadband is assigned an IP address in the format x.x.x.x, where “x” is any number between 0 and 255 (e.g., 10.1.1.33). Computers in a specific network usually have the same first set of numbers, which is analogous to every house in a neighborhood having the same zip code.

Most IP addresses are public and Internet routable, meaning that if you know the IP address of a machine, you can send data directly to it. There is also a special class of IP addresses called private or non-routable, which you will usually see in the form 10.x.x.x and 192.168.x.x. Routers on the public Internet will not forward packets addressed to them, which is why the same private address can be reused in millions of homes without conflict. The actual ranges are:

 10.0.0.0 to 10.255.255.255

 172.16.0.0 to 172.31.255.255

 192.168.0.0 to 192.168.255.255

 169.254.0.0 to 169.254.255.255 (the "link-local" range, which a computer assigns itself when no DHCP server answers; seeing one of these on a home machine usually means its connection is broken)

These private IP addresses are usually used for small networks and LANs that are either not connected or have only one or two points of connection to the Internet. Machines that have private IP addresses cannot have packets sent directly to them from other computers on the Internet. This is an important distinction to understand, as the type of address your target machine has may affect how you spy on it. Most computers connected directly to a cable or Digital Subscriber Line (DSL) modem or that use dial-up accounts, have a public IP address. In contrast, most computers connected to a broadband router have private IP addresses.

Explore More …

Network Address Translation

When a machine has a non-routable internal IP address, it must go through another device in order to reach the Internet. That device performs Network Address Translation (NAT) so that the internal computer can communicate with the outside world. In many home networks, the router that is connected to the cable modem or DSL performs this task. A router used for NAT has two IP addresses: a public, routable address for communicating with other machines on the Internet and a private, non-routable address for communicating with machines on its local network. The router takes every packet destined for the outside network and replaces the sender's private IP address with its own public address (and, because several internal machines may happen to use the same source port, usually the source port as well). If the router did not do this, the packet would either be discarded by the ISP's routers, which filter private source addresses, or arrive with a return address that nobody on the Internet can route back to. The router keeps a table of the connections it has rewritten, and when packets come back from the outside network it uses that table to rewrite the destination address (and port) to those of the internal computer that started the conversation. A packet arriving from the Internet that matches nothing in the table is dropped, which is why an outside machine cannot simply open a connection to a computer sitting behind NAT. Thus, NAT allows many computers on an internal network to share a single routable IP address. This is how an entire family can share cable modem connectivity simultaneously, and how businesses can share a small range of IP addresses for their entire network.
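The rewriting just described, as an added example that is not from the book: a toy NAT table in Python. The addresses are made up for the example (192.168.1.10 and 192.168.1.11 are two home computers, 203.0.113.5 is the router's public address and 198.51.100.20 is a Web server; the last two come from ranges reserved for documentation, so they are "public" here only by assumption). It also checks addresses against the private ranges listed above, and shows the detail the text glosses over: two inside machines using the same source port, which is why a home router rewrites the port as well as the address.

```python
"""Added example (not from the book): a toy NAT table showing what the router does to
each packet. All addresses are made up: 192.168.1.10 and .11 are two home computers,
203.0.113.5 is the router's public address and 198.51.100.20 is a Web server (both
from ranges reserved for documentation, so they are "public" here only by assumption)."""
import ipaddress
from dataclasses import dataclass

# The non-routable ranges listed in the text.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]


def is_private(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: str = ""


class NatRouter:
    """Rewrites the outbound source address *and* port, remembers the mapping, and
    reverses it for replies. Anything from outside that matches no mapping is dropped."""

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.outbound = {}   # (inside ip, inside port, dst ip, dst port) -> public port
        self.inbound = {}    # (public port, remote ip, remote port) -> (inside ip, inside port)

    def translate_out(self, pkt: Packet) -> Packet:
        if not is_private(pkt.src_ip):
            raise ValueError("outbound packets must come from the private side")
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        public_port = self.outbound.get(key)
        if public_port is None:              # new connection: allocate a public port
            public_port, self.next_port = self.next_port, self.next_port + 1
            self.outbound[key] = public_port
            self.inbound[(public_port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(self.public_ip, public_port, pkt.dst_ip, pkt.dst_port, pkt.payload)

    def translate_in(self, pkt: Packet):
        """Returns the packet rewritten for the inside host, or None if it is dropped."""
        inside = self.inbound.get((pkt.dst_port, pkt.src_ip, pkt.src_port))
        if inside is None:
            return None
        inside_ip, inside_port = inside
        return Packet(pkt.src_ip, pkt.src_port, inside_ip, inside_port, pkt.payload)


def demo():
    """Two inside hosts use the same source port; the reply to A still finds A,
    and a connection attempt from outside with no matching entry is dropped."""
    nat = NatRouter("203.0.113.5")
    a = Packet("192.168.1.10", 51000, "198.51.100.20", 80, "GET / from A")
    b = Packet("192.168.1.11", 51000, "198.51.100.20", 80, "GET / from B")
    out_a, out_b = nat.translate_out(a), nat.translate_out(b)
    reply_to_a = Packet("198.51.100.20", 80, nat.public_ip, out_a.src_port, "200 OK for A")
    unsolicited = Packet("198.51.100.20", 80, nat.public_ip, 22, "ssh probe")
    return out_a, out_b, nat.translate_in(reply_to_a), nat.translate_in(unsolicited)
```

The practical consequence for the spy is the last line of demo(): a machine behind NAT cannot be reached from outside unless the router has been told to forward a port to it, so anything you install on a target machine behind a home router has to initiate its own connections outward.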

Ports

Computers can run many different applications at the same time. People can sit at home and simultaneously check their e-mail, browse the Web, and instant message. Computers use ports to determine which application a piece of traffic belongs to. There is a reserved port for most of the common Internet applications. For example, the Web uses port 80, and sending e-mail traditionally uses port 25. A port is a number that a computer connects to when it accesses a specific application or service. A port ranges in value from 0 through 65,535. A port and an IP address together are the fully qualified information that a computer needs to connect to another computer. Therefore, a port can be thought of as an extension of the IP address. For example, in 192.168.100.1:2323, ":2323" refers to the port. Once data has reached an IP address, the port gets it to the appropriate program. A simple analogy is a large apartment building. Each apartment shares the same street address, but is differentiated by the apartment number. Ports are like the apartment numbers: all of the communication is sent to the computer, which sorts the traffic by port, much like the mailman who puts all of the mail into separate mailboxes.

It would be difficult to determine what traffic goes with what program if every application ran on the same port. Likewise, if standards were not set to distinguish which traffic should use which port, it would be difficult for two computers to communicate. To make this easier, ports 0 through 1,023 are the "well-known" ports, reserved and standardized for different classes of applications. For example, most Web servers run on port 80, America Online (AOL) Instant Messaging uses port 5190, and e-mail is sent using port 25. Using the apartment analogy: if every apartment building's superintendent resides in Unit 1, mail for the superintendent would always be addressed to Unit 1, allowing you to send mail without having to ask for the address. Keep in mind that the well-known number is only a convention: nothing stops someone from running a Web server on port 8080 or something else entirely on port 80, so the port is a strong hint about what the traffic is, not proof. Ports are an important concept to understand, because they help differentiate between the types of traffic passing through a machine.

Notes from the Underground …

Ports of Interest

We previously mentioned that standard applications run on standard ports and listed a few of the most popular and interesting ones. Why is this important? In later chapters when we begin examining network traffic for interesting data, we can use our knowledge of common ports to help zero in on traffic of interest. Because many modern high-speed networks produce an enormous amount of traffic, not knowing these popular ports would make looking at network traffic overwhelming.

 File Transfer Protocol (FTP): 21

 Simple Mail Transfer Protocol (SMTP) (Mail): 25

 Domain Name System (DNS): 53

 Web (HTTP): 80

 Post Office Protocol (POP): 110

 Secure Web (HTTP over Secure Sockets Layer, HTTPS): 443

 Secure SMTP: 465

 Secure POP: 995

 AOL Instant Messaging: 5190

 Internet Relay Chat: 6667

Domain Name System

Although IP addresses are technically very useful, they still have some problems. Nobody wants to remember to type 64.236.16.116 when they want to read www.cnn.com. The solution to this complex numbering system is the Domain Name System (DNS). DNS maps domain names to IP addresses. A domain name is the name by which most people know Internet services. For example, www.hotmail.com, www.cnn.com, and www.whitehouse.gov are all domain names that are much easier to remember than their respective IP addresses. When a user types a domain name into a computer, the computer asks its DNS server (normally one supplied by the ISP or the home router) for an IP address matching that domain name, and the server responds with the registered IP address. This allows people to remember names instead of IP addresses when using the Internet. Note that the lookup itself travels across the network, usually on UDP port 53 and unencrypted, so the list of names a computer has looked up is one of the easiest things to recover from its traffic.

DNS consists of dedicated servers that hold domain names and their corresponding IP addresses. Because there are so many domain names, it is impossible for one machine to hold all of them. To handle this, DNS servers are arranged in a hierarchy: the root servers know which servers handle each top-level domain (.com, .gov, and so on), those servers know which servers are authoritative for each domain beneath them, and the authoritative servers hold the actual records. When a server cannot answer a request itself, it asks the servers above it in the hierarchy and works its way down until it reaches the one that has the record (see Figure 4.1). Servers cache the answers to recent requests, which is similar to directory assistance for the public telephone system. If a person wants to dial the local power company but does not know the number, they can call Directory Assistance, who will respond with the correct telephone number. If the person requests an out-of-area number, Directory Assistance transfers the call to the proper directory assistance location.

Figure 4.1 DNS Request
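The lookup described above at the wire level, as an added example that is not the book's code and goes a step beyond the text: build_query() produces the exact bytes a computer sends to its DNS server on UDP port 53 for the name used in the text, and parse_response() reads an answer, including the "compression pointer" trick that lets a reply refer back to the name in the question instead of repeating it. The response here is constructed, not captured; the transaction ID 0x1234 and the 300-second TTL are arbitrary, and the address is the one the text quotes for www.cnn.com.

```python
"""Added example (not from the book): the DNS lookup described above, at the wire level.
build_query() produces the packet a computer sends to its DNS server (UDP port 53) and
parse_response() reads the answer. The response below is constructed, not captured; the
transaction id 0x1234 and TTL of 300 seconds are arbitrary choices."""
import struct


def encode_name(name: str) -> bytes:
    r"""'www.cnn.com' -> b'\x03www\x03cnn\x03com\x00' (length-prefixed labels, zero-terminated)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name: str, txid: int = 0x1234) -> bytes:
    # header: id, flags (0x0100 = recursion desired), 1 question, 0 answers, 0 authority, 0 extra
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)   # QTYPE A, QCLASS IN


def decode_name(msg: bytes, offset: int):
    """Read a name at offset, following compression pointers (0xC0xx) back into the
    message. Returns (name, offset just past the name as it appeared in place)."""
    labels, end, jumped = [], offset, False
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                      # pointer to an earlier copy of the name
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        if length == 0:
            offset += 1
            break
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels), (end if jumped else offset)


def parse_response(msg: bytes) -> dict:
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    offset, questions, answers = 12, [], []
    for _ in range(qd):
        name, offset = decode_name(msg, offset)
        qtype, _qclass = struct.unpack("!HH", msg[offset:offset + 4])
        offset += 4
        questions.append((name, qtype))
    for _ in range(an):
        name, offset = decode_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:                   # A record: four raw address bytes
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, ttl, rdata))
    return {"id": txid, "rcode": flags & 0x0F, "questions": questions, "answers": answers}


def build_sample_response(query: bytes) -> bytes:
    """Constructed reply: same id, flags 0x8180 (response, recursion desired and available),
    the question echoed back, and an answer whose name is a pointer (0xC00C) to offset 12."""
    header = query[:2] + struct.pack("!HHHHH", 0x8180, 1, 1, 0, 0)
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([64, 236, 16, 116])
    return header + query[12:] + answer
```

To run it against a real server, send build_query("www.cnn.com") with a UDP socket to your DNS server's port 53 and hand whatever comes back to parse_response(); the id field is how the client matches the reply to its question, and a sniffer uses it the same way.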

Local Area Networks

A LAN is defined as a group of computers or devices that are interconnected such that any device can communicate with any other device (see Figure 4.2). In keeping with our housing analogy, imagine a large apartment building in a complex with many other apartment buildings all connected by walkways. Many corporations run their own LANs. A person’s home setup that is comprised of multiple computers connected together is also considered a LAN. A LAN may be, but is not necessarily, connected to the Internet.

Figure 4.2 A LAN with a Shared Printer

Internet

The Internet is made up of thousands of interconnected networks. There are all kinds of services and communications taking place on the Internet, including Web services (browsing), e-mail, and instant messaging. Voice over IP (VoIP) technology allows people to make telephone calls while using the Internet. The number of uses for the Internet is huge, and will continue growing as people discover innovative ways to take advantage of its size and power.

Tips and Tricks …

Measuring Bandwidth

Like memory and hard disks, a network carries its data as streams of 1s and 0s. Modems can use multiple voltages to represent more than two values, but all of the theory and naming assumes 1s and 0s. Bits are grouped together once again to describe the bandwidth of a network.

 A bit is a 1 or a 0

 Bytes are largely ignored when talking about bandwidth

 A kilobit (Kb) is a collection of 1,000 bits

 A megabit (Mb) is a collection of 1,000 kilobits

 A gigabit (Gb) is 1,000 megabits

Instead of staying with powers of 2, in networking we go back to powers of 10. The bandwidth of modems is usually measured in kilobits per second (Kbps), while faster Ethernet networks are measured in megabits per second (Mbps) and gigabits per second (Gbps).

The difference between megabytes and megabits trips up a lot of people, including many computer professionals, but it is worth keeping straight: a byte is eight bits, so a capital B (MB, GB) means bytes and a lowercase b (Mb, Gb) means bits, and a file size in megabytes divided by a link speed in megabits per second is off by a factor of eight. That matters whenever you estimate how long a download will take, or how much disk a sniffer will need to store a day's worth of traffic.

Packets

When two computers attempt to communicate with each other they send the information in packets. Packets are like letters sent using the mail system. A packet is the simplest form of communication between two computers. It is comprised of a string of 1s and 0s formatted so that the group of binary data can find its way across the Internet to its specific destination machine. All higher forms of communication are built upon the packet system. There are many different protocols that use packets, but all packets are fundamentally the same.

A packet has a header section and a data section. Once again, this is like a letter, which has an envelope (the header) and correspondence (the data). The header contains the information needed to deliver the packet to the correct computer, including the sending computer's IP address and the destination computer's IP address. Nested inside it is the TCP or UDP header, which carries the source and destination ports so that the receiving computer knows which program the data belongs to. The data portion of the packet contains the data that is to be sent. If the data is too large, it is broken into many smaller packets, similar to sending a very long correspondence in multiple letters to a friend.

Understanding what a packet is and its role in communications is fundamental in being able to determine a computer’s use.

Explore More …

The Traveling Packet

The network traffic created by a single Web page Hypertext Transfer Protocol (HTTP) request can travel farther across the globe than most people travel in a lifetime. For example, take a visit to the Web site www.newzealand.com. A traceroute (a utility that lists each router a packet passes through on its way to a destination) run from Alexandria, VA, USA shows the request taking the following path (the exact route varies with network congestion):

1 ge-4-4-rr01.alexandria.va.dc02.comcast.net

2 srp-8-1-ar01.arlington.va.dc02.comcast.net

3 pos-6-0-cr01.ritchieroad.md.core.comcast.net

4 12.126.168.9

6 tbr1-p012201.wswdc.ip.att.net

7 tbr1-cl4.sl9mo.ip.att.net

8 tbr1-cl2.sffca.ip.att.net

9 gbr1-p10.sffca.ip.att.net

10 gar1-p360.sffca.ip.att.net

11 sffca201lr1-pos21.ip.att.net

12 ausydn1102cr1-5-1-1.au.ip.att.net

13 ausydn1101cr1-3-0.au.ip.att.net

14 nzacld1101er2-11-0-0-4.nz.ip.att.net

15 auck1br1-3-0-0.au.nz.ip.att.

16 nzlapak1.nz.ip.att.net

17 www.newzealand.com

After leaving the local network, the packet travels through Arlington, Virginia, Maryland, and Washington, D.C., shoots over to St. Louis, Missouri, bounces around in San Francisco, California, and then zips across the Pacific Ocean to Sydney, Australia. Following the short layover in Australia, it finally ends up at its destination in New Zealand. That is quite an amazing voyage for one small packet.

Home Networks

Many people have multiple computers set up at home as a home network. They may have a desktop system, a kid’s computer, and a laptop from work all connected to the Internet. Each home user must have a way to access the Internet, including dial-up access, cable modem, or DSL. Sometimes people have several computers sharing an Internet connection; these computers form a home network. Some home networks are connected and held together by wireless protocols. Over the past couple of years there has been an explosion in the number of wireless networks. Most new laptops include built-in wireless connectivity. Some very enthusiastic home users incorporate technologies into their homes that are usually reserved for corporate networks. Regardless of its individual components, a home network is comprised of the computers and other devices such as printers that the owner wishes to connect together.

Dial-Up

Approximately 61 million people connect to the Internet through dial-up access. Home users connect through a modem to a dial-up provider. A modem is a device that allows a computer to transmit data over analog phone lines. The modem takes the digital data and converts it into analog data that it passes through the phone line. Likewise, it receives an analog signal from the other computer and converts it back to a digital signal for the computer to interpret.

Historically, dialing up using services such as Prodigy and CompuServe was the only way that home users could connect to the Internet. AOL is currently the most popular dial-up provider in the U.S., but there are also many local dial-up providers that people use.

While relatively cheap and pervasive (all you need is a normal phone line), dial-up Internet access is not without its drawbacks. Not so long ago, people connected at a maximum of 14.4Kbps. As technology has progressed, modem design has allowed increasing speeds, and 56Kbps modems are now the standard. However, the actual speed at which people receive data depends on a variety of factors. Because modems use copper phone lines, the quality of the phone line affects the speed of the connection, and in practice a 56K modem connects at somewhat less than its rated speed. Even the fastest 56K modem would, in an ideal world, take about two and a half minutes to transmit 1MB of data, since 1MB is roughly 8 million bits (1MB is about the size of a normal photo taken with a medium quality digital camera).

Dial-up is slowly being surpassed by higher speed connection mechanisms, in part due to the ever-increasing amount of information that a Web page displays. The pictures and graphics that are embedded in many Web pages increase the download time, making it difficult to surf via dial-up. Despite dial-up's declining popularity, there will always be a segment of the population that prefers its lower cost.

Cable Modems and Digital Subscriber Line

Many people have given up dial-up access in favor of a broadband connection such as cable and DSL. Broadband offers higher bandwidth than dial up and, as a result, changes the Internet experience for many people. Using a broadband service transforms accessing the Internet from a time-consuming task to a task requiring no effort. It also allows people to download at high speed, enabling them to use file-sharing tools such as Kazaa. It has also become more common for Web sites to have specific broadband content such as streaming video that help enrich the Internet experience.

DSL technology allows for the high-speed transfer of data over normal phone lines. Most DSL subscribers have an asymmetric connection (ADSL), which means they can download from their Internet Service Provider (ISP) faster than they can upload (send) information. A user's DSL speed depends on the distance between their home and the telephone company's equipment. While speeds may vary, DSL connections are usually capable of about 1.5 Mbps downstream.

A cable modem is another popular type of broadband access. The home user is provided with a cable modem, which is similar to a telephone modem. The difference is that the signal is carried over the cable television line, which is shared with other subscribers in the neighborhood, and the cable modem is always connected. A cable modem is capable of 1 Mbps or greater speed. Cable modem connections have become increasingly popular.

Hubs and Switches

Hubs and switches are devices used to connect computers together. With few exceptions, computers must be connected at a hub or a switch (see Figure 4.2). Networks need a common device to transmit and receive all of the packets from one location to another, and hubs and switches do just that. They are the hardware that moves the packets from one machine to another.

While hubs and switches appear to be structurally similar and have the same end result, they are functionally different. Both devices are usually small plastic or metal boxes with several network ports in them. (When using ports in the context of switches, hubs, and routers, we mean physical ports, not the data ports referred to earlier). They both usually need power from an external supply and both of them allow connected computers to “see” and communicate with each other. Hubs, however, use the “broadcast” mechanism for transmitting data to all of their connected computers; switches learn the location and route packets from one port to another.

When a computer connected to a hub wants to send data to another computer, it transmits the data onto the network. The hub sees that a computer on one port is transmitting a data packet, takes the packet, and broadcasts it out to every other port. As a result, all of the traffic on a network connected by a hub goes to each computer. Figure 4.3 demonstrates this concept.

Figure 4.3 A Hub Broadcasting Packet

While the broadcast method is effective for transmitting data, more efficient and more secure methods of network connectivity have emerged. Switches look very similar to hubs and appear to function pretty much the same. Internally, though, switches behave very differently. Every network card has a hardware (MAC) address, and every packet on the LAN carries the hardware addresses of its sender and its intended receiver. When two computers first "talk," the sender broadcasts a special packet called an Address Resolution Protocol (ARP) request, which asks every computer on the LAN "who has this IP address?" The purpose of the ARP request is to find the hardware address of the next place the packet needs to go (on a LAN this is the destination computer itself; for anything beyond the LAN it is the router) so that the sender can build its packets correctly. A switch learns as it forwards: every time a packet arrives on a port, the switch records that port and the sender's hardware address in a table. Since the ARP request is a broadcast, the switch sends it out every other port, and when the reply comes back it records the responding computer's port and hardware address as well. From then on, packets between those two computers are sent only out the port where the destination lives, rather than being repeated on every port. As more computers talk, the switch learns where they are and builds a table describing the network. As a result, each port only carries packets destined for the computers connected to it, plus broadcasts. Figure 4.4 illustrates this concept.

Figure 4.4 How a Switch Works
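The hub and switch behavior described above, as an added example in Python that is not from the book: a toy hub that repeats everything and a toy switch that learns from each frame's source address. The hardware addresses and port numbers are made up; computer A is on port 1, computer B on port 2, and the spy's sniffer is plugged into port 3. The exchange is the one the text walks through: ARP request, ARP reply, then data.

```python
"""Added example (not from the book): a toy hub and a toy learning switch, to show why a
sniffer sees everything on a hub and almost nothing on a switch. Addresses and port
numbers are made up: A is on port 1, B on port 2, the sniffer on port 3."""

BROADCAST = "ff:ff:ff:ff:ff:ff"
MAC_A, MAC_B = "00:11:22:aa:aa:aa", "00:11:22:bb:bb:bb"


class Hub:
    """Repeats every frame out of every port except the one it arrived on."""

    def __init__(self, ports):
        self.ports = set(ports)

    def forward(self, in_port, src_mac, dst_mac):
        return sorted(self.ports - {in_port})


class Switch:
    """Learns which port each hardware address lives on from every frame it forwards;
    floods only broadcasts and destinations it has not seen yet."""

    def __init__(self, ports):
        self.ports = set(ports)
        self.table = {}                       # hardware address -> port

    def forward(self, in_port, src_mac, dst_mac):
        self.table[src_mac] = in_port          # learn from the sender, whatever the frame is
        if dst_mac == BROADCAST or dst_mac not in self.table:
            return sorted(self.ports - {in_port})   # unknown or broadcast: flood like a hub
        out_port = self.table[dst_mac]
        return [] if out_port == in_port else [out_port]


def exchange(device):
    """A -> B conversation: ARP request (broadcast), ARP reply, then a data frame.
    Returns, per frame, the list of ports it was sent out of."""
    return [
        device.forward(1, MAC_A, BROADCAST),   # "who has B's IP address?"
        device.forward(2, MAC_B, MAC_A),       # "B is at 00:11:22:bb:bb:bb"
        device.forward(1, MAC_A, MAC_B),       # the actual data
    ]


def frames_seen_on(device, port):
    """How many of those three frames a promiscuous sniffer on `port` would capture."""
    return sum(port in out_ports for out_ports in exchange(device))
```

On the hub the sniffer on port 3 captures all three frames; on the switch it captures only the broadcast ARP request, which is exactly the problem the "Sniffing" section later describes. The switch's table is also its weak point: it believes whatever source address it sees, which is what the attacks that turn a switch back into a hub take advantage of.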

Broadband Routers

One of the great things about broadband is that it usually offers enough bandwidth for multiple computers. As a result, many people share their broadband connection with multiple computers in their homes. Some operating systems such as Microsoft Windows 2000 allow for Internet connection sharing; however, many people opt to use specialized hardware for the task since it is easier to set up. Electronics stores such as Best Buy sell broadband routers that take the connection from the Internet and allow the user to plug in multiple computers. The broadband router splits the Internet connection among many computers, which also allows those computers to talk to each other.

A broadband router consists of two parts: a hub or switch that the internal network devices are plugged into, and a router. Both of these parts are usually housed within the same case. The router connects the external network (from the ISP via the cable or DSL modem) to the internal network. It is responsible for passing traffic to and from the Internet, thus allowing the user to split their broadband connection. In this way, a user can have multiple devices connected to the Internet at the same time. This is the primary method that many people use to set up their home network.

Wireless Routers

In the past several years there has been an explosion in the amount of wireless Internet traffic. Previously, computers were connected to each other via Ethernet cable (wired); wireless technology transmits packets through the air. Wireless Internet, referred to as Wi-Fi or by its formal name 802.11 (a, b, or g), allows computers to be on a network without a physical connection. Most new laptops come with Wi-Fi built in, and adapters are available for older computers. Wireless routers provide access within a limited range of the access point. As the distance from the router increases, the signal strength and connection speed decrease. The typical distance at which service can be used is 150 feet indoors and 300 feet outdoors[2], which is usually enough for most homes. Many new broadband routers also have wireless capability built in, allowing the wireless router to function as three separate pieces of hardware: a router, an Ethernet switch (or hub), and a wireless access point. Figure 4.5 shows two example wireless routers, which can usually be identified by their antennas.

Figure 4.5 Two Different Wireless Routers

Wi-Fi routers are generally insecure by default; they allow anyone within range to connect through them. While this makes it easy for individuals to plug in and use their routers, it also lets other people use their Internet connection, and anyone on the wireless network can reach shared files and printers as if they were wired directly into the house. It also means that wireless traffic can be sniffed from the street without touching any of the family's equipment. This is usually not a good idea. While it is not covered in this book, there are many resources available on securing a wireless network; at a minimum, turn on encryption (WPA rather than the older and broken WEP) and change the router's default administrator password.

Typical Home Network Setups

Now that all of the main components of a typical home network are known, they can be put together to enable users to fully harness their computers. Although many people have their own unique home network configured to their exact needs, a typical home network is used as an example throughout this book. A typical home network connects to the ISP through a cable modem or DSL connection. Dial-up access can be, but is generally not, used to share a connection. The ISP connection is run into a broadband router. This broadband router also has the functionality of a wireless router. Most home desktops are connected to the broadband router via Ethernet cable. The printers and other peripherals are connected to the main family computer, which shares them. All members of the family use this main computer. The wireless router allows members of the family to use laptops anywhere in the home. Figure 4.6 shows a typical home network setup.

Figure 4.6 Diagram of a Typical Home Network

Network Traffic

Computer hardware and software are very useful and powerful when connected together. Now that we know what the pieces are and their functions, we can delve deeper into networks and how they function. The following sections explore the different types of packets and ways of capturing and examining them. They also investigate the mechanisms used to prevent people from examining your network traffic and determining what information you are passing.

Types of Traffic

At any given time, most networks have many different packets residing on them. The packets on a network, referred to as "traffic," come in many different varieties. The distinct packet types provide different functionality that is used to transmit the information. One class of packets, referred to as low-level packets, are special packets that are usually broadcast to everyone and used primarily for network setup and maintenance. The ARP requests and replies mentioned in the section on switches are a good example of low-level packets. IP packets are another class of packets, ones that are usually part of machine-to-machine communication and very likely to contain data that a spy would love to have. The majority of traffic that is captured and examined in this book is IP traffic. Web browsers, e-mail clients, Instant Messaging, and chat rooms transmit their data through different IP packet types.

IP traffic can then be broken down into two main classes of packet: User Datagram Protocol (UDP) and Transmission Control Protocol (TCP). UDP is a connectionless protocol, which means that UDP packets are sent from one machine to the next without confirmation or guaranteed reliability. In addition, there is no promise that packets sent via UDP will arrive at their destination in the same order they were transmitted. When a UDP packet is sent to a target address there is no guarantee it will ever reach the target, and there is no automatic confirmation that it got there. Because there is very little overhead, UDP is generally faster than TCP, and many games use it as the protocol of choice. Outside the gaming world, the best-known services that rely on UDP are DNS lookups, the automatic address assignment (DHCP) that home routers perform, and streaming audio, video, and VoIP, where a late packet is useless and waiting for a retransmission would only add delay.

TCP is the other popular means of transmitting data through IP packets. Unlike UDP, TCP is a connection-oriented protocol, which means that when two machines want to communicate using TCP they must first initiate a sequence of packets to establish the connection, which is called a three-way handshake. After the connection is established, the receiving computer acknowledges every packet that is sent. As a result, TCP guarantees an in-order delivery of packets. This reliability comes at a cost, as both machines are required to do more work for each connection versus the relative ease of a UDP transmission. However, it seems that most applications desire this reliability. Many popular protocols and applications such as Web browsing, email, and most Instant Messenger clients use TCP as their preferred method of data transmission.

TCP and UDP may sound more complicated than they actually are. Imagine that you want to send a copy of a book to a friend. You agree that, since it would be too expensive to mail all at once, you will break it up and send each chapter individually. The chapters are not numbered, so if they arrive out of order your friend will not read the book the way it was intended. You and your friend decide to send the chapters through the mail with a return receipt. The first chapter is sent to your friend, who signs for the package, and a couple of days later the return receipt arrives. You now know that your friend has the first chapter. The second chapter is sent the exact same way, and you wait for the return receipt. After receiving the second receipt, you send the third chapter, but no return receipt arrives. After a period of time, you assume that the chapter is lost and send a copy of the third chapter again. This chapter arrives successfully, as does every subsequent chapter. This is the equivalent of using TCP for transferring your data. TCP is used when data must be guaranteed to arrive.

UDP is used for many streaming media applications. Imagine you own a small mail order company with your own catalog. Every week you send a new catalog to your customers. It would be prohibitively expensive to send the catalog via First Class mail with registered receipt. After all, you are sending one catalog a week to the customer, so if one or two get lost, it is not a big deal. It is also not important to you if they aren’t delivered promptly; a couple of days delay is not a big deal as long as they arrive close to the original due date. As a business owner, you decide to send your catalog via Fourth Class mail, which allows you to send the catalog to your customers with as little cost to you as possible. UDP is that Fourth Class mail. Figure 4.7 graphically illustrates the differences between TCP and UDP. In TCP, every packet is received in order and acknowledged. With UDP, most packets get there, although there is nothing to keep some from getting lost or arriving out of order.

Figure 4.7 The Top Session Is Done via a TCP Connection with Guaranteed and In-order Delivery

Sniffing

Sniffing is the act of collecting packets from a network connection using either a special application or a piece of hardware called a sniffer. A sniffer takes a copy of, and displays, all of the traffic a network card sees. When implemented correctly, a sniffer is completely passive, having no effect on the traffic. Except for the processing time and memory it uses, a sniffer should have no effect on its host computer either. Ethereal (since renamed Wireshark), Ettercap, and Packetyzer (discussed further in Chapter 5) are some popular sniffers that allow for traffic collection, analysis, and TCP stream reconstruction. Traffic collection refers to the sniffer's ability to receive a copy of network traffic. Traffic analysis is the sniffer's ability to break out relevant fields (such as IP address) from the captured packets; a sniffer with good analysis capabilities can easily display specified fields within the packet, recognizes many different types of packets, and may even understand proprietary ones. TCP stream reconstruction is the process by which a sniffer reassembles the packets of an entire TCP connection so that the user can read the conversation in an easy-to-understand form. Some sniffers allow for almost complete stream reconstruction and can pull out the data being passed within the traffic; for instance, the sequence of SMTP commands exchanged between a mail host and a client can be reconstructed and read, which is handy for debugging the higher-level protocol and, of course, for reading the mail. Sniffing is done for many reasons, with two of the most common being network performance analysis (boring) and spying. Sniffing will be used as a tool to further our spying capability.

By 1999, most LANs were held together by hubs. As explained earlier, hubs are broadcast devices. Any traffic that goes through one port of a hub is broadcast to all of them. Every computer connected to a hub receives all of the traffic on the network. It is up to the network card to keep the traffic addressed to it and discard the rest. Most network cards have a special mode called promiscuous mode. When placed in this mode, a network card accepts all traffic it receives, regardless of the destination address. As a result, when sniffing on a network held together by a hub, one user can see the traffic destined for everyone. Most network connections and the data in them are in plaintext, which has significant security implications. Lots of data today still flies across the network in plain sight. For example, e-mail (unless you explicitly encrypt it) is completely viewable if the packets containing it are captured (see Figure 4.8).

Figure 4.8 E-mail Captured with a Packet Sniffer

The prevalence of switches over hubs makes sniffing an entire network much more difficult. Sniffing will still yield a lot of information about what is going in and out of your computer, but it is no longer the “grab everything around” capability that it once was. This is both good and bad. Good because it offers more security, and bad because it will make spying more difficult. No longer can you merely sniff from another machine; you have to install your sniffers on the target machine. There are certain advanced attacks that allow you to coerce switches into acting like hubs, but these attacks are generally more difficult to perform and easy to catch. Finally, there are certain broadband routers that while advertising a switched network actually broadcast all of their traffic as if they were hubs. We won’t mention the offending vendors; rather, we leave it up to you to always test and see what you can get on your network.

Encryption

Encryption is a daunting and complex topic to many people, and some readers may think that they won’t be able to understand it. In fact, encryption is constantly used in the world, and many people use it without even realizing it. Encryption mechanisms have been around for centuries; the ancient Romans used a form of it to protect their messages. It is not necessary to understand the inner workings of an encryption algorithm, merely to know what is happening and why.

Encryption is used to provide a variety of assurances to a communications medium. There are many different types of encryption that are used for distinct purposes. It can be used to guarantee that only the intended individuals can read a message and it can also be used to assure someone that the sender really did send the message. Differing methods of encryption can provide the following:

 Confidentiality Assuring that only the person sending the message and the intended recipients can read the message.

 Integrity Assuring that the message that was sent was not altered, added to, or changed.

 Authentication Determining that the sender of the message was indeed the sender, not someone posing as that individual.

 Nonrepudiation Allows the recipient of the message to prove that it was the sender who sent the message; the sender will not be able to claim that they did not send the message.

Encryption is the process of transforming data so that it is unreadable and no longer resembles its original form. It takes plaintext (the original data) and converts it into ciphertext, which is what is sent to the recipient. The encryption process usually starts with data and an encryption key. The data and key are then placed into a mathematical function that produces encrypted data (ciphertext). Except for possibly size, the encrypted data no longer resembles the original data. The mathematical functions are carefully chosen so that they cannot easily be reversed without having the key. The current Advanced Encryption Standard (AES) algorithm, Rijndael, uses a very long key and is believed to be strong enough that it would take all of the computers in the world thousands of years to break.

Explore More …

Encryption Strength

A common method of comparing encryption strength is the key length. Data Encryption Standard (DES) originally used a 40-bit key. That is 2^40 possible key combinations. The current AES can use up to a 256-bit key, which produces 2^256 distinct combinations. This makes it much harder to break the encryption via brute force. To break encryption using brute force, all possible key combinations are tried until the correct key is found. As shown, using AES makes it much more difficult to brute-force a key. This is important due to the ever-increasing speed of modern computers, which are reaching speeds that were once thought unreachable. An encryption mechanism with a small key that was safe five years ago might not be safe now.

Data is generally most vulnerable at two distinct times: in transit and in storage. Data in storage is usually data that is sitting on a CD, a USB drive, a floppy, a hard disk, or another storage medium. If it is unencrypted, anyone can copy the data and view it at a later time. Data in transit is data that is being sent between two locations, such as between storage and a CPU or between two different computers on a network. Data in transit is vulnerable to being collected (by a sniffer) and analyzed. If the data is encrypted either when it is stored or in transit, it is significantly more difficult to analyze. Unless the person capturing the encrypted data has the key, they will not be able to study, view, or otherwise make sense of it. Figure 4.9 demonstrates encryption at work.
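The ideas in the last three paragraphs, plaintext turned into ciphertext under a key, a tag that provides integrity and authentication, and the brute-force cost growing as 2 to the key length, as an added Python example that is not from the book. Python's standard library has no AES, so HMAC-SHA256 run in counter mode is assumed as a stand-in keystream (a real system would use AES from a vetted library); the key and message below are constructed for the example.

```python
import hashlib, hmac, os, struct

def _subkey(key: bytes, label: bytes) -> bytes:
    """Derive separate encryption and authentication keys from one shared secret."""
    return hashlib.sha256(label + key).digest()

def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode stands in for a block cipher such as AES (assumption of this example)."""
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(enc_key, nonce + struct.pack("!Q", counter), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Plaintext -> nonce || ciphertext || tag. The tag gives integrity and authentication."""
    nonce = os.urandom(16)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag

def decrypt(key: bytes, blob: bytes) -> bytes:
    """Check the tag first: an altered message or a wrong key is rejected, never decrypted."""
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: message altered or wrong key")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))

def brute_force_seconds(key_bits: int, keys_per_second: float) -> float:
    """Worst-case time to try every key: 2^bits / rate, the comparison made in the sidebar."""
    return 2 ** key_bits / keys_per_second

def looks_like_plaintext(data: bytes) -> bool:
    """Crude test a sniffer might apply: is the payload almost entirely printable ASCII?"""
    printable = sum(32 <= b < 127 or b in b"\r\n\t" for b in data)
    return printable / max(len(data), 1) > 0.95
```

At a constructed rate of one billion keys per second a 40-bit key space is exhausted in under twenty minutes, while the 256-bit space takes more than 10^60 seconds, which is the sidebar's point in numbers.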

Figure 4.9 Encryption at Work

One example of a popular encryption package is Secure Sockets Layer (SSL), which has become a standard for encryption. While initially designed to secure Web browsing, it is now used with several popular protocols to provide a layer of encryption and enhanced security. For example, both SMTP (outgoing e-mail) and POP (incoming e-mail) can be wrapped in SSL. When that is done, any e-mail that passes between the e-mail client and the server is encrypted. This makes it extremely difficult for someone sniffing the line between the client and the server to determine the contents of the e-mail.

Many Web sites use encryption when logging in or in e-commerce. Internet Explorer displays a lock icon on the bottom of the screen if the connection is using SSL. Mozilla Firefox, another Web browser, also displays a lock in the bottom left of the application when SSL is being used. They use encryption to prevent third parties from intercepting passwords and account numbers.

SSL is a means of encrypting an entire connection. While it's useful, it has several drawbacks. For one, both sites communicating must have SSL enabled, which is not always the case. However, there exists a method of encrypting data called public key cryptography (commonly referred to as PGP), which can be used in almost every online transaction. (Pretty Good Privacy, or PGP, is actually a product, but it has become so strongly associated with public key cryptography that the terms are often interchanged.) PGP, or its free cousin GPG, is commonly used to encrypt e-mail and other types of data. PGP is also useful for protecting stored data. Figure 4.10 shows a packet captured while encrypted with PGP.

Figure 4.10 Packet Capture of E-mail Encrypted with PGP

Encryption is a powerful technology. Used correctly, it can make data extremely secure. If you encounter encrypted data in your sleuthing, do not waste time trying to break it; if it was done right you won’t be able to. Instead, think of what encryption is for: to protect data that may be discovered in transit or storage. Remember that the encrypted data was at one time unencrypted, and in order to be used, will have to be decrypted. Don’t give up, but shift your focus to when and where you can get what you need. Instead of attacking the encryption, try to get the data when it’s vulnerable and unencrypted.

How Network Technology Is Used

Most people use computer networks and the Internet for one of three main purposes: communication, transactions, and entertainment. We view communication as all of the processes by which a person actively communicates with another. Examples of this are e-mail and instant messaging, which are the modern equivalents of letters and walkie-talkies and are very pervasive, and very powerful. These applications are two of the foundations of the Internet and the most popular uses for it. They have become so popular that in some demographics they are replacing traditional methods of communication.

Transactions are another common use for networks. When we refer to transactions we are describing primarily e-commerce and online banking. Once again, these are information-age twists on two very traditional areas. Both of these are significant parts of people’s lives; knowing what goes on regarding a person and their transactions can give a good idea of what a person is going through at any given time.

Finally, many people use the Internet as a source of entertainment. This can be casual Web browsing, reading the news online, downloading movies, listening to Internet radio, or watching Web casts of interesting events. High-speed Internet access and fast computers have combined many normally disjointed aspects of a person’s life into one unified location—their computer.

As a spy, it is very important for you to grasp the depth of the Internet’s penetration into most people’s lives. Since so much is done through the Internet, you have a location where you can look for many clues about a person’s life. Complete access to a person’s Internet activity can give you a thorough picture of them. You will know with whom and about what they communicate. You will know some of what they buy, and you may learn about their financial situation by looking at their bank and retirement accounts. You can learn what they are interested in, what they read about, what they are researching, and what they are looking to buy. You will get a glimpse of what they enjoy by the images, music, and movies they look at.

Taking all that into account, it is very easy to see how total information awareness for an individual can be extremely useful. All that passes through a computer can build a complete picture of a person, and may help uncover any mysteries you are concerned with. In most cases, even in the best of situations you will not have complete and total access to everything a person does online. It is important to maximize what you can obtain, study it carefully, and treat it like one piece of a very complex puzzle.

Summary

This chapter gave a very brief yet broad overview of computer networks. As shown, a home network comprises many different components that allow for a multitude of configurations and options. It included the following key points:

 Networks are like neighborhoods, but instead of houses they are computers that are grouped together to communicate.

 Many people connect their home network to the Internet via dial-up services, DSLs, or cable modems. Cable modems and DSLs are considered to be broadband access; that is, they offer higher bandwidth than the traditional dial-up capability.

 An IP address is what identifies a computer on a network. There are both public and private IP addresses.

 A port identifies an application so that the computer can tell which program to send data to.

 Packets are the building blocks upon which communication protocols are based.

 Hubs and switches hold most home networks together. Hubs broadcast data to all connected machines and switches transmit data only to the destination computer.

 Users with broadband connections often use broadband routers to enable multiple computers to access the Internet. Some broadband routers have Wi-Fi built in. While Wi-Fi is a very convenient way of connecting, it is often not the most secure.

 There are two primary types of IP traffic: UDP and TCP. UDP is connectionless and unreliable and TCP is connection oriented and reliable. Most interesting network applications use TCP.

 Sniffing is the process of collecting and analyzing traffic from the network.

 Encryption allows people to protect their data in transit and storage.

 Network technology has enabled many new trends such as e-mail, Web browsing, and e-commerce that have affected our lives and the economy.

 Total information awareness gives you a good picture of someone’s life. However, you will probably never have total awareness, so treat everything you discover like a piece of a puzzle.