Experiment Demonstrates the Power of Simple Network Intercepts


Ars Technica, working with NPR, recently demonstrated just how much information can be easily captured off the wire. The experiment was done by placing a PwnPlug on the network of NPR reporter Steve Henn (with his permission and cooperation). This is actually a fairly realistic model of the kind of data intercept that could be conducted by national intelligence services, law enforcement, ISPs, and hackers. Hackers would do so by surreptitiously placing a device like the PwnPlug within the target network, while the other groups would capture the information directly off the Internet backbone.

While many of the key cloud services are encrypted, this may actually give a false sense of security. Often information that was protected on one page is revealed when following a link to another page, or by the providers of embedded content within a page. On many sites, only the purchase pages are secure, while a great deal of personal information is revealed through interactions with the rest of the website. At a minimum, the attacker can see all of the websites you have visited and all of the services you use.

Because many less sensitive services and websites are not encrypted, attackers can often intercept authentication tokens and even usernames/passwords from these sites. Because so many of us re-use passwords, that may then give attackers access to the more sensitive sites they saw you visit.
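To check your own exposure to the two problems above, the sketch below audits a log of your own browsing (for example, exported from a local proxy) and reports what would have crossed the wire unencrypted. It is an added example, not code from the Ars Technica/NPR experiment; the record layout, host names and field names are constructed assumptions.

```python
from urllib.parse import urlsplit, parse_qsl

# Constructed sample of one user's own browsing (hypothetical hosts and values).
SAMPLE = [
    {"url": "https://shop.example/login", "req_headers": {},
     "body": "user=alice&password=s3cret",
     "set_cookie": ["sid=abc123; Path=/; HttpOnly"]},  # note: no Secure attribute
    {"url": "http://shop.example/catalog", "req_headers": {"Cookie": "sid=abc123"},
     "body": "", "set_cookie": []},
    {"url": "http://forum.example/login", "req_headers": {},
     "body": "user=alice&pass=hunter2", "set_cookie": []},
    {"url": "https://bank.example/account", "req_headers": {"Cookie": "tok=zzz"},
     "body": "", "set_cookie": ["tok=zzz; Secure; HttpOnly"]},
]
SECRET_FIELDS = {"password", "pass", "passwd", "pwd"}  # assumed form field names

def audit(exchanges):
    """Return (hosts_visible, findings) as a passive on-path observer sees them."""
    hosts, findings = [], []
    insecure_cookies = set()  # (host, name) issued over HTTPS without Secure
    for ex in exchanges:
        u = urlsplit(ex["url"])
        if u.hostname not in hosts:
            hosts.append(u.hostname)  # host names leak via DNS/SNI even under TLS
        for sc in ex["set_cookie"]:
            first, *attrs = [p.strip() for p in sc.split(";")]
            if u.scheme == "https" and "secure" not in {a.lower() for a in attrs}:
                insecure_cookies.add((u.hostname, first.split("=", 1)[0]))
        if u.scheme != "http":
            continue  # request contents are encrypted; nothing more to flag
        for pair in ex["req_headers"].get("Cookie", "").split(";"):
            name = pair.strip().split("=", 1)[0]
            if name:
                downgraded = (u.hostname, name) in insecure_cookies
                kind = "cookie-downgraded" if downgraded else "cookie-cleartext"
                findings.append((kind, u.hostname, name))
        if "Authorization" in ex["req_headers"]:
            findings.append(("auth-header-cleartext", u.hostname, "Authorization"))
        for key, _ in parse_qsl(ex["body"]):
            if key.lower() in SECRET_FIELDS:
                findings.append(("password-cleartext", u.hostname, key))
    return hosts, findings

if __name__ == "__main__":
    visible, issues = audit(SAMPLE)
    print("hosts visible:", visible)
    for issue in issues:
        print(issue)  # only names are reported, never the secret values
```

A `cookie-downgraded` finding means a session issued on an encrypted page was later sent in the clear; setting the `Secure` attribute on the cookie and serving the whole site over HTTPS removes it.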

While this is not news to security professionals, it is a fantastic illustration of the amount of information an attacker can collect, how easy it is to do, and how vulnerable we all are.