instant messenger eavesdropping question
on 17.06.2006 03:05:39 by funluvinmax
Need some help understanding...
Person A and Person B are both on an internal private network (either
directly on the LAN or VPNed into the LAN from an outside network)
A and B are chatting via MSN or Yahoo messenger via IM (not going thru
a chat server etc)
Is it possible for person C who is on the same internal network to see
the contents of the IM traffic between A and B?
Is it any way possible for person D who is NOT on the same internal
network (external / internet user) to see the contents of the IM
traffic between A and B?
-M-
Re: instant messenger eavesdropping question
on 17.06.2006 07:16:58 by computergeek6933
funluvinmax@yahoo.com wrote:
> Need some help understanding...
>
> Person A and Person B are both on an internal private network (either
> directly on the LAN or VPNed into the LAN from an outside network)
>
> A and B are chatting via MSN or Yahoo messenger via IM (not going thru
> a chat server etc)
>
> Is it possible for person C who is on the same internal network to see
> the contents of the IM traffic between A and B?
>
> Is it any way possible for person D who is NOT on the same internal
> network (external / internet user) to see the contents of the IM
> traffic between A and B?
>
> -M-
If they are chatting through MSN or some similar messenger, then yes,
eavesdropping is possible in scenarios C and D because all traffic has
to be routed to the service's servers (in the case of MSN, it has to
run through MSN servers before your message is delivered to Person B).
However, if you are VPNed as you suggested, the encryption would deter
any would-be eavesdrop attempts.
Re: instant messenger eavesdropping question
on 17.06.2006 13:55:46 by funluvinmax
thanks for your reply.
I thought A and B would be chatting purely P2P in this case - not thru
msn or yahoo servers?
With VPN, is there *no* chance that person C (inside the network) can
eavesdrop? If not - are there possibly other ways that person C (or D)
- in the vpn scenario - is able to eavesdrop?
Re: instant messenger eavesdropping question
on 17.06.2006 14:36:09 by computergeek6933
funluvinmax@yahoo.com wrote:
> thanks for your reply.
>
> I thought A and B would be chatting purely P2P in this case - not thru
> msn or yahoo servers?
>
> With VPN, is there *no* chance that person C (inside the network) can
> eavesdrop? If not - are there possibly other ways that person C (or D)
> - in the vpn scenario - is able to eavesdrop?
No, according to the Oscar protocol for AIM there are no P2P
transmissions (unless you are direct connecting but I haven't read into
the semantics of that). I would assume that other Instant Message
protocols follow suit. In regards to your VPN question, while C would
be able to eavesdrop, the packets intercepted would be encrypted by the
VPN, proving useless to whoever is reading them.
Re: instant messenger eavesdropping question
on 17.06.2006 17:21:39 by comphelp
funluvinmax@yahoo.com writes:
> Need some help understanding...
>
> Person A and Person B are both on an internal private network (either
> directly on the LAN or VPNed into the LAN from an outside network)
>
> A and B are chatting via MSN or Yahoo messenger via IM (not going thru
> a chat server etc)
Actually MSN and Yahoo do talk to a central server, and the
communication typically isn't just peer to peer. It's internet
destined traffic.
> Is it possible for person C who is on the same internal network to see
> the contents of the IM traffic between A and B?
Absolutely. If it's a switched network, arp spoofing/mac flooding
techniques are required as implemented by tools like ettercap and
Cain, if it's a hub or wireless network, just a plain ole sniffer will
do.
The only way around that for careful im users would be to run a socks
proxy to an external machine using ssh and set the im clients to use
socks to that server, but very very few folks do that.
> Is it any way possible for person D who is NOT on the same internal
> network (external / internet user) to see the contents of the IM
> traffic between A and B?
D would have to compromise a box on that internal net to do so, but
that's not as hard as one might think for a sufficiently motivated
attacker.
--
Todd H.
http://www.toddh.net/
Re: instant messenger eavesdropping question
on 17.06.2006 17:50:02 by comphelp
funluvinmax@yahoo.com writes:
> thanks for your reply.
>
> I thought A and B would be chatting purely P2P in this case - not thru
> msn or yahoo servers?
Nope. Unless something's changed in their protocols very recently,
they rely on communicating with a central server.
There is a notion of direct connection in some im protocols, but it's
not commonly used.
> With VPN, is there *no* chance that person C (inside the network)
> can eavesdrop? If not - are there possibly other ways that person C
> (or D) - in the vpn scenario - is able to eavesdrop?
If person C or D has compromised either user A or B's machine in some
way, all bets are off.
But from a network perspective, if the traffic is encrypted inside an
ssh or vpn tunnel and the im is using that tunnel, eavesdropping does
become pretty darned difficult. It's usually folly to say anything's
impossible in security though. :-)
Best Regards,
--
Todd H.
http://www.toddh.net/
Re: instant messenger eavesdropping question
on 18.06.2006 14:30:22 by funluvinmax
You say "if" traffic is encrypted... I assume that large corporations
do encrypt vpn connections.
so from what I read below - if person A is on such an encrypted vpn
connection, person B is either directly on the LAN or also on an
encrypted vpn, then *chances* of eavesdropping are generally small?
I take it then that if this occurs, it's more likely that person A or
B's PC has been compromised. If so - sounds like someone capturing
keystrokes or screens?...
> But from a network perspective, if the traffic is encrypted inside an
> ssh or vpn tunnel and the im is using that tunnel, eavesdropping does
> become pretty darned difficult. It's usually folly to say anything's
> impossible in security though. :-)
>
> Best Regards,
> --
> Todd H.
> http://www.toddh.net/
Re: instant messenger eavesdropping question
on 19.06.2006 08:17:13 by comphelp
funluvinmax@yahoo.com writes:
> You say "if" traffic is encrypted... I assume that large corporations
> do encrypt vpn connections.
Nearly all do encrypt their VPN, but that's not why I hedge the bet
there... the sticky wicket is "Is the IM traffic going through the
VPN?" Depending on the VPN client, and policy put forth by the
company who hosts the VPN, if you run an IM client that talks to the
internet, that traffic in many cases won't go through the VPN tunnel.
> so from what I read below - if person A is on such an encrypted vpn
> connection, person B is either directly on the LAN or also on an
> encrypted vpn, then *chances* of eavesdropping are generally small?
Yes, I would say so, since person A's IM client would be talking to
the MSN or AOL central servers over a clear connection between their
home network and the AOL server, while person B's traffic would be
visible to the LAN, on its way out the company's firewall off to the
internet, to the central IM servers.
--
Todd H.
http://www.toddh.net/
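The question raised in the post above, "Is the IM traffic going through the VPN?", comes down to which route the client machine picks for the IM server's address. The following is an added example, not part of the original thread: it applies longest-prefix matching to two constructed routing tables (split tunnel and full tunnel); the interface names `tun0`/`eth0`, all addresses and the destination names are assumptions chosen for illustration.

```python
import ipaddress

# Constructed routing tables (prefix, interface, metric); not taken from the thread.
SPLIT_TUNNEL = [
    ("0.0.0.0/0", "eth0", 100),        # default route via the home router
    ("192.168.1.0/24", "eth0", 100),   # home LAN
    ("10.0.0.0/8", "tun0", 50),        # only corporate prefixes use the VPN
]
FULL_TUNNEL = [
    ("0.0.0.0/1", "tun0", 50),         # two /1 routes override the default
    ("128.0.0.0/1", "tun0", 50),
    ("0.0.0.0/0", "eth0", 100),
    ("192.168.1.0/24", "eth0", 100),
    ("203.0.113.10/32", "eth0", 100),  # the VPN gateway itself stays outside
]

# Placeholder destinations (documentation address ranges, assumed).
DESTINATIONS = {
    "im-central-server": "198.51.100.25",
    "corp-file-server": "10.20.30.40",
}

def egress_interface(routes, dest):
    """Pick the route by longest prefix; the lowest metric breaks ties."""
    addr = ipaddress.ip_address(dest)
    best_key, best_iface = None, None
    for prefix, iface, metric in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net:
            key = (net.prefixlen, -metric)
            if best_key is None or key > best_key:
                best_key, best_iface = key, iface
    if best_iface is None:
        raise LookupError(f"no route to {dest}")
    return best_iface

def audit(routes, destinations, vpn_iface="tun0"):
    """Map each destination name to True if its traffic enters the tunnel."""
    return {name: egress_interface(routes, ip) == vpn_iface
            for name, ip in destinations.items()}

if __name__ == "__main__":
    for label, table in (("split", SPLIT_TUNNEL), ("full", FULL_TUNNEL)):
        print(label, audit(table, DESTINATIONS))
```

A `True` result only means the traffic is encrypted as far as the point where the tunnel terminates.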
Re: instant messenger eavesdropping question
on 19.06.2006 16:12:43 by david20
In article <1150547769.420494.241410@y41g2000cwy.googlegroups.com>, "computergeek6933@gmail.com" writes:
>
>funluvinmax@yahoo.com wrote:
>> thanks for your reply.
>>
>> I thought A and B would be chatting purely P2P in this case - not thru
>> msn or yahoo servers?
>>
>> With VPN, is there *no* chance that person C (inside the network) can
>> eavesdrop? If not - are there possibly other ways that person C (or D)
>> - in the vpn scenario - is able to eavesdrop?
>
>No, according to the Oscar protocol for AIM there are no P2P
>transmissions (unless you are direct connecting but I haven't read into
>the semantics of that). I would assume that other Instant Message
>protocols follow suit. In regards to your VPN question, while C would
>be able to eavesdrop, the packets intercepted would be encrypted by the
>VPN, proving useless to whoever is reading them.
>
"
Person A and Person B are both on an internal private network (either
directly on the LAN or VPNed into the LAN from an outside network)
"
To me that says the VPN is terminated on the internal network hence the traffic
on the internal network would be in the clear.
David Webb
Security team leader
CCSS
Middlesex University
Re: instant messenger eavesdropping question
on 19.06.2006 16:28:00 by david20
In article <1150633822.718428.159680@h76g2000cwa.googlegroups.com>, funluvinmax@yahoo.com writes:
>You say "if" traffic is encrypted... I assume that large corporations
>do encrypt vpn connections.
>
>so from what I read below - if person A is on such an encrypted vpn
>connection, person B is either directly on the LAN or also on an
>encrypted vpn, then *chances* of eavesdropping are generally small?
>
The chances of eavesdropping on traffic actually in the tunnel and cracking
its encryption are small but the VPN tunnel generally terminates at a
VPN concentrator, firewall or other network appliance. It isn't generally
end-to-end between clients. Once you exit the tunnel then there is no VPN
encryption.
So if a user is using VPN from their PC at home to the corporate network
and the VPN is terminated on that network and is talking to someone on the
internal LAN then someone else who is on the internal corporate network can
eavesdrop.
David Webb
Security team leader
CCSS
Middlesex University
>I take it then that if this occurs, it's more likely that person A or
>B's PC has been compromised. If so - sounds like someone capturing
>keystrokes or screens?...
>
>
>> But from a network perspective, if the traffic is encrypted inside an
>> ssh or vpn tunnel and the im is using that tunnel, eavesdropping does
>> become pretty darned difficult. It's usually folly to say anything's
>> impossible in security though. :-)
>>
>> Best Regards,
>> --
>> Todd H.
>> http://www.toddh.net/
>