
TCP Sniffer - Can they monitor/break HTTPS

Last Modified: 2013-11-16
I'm a bit paranoid about whether people can monitor my passwords from my desktop.  I try to make sure no spyware or key loggers are installed (I wish there was a way to detect something like this more reliably), but now I'm wondering if someone connected to the same router / gateway could be sniffing all outgoing TCP requests.

I am logging into HTTPS websites.  Is it possible, even though SSL is active, for a foreign person not on my PC, though possibly in the same workgroup, to monitor my outgoing requests and view my passwords?  For example, the Gmail log in?

CERTIFIED EXPERT

Commented:
Is it possible?  Yes.
Is it probable?  No.

If the network devices haven't been secured then it is possible that a third-party could route all of your traffic through themselves.  As you pointed out however the traffic is encrypted.  As with all encryption it is possible to break it eventually but this is far beyond the means of most people (who would get bored after a year or two!)  More likely they'd get themselves a certificate and impersonate the site then proxy your traffic to the actual site (your credentials included) - some of the trusted certificate authorities built into your OS/browser are not too careful who they give certificates to.

Commented:
Technically speaking anything IS possible, but the probability of it happening if you are so cautious is low.  You cannot guarantee your computer info is safe...only mitigate the risk of it being compromised. The only 'safe' computer is the one left in its packaging.

Is this a home network setup or are we talking a business or another private/public organization's network?

If it is a wireless home network, yes, they technically can sniff your information out with the right wireless monitoring equipment.  It would take great skill to turn that sniffed data into viable information such as passwords from your computer.  If you have enabled encryption like WEP, that can make it more difficult.  WEP is crackable. Someone can crack it if given enough time.

As for keyloggers...a very real threat. If you have other computers on your network they can access your computer if it is shared out. They will still need admin privileges to install it.  Spyware detection programs are out there and are pretty effective. As long as you know who has physical access to your computer it seems like you are doing enough to mitigate risk.  The chances of a 'hacker' devoting so much time and effort to someone's home computer are relatively low unless you have a real good reason for someone to hate you that bad :P

If you are still worried by keyloggers, frequently look at Add/Remove Programs.  Look for newly installed software.  Run virus scans and spyware scans.  Unless the keyloggers are staying in

If it is an organization/business network, you are at the mercy of the IT staff. It is their responsibility to keep the systems safe.  Just make sure you exercise the same caution you have already with accessing websites. If you really don't want people to know the things you are doing on websites then I'd merely suggest not doing it on the work computers to stay safe.
CERTIFIED EXPERT

Commented:
You are also at risk if the implementations are poor or based on weak algorithms.  

I found the example I was thinking of too:  http://www.insidetech.com/news/articles/3669-hackers-break-ssl-certificates-impersonate-ca
CERTIFIED EXPERT
Commented:
I would agree with L3370:  you are at far more risk from poor physical security - if your PC is left unattended at any time there is the danger of hardware/software keyloggers being installed.  That said I am sure I read an article recently regarding how to 'sniff' keystrokes remotely as they're typed - most keyboards do not have shielded cables!

It is worth noting that WPA is quite easily crackable if running as WPA-PSK.  Look to WPA2 instead.


Author

Commented:
Yes, I am within a home network.  Actually I am sharing my internet connection with a friend, but we've been having a bit of a falling-out and he is the type to retaliate. In fact I know he was able to log into my Gmail account (I checked Gmail's logs and saw his IP address).  Originally he did have my local PC's login name and password, so he does have admin access to my PC.

I'm just wondering how the heck he got my password into Gmail.  I was thinking key logger, but a quick scan shows nothing, unless he removed it after he got the password.  And it doesn't sound likely that he can scan the outgoing TCP packets while I am connected to the HTTPS Gmail login page.

Is he able to install the keylogger remotely once he has my login/password to my desktop?  We are using Windows Vista.

CERTIFIED EXPERT

Commented:
Is he able to install the keylogger remotely once he has my login/password to my desktop?
Yes.
If in doubt I would back up your files and clean install your PC (assuming you are comfortable doing that). If your PC has been compromised you cannot trust any software to correctly report if there is a problem - take a quick look at the dangers of rootkits.

Commented:
piggybacking off lamaslany's last comment.

I've even read on some keylogging done by phone!  Some security agency developed a system that was able to determine keystrokes by the sound of the user typing on the keyboard while they were on the telephone.  They made a database of recorded keystroke noises from various models of keyboards.

If that isn't enough to get you paranoid, I don't know what is!

Author

Commented:
Once my PC has been reinstalled with a fresh copy of Windows, what is the best way to keep my system from getting key loggers?  Is there any way I can easily detect them?  Of course I won't give out my password, but I would like a tool to help check things out.  Again, this could be a home made keylogger rather than a popular one off the net and therefore not detectable.  I don't have faith in those heuristic scans.

I was surfing and came across System Mechanic.  It appears to have a feature that can snapshot and compare changes to your registry.  I figure i could use that to detect anomalies?  Granted the person in question knows much about DLL injection (piggy backing with safe .EXE files).  

Author

Commented:
I should also mention we both use Firefox.  I'm wondering if he was able to obtain any relevant security key information from my firefox browser in order to make decoding a sniffed packet easier on his end.
Commented:
If your Gmail password is similar in any way to your computer login password then he could have gotten into your Gmail with brute force.

If a keylogger was installed and he no longer has physical access to your computer, it would have to send that data out for it to be useful...

If you open command prompt and type 'netstat' it will report all active connections. For the sake of drowning out the static, close all webpages, instant messengers, and any known programs that access the internet first.

Afterwards, if you see some connections...like an IP address to his computer, or another computer with an IP address on your home network, I would be a bit worried.
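To make the "similar password" point above concrete, here is an added example (not code from the original thread, and no real credentials are involved): it takes a password the attacker already knows, applies the mangling rules people actually use when they "vary" a password, and checks each guess. The known password, the target and the hash that stands in for "try this guess at the login form" are all constructed for the example.

```python
import hashlib
import itertools
import re

# Constructed data for this example: the Windows login password the attacker
# already knew, and a SHA-256 of the webmail password standing in for
# "submit this guess to the login form". Neither is a real credential.
KNOWN_PASSWORD = "Fluffy2007"
TARGET_HASH = hashlib.sha256(b"Fluffy2008!").hexdigest()

SUFFIXES = ("", "!", "1", "123", "2007", "2008")
LEET = str.maketrans("aeios", "43105")


def variants(base):
    """Yield the guesses an attacker derives from one known password.

    Rules: case changes, bumping a trailing number up or down by one (the
    'I just changed the year' habit), simple leet substitution, and a few
    common suffixes. Each guess is yielded once.
    """
    stems = {base, base.lower(), base.upper(), base.capitalize(), base.swapcase()}
    m = re.search(r"^(.*?)(\d+)$", base)
    if m:
        head, num = m.groups()
        for delta in (-1, 1):
            stems.add(f"{head}{int(num) + delta:0{len(num)}d}")
    stems |= {s.translate(LEET) for s in stems}
    seen = set()
    for stem, suffix in itertools.product(sorted(stems), SUFFIXES):
        guess = stem + suffix
        if guess not in seen:
            seen.add(guess)
            yield guess


def crack(target_hash, known_password):
    """Return (recovered_password, guesses_tried), or (None, guesses_tried)."""
    tried = 0
    for tried, guess in enumerate(variants(known_password), start=1):
        if hashlib.sha256(guess.encode()).hexdigest() == target_hash:
            return guess, tried
    return None, tried


if __name__ == "__main__":
    found, n = crack(TARGET_HASH, KNOWN_PASSWORD)
    print(f"recovered {found!r} after {n} guesses")
```

The whole search space here is a few dozen guesses, which is well within what an online login form tolerates before any lockout, and far less than a keylogger would require in effort. That is why reusing a password with a one-character tweak offers almost no protection once the original is known.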



CERTIFIED EXPERT

Commented:
1.  Ensure that your PC is fully patched.  This means the latest patches and service packs for your OS, applications and even drivers.
2.  Ensure you have a firewall installed.  If you are careful about what you run and don't blindly allow everything that wants to be given access even the Windows Firewall will do a decent job of protecting you.
3.  Ensure you are running good quality antivirus/antimalware software.
4.  Do not run as an administrator.  Have a separate account for your day-to-day use.  If you need to install additional hardware/software or run updates simply log on as the admin, perform the tasks and log off again.
5.  Be cautious about your network security.  If your router is compromised it is a potential gateway into your system (see site impersonation in a previous post).  If an attacker can impersonate a site you trust, for example one you might download patches and updates from, you may well run infected code.


Personally I'd shy away from System Mechanic.
CERTIFIED EXPERT

Commented:
If you open command prompt and type 'netstat' it will report all active connections. For the sake of drowning out the static, close all webpages, instant messengers, and any known programs that access the internet first.
If your machine has been properly compromised you cannot trust it to correctly report its status.  It is trivial, relatively speaking, to omit an attacker's backdoor from a netstat result.
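A concrete version of both points, added here as an example and not part of the original thread: it parses netstat output in the Windows format (the listing below is constructed, not captured from the asker's PC), flags connections whose far end is another host on the home LAN as the earlier comment suggested, and then compares the local view against flows recorded from a second vantage point (the router, or another machine running a packet capture), since a compromised host can filter its own netstat but cannot filter what is seen on the wire. The 192.168.1.0/24 subnet, the addresses and the ports are assumptions.

```python
import ipaddress
import re
from typing import List, NamedTuple, Set, Tuple

# Constructed output in the format Windows `netstat -an` prints. Not captured
# from the asker's machine; addresses and ports are invented for the example.
NETSTAT_OUTPUT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    192.168.1.10:49152     74.125.226.83:443      ESTABLISHED
  TCP    192.168.1.10:49160     192.168.1.20:4444      ESTABLISHED
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:49170     192.168.1.1:80         TIME_WAIT
  UDP    192.168.1.10:137       *:*
"""

HOME_LAN = ipaddress.ip_network("192.168.1.0/24")  # assumed home subnet

# Proto, local addr:port, foreign addr:port, optional state (UDP rows have none).
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+|\*)\s+(\S+):(\d+|\*)(?:\s+(\S+))?\s*$")


class Conn(NamedTuple):
    proto: str
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int
    state: str


def parse_netstat(text: str) -> List[Conn]:
    """Turn netstat's text table into records; skips headers and UDP wildcards."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, lip, lport, rip, rport, state = m.groups()
        if rport == "*":
            continue  # '*:*' carries no peer information
        conns.append(Conn(proto, lip, int(lport), rip, int(rport), state or ""))
    return conns


def lan_peers(conns: List[Conn], lan=HOME_LAN) -> List[Conn]:
    """The check from the earlier comment: connections whose far end is another
    machine on the home network (a housemate's PC, or the router itself)."""
    flagged = []
    for c in conns:
        try:
            rip = ipaddress.ip_address(c.remote_ip)
        except ValueError:
            continue
        if rip.is_unspecified or c.remote_ip == c.local_ip:
            continue  # LISTENING sockets show 0.0.0.0:0; that is not a peer
        if rip in lan:
            flagged.append(c)
    return flagged


# Constructed: flows the router (or a second trusted PC running a capture)
# recorded leaving 192.168.1.10 in the same window: (proto, local port, peer, port).
GATEWAY_FLOWS: Set[Tuple[str, int, str, int]] = {
    ("TCP", 49152, "74.125.226.83", 443),
    ("TCP", 49199, "198.51.100.7", 8080),  # absent from the local listing above
}


def hidden_from_netstat(conns: List[Conn], gateway_flows) -> list:
    """Flows seen from outside the box but missing from its own netstat.

    A rootkit can hide entries from netstat on the compromised host; it cannot
    hide packets from the router or another machine on the wire. Only traffic
    that crosses the router is visible there, so a direct LAN-to-LAN connection
    (the friend's PC on the same router) needs a capture on the LAN segment.
    """
    local = {(c.proto, c.local_port, c.remote_ip, c.remote_port) for c in conns}
    return sorted(gateway_flows - local)


if __name__ == "__main__":
    conns = parse_netstat(NETSTAT_OUTPUT)
    for c in lan_peers(conns):
        print(f"LAN peer: {c.remote_ip}:{c.remote_port} ({c.state})")
    for flow in hidden_from_netstat(conns, GATEWAY_FLOWS):
        print(f"seen at gateway, hidden locally: {flow}")
```

On the constructed data the local listing flags the connection to 192.168.1.20:4444 and the TIME_WAIT to the router, while the gateway comparison exposes a flow to 198.51.100.7:8080 that netstat on the host never showed. The second check is the one that survives a rootkit, which is the point of the comment above.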
CERTIFIED EXPERT

Commented:
I should also mention we both use Firefox. I'm wondering if he was able to obtain any relevant security key information from my firefox browser in order to make decoding a sniffed packet easier on his end.
Unlikely - but I don't know that much about the innards of Firefox I am afraid.  And as I said there are easier ways to compromise your PC. Decoding encrypted traffic without the key is far more difficult than breaking in.

Author

Commented:
I think the program "Activity Monitor" by SoftActivity was installed.  Everything was perfect to be a very quiet install.

Thank you guys for the great info!!