Archive for the 'Security' Category

Dropping Eaves on Optical Fiber

There’s a short article on optical fiber eavesdropping over at TechRepublic. While not impossible (as the article clearly points out), it is a difficult feat to pull off in practice, for a number of reasons.

Accessibility

First, most installations use fiber in a cabling plant’s backbone (the cables between floors or buildings). These are multi-fiber cables, usually consisting of at least six, but sometimes up to one hundred forty-four (or more) fibers. The bigger the user base of the network, the more fibers you’ll find in the backbone. On these networks, you’d have to know exactly which fiber(s) carry the traffic you’re after in order to tap them. The article puts the average cost of the tap device under $1000, but I doubt you’d want to install over a hundred of them to get to one particular fiber.

As I stated earlier, the fiber backbone runs between buildings or floors. Between buildings, the optical fiber cables are usually pulled through underground conduits (typically between one and six inches in diameter) or hung on building-to-building aerial messenger strands (a fancy way to say metal lines or cables). Conduits between buildings are sometimes pressurized to keep moisture from entering and degrading the cable jacketing. Aerial fiber runs are sometimes reinforced by an interlocking armor built into the jacketing of the bundled fiber cable. These stretches are the least observed part of the run, so they are where an attacker would prefer to install the tap; but because they are so hard to get at, the practical alternative is to install the device close to the entry or exit points of the conduit or aerial run, which are also the places a defender should be inspecting.

There are some cabling installations where fiber runs all the way from the backbone to the workstation or network host. These installations are usually termed Fiber to the Desk (FTTD). In such cases an attacker would find it much easier to install the device in a location where visual detection would be difficult, since the horizontal runs pass through ceilings, walls and floor boxes.

Detection

While visual inspection is one way of finding these devices, it certainly isn’t the only way. As the article alludes, “intrusion detection devices” can detect tap devices. What I believe they are referring to here is a class of equipment that measures a fiber’s signal characteristics by transmitting a known signal into one end of the fiber and measuring what arrives at the other end (or what comes back). This is not far removed from an initial certification test.

When any network transmission medium is installed, whether twisted-pair cable, optical fiber cable or even wireless equipment, a certification test is performed on it to verify that signals travel across it without problems and in a manner consistent with the applicable standards. Repeating that test later and comparing the results against the certification is another way tap devices can be detected.

Regular re-certification can detect these types of devices not only on optical fiber cables, but on twisted-pair as well. NOTE: On twisted-pair this is effective against taps that physically break into the conductors, but not against an induction device that couples to the cable without touching the conductors. That, too, can be guarded against by using shielded or foil-screened cable.

One of the tools used to certify a fiber network is the OTDR, or Optical Time Domain Reflectometer (there are versions for copper/twisted-pair cables as well, called simply TDRs; these are what the cable company can use to make sure there are no more TVs hooked up in your home than you say there are - wow, when did I get that paranoid?). An OTDR launches short laser pulses into the fiber, typically at two wavelengths (for example 1310 and 1550 nm on single-mode), and records the light that comes back over time, which translates directly into distance along the cable. Connectors, splices, breaks and bends each show up as an event on the resulting trace: connectors and breaks as reflective spikes, splices and bends as steps where the loss increases. A bend-type tap has to bend the fiber hard enough to leak light out of the cladding, so it appears as a new loss event at a point where the certification trace had none, and it is more visible at the longer wavelength, which is more sensitive to bending. The only drawback to regular testing is the cost of the equipment, but this can be defrayed by hiring contractors to do the testing (and by keeping the certification trace on file, so there is something to compare against).

Encryption?

Another point is that of data encryption. While this is always an option, encrypting traffic on the internal network, as opposed to at the entry and exit points, is often considered overkill, mainly because of the logistics and systems involved in getting such a scheme to operate (won’t someone think of the overhead!). Bear in mind, though, that every other measure discussed here only detects a tap after it is in place; encryption is the one measure that keeps the tapped traffic from being readable.

A cheaper option is to watch for an increase in data errors, or for a drop in received optical power. Any bend sharp enough to let light escape through the cladding of the fiber, which is exactly what a bend-type tap relies on, also reduces the light that reaches the receiving end: the light the tap captures is light that never arrives at the receiver. Whether that shows up as bit errors depends on how much margin the link had. On a long run that was already close to the receiver’s sensitivity, the extra loss can cause errors or drop the link entirely, whereas a short run with plenty of margin may never notice a tap that takes only a small fraction of the light. That is why comparing today’s received power against the reading taken at installation is more useful than waiting for errors to appear.
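The two checks just described, an OTDR baseline comparison and a received-power comparison, as an added worked example in Python. This is not code from the post or from the TechRepublic article; the OTDR event tables and power readings are constructed sample data, and the thresholds (5 m event matching, 0.1 dB loss growth, 0.5 dB power drop, 1 dB above receiver sensitivity) are assumptions you would tune to your own plant.

```python
"""Two checks for a bend-type tap on a fiber span.

Added example, not code from the original post or the TechRepublic article.
Check 1 compares a fresh OTDR event table against the baseline (certification)
trace and reports events that are new or whose loss has grown.
Check 2 compares the receiver's reported optical power (the kind of reading a
switch exposes through its optics' digital diagnostic monitoring) against the
baseline reading and the receiver's sensitivity.
All traces and power readings here are constructed sample data, not measurements.
"""
import math
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class OtdrEvent:
    distance_m: float                 # position of the event along the fiber
    loss_db: float                    # insertion loss of the event
    reflectance_db: Optional[float]   # None for a non-reflective (loss-only) event, e.g. a bend or fusion splice


def new_or_worse_events(baseline: List[OtdrEvent], current: List[OtdrEvent],
                        match_m: float = 5.0, min_delta_db: float = 0.1) -> List[Tuple[str, OtdrEvent]]:
    """Return (reason, event) pairs for events in `current` that have no
    counterpart in `baseline` within match_m metres, or whose loss grew by at
    least min_delta_db.  A clip-on bend coupler shows up as a new non-reflective
    loss event where the certification trace had nothing, which is the strongest
    sign; an existing splice getting worse is weaker evidence and may just be ageing.
    """
    findings = []
    for ev in current:
        match = next((b for b in baseline if abs(b.distance_m - ev.distance_m) <= match_m), None)
        if match is None:
            findings.append(("new event", ev))
        elif ev.loss_db - match.loss_db >= min_delta_db:
            findings.append(("loss increased", ev))
    return findings


def tap_fraction_to_db(fraction: float) -> float:
    """Loss in dB seen on the link when a tap diverts `fraction` of the light:
    -10*log10(1 - f).  A 10 % tap costs only ~0.46 dB and a 1 % tap ~0.04 dB,
    which is why a carefully set tap can hide inside normal power fluctuation."""
    return -10.0 * math.log10(1.0 - fraction)


def rx_power_alert(baseline_dbm: float, current_dbm: float,
                   sensitivity_dbm: float, warn_db: float = 0.5) -> str:
    """Classify a receiver power reading against the reading taken at installation.
    'link-margin' : within 1 dB of the receiver's sensitivity, where bit errors
                    and link drops begin (the symptom described in the text)
    'warn'        : an unexplained drop of at least warn_db, worth an OTDR shot
    'ok'          : otherwise
    """
    if current_dbm <= sensitivity_dbm + 1.0:
        return "link-margin"
    if baseline_dbm - current_dbm >= warn_db:
        return "warn"
    return "ok"


# Constructed sample data: the certification trace vs. a trace taken today.
BASELINE_TRACE = [
    OtdrEvent(0.0, 0.30, -45.0),     # launch connector
    OtdrEvent(412.0, 0.08, None),    # fusion splice
    OtdrEvent(905.0, 0.35, -50.0),   # far-end connector
]
TODAYS_TRACE = [
    OtdrEvent(1.0, 0.30, -45.0),
    OtdrEvent(411.0, 0.09, None),
    OtdrEvent(640.0, 0.60, None),    # non-reflective loss where nothing used to be
    OtdrEvent(906.0, 0.36, -50.0),
]


if __name__ == "__main__":
    for reason, ev in new_or_worse_events(BASELINE_TRACE, TODAYS_TRACE):
        print(f"{reason}: {ev.loss_db:.2f} dB at {ev.distance_m:.0f} m")
    print(f"a 10% tap costs {tap_fraction_to_db(0.10):.2f} dB of link budget")
    print(rx_power_alert(baseline_dbm=-9.0, current_dbm=-9.7, sensitivity_dbm=-20.0))
```

The event comparison only works if the certification trace was kept; without a baseline, a 0.6 dB non-reflective event at 640 m looks like any other splice. The power check is cheap enough to run from the switch continuously, but the `tap_fraction_to_db` figures show its limit: a tap that diverts a few percent of the light sits below any sensible alert threshold, so the OTDR comparison remains the stronger check.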

Costs

Finally, when you use a fiber tap, you also have to know what type of network application is running over the fiber. Some applications transmit on multiple wavelengths of light over a single fiber, not just one, in order to carry more data; Ten Gigabit Ethernet has a variant (10GBASE-LX4) that does exactly this with four wavelengths, and WDM transport systems carry many more. Ten Gigabit Ethernet equipment is more complex than Gigabit Ethernet and therefore more costly. I’m not sure I believe that $1000 quote for the fiber tap, unless it’s the cost of the tap only and not of the optical equipment needed to decode the signals.

Conclusions

While the article brings up good points about no transmission medium being a silver bullet against eavesdropping, it also has many weak points on ease of implementation, and seems to exaggerate these. As I tend to tell people who are new to the web, you have to take everything with a grain of salt. The technology described in the article is really cool, so it’s worth a look - but keep in mind that not everything you read can be taken at face value.

Links:
Article: Protect your network against fiber hack
Via: Schneier on Security

Holy Covert Channels Batman!

A covert channel is a means of communication that is non-standard: in other words, messages sent by other than normal means (more here). One method (vector) used as a covert channel is steganography. Steganography is a means of hiding the existence of a message, usually inside images like JPEGs, as opposed to cryptography, where the message is encrypted but its existence is obvious. Over at Daily Cup of Tech (great site, by the way, worth a good dig through the articles) they’ve posted a video which details how to use a compression tool and a built-in Windows command line utility (FINALLY, a real use for cmd, and it works with GNU/Linux tools too) to embed files into JPEG or other image files. Strictly speaking this isn’t steganography: the archive is appended after the image’s end-of-image marker rather than hidden in the picture data, so anyone who notices the file size or looks past that marker will find it. It’s still just too cool! Can’t wait to try this one out on my own!!!

link
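The hide-and-detect side of the trick above, as an added example in Python; this is not code from the post or from the Daily Cup of Tech video. It assumes the technique in the video is the usual one: build an archive, then concatenate it onto the end of the image (on Windows `copy /b picture.jpg + secret.zip out.jpg`, on Linux `cat picture.jpg secret.zip > out.jpg`). The JPEG used here is a hand-built marker skeleton with filler scan data, enough for a marker walker but not a picture you could view.

```python
"""Hide a zip after a JPEG, then find it again by walking the JPEG's markers.

Added example, not code from the original post or the Daily Cup of Tech video.
SAMPLE_JPEG is a constructed marker skeleton (SOI, APP0, DQT, SOF0, DHT, SOS,
EOI) with placeholder tables and filler scan data; it is not a real picture.
"""
import io
import zipfile


def _segment(marker: int, payload: bytes) -> bytes:
    """One marker segment: FF xx, two-byte big-endian length (which counts itself), payload."""
    return bytes([0xFF, marker]) + (len(payload) + 2).to_bytes(2, "big") + payload


SAMPLE_JPEG = (
    b"\xff\xd8"                                                        # SOI
    + _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")  # APP0 (JFIF header)
    + _segment(0xDB, b"\x00" + bytes(64))                              # DQT, placeholder table
    + _segment(0xC0, b"\x08\x00\x08\x00\x08\x01\x01\x11\x00")          # SOF0: 8x8, one component
    + _segment(0xC4, b"\x00" + bytes(16))                              # DHT, empty table
    + _segment(0xDA, b"\x01\x01\x00\x00\x3f\x00")                      # SOS header
    + b"\x12\x34\xff\x00\x56\x78"                                      # scan data; FF 00 is a stuffed byte, not a marker
    + b"\xff\xd9"                                                      # EOI
)


def jpeg_end_offset(data: bytes) -> int:
    """Walk the marker structure and return the offset just past EOI.

    Walking segments instead of searching for the last FF D9 matters: an
    embedded EXIF thumbnail, or the appended payload itself, may contain FF D9.
    """
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos, n = 2, len(data)
    while pos + 1 < n:
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:                                 # fill byte before a marker
            pos += 1
            continue
        if marker == 0xD9:                                 # EOI: the picture ends here
            return pos + 2
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:       # TEM / RSTn carry no length field
            pos += 2
            continue
        pos += 2 + int.from_bytes(data[pos + 2:pos + 4], "big")
        if marker == 0xDA:                                 # SOS: skip the entropy-coded data
            while pos + 1 < n:
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break                                  # a real marker follows
                pos += 1
    raise ValueError("EOI marker not found")


def hide_archive(jpeg: bytes, files: dict) -> bytes:
    """The copy /b trick: zip the files, then append the archive to the image."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return jpeg + buf.getvalue()


def trailing_payload(data: bytes) -> bytes:
    """Whatever follows EOI; b'' for a clean file.  Image viewers stop at EOI,
    so they show the picture and never complain about the extra bytes."""
    return data[jpeg_end_offset(data):]


def extract_hidden_archive(data: bytes) -> dict:
    """Recover files from a zip appended after EOI; {} if nothing is there."""
    tail = trailing_payload(data)
    if not tail.startswith(b"PK\x03\x04"):
        return {}
    with zipfile.ZipFile(io.BytesIO(tail)) as zf:
        return {name: zf.read(name) for name in zf.namelist()}


if __name__ == "__main__":
    stego = hide_archive(SAMPLE_JPEG, {"note.txt": b"meet at noon"})
    print(f"picture ends at byte {jpeg_end_offset(stego)} of {len(stego)}")
    print("hidden files:", extract_hidden_archive(stego))
```

Running `trailing_payload` over a directory of images is all it takes to catch this: the appended bytes are not hidden in any meaningful sense, just ignored by viewers. Tools that do real steganography alter the pixel or DCT coefficient data instead, which is why the file size stays plausible and a marker walker finds nothing.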

Microsoft® Network Monitor 3.0

Over the weekend (between yard projects) I managed to download and do a little playing with Microsoft’s Network Monitor 3.0. While I prefer Wireshark, Microsoft’s price seems to be right for this product (free download here). While clean and efficient, I found the fields a bit congested (always a problem when trying to display a lot of information; screen real estate becomes a premium).

[image: network capture example]

Overall, this seems to be a good “quick-and-dirty” analyzer. I’ll have to dig into it a little further (for instance, to find out what that “frame buffer manager” is), but filtering seems simple enough, it does a nice job of breaking out the packet information, and you’re able to display individual packets in a separate window. I also like the multi-tabbed approach (something MS doesn’t always do well) to displaying captures.

Pluses:

Check box selection of capture interfaces (including loopback)
Tabbed navigation
Plug-in compatible
Easy colorization filters
Clean and efficient overall appearance

Minuses:

As I mentioned, you can quickly become overwhelmed looking at all that data, and it doesn’t seem to have the greatest default layout
No automatic lookup of protocols (as in Wireshark)
Good program documentation, but it seems to be missing protocol/traffic information of any kind
The first load is always a bit long (it has to load all the parsers into memory); subsequent loads are faster, however

Overall, a good addition to any network monitoring toolkit.