Stealing Data from the Internal Network
As depicted in Figure 9, Hannibal installed a sniffing tool on the internal DNS server. Sniffers, also known as network monitors, grab all data passing across a local area network. Because the DNS server was located in a data center on the same network segment as many other systems, Hannibal was able to steal sensitive customer information flowing on the internal network. Many sniffers do not work well on a switched network, such as the one employed by Clarice Commerce. However, a technique known as ARP cache poisoning allows an attacker to redirect traffic on a switched network and sniff data even in a switched environment. Hannibal used a sniffer tool that included ARP cache poisoning, such as the popular Dsniff tool, to grab information from the internal network.
Hannibal's sniffer grabbed all kinds of sensitive information on the internal network. In addition to sensitive corporate e-mail messages and passwords, Hannibal also sniffed customer names, accounts, and credit card information from the internal network. This information is the mother lode Hannibal desired!
Figure 9 The attacker sniffs sensitive customer data, including personal information and credit card numbers.
Mistake #7: Clarice Commerce sent sensitive data across its internal network without any encryption. With no cryptographic protection, an attacker or malicious employee on the internal network could intercept any sensitive communication. For critical servers exchanging sensitive information, all data should be encrypted as it moves across the network, even across an internal network.