The Canadian Security Information and Event Management initiative, which launched in 2019, has brought together security analysts from across the National Research and Education Network (NREN) to share information and best practices, and collaborate on new cybersecurity tools. One of the more interesting tools they recently implemented was from an idea that came out of the University of Alberta. The university’s security team created a “plaintext password sniffer” in 2017-18 to detect and secure their institution against phishing attempts, as well as insecure online passwords.
Andrew Klaus, Cybera’s security analyst, has now developed a portable, open source variation of the tool that can be used by anyone.
In this post, we talk to Andrew about SniffPass, and how other organizations can start using it.
So, what does SniffPass do?
The University of Alberta originally created a password “sniffing” plugin to address the phishing emails being sent to staff and students. In most cases of phishing, the user is sent a scam email that invites them to login to a common online platform, like Google or Facebook. But the actual link they are given goes to a false login page. So when the person logs in, the scammer gets their personal details.
The university’s plugin detects when and where login information is being entered on an unencrypted website over the campus network, and automatically double checks the credentials the user supplies against the university’s own database to see if they are valid credentials. If the website is deemed insecure, they automatically disable the account and reset the user's password. This is normally done after the user has entered their login information, but it can also automate the detection and analysis of the credentials before a bad actor uses a user’s personal login information.
SniffPass takes this same concept, but ties it in with Zeek (a popular open source Network Security Monitoring tool, formerly called Bro). What’s great about the revised tool is that it allows you to use other programming languages, such as Python, to automate an action when a credential is found. For example, you can write a script to check your internal authentication system to see if a phished username/password is valid, and if not, disable the account. This can all be done live without storing the password to disk (which SniffPass doesn’t do by default).
Are there any other tools that do this?
There’s no equivalent out there. In fact, the University of Alberta recently won a 2019 Canadian University Council of CIOs (CUCCIO) Award for Innovation for their password sniffing tool.
How did you get involved?
I suggested that Cybera could help rewrite the University’s version in a portable fashion, and make it more scalable. I realized that it could be written in Zeek, which would make it freely (and easily) accessible to other organizations around the world.
Because Zeek is so extendable, SniffPass actually scaled better than the University of Alberta’s tool (which could only run on a single server). They are now using this version across their whole environment.
And are others using it?
Yes, the software is used by some institutions under the Canadian Security Information and Event Management initiative. Because it’s open source, there’s no reliable way to know how many others outside of this project are also using it.
That said, we’ve had someone from Turkey reach out to us to ask about extending its functionality, so it definitely is getting global pickup!
What’s next for SniffPass?
Right now it only detects certain types of web traffic, specifically when someone logs on to a webpage. There are some other protocols it can’t look at right now, which we’re investigating for future inclusion. We’re also open to ideas, so if other contributors have a suggestion, we may look at adding that in.
Any calls to action for IT teams at education organizations?
Yes, I would encourage any organization or group that’s looking at preventative security issues to start using SniffPass!
Of course, I should point out that this won’t prevent phishing attacks — SniffPass just adds one layer of defense. Organizations should still take steps to train all staff to be cautious with incoming emails, and not go clicking on everything that comes into their inbox.
Ultimately, staff should be encouraged to stay curious and ask questions. If you think an email looks suspicious, and your “spidey sense” is tingling, don’t be afraid to ask your IT team for their advice!