- 01-11-2007 #1 Just Joined!
- Join Date
- Jan 2007
- Posts
- 1
Desperate call for help - how to detect if someone is sniffing MSN conversations
I suspect that one of my house guests is "sniffing" my MSN conversations, and this is having a devastating effect on me.
I use regular Windows XP, and he has Debian GNU installed.
I know that he has an application that can sort of achieve this (I think). It's an add-on to the Debian OS called Wired... something.
My question to all you experts is:
Can he easily read/keep my MSN conversations with this software?
How can I know for sure if this is happening?
P.S. This person has access to my network.
- 01-11-2007 #2
I suspect the program is Wireshark. I don't really know how to properly use Wireshark, but from what I understand, it can only analyze network traffic in the same computer.
Please be aware this is not a cracker forum, and Linux is not a cracker tool.
Put your hand in an oven for a minute and it will be like an hour, sit beside a beautiful woman for an hour and it will be like a minute, that is relativity. --Albert Einstein
Linux User #425940
Don't PM me with questions, instead post in the forums
- 01-11-2007 #3
If the Debian box is at the gateway, all your chat traffic can be easily screened, and most of the chat applications use plain traffic (e.g. XML, etc.) with no encryption. So any sniffers on the way can easily see all your traffic.
You can make sure that the box is running a sniffer (by checking if its card is set up in promiscuous mode or not), but you cannot say if the box is sniffing your MSN traffic or anything.
- 01-11-2007 #4 Just Joined!
- Join Date
- Jan 2007
- Location
- Madrid, but right now I am in Canberra (Australia) on an exchange program
- Posts
- 1
Yup, Juan Pablo is right, it sounds like Wireshark. If he has access to the same network, it is very likely that he is doing a man-in-the-middle attack (probably using ettercap).
However, to find out, just do a traceroute to your gateway, and if he's doing the MITM attack he should appear between you and the gateway.
Another way is to get a sniffer such as Wireshark and check if somebody is spoofing your ARP tables.
Either way, to solve it you can do two things:
Try to use encryption on MSN, but in the case he's doing a man-in-the-middle he's probably creating false certificates as well. So don't accept any pop-ups with unknown certificates, even if they say they are from Microsoft.
Another way is to hard-code the gateway's MAC address in your ARP table.
And lastly..., bad news for you. If you have been accepting unknown SSL certificates (which is something you should never do), he's probably got your passwords. So before selling him out..., be smart and change them!
Best of luck to you, and I hope it all turns out well.
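An added example, not part of the original post: one way to carry out the ARP-table check suggested above is to parse the output of `arp -a` on the Windows machine and test the gateway's entry. The sample table, the addresses and the recorded gateway MAC are constructed for illustration, and the function names are hypothetical.

```python
import re

# Constructed sample of Windows `arp -a` output (not captured from a real host).
# 192.168.1.1 is the assumed gateway; in this sample its entry carries the same
# MAC as the host at 192.168.1.23, which is what a poisoned cache looks like.
SAMPLE_ARP_OUTPUT = """
Interface: 192.168.1.10 --- 0x2
  Internet Address      Physical Address      Type
  192.168.1.1           00-0c-29-aa-bb-cc     dynamic
  192.168.1.23          00-0c-29-aa-bb-cc     dynamic
  192.168.1.40          00-16-17-de-ad-01     dynamic
"""

ENTRY = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+((?:[0-9a-f]{2}[-:]){5}[0-9a-f]{2})\s+(\w+)",
    re.IGNORECASE | re.MULTILINE,
)

def normalise(mac):
    """Lower-case, colon-separated form so dash and colon notations compare equal."""
    return mac.lower().replace("-", ":")

def parse_arp_table(text):
    """Return {ip: (mac, entry_type)} for every entry line in `arp -a` output."""
    return {ip: (normalise(mac), kind.lower()) for ip, mac, kind in ENTRY.findall(text)}

def check_gateway(table, gateway_ip, known_gateway_mac=None):
    """Return a list of findings about the gateway's ARP entry (empty if clean)."""
    if gateway_ip not in table:
        return ["gateway %s has no ARP entry yet" % gateway_ip]
    findings = []
    gw_mac, kind = table[gateway_ip]
    # One MAC answering for the gateway and for another host is the classic
    # symptom of the ARP table being spoofed by that host.
    sharing = sorted(ip for ip, (mac, _) in table.items()
                     if mac == gw_mac and ip != gateway_ip)
    if sharing:
        findings.append("gateway MAC %s is also claimed by %s" % (gw_mac, ", ".join(sharing)))
    # Compare against a MAC recorded earlier from the router itself (assumed value).
    if known_gateway_mac and gw_mac != normalise(known_gateway_mac):
        findings.append("gateway MAC %s differs from recorded %s" % (gw_mac, known_gateway_mac))
    if kind != "static":
        findings.append("gateway entry is %s, not pinned as a static entry" % kind)
    return findings

if __name__ == "__main__":
    for finding in check_gateway(parse_arp_table(SAMPLE_ARP_OUTPUT),
                                 "192.168.1.1", "00-1a-2b-3c-4d-5e"):
        print(finding)
```

A clean result only says the cache looked sane at the moment it was read, so the check is worth repeating while the chat session is active.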
- 01-11-2007 #5
Quote: "How can I know for sure if this is happening?"
You can't know for sure. Any hop from you to the recipient can potentially be sniffed for packets. That's why you should treat IM traffic as any other plain-text traffic: it is not necessarily free from prying eyes.
As was mentioned, if the Debian box is a gateway, run rkhunter on it. That will check for promiscuous interfaces.
If you want your communications to be secure, you're going to need to encrypt them, period. That is the reality today.


