Slashdot Mirror


Man-in-the-Middle Attack on MySpace with Cain

Slimjim100 writes "Last year at ChicagoCon 2007, Brian Wilson gave a great talk entitled "Cain & Abel: Windows Can Hack, Too!" Although the presentation and audio recording of the talk can be downloaded from the ChicagoCon site at Library, I had totally forgotten to publish his videos. Just in case things didn't go as planned during the live event or his laptop crapped out on him, Brian made a video of the MITM attack he demonstrated using Cain. You get to see how Myspace and other social networking sites are not designed with security in mind."

45 comments

  1. Brian Wilson by Hatta · · Score: 2, Funny

    Wow, musically talented and a computer hacker. I guess myspace isn't giving him good vibrations now though.

    --
    Give me Classic Slashdot or give me death!
    1. Re:Brian Wilson by The Truthiness Hurts · · Score: 1

      Brian Wilson the influential 1960s music icon, or Brian Wilson the Scottish MP? I'm glad the submitter clarified it for us.

    2. Re:Brian Wilson by Anonymous Coward · · Score: 0

      Haven't you heard? Brian Wilson is the new John Smith.

  2. Security? by rbochan · · Score: 4, Insightful

    Of course they're not designed with security in mind. They're designed with data mining and ad-hits in mind.

    --
    ...Rob
    The American Dream isn't an SUV and a house in the suburbs; it's Don't Tread On Me.
  3. Duh.... by Anonymous Coward · · Score: 1

    HTTP and other plain text protocols vulnerable to MITM, film at 11.

  4. And if they used https? by Henry V .009 · · Score: 4, Insightful

    And if they used https instead, about .01% of their users would be computer savvy enough to check the certificate when the warning pops up. People just click through. Even technical users simply assume that the certificate was allowed to lapse or something. https is not a panacea for man in the middle attacks.

    1. Re:And if they used https? by SanityInAnarchy · · Score: 1

      Actually, no, as a technical user, it's incredibly easy to see the reason that the certificate isn't valid -- and if there were shenanigans going on, it wouldn't be because it was expired.

      Also, https means it is actually possible to be secure -- you check that https is in the URL, and you refuse to connect if the certificate isn't valid.

      Some sites default to http, but allow https. But no https means that option isn't even there -- you are going to be vulnerable, period. That's one of the many reasons I don't use MySpace.

      --
      Don't thank God, thank a doctor!
  5. Securing against Cain and Abel by Zombie Ryushu · · Score: 0

    I'm a little more concerned about script kiddies getting access to this Cain and Abel utility and doing a bunch of damage. I myself use Metasploit to test my network for weaknesses, and Sleuth Kit for forensics.

  6. This is not new by Cytlid · · Score: 4, Insightful

    This is a local ARP poisoning attack.

    What did the notice to Myspace/google etc consist of? I can break things on my local LAN, so fix your site?

    If he did this in my office he'd get a tire iron to the head because I could walk over to him and do it.

    --
    FLR
    1. Re:This is not new by call-me-kenneth · · Score: 2, Interesting

      What did the notice to Myspace/google etc consist of? I can break things on my local LAN, so fix your site? Well, yes.

      The point is that, as you observe, it's trivial on many switched LANs to ARP poison and steal session credentials. (It's all about the session, dummy, not the data.) Pinch a Gmail password from a co-worker and you probably own their domain password, brokerage, online banking,... passwords as well.

      You're right that this is nothing new, but the fix is really trivial. Use SSL or TLS. Gmail does support this; browse to https://mail.google.com/, bookmark that and you're done. It's not like the cost of the extra cycles is that great compared with ten years ago.

    2. Re:This is not new by Cytlid · · Score: 1

      Or heighten up the layer 2 security. If I only allow one MAC address per switchport, this wouldn't work. Why fix the remote side when the problem is local? Add some 802.1x authentication, and you're not even getting on my LAN unless you're authenticated.

      --
      FLR
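    The thread above describes the attack as local ARP cache poisoning and the fix as layer-2 hygiene. As an added defender-side example (not code from the original thread or from the Cain tool), the script below watches ARP replies for the two symptoms such poisoning leaves on the wire: an IP whose MAC changes from what was first learned, and one MAC that answers for the gateway and for another host at the same time. The log lines are constructed in a tcpdump-like "ARP, Reply <ip> is-at <mac>" shape; the addresses are made up.

```python
import re
from collections import defaultdict

# Constructed sample (not a real capture): the gateway 192.168.1.1 first
# answers with its own MAC, then the host with MAC ...:30 starts answering
# for both the gateway and 192.168.1.20, which is the man-in-the-middle
# position a poisoning tool takes between a victim and the gateway.
SAMPLE_ARP_LOG = """\
10:00:01 ARP, Reply 192.168.1.1 is-at 00:11:22:33:44:01
10:00:02 ARP, Reply 192.168.1.20 is-at 00:11:22:33:44:20
10:00:03 ARP, Reply 192.168.1.30 is-at 00:11:22:33:44:30
10:00:10 ARP, Reply 192.168.1.1 is-at 00:11:22:33:44:30
10:00:11 ARP, Reply 192.168.1.20 is-at 00:11:22:33:44:30
10:00:12 ARP, Reply 192.168.1.1 is-at 00:11:22:33:44:30
"""

ARP_REPLY = re.compile(
    r"^(?P<ts>\S+) ARP, Reply (?P<ip>\d+\.\d+\.\d+\.\d+) is-at "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})$", re.IGNORECASE)


def parse_arp_replies(text):
    """Yield (timestamp, ip, mac) for each ARP reply line; skip anything else."""
    for line in text.splitlines():
        m = ARP_REPLY.match(line.strip())
        if m:
            yield m["ts"], m["ip"], m["mac"].lower()


def detect_arp_spoofing(text, gateway_ip):
    """Return alert strings for IP->MAC changes and for a MAC that claims the
    gateway plus at least one other host (reported each time its claim set grows)."""
    learned = {}               # ip -> MAC first seen answering for it
    claims = defaultdict(set)  # mac -> every IP it has answered for
    alerts = []
    for ts, ip, mac in parse_arp_replies(text):
        before = len(claims[mac])
        claims[mac].add(ip)
        if ip not in learned:
            learned[ip] = mac
        elif learned[ip] != mac:
            alerts.append(f"{ts} MAC change for {ip}: {learned[ip]} -> {mac}")
        if gateway_ip in claims[mac] and len(claims[mac]) > max(before, 1):
            others = sorted(claims[mac] - {gateway_ip})
            alerts.append(f"{ts} {mac} answers for gateway {gateway_ip} and {others}")
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_spoofing(SAMPLE_ARP_LOG, "192.168.1.1"):
        print(alert)
```

    A static ARP entry for the gateway, or the per-port MAC limit the reply above mentions, stops the poisoning itself; this only tells you it happened.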
    3. Re:This is not new by SanityInAnarchy · · Score: 1

      I can break things on my local LAN, so fix your site?

      When "my local LAN" is some random wifi hotspot, it would be nice to have it not be broken there.

      And "fix your site" is as simple as sticking https in front of it. Google has this as an option, anyway.

      --
      Don't thank God, thank a doctor!
  7. Do I understand this correctly? by bigtallmofo · · Score: 4, Insightful

    He has two systems on his local network. He's using a "man in the middle" attack to use System A to sniff the traffic of System B. Then he's pointing out that you can get passwords from systems like MySpace because it's not encrypted.

    How is this a big deal? This does not allow someone to get anyone's password that isn't on their same network. There are easier ways to get someone's password if you're on the same network as them, starting with slapping them until they give you their password. But it all comes back to - if the site matters, it's using HTTPS.

    --
    I'm a big tall mofo.
    1. Re:Do I understand this correctly? by aredubya74 · · Score: 1

      Yeah, it's less man-in-the-middle than man-on-the-same-subnet, so it's a particularly easy attack. The tool is quite slick about automating it though, so some definite kudos are deserved. Besides, slapping them repeatedly might reveal your intentions, while ARP cache poisoning is a little more subtle.

      However, he shouldn't be contacting MySpace with "fix your website's security" - he should be contacting the router vendor(s) whose gear is so easily poisoned.

      --
      RW

    2. Re:Do I understand this correctly? by cjb658 · · Score: 1

      It's a bigger threat in places like schools, where students (sometimes) have access to the staff wired networks.

      And of course, if you use wireless that's unencrypted or barely encrypted (i.e., with WEP), you're susceptible to this too. Even if you plug your computer in, if there is a wireless access point on the same subnet, you can be ARP poisoned.

  8. Cain and Abel aren't new. by Scytheford · · Score: 4, Informative

    Hell, I remember scriptkiddying passwords out of .pwl files in '00. These apps have been around for a long time.

    1. Re:Cain and Abel aren't new. by Deanalator · · Score: 2, Informative

      Ah yes, back in the day that was all Cain could do :-) I remember using ftp in Windows to bypass the restrictions on the Windows Explorer, and cracking all my friends' passwords. Fun times had by all.

      Cain has actually progressed by ridiculous leaps and bounds since then. It can now parse and decode pretty much any password from any protocol off the network or out of a file. It can also do things like recording VoIP phone calls, and SSH2 sessions etc. It also has a pretty decent set of wireless cracking tools built in, far more than any wireless cracking tool that I have seen in Linux. It's almost enough to make me switch to Windows :-)

      Also, as a professional security researcher, I have to ask, who the fuck is Brian Wilson, what the fuck is ChicagoCon, and why the fuck is there a slashdot article about sniffing plain text http traffic in 2008?

  9. Don't use MySpace! by Doug52392 · · Score: 5, Insightful

    MySpace is notoriously insecure and a hacker or spammer's playground. The first thing I noticed when I created an account 10 months ago is that there was no HTTPS logon. Even Facebook has that!

    But even if they were to use HTTPS, that still wouldn't solve MySpace's issues. A lot of the people on my Friends List were not very tech savvy (like a lot of users), and, since most of them were teens, they easily fell for phishing scams and hacks. And then I get punished for their poor security practices by having my message board filled with ads for the "free, HoTtEsT ringtones!!!!" and "see girls naked!!!!" (btw all of those sites had viruses or malware on them). I stopped using MySpace after 2 months, I got tired of all the insecurity.

    If I were to run this attack on the computers at my high school, I could cripple a lot of kids' social lives (and get expelled when the admins see :) I see SO many of my classmates using proxies to get on MySpace at school (even though it's against school rules, which I don't blame after seeing some of my classmates' MySpace pages). They just don't understand how easily I could get their password (or whoever's running the proxy, or even the admins). And it's worse when you wonder how many kids use the same user name and password for everything...

    Kids these days are just not educated enough on good security practices, or show a lack of common sense with this stuff...

    1. Re:Don't use MySpace! by insertwackynamehere · · Score: 1

      I set up my own HTTP proxy on my own webserver (well okay it was remotely hosted webspace but w/e) and pw protected it. Too bad it didn't work 100% being HTTP based and not a real proxy but it's all good. This was like 10th or 11th grade so I could get onto Sconex, a pre-Facebook now dying high school networking site. At one point however, Websense classified my website as Adult content so I had to write to them and angrily question how they had arrived at that conclusion. They apologized and fixed it.

    2. Re:Don't use MySpace! by Anonymous Coward · · Score: 0

      If you ran that yourself and hid your tracks on your machine, your school admins are not, in any chance in hell, savvy enough to catch you.

      High school IT departments are very low paid, therefore they either are never on site, or low skilled.

      Unless you are hacking the school's servers or trying to disable or get around the transparent proxy, the IT admins don't give a rat's ass. We're busy trying to deal with the Spanish teacher that can't understand computers.

      One of my side jobs is I am the IT admin for 3 charter high schools, I am there 1 day every 2 weeks for 2 hours (I'm in the never-there category). Try and crack the servers or grade software and I'm on your butt like glue. Screw up a few hundred dweebs' MySpace pages? Don't care.

      Good luck getting to MySpace though. My transparent proxy won't let you do it, and no, your proxy trick don't work and you can't open an SSH tunnel to home either. Port 80 outgoing only and all traffic is filtered incredibly hard.

      So if you can get to MySpace from school, then your local admins are drooling idiots. Feel free to do an advanced attack, you are way more advanced than they are. Just keep your F'ing mouth shut. You idiots go bragging when you do something; only posers brag. Not even your best friend is to know.

  10. Ettercap has been there for ages now by LiquidNitrogen · · Score: 1

    This sounds similar to Ettercap, and how is this useful on the internet unless you are on some intranet gateway?

    1. Re:Ettercap has been there for ages now by temugen · · Score: 1

      It's not different. They were merely showing that there were tools available to perform the same attacks on Windows (although I think even the majority of linux hackers have already heard of Cain and Abel).

  11. Totally hyped news by prxp · · Score: 1

    For starters it's a local ARP poisoning attack, no big deal. Ok, MySpace doesn't encrypt the login session, but let's assume it was Google's Gmail instead (they do encrypt the login session). With the same attack, it would be as easy to capture Gmail's session cookies and then be granted access to the victim's email account. I'll probably make a video and post it to /. under the title: "Man-in-the-Middle Attack on Gmail with Cain". That would get a lot more attention!

  12. Surprised?? by fluch · · Score: 3, Insightful

    Honestly? Social sites and security? Why should they be interested in it??

    1. Re:Surprised?? by plover · · Score: 1

      Because people do stupid things repeatedly.

      Let's say I discovered you had logged on to Facebook with the username of "fluch" and a password of "blather". The next thing I'm going to try is to log on to gmail and try signing on as "fluch@gmail.com" with a password of "blather". After that, I'm going to try the same attack on paypal.com, amazon.com, bankofamerica.com and a thousand other places that you might be foolish enough to use the same ID and password and have the authority to spend money.

      For over 50% of the people out there, this is going to work.

      And if you're not one of those 50%, I'm simply going to try my attack again on someone else because the chances are good that they're one of the stupid people. There are a lot of fish in the ocean.

      --
      John
  13. Yes, but... by Shuntros · · Score: 1

    You would hope that a site like MySpace would get a properly signed certificate from a CA. That way, no pop-up... When was the last time you got a pop-up visiting your bank, or PayPal etc? Answer, never. Reason being that the big boys (VeriSign etc) are pre-populated in browser CA stores as trusted. A self-signed certificate will of course always pop a warning up, but only because the browser can't verify the authenticity of the cert as it's not from a trusted CA.

    1. Re:Yes, but... by Wordsmith · · Score: 2, Informative

      The point isn't that you'd get a pop-up when everything's going right - you'd get a pop-up when someone's attempting the man-in-the-middle attack. And if the users aren't savvy, or assume as the OP said that the certificate has just expired, they're going to click through anyway.

    2. Re:Yes, but... by Anonymous Coward · · Score: 1, Insightful

      The point is they would agree to the warnings on a false certificate during a man-in-the-middle attack.

    3. Re:Yes, but... by Captain DaFt · · Score: 1

      "When was the last time you got a pop-up visiting your bank, or PayPal etc?"

      Last week: http://www.theregister.co.uk/2008/03/10/hsbc_cert_glitch/
      Fortunately, it was not a problem, as people would recognize the site as legitimate anyway. (Well, that's what the bank said.)

      "Answer, never."

      Never say never.

      --
      The U.S. really needs an English to Wisdom dictionary.
    4. Re:Yes, but... by Burz · · Score: 1

      Exactly. I've trained everyone I know to reject https connections that have cert warnings, based on the reasoning that there is no excuse whatsoever for a med-large site operator to have a lapsed cert.

      And you know what, they HEED my advice. They now have a priceless tool to protect themselves online where no one had ever mentioned it to them before.

      IMO, we can't blame users where they've been kept ignorant, and in the case of https most techies write users off as click-through morons instead of taking 5 min with them. And most of the techies don't even know how to use https properly, thinking that the lock symbol is all you have to look for (the proper way is to check the domain name at the same moment you check for the lock).

      Three criteria of https: 1) No cert warnings appear, 2) lock is present in address bar, 3) domain name is correct. Very simple, but if any one criterion is overlooked then you're not verifying link security.
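      The three criteria above, and the "lapsed cert" excuse discussed earlier in the thread, map onto checks a client can make on the certificate it is shown. As an added example (not code from the original thread), the function below applies them to a certificate dict in the shape Python's `ssl.SSLSocket.getpeercert()` returns: validity period, whether the connection is TLS at all, and whether the name on the certificate actually matches the host, including the rule that a wildcard covers exactly one DNS label. The certificate values and hostnames are constructed; real chain and signature validation stays with the TLS library and is not reimplemented here.

```python
import ssl

# Constructed certificate in getpeercert() shape; names and dates are made up.
GOOD_CERT = {
    "subject": ((("commonName", "www.example-bank.test"),),),
    "issuer": ((("commonName", "Example Trusted CA"),),),
    "subjectAltName": (("DNS", "www.example-bank.test"),
                       ("DNS", "*.login.example-bank.test")),
    "notBefore": "Jan 01 00:00:00 2008 GMT",
    "notAfter": "Dec 31 23:59:59 2008 GMT",
}
MID_2008 = ssl.cert_time_to_seconds("Jun 01 00:00:00 2008 GMT")


def name_matches(pattern, hostname):
    """Case-insensitive DNS name match; a leading '*' covers exactly one label."""
    p, h = pattern.lower().split("."), hostname.lower().split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return h[0] != "" and p[1:] == h[1:]
    return p == h


def cert_dns_names(cert):
    """DNS names from the SAN extension, falling back to the subject CN."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ())
                 for k, v in rdn if k == "commonName"]
    return names


def check_https_link(cert, hostname, now, is_tls=True):
    """Return (ok, problems): empty problems means all three criteria held."""
    problems = []
    if not is_tls:
        problems.append("no lock: connection is not TLS")
    if cert is None:
        problems.append("no certificate presented")
        return False, problems
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if not not_before <= now <= not_after:
        problems.append("cert warning: outside validity period")
    if not any(name_matches(n, hostname) for n in cert_dns_names(cert)):
        problems.append(f"domain mismatch: certificate is not for {hostname}")
    return not problems, problems


if __name__ == "__main__":
    for host in ("www.example-bank.test", "login.example-bank.test"):
        print(host, check_https_link(GOOD_CERT, host, MID_2008))
```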

  14. If you're not on someone's LAN by myspace-cn · · Score: 1, Informative

    If you're not on someone's LAN how is this useful?

    I can see it could be used on some insecure wireless access point, but unless you got root to my box you're not GOING to run CAIN and ABEL.
    So yes, for some people with insecure "convenience wireless networks" or "convenience LAN party" this could be a problem. But those same idiots are a good target for attacking other targets with TOR.

    For JOE 6-PACK with the 10/100 lan and TRUSTED family this is a non-issue.
    For JANE 6-PACK with the direct dialup, this is a non-issue.

    The problem as I see it is that myspace made their passwords too small.
    The rest of the scripting shit can be cured by SQUID and a complex URL filter. No ads. No bad script.

  15. It gets better by York the Mysterious · · Score: 4, Insightful

    We had always worried about this on University housing networks. You're pretty much guaranteed that every user is a Myspace user. Better yet, once you man-in-the-middle the Myspace login / pw chances are it just gave away their e-mail login too. Login: bob@gmail.com PW: bob420 probably goes to that gmail account too. From there you can reset any account you see in his Gmail account. Myspace really turns into a giant weakness of the Internet.

    --
    Tim Smith - Ramblings from Nerd Land
    1. Re:It gets better by freaker_TuC · · Score: 1

      I'd say the users are the weakness! PEBKAC!

      --
      --- I am known for the ones who want to find me on the net. Is that a privacy risk or a privilege? One might wonder..
    2. Re:It gets better by Anonymous Coward · · Score: 0

      That's my email and password, you insensitive clod! -Bob

  16. banks. by slashkitty · · Score: 1

    The not so funny thing about man in the middle attacks is that most non-https sites are vulnerable to them.

    Take the Chase.com homepage. It's got a login form right there (it doesn't matter if it's secure or not). If you were a victim of a man in the middle attack, the attacker could have rewritten the page to link to a different secure login server. Or, for example, could put in a different phone number to contact them.

    Luckily some banks are FINALLY switching to all https, bankofamerica.com for example.

    --
    -- these are only opinions and they might not be mine.
  17. ARP cache poisoning can work even with SSL by mrbah · · Score: 1

    HTTPS is great, but let's not portray it as the holy grail of privacy. There was a vulnerability in Windows that allowed attackers to remotely install arbitrary CA certificates in the operating system's certificate store without users' knowledge. If an attacker could get on your LAN (a very big if) he could eavesdrop on every SSL connection through a combination of cache poisoning and replacing legitimate certificates with those signed by his bogus CA.

    1. Re:ARP cache poisoning can work even with SSL by Burz · · Score: 1

      There was a vulnerability in Windows that allowed attackers to remotely install arbitrary CA certificates in the operating system's certificate store without users' knowledge. That was an implementation problem with Windows, not with the design of https.
  18. slow news day? by hav0x · · Score: 1

    cain & abel? srsly? OMGWTFBBQ!

    what's happening to /.?
    Are all these 'caturday!1!' pics i see around the web numbing my /.?