Slashdot Mirror


Man-in-the-Middle Attack on MySpace with Cain

Slimjim100 writes "Last year at ChicagoCon 2007, Brian Wilson gave a great talk entitled 'Cain & Abel: Windows Can Hack, Too!' Although the presentation and audio recording of the talk can be downloaded from the ChicagoCon site at Library, I had totally forgotten to publish his videos. Just in case things didn't go as planned during the live event or his laptop crapped out on him, Brian made a video of the MITM attack he demonstrated using Cain. You get to see how MySpace and other social networking sites are not designed with security in mind."

4 of 45 comments

  1. Cain and Abel aren't new. by Scytheford · Score: 4, Informative

    Hell, I remember scriptkiddying passwords out of .pwl files in '00. These apps have been around for a long time.

    1. Re: Cain and Abel aren't new. by Deanalator · Score: 2, Informative

      Ah yes, back in the day that was all Cain could do :-) I remember using FTP in Windows to bypass the restrictions on the Windows Explorer, and cracking all my friend's passwords. Fun times had by all.

      Cain has actually progressed by ridiculous leaps and bounds since then. It can now parse and decode pretty much any password from any protocol off the network or out of a file. It can also do things like recording VoIP phone calls, SSH2 sessions, etc. It also has a pretty decent set of wireless cracking tools built in, far more than any wireless cracking tool that I have seen in Linux. It's almost enough to make me switch to Windows :-)

      Also, as a professional security researcher, I have to ask, who the fuck is Brian Wilson, what the fuck is ChicagoCon, and why the fuck is there a Slashdot article about sniffing plain text HTTP traffic in 2008?

  2. Re: Yes, but... by Wordsmith · Score: 2, Informative

    The point isn't that you'd get a pop-up when everything's going right - you'd get a pop-up when someone's attempting the man-in-the-middle attack. And if the users aren't savvy, or assume as the OP said that the certificate has just expired, they're going to click through anyway.

  3. If you're not on someone's LAN by myspace-cn · Score: 1, Informative


    If you're not on someone's LAN, how is this useful?

    I can see it could be used on some insecure wireless access point, but unless you got root to my box you're not GOING to run CAIN and ABEL.
    So yes, for some people with insecure "convenience wireless networks" or "Convenience LAN party" this could be a problem. But those same idiots are a good target for attacking other targets with TOR.

    For JOE 6-PACK with the 10/100 LAN and TRUSTED family this is a non-issue.
    For JANE 6-PACK with the direct dialup, this is a non-issue.

    The problem as I see it is that MySpace made their passwords too small.
    The rest of the scripting shit can be cured by SQUID and a complex URL filter. No ads. No bad script.