Man-in-the-Middle Attack on MySpace with Cain

Slimjim100 writes "Last year at ChicagoCon 2007, Brian Wilson gave a great talk entitled "Cain & Abel: Windows Can Hack, Too!" Although the presentation and audio recording of the talk can be downloaded from the ChicagoCon site at Library, I had totally forgotten to publish his videos. Just in case things didn't go as planned during the live event or his laptop crapped out on him, Brian made a video of the MITM attack he demonstrated using Cain. You get to see how Myspace and other social networking sites are not designed with security in mind."

Cain and Abel aren't new.

[Scytheford]

Hell, I remember scriptkiddying passwords out of .pwl files in '00. These apps have been around for a long time.

Re:Cain and Abel aren't new.

[Deanalator]

Ah yes, back in the day that was all cain could do :-) I remember using ftp in windows to bypass the restrictions on the windows explorer, and cracking all my friend's passwords. Fun times had by all.

Cain has actually progressed by ridiculous leaps and bounds since then. It can now parse and decode pretty much any password from any protocol off the network or out of a file. It can also do things like recording voip phone calls, and ssh2 sessions etc. It also has a pretty decent set of wireless cracking tools built in, far more than any wireless cracking tool that I have seen in Linux. It's almost enough to make me switch to windows :-)

Also, as a professional security researcher, I have to ask, who the fuck is Brian Wilson, what the fuck is ChicagoCon, and why the fuck is there a slashdot article about sniffing plain text http traffic in 2008?

Re:Yes, but...

[Wordsmith]

The point isn't that you'd get a pop-up when everything's going right - you'd get a pop-up when someone's attempting the man-in-the middle attack. And if the users aren't savvy, or assume as the OP said that the certificate has just expired, they're going to click through anyway.