Slashdot Mirror


Man-in-the-Middle Attack on MySpace with Cain

Slimjim100 writes "Last year at ChicagoCon 2007, Brian Wilson gave a great talk entitled "Cain & Abel: Windows Can Hack, Too!" Although the presentation and audio recording of the talk can be downloaded from the ChicagoCon site at Library, I had totally forgotten to publish his videos. Just in case things didn't go as planned during the live event or his laptop crapped out on him, Brian made a video of the MITM attack he demonstrated using Cain. You get to see how Myspace and other social networking sites are not designed with security in mind."

8 of 45 comments

  1. Security? by rbochan · · Score: 4, Insightful

    Of course they're not designed with security in mind. They're designed with data mining and ad-hits in mind.

    --
    ...Rob
    The American Dream isn't an SUV and a house in the suburbs; it's Don't Tread On Me.
  2. And if they used https? by Henry V .009 · · Score: 4, Insightful

    And if they used https instead, about .01% of their users would be computer savvy enough to check the certificate when the warning pops up. People just click through. Even technical users simply assume that the certificate was allowed to lapse or something. https is not a panacea for man in the middle attacks.

  3. This is not new by Cytlid · · Score: 4, Insightful

    This is a local ARP poisoning attack.

    What did the notice to Myspace/google etc. consist of? I can break things on my local LAN, so fix your site?

    If he did this in my office he'd get a tire iron to the head because I could walk over to him and do it.

    --
    FLR
  4. Do I understand this correctly? by bigtallmofo · · Score: 4, Insightful

    He has two systems on his local network. He's using a "man in the middle" attack to use System A to sniff the traffic of System B. Then he's pointing out that you can get passwords from systems like MySpace because it's not encrypted.

    How is this a big deal? This does not allow someone to get anyone's password that isn't on their same network. There are easier ways to get someone's password if you're on the same network as them, starting with slapping them until they give you their password. But it all comes back to - if the site matters, it's using HTTPS.

    --
    I'm a big tall mofo.
  5. Don't use MySpace! by Doug52392 · · Score: 5, Insightful

    MySpace is notoriously insecure and a hacker or spammer's playground. The first thing I noticed when I created an account 10 months ago is that there was no HTTPS logon. Even Facebook has that!

    But even if they were to use HTTPS, that still wouldn't solve MySpace's issues. A lot of the people on my Friends List were not very tech savvy (like a lot of users), and, since most of them were teens, they easily fell for phishing scams and hacks. And then I get punished for their poor security practices by having my message board filled with ads for the "free, HoTtEsT ringtones!!!!" and "see girls naked!!!!" (btw all of those sites had viruses or malware on them). I stopped using MySpace after 2 months, I got tired of all the insecurity.

    If I were to run this attack on the computers at my high school, I could cripple a lot of kids' social lives (and get expelled when the admins see :) I see SO many of my classmates using proxies to get on MySpace at school (even though it's against school rules, which I don't blame after seeing some of my classmates' MySpace pages). They just don't understand how easily I could get their password (or whoever's running the proxy, or even the admins). And it's worse when you wonder how many kids use the same user name and password for everything...

    Kids these days are just not educated enough on good security practices, or show a lack of common sense with this stuff...

  6. Surprised?? by fluch · · Score: 3, Insightful

    Honestly? Social sites and security? Why should they be interested in it??

  7. Re:Yes, but... by Anonymous Coward · · Score: 1, Insightful

    The point is they would agree to the warnings on a false certificate during a man-in-the-middle attack.

  8. It gets better by York the Mysterious · · Score: 4, Insightful

    We had always worried about this on University housing networks. You're pretty much guaranteed that every user is a Myspace user. Better yet, once you man in the middle the myspace login / pw, chances are it just gave away their e-mail login too. Login: bob@gmail.com PW: bob420 probably goes to that gmail account too. From there you can reset any account you see in his Gmail account. Myspace really turns into a giant weakness of the Internet.

    --

    Tim Smith - Ramblings from Nerd Land