Man-in-the-Middle Attack on MySpace with Cain

Slimjim100 writes "Last year at ChicagoCon 2007, Brian Wilson gave a great talk entitled "Cain & Abel: Windows Can Hack, Too!" Although the presentation and audio recording of the talk can be downloaded from the ChicagoCon site at Library, I had totally forgotten to publish his videos. Just in case things didn't go as planned during the live event or his laptop crapped out on him, Brian made a video of the MITM attack he demonstrated using Cain. You get to see how Myspace and other social networking sites are not designed with security in mind."

Brian Wilson

[Hatta]

Wow, musically talented and a computer hacker. I guess myspace isn't giving him good vibrations now though.

Re:

[The Truthiness Hurts]

Brian Wilson the influential 1960 music icon, or Brian Wilson the Scottish MP? I'm glad the submitter clarified it for us.

Security?

[rbochan]

Of course they're not designed with security in mind. They're designed with data mining and ad-hits in mind.

Duh....

[Anonymous Coward]

HTTP and other plain text protocols vulnerable to MITM, film at 11.

And if they used https?

[Henry V .009]

And if they used https instead, about .01% of their users would be computer savvy enough to check the certificate when the warning pops up. People just click through. Even technical users simply assume that that the certificate was allowed to lapse or something. https is not a panacea for man in the middle attacks.

Yes, but...

[Shuntros]

You would hope that a site like MySpace would get a properly signed certificate from a CA. That way, no pop-up... When was the last time you got a pop-up visiting your bank, or PayPal etc? Answer, never. Reason being that the big boys (Versign etc) are pre-populated in browser CA stores as trusted. Self-signed certificate will of course always pop a warning up, but only because the browser can't verify the authenticity of the cert as it's not from a trusted CA.

Re:

[Wordsmith]

The point isn't that you'd get a pop-up when everything's going right - you'd get a pop-up when someone's attempting the man-in-the middle attack. And if the users aren't savvy, or assume as the OP said that the certificate has just expired, they're going to click through anyway.

Re:

[Anonymous Coward]

The point is they would agree to the warnings on a false certificate during a man-in-the-middle attack.

Re:

[Captain DaFt]

"When was the last time you got a pop-up visiting your bank, or PayPal etc?"

Last week: http://www.theregister.co.uk/2008/03/10/hsbc_cert_glitch/ [theregister.co.uk]
Fortunately, it was not a problem, as people would recognize the site as legitimate anyway. (Well, that's what the bank said.)

"Answer, never."

Never say never.

Re:

[Burz]

Exactly. I've trained everyone I know to reject https connections that have cert warnings, based on the reasoning that there is no excuse whatsoever for a med-large site operator to have a lapsed cert.

And you know what, they HEED my advice. They now have a priceless tool to protect themselves online where no one had ever mentioned it to them before.

IMO, we can't blame users where they've been kept ignorant, and in the case of https most techies write users off as click-through morons instead of taking 5 min

Re:

[SanityInAnarchy]

Actually, no, as a technical user, it's incredibly easy to see the reason that the certificate isn't valid -- and if there were shenanigans going on, it wouldn't be because it was expired.

Also, https means it is actually possible to be secure -- you check that https is in the URL, and you refuse to connect if the certificate isn't valid.

Some sites default to http, but allow https. But no https means that option isn't even there -- you are going to be vulnerable, period. That's one of the many reasons I don'

This is not new

[Cytlid]

This is a local ARP poisoning attack.

  What did the notice to Myspace/google etc consist of? I can break things on my local LAN, so fix your site?

  If he did this in my office he'd get a tireiron to the head because I could walk over to him and do it.

Re:

[call-me-kenneth]

What did the notice to Myspace/google etc consist of? I can break things on my local LAN, so fix your site?

Well, yes.

The point is that, as you observe, it's trivial on many switched LANs to ARP poison and steal session credentials. (It's all about the session, dummy, not the data.) Pinch a Gmail password from a co-worker and you probably own their domain password, brokerage, online banking,... passwords as well.

You're right that this is nothing new, but the fix is really trivial. Use SSL or TLS. Gmail does support this; browse to https://mail.google.com/ [google.com], bookmark that and you're done. It's not like the co

Re:

[Cytlid]

Or heighten up the layer 2 security. If I only allow one mac address per switchport, this wouldn't work. Why fix the remote side when the problem is local? Add some 802.1x authentication, and you're not even getting on my LAN unless you're authenticated.

Re:

[SanityInAnarchy]

I can break things on my local LAN, so fix your site?

When "my local LAN" is some random wifi hotspot, it would be nice to have it not be broken there.

And "fix your site" is as simple as sticking https in front of it. Google has this as an option, anyway.

Do I understand this correctly?

[bigtallmofo]

He has two systems on his local network. He's using a "man in the middle" attack to use System A to sniff the traffic of System B. Then he's pointing out that you can get passwords from systems like MySpace because it's not encrypted.

How is this a big deal? This does not allow someone to get anyone's password that isn't on their same network. There are easier ways to get someone's password if you're on the same network as them, starting with slapping them until they give you their password. But it all comes back to - if the site matters, it's using HTTPs.

Re:

[aredubya74]

Yeah, it's less man-in-the-middle than man-on-the-same-subnet, so it's a particularly easy attack. The tool is quite slick about automating it though, so some definite kudos are deserved. Besides, slapping them repeatedly might reveal your intentions, while ARP cache poisoning is a little more subtle.

However, he shouldn't be contacting MySpace with "fix your website's security" - he should be contacting the router vendor(s) whose gear is so easily poisoned.

Re:

[cjb658]

It's a bigger threat in places like schools, where students (sometimes) have access to the staff wired networks.

And of course, if you use wireless that's unencrypted or barely encrypted (ie, with WEP), you're susceptible to this too. Even if you plug your computer in, if there is a wireless access point on the same subnet, you can be ARP poisoned.

Cain and Abel aren't new.

[Scytheford]

Hell, I remember scriptkiddying passwords out of .pwl files in '00. These apps have been around for a long time.

Re:

[Deanalator]

Ah yes, back in the day that was all cain could do :-) I remember using ftp in windows to bypass the restrictions on the windows explorer, and cracking all my friend's passwords. Fun times had by all.

Cain has actually progressed by ridiculous leaps and bounds since then. It can now parse and decode pretty much any password from any protocol off the network or out of a file. It can also do things like recording voip phone calls, and ssh2 sessions etc. It also has a pretty decent set of wireless cracking

Don't use MySpace!

[Doug52392]

MySpace is notoriously insecure and a hacker or spammer's playground. The first thing I noticed when I created an account 10 months ago is that there was no HTTPS logon. Even Facebook has that!

But even if they were to use HTTPS, that still wouldn't solve MySpace's issues. A lot of the people on my Friends List were not very tech savvy (like a lot of users), and, since most of them were teens, they easily fell for phishing scams and hacks. And then I get punished for their poor security practices by having my message board filled with ads for the "free, HoTtEsT ringtones!!!!" and "see girls naked!!!!" (btw all of those sites had viruses or malware on them). I stopped using MySpace after 2 months, I got tired of all the insecurity.

If I were to run this attack on the computers at my high school, I could cripple a lot of kid's social lives (and get expelled when the admins see :) I see SO many of my classmates using proxies to get on MySpace at school (even though it's against school rules, which I don't blame after seeing some of my classmate's MySpace pages). They just don't understand how easily I could get their password (or whoevers running the proxy, or even the admins). And it's worse when you wonder how many kids use the same user name and password for everything...

Kids these days are just not educated enough on good security practices, or show a lack of common sense with this stuff...

Re:

[insertwackynamehere]

I set up my own http proxy on my own webserver (well okay it was remotely hosted webspace but w/e) and pw protected it. Too bad it didn't work 100% being HTTP based and not a real proxy but its all good. This was like 10th or 11th grade so I could get onto Sconex, a pre-Facebook now dying high school networking site. At one point however, websense classified my website as Adult content so I had to write to them and angrily question how they had arrived at that conclusion. They apologized and fixed it.

Ettercap has been there for ages now

[LiquidNitrogen]

This sound similar to Ettercap and how is this useful on internet unless you are on some intranet gateway?

Re:

[temugen]

It's not different. They were merely showing that there were tools available to perform the same attacks on Windows (although I think even the majority of linux hackers have already heard of Cain and Abel).

Totally hyped news

[prxp]

For starters it's a local arp poisoning attack, no big deal. Ok, myspace doesn't encrypt the login session, but let's assume it was Google's Gmail instead (they do encrypt the login session). With the same attack, it would be as easily to capture Gmail's session cookies and then be granted access to the victim's email account. I'll propably make a video and post it to /. under the title: "Man-in-the-Middle Attack on Gmail with Cain". That would get a lot more attention!

Surprised??

[fluch]

Honestly? Social sites and security? Why should they be interested in it??

Re:

[plover]

Because people do stupid things repeatedly.

Let's say I discovered you had logged on to Facebook with the username of "fluch" and a password of "blather". The next thing I'm going to try is to log on to gmail and try signing on as "fluch@gmail.com" with a password of "blather". After that, I'm going to try the same attack on paypal.com, amazon.com, bankofamerica.com and a thousand other places that you might be foolish enough to use the same ID and password and have the authority to spend money.

For ove

If your not on someone's LAN

[myspace-cn]

If your not on someone's LAN how is this useful?

I can see it could be used on some insecure wireless access point, but unless you got root to my box your not GOING to run CAIN and ABLE.
So yes, for some people with insecure "convenience wireless networks" or "Convenience lan party" this could be a problem. But those same idiots are a good target for attacking other targets with TOR.

For JOE 6-PACK with the 10/100 lan and TRUSTED family this is a non-issue.
For JANE 6-PACK with the direct dialup, this is a non

It gets better

[York the Mysterious]

We had always worried about this on University housing networks. You're pretty much guaranteed that every user is a Myspace user. Better yet once you main in the middle the myspace login / pw chances are it just gave away their e-mail login too. Login: bob@gmail.com PW: bob420 probably goes to that gmail account too. From there you can reset any account you see in his Gmail account. Myspace really turns into a giant weakness of the Internet.

Re:

[freaker_TuC]

I'd say the users are the weakness! PEBKAC [wikipedia.org]!

banks.

[slashkitty]

The not so funny thing about man in the middle attacks is that most non https sites are vulnerable to them.

Take the Chase.com [chase.com] homepage. It's got a login form right there (it doesn't matter if it's secure or not). If you were a victim of a man in the middle attack, the attacker could have rewritten the page to link to a different secure login server. Or, for example, could put in a different phone number to contact them.

Luckly some banks are FINALLY switching to all https, bankofamerica.com for exampl

ARP cache posioning can work even with SSL

[mrbah]

HTTPS is great, but let's not portray it as the holy grail of privacy. There was a vulnerability in Windows that allowed attackers to remotely install arbitrary CA certificates in the operating system's certificate store without users' knowledge. If an attacker could get on your LAN (a very big if) he could eavesdrop on every SSL connection through a combination of cache poisoning and replacing legitimate certificates with those signed by his bogus CA.

Re:

[Burz]

There was a vulnerability in Windows that allowed attackers to remotely install arbitrary CA certificates in the operating system's certificate store without users' knowledge.

That was an implementation problem with Windows, not with the design of https.

slow news day?

[hav0x]

cain & abel? srsly? OMGWTFBBQ!

what's happening to /.?
Are all these 'caturday!1!' pics i see around the web numbing my /.?