Wow, major https/http hole revealed at blackhat.....

Codewiz

Diamond Member
Jan 23, 2002
5,758
0
76
I would have posted this on the networking or security forum but I think it needs some wide distribution.

Just wanted to give a heads up that people need to be EXTRA vigilant in the near future. There is no easy fix for this. The only fix is paying attention to what you are logging into. This will not affect your ISP connections unless an employee is doing the attack but you definitely have to watch out when you are sitting at wireless hotspots or if you use the TOR network. For wireless hotspots I would recommend always using an SSL tunnel to your home network.



https://media.blackhat.com/bh-dc-09/video/Marlinspike/blackhat-dc-09-marlinspike-slide.mov


http://www.forbes.com/2009/02/...ity_0218_blackhat.html
 

Codewiz

Diamond Member
Jan 23, 2002
5,758
0
76
Originally posted by: mchammer187
any article link?

Updated with Forbes article. I don't like the fact that it says "look alike site". This isn't phishing. The user is seeing the real site just over HTTP instead of HTTPS (or a passthru faked HTTPS site with the real site's page). So unless you always look to make sure it is https at all times, you are screwed. Even then, he provides a little way to trick users on that too.
 

razor2025

Diamond Member
May 24, 2002
3,010
0
71
Nothing really new to me. It just highlights how easily hackers can exploit the "human" factor more so than system itself.
 

Codewiz

Diamond Member
Jan 23, 2002
5,758
0
76
Originally posted by: razor2025
Nothing really new to me. It just highlights how easily hackers can exploit the "human" factor more so than system itself.

Big difference here. 99.999999999999999% of people would fall for this trick as of today. Especially banking sites that run off http but use a https post form. You would NEVER know this attack was happening.

So banks like Wachovia, you would NEVER know this attack was taking place.
 

bsobel

Moderator Emeritus
Elite Member
Dec 9, 2001
13,346
0
0
Originally posted by: Codewiz
I would have posted this on the networking or security forum but I think it needs some wide distribution.

Just wanted to give a heads up that people need to be EXTRA vigilant in the near future. There is no easy fix for this. The only fix is paying attention to what you are logging into. This will not affect your ISP connections unless an employee is doing the attack but you definitely have to watch out when you are sitting at wireless hotspots or if you use the TOR network. For wireless hotspots I would recommend always using an SSL tunnel to your home network.



https://media.blackhat.com/bh-dc-09/video/Marlinspike/blackhat-dc-09-marlinspike-slide.mov


http://www.forbes.com/2009/02/...ity_0218_blackhat.html

There is nothing new here. Same as TheMiddler and dozens of other MiTM attacks.

 

spidey07

No Lifer
Aug 4, 2000
65,469
5
76
That just sounds like the other man in the middle tools/attacks.

You should NEVER trust anything you do on a public hotspot even if it's encrypted. Too easy for somebody to steal your stuff.
 

mxyzptlk

Golden Member
Apr 18, 2008
1,893
0
0
Whatever idiot tries to steal my identity deserves the crushing load of debt he or she then stands to inherit.
 

Codewiz

Diamond Member
Jan 23, 2002
5,758
0
76
Originally posted by: bsobel
Originally posted by: Codewiz
I would have posted this on the networking or security forum but I think it needs some wide distribution.

Just wanted to give a heads up that people need to be EXTRA vigilant in the near future. There is no easy fix for this. The only fix is paying attention to what you are logging into. This will not affect your ISP connections unless an employee is doing the attack but you definitely have to watch out when you are sitting at wireless hotspots or if you use the TOR network. For wireless hotspots I would recommend always using an SSL tunnel to your home network.



https://media.blackhat.com/bh-dc-09/video/Marlinspike/blackhat-dc-09-marlinspike-slide.mov


http://www.forbes.com/2009/02/...ity_0218_blackhat.html

There is nothing new here. Same as TheMiddler and dozens of other MiTM attacks.

There are very few MITM attacks on SSL/https. I can't find any information on TheMiddler so I can't comment. Do you mind posting information on the other MITM attacks that are the same as this.
 

SphinxnihpS

Diamond Member
Feb 17, 2005
8,368
25
91
Originally posted by: Codewiz
Originally posted by: razor2025
Nothing really new to me. It just highlights how easily hackers can exploit the "human" factor more so than system itself.

Big difference here. 99.999999999999999% of people would fall for this trick as of today. Especially banking sites that run off http but use a https post form. You would NEVER know this attack was happening.

So banks like wachovia, you would NEVER know this attack was taking place.

So you mean to say everyone will fall for this since 99.999999999999999% of 6.7 billion is 6699999999.999999933?
 

Codewiz

Diamond Member
Jan 23, 2002
5,758
0
76
Originally posted by: txrandom
Can this still work over encrypted wireless?

If the attacker is sitting on your wireless network, yes. He will do arp poisoning. Then all the traffic will flow through a man in the middle. Then it can happen.

However if you are running WPA then you have very little to worry about.
 

bsobel

Moderator Emeritus
Elite Member
Dec 9, 2001
13,346
0
0
There are very few MITM attacks on SSL/https. I can't find any information on TheMiddler so I can't comment. Do you mind posting information on the other MITM attacks that are the same as this.

This isn't a MiTM attack on SSL, this is intercepting traffic and routing it to HTTP so the user ISN'T ON AN SSL connection.

As for TheMiddler, google for it. It was shown at Blackhat/Defcon last year. There is absolutely nothing new about this attack. It's simply a proxy that ensures any HTTPS addresses in a page are replaced with HTTP links. Since most sites support both, the user never gets directed to SSL, and so their info is in plaintext. It's not rocket science; the only 'interesting' thing here is that there is one more 'off the shelf' tool for the script kiddies to use. Prior to TheMiddler these attacks were more custom and not shared...

 

Codewiz

Diamond Member
Jan 23, 2002
5,758
0
76
Actually, in his final attack the entire connection uses SSL (just SSL on each side of the MITM). It just happens to exploit the fact that you can use fake characters and a wildcard domain certificate to trick browsers into not alerting the user.
 

bsobel

Moderator Emeritus
Elite Member
Dec 9, 2001
13,346
0
0
Originally posted by: Codewiz
Actually, in his final attack the entire connection uses SSL (just SSL on each side of the MITM). It just happens to exploit the fact that you can use fake characters and a wildcard domain certificate to trick browsers into not alerting the user.

SSLstripping is ancient, and unless you can get a bogus CA root onto the user's machine, it really doesn't matter too much.
 

Codewiz

Diamond Member
Jan 23, 2002
5,758
0
76
Originally posted by: bsobel
Originally posted by: Codewiz
Actually, in his final attack the entire connection uses SSL (just SSL on each side of the MITM). It just happens to exploit the fact that you can use fake characters and a wildcard domain certificate to trick browsers into not alerting the user.

SSLstripping is ancient, and unless you can get a bogus CA root onto the user's machine, it really doesn't matter too much.

Did you not watch the presentation??

It uses a REAL cert from a REAL CA in an inventive way. Seriously, watch what he does. It isn't using a bogus CA root.
 

Codewiz

Diamond Member
Jan 23, 2002
5,758
0
76
Originally posted by: darkxshade
How big is the .mov file?

Over 100MB.

I will break out his final attack from his slide.

Using his tool in combination with this.

-Register a domain like ijjk.cn
-Get a domain-validated SSL wildcard cert for *.ijjk.cn
-Use IDN-valid characters that look very similar to '/' and '?' to create false urls.
-MITM http and swap out the https links.
-This time, instead of just stripping https links, we swap them out for our own look alikes.

Basically you end up with your address basically looking exactly like the target site with the real contents of the website. All over "SSL" and passes all the certificate checks. Unless you look at every cert at every page or look at the end of very long URLs, you would notice nothing out of the ordinary.

To give you an idea: he ran his software on the exit node of the TOR network. He got TONS of usernames and passwords. He then ran the same test to see how many people got his pages and decided not to enter their information. No one got suspicious. Everyone logged in.
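A defender-side check for the two symptoms described in this thread (HTTPS links arriving as plain http://, and hostnames padded with IDN lookalike characters so the real registered domain sits at the far end of an overlong URL). This is an added example in Python, not Marlinspike's tool or anything posted in the thread; the names in EXPECTED_HTTPS and the sample URLs are constructed.

```python
"""Inspect a URL for the symptoms this thread describes:
(1) a host that should only be reached over TLS linked as plain http://,
(2) lookalike characters inside the hostname, so that what reads as a path
    is really part of a long host whose registered domain is at the end."""
import unicodedata
from urllib.parse import urlsplit

# Constructed: hosts we expect to be reached only over TLS (assumed names).
EXPECTED_HTTPS = {"www.bank.example", "login.bank.example"}


def registered_domain(host: str) -> str:
    """Last two labels, e.g. 'ijjk.cn' (naive; ignores public-suffix rules)."""
    return ".".join(host.rstrip(".").split(".")[-2:])


def inspect_url(url: str) -> dict:
    """Return the real host, its registered domain, and a list of findings."""
    try:
        parts = urlsplit(url)
    except ValueError:
        # Python rejects a netloc whose NFKC form contains '/', '?', '#', '@'
        # or ':' (e.g. a fullwidth '?'); treat that rejection as a finding.
        return {"host": None, "registered_domain": None,
                "findings": ["lookalike-delimiter-in-host"]}
    host = parts.hostname or ""
    findings = []
    if parts.scheme == "http" and host in EXPECTED_HTTPS:
        findings.append("https-stripped")
    for ch in host:
        # Any non-ASCII code point in the host is where a '/' or '?'
        # lookalike would live; report the first one by its Unicode name.
        if ord(ch) > 127:
            findings.append("non-ascii-in-host:" + unicodedata.name(ch, "U+%04X" % ord(ch)))
            break
    if len(host) > 60:
        findings.append("overlong-host")
    return {"host": host, "registered_domain": registered_domain(host),
            "findings": findings}


if __name__ == "__main__":
    # Constructed samples: a stripped link, and a FRACTION SLASH (U+2044)
    # lookalike that makes the host read like a path under the real site.
    for u in ("http://www.bank.example/login",
              "https://www.bank.example\u2044login\u2044index.html.ijjk.cn/"):
        print(inspect_url(u))
```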
 

Codewiz

Diamond Member
Jan 23, 2002
5,758
0
76
Originally posted by: Crusty
How is a MITM attack new?

So every time a buffer overflow security issue arises, we shouldn't mention the new issue because buffer overflow is old hat?

This is a new attack put together that will fool most people.
 

Crusty

Lifer
Sep 30, 2001
12,684
2
81
Originally posted by: Codewiz
Originally posted by: Crusty
How is a MITM attack new?

So every time a buffer overflow security issue arises, we shouldn't mention the new issue because buffer overflow is old hat?

This is a new attack put together that will fool most people.

Same attack, different tools. It's not like everybody is any more at risk today than they were yesterday.
 

Codewiz

Diamond Member
Jan 23, 2002
5,758
0
76
Originally posted by: Crusty
Originally posted by: Codewiz
Originally posted by: Crusty
How is a MITM attack new?

So every time a buffer overflow security issue arises, we shouldn't mention the new issue because buffer overflow is old hat?

This is a new attack put together that will fool most people.

Same attack, different tools. It's not like everybody is any more at risk today than they were yesterday.

So after this tool is released today, would you go on a TOR network and use an SSL enabled website? How about going to a wireless hotspot and use an SSL enabled website?

I sure wouldn't. Of course I always use my ssh tunnel when away from home but I sure wouldn't use TOR now.

The same could have been said when the MD5 collision issue for CAs was announced. And that is a huge deal also.
 