Re: SSL MITM fun.

[Richard Bejtlich <taosecurity () gmail com>]

On Thu, Feb 19, 2009 at 6:36 PM, Fyodor <fyodor () insecure org> wrote:

> The slides give numbers for how many people he apparently fooled with
> the MITM attacks (e.g. 16 credit card numbers and 7 PayPal logins and
> 300 other https logins in 24 hours), but it isn't clear from the
> slides alone where he performed the attacks.  Maybe a coffee shop?
> I'm hoping it was on the Black Hat DC network before his presentation
> :).

I may have missed it in this thread, but Moxie said he ran a Tor exit
node and ran his attack against those using the node.  He said during
the talk that he scripted a process to count the users, so he didn't
directly inspect data he captured.

One aside -- several people in Moxie's talk discussed the need to MITM
traffic by ARP spoofing, etc., on local LANs.  Moxie's tricks are much
more interesting if you combine them with the BGP hijacking
demonstrated at Def Con last year and expanded upon at BH DC this
year:

http://www.renesys.com/blog/2009/02/stealing-the-internet-back-1.shtml#more

With BGP hijacking you can apply Moxie's tricks without having a
foothold on the target's network.

Sincerely,

Richard
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave