430 likes | 566 Views
How to Steal Passwords: SSLstrip , LNK Attack, Cross-Site Request Forgery & Scary SSL Attacks Sam Bowne. No Need to Take Notes. This Powerpoint and other materials are at http://samsclass.info/HI-TEC Feel free to use all this material for your own classes, talks, etc. Contact. Sam Bowne
E N D
How to Steal Passwords:SSLstrip,LNK Attack,Cross-Site Request Forgery& Scary SSL AttacksSam Bowne
No Need to Take Notes • This Powerpoint and other materials are at • http://samsclass.info/HI-TEC • Feel free to use all this material for your own classes, talks, etc.
Contact • Sam Bowne • Computer Networking and Information Technology • City College San Francisco • Email: sbowne@ccsf.edu • Web: samsclass.info
Topics sslstrip – Steals passwords from mixed-mode Web login pages LNK Attack: takes over any Windows machine (0day) Cross-Site Request Forgery: Replays cookies to break into Gmai Scary SSL Attacks--ways to completely fool browsers
HTTPS is More Secure than HTTP Facebook HTTPS Encrypted Server authenticated HTTP Unencrypted data No server authentication User Logging In
The 15 Most Popular Web 2.0 Sites 1. YouTube HTTPS 2. Wikipedia HTTP 3. Craigslist HTTPS 4. Photobucket HTTP 5. Flickr HTTPS 6. WordPress MIXED 7. Twitter MIXED 8. IMDB HTTPS
The 15 Most Popular Web 2.0 Sites • 9. Digg HTTP • 10. eHow HTTPS • 11. TypePad HTTPS • 12. topix HTTP • 13. LiveJournal Obfuscated HTTP • 14. deviantART MIXED • 15. Technorati HTTPS • From http://www.ebizmba.com/articles/user-generated-content
Password Stealing Mediumssltrip EasyWall of Sheep Hard Spoofing Certificates
Mixed Mode HTTP Page with an HTTPS Logon Button
sslstrip Proxy Changes HTTPS to HTTP To Internet HTTPS Attacker: sslstrip Proxyin the Middle HTTP TargetUsingFacebook
Physical Insertion in a Wired Network To Internet Attacker Target
ARP Poisoning • Redirects Traffic at Layer 2 • Sends a lot of false ARP packets on the LAN • Can be easily detected • DeCaffienateID by IronGeek • http://k78.sl.pt
ARP Request and Reply • Client wants to find Gateway • ARP Request: Who has 192.168.2.1? • ARP Reply: • MAC: 00-30-bd-02-ed-7b has 192.168.2.1 ARP Request ARP Reply Client Gateway Facebook.com
ARP Poisoning Attacker ARP Replies: I am the Gateway Forwarded & Altered Traffic Traffic to Facebook Client Gateway Facebook.com
SCADA Attacks • In June 2010, an attack was discovered that used a LNK file on a USB stick to attack SCADA-controlled power plants • See https://www.cert.be/pro/attacks-scada-systems
LNK File Attack • The SCADA attack used a vulnerability in all versions of Windows • Merely viewing amalicious Shortcut(LNK file) gives theattacker control of your computer • See http://samsclass.info/123/proj10/LNK-exploit.htm
LNK Attack Countermeasure • Sophos provided a free tool on July 26, 2010 to protect your system • See http://tinyurl.com/2f2nvy8
Cookies • Thousands of people are using Gmail all the time • How can the server know who you are? • It puts a cookie on your machine that identifies you
Gmail's Cookies • Gmail identifies you with these cookies • In Firefox, Tools, Options, Privacy, Show Cookies
Web-based Email To Internet Router AttackerSniffingTraffic TargetUsingEmail
Cross-Site Request Forgery (XSRF) • Gmail sends the password through a secure HTTPS connection • That cannot be captured by the attacker • But the cookie identifying the user is sent in the clear—with HTTP • That can easily be captured by the attacker • The attacker gets into your account without learning your password
CSRF Countermeasure • Adust Gmail settings to "Always use https"
Man in the Middle To Internet HTTPS Attacker: Cain: Fake SSL Certificate HTTPS TargetUsinghttps://gmail.com
Certificate Errors • The message indicates that the Certificate Authority did not validate the certificate • BUT a lot of innocent problems cause those messages • Incorrect date settings • Name changes as companies are acquired
Most Users Ignore Certificate Errors Link SSL-1 on my CNIT 125 page
Fake SSL With No Warning Impersonate a real Certificate Authority Use a Certificate Authority in an untrustworthy nation Trick browser maker into adding a fraudulent CA to the trusted list Use a zero byte to change the effective domain name Wildcard certificate
Impersonating Verisign • Researchers created a rogue Certificate Authority certificate, by finding MD5 collisions • Using more than 200 PlayStation 3 game consoles • Link SSL-2
Countermeasures • Verisign announced its intent to replace MD5 hashes (presumably with SHA hashes), in certificates issued after January, 2009 • Earlier, vulnerable certificates would be replaced only if the customer requested it • Link SSL-4 • FIPS 140-1 (from 2001) did not recognize MD5 as suitable for government work • Links SSL-5, SSL-6, SSL-7
CA in an Untrustworthy Nation Link SSL-8
Unknown Trusted CAs An unknown entity was apparently trusted for more than a decade by Mozilla Link SSL-9
Zero Byte Terminates Domain Name • Just buy a certificate for Paypal.com\0.evil.com • Browser will see that as matching paypal.com • Link SSL-10