BYU’s RouteY Login Forms (and some other ones too)
A rather long time ago, I started doing some research into a network attack technique called “arpspoofing.” My proof-of-concept attack consisted of my laptop attacking my lab workstation. As my workstation requested the BYU home page, my laptop would drop the request before it ever left the lab, and send an altered version of the webpage back to my workstation. Instead of sending my username and password to BYU, they would just be sent to my laptop.
This took me a very long time. Instead of looking for some high-level way to do this, I got down and dirty with pcap. It was very interesting to implement, and I learned quite a bit about Ethernet, ARP, IP, and TCP. Unfortunately, it was mostly one big dirty hack that was locked into attacking my workstation, and only serving up a bad BYU home page.
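The defensive counterpart to the technique described above is an arpwatch-style monitor: it parses the raw Ethernet/ARP frames the post mentions and alerts when an IP address suddenly claims a different MAC address, which is exactly what a spoofed gateway reply looks like on the wire. The following is an added example, not code from the original post; the frame layouts are the standard RFC 826 ARP-over-Ethernet encoding, and the capture it replays (10.0.0.0/24 addresses and the MAC addresses) is constructed sample data.

```python
import struct

# Added example: an arpwatch-style monitor. It parses raw Ethernet/ARP frames and
# flags when an IP address that was bound to one MAC is suddenly claimed by another.
# Frame layouts follow RFC 826 (ARP over Ethernet); all addresses below are constructed.

ETH_HDR = struct.Struct("!6s6sH")            # dst MAC, src MAC, EtherType
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")    # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def parse_arp_frame(frame):
    """Return (opcode, sender_mac, sender_ip, target_mac, target_ip), or None if not IPv4 ARP over Ethernet."""
    if len(frame) < ETH_HDR.size + ARP_HDR.size:
        return None
    _dst, _src, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = ARP_HDR.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return oper, mac_str(sha), ip_str(spa), mac_str(tha), ip_str(tpa)


class ArpWatcher:
    """Remembers the first MAC seen for each IP and alerts on any later change."""

    def __init__(self):
        self.bindings = {}   # ip -> mac first observed
        self.alerts = []

    def observe(self, frame):
        parsed = parse_arp_frame(frame)
        if parsed is None:
            return None
        oper, sha, spa, _tha, _tpa = parsed
        known = self.bindings.setdefault(spa, sha)
        if known != sha:
            alert = f"ARP binding for {spa} changed {known} -> {sha} (opcode {oper})"
            self.alerts.append(alert)
            return alert
        return None


def build_frame(oper, sha, spa, tha, tpa, dst=b"\xff" * 6):
    """Assemble a constructed Ethernet/ARP frame; used only to build the sample capture below."""
    return ETH_HDR.pack(dst, sha, ETHERTYPE_ARP) + ARP_HDR.pack(1, 0x0800, 6, 4, oper, sha, spa, tha, tpa)


def run_sample():
    """Replay a constructed capture: a genuine gateway reply, a repeat of it, then a
    reply claiming the gateway's IP from a different MAC. Returns the alerts raised."""
    gw_mac = bytes.fromhex("aabbccddee01")      # constructed gateway MAC
    gw_ip = bytes([10, 0, 0, 1])
    host_mac = bytes.fromhex("aabbccddee42")    # constructed workstation MAC
    host_ip = bytes([10, 0, 0, 42])
    other_mac = bytes.fromhex("0011223344ff")   # constructed: a second machine claiming the gateway IP
    capture = [
        build_frame(ARP_REQUEST, host_mac, host_ip, b"\x00" * 6, gw_ip),
        build_frame(ARP_REPLY, gw_mac, gw_ip, host_mac, host_ip, dst=host_mac),
        build_frame(ARP_REPLY, gw_mac, gw_ip, host_mac, host_ip, dst=host_mac),    # same binding: no alert
        build_frame(ARP_REPLY, other_mac, gw_ip, host_mac, host_ip, dst=host_mac),  # conflicting binding
    ]
    watcher = ArpWatcher()
    for frame in capture:
        watcher.observe(frame)
    return watcher.alerts


if __name__ == "__main__":
    for line in run_sample():
        print(line)
```

A binding change is not always an attack: DHCP reassignment, a replaced NIC or a router failover produce the same signal. In practice the watcher is seeded with the known MAC of the gateway (the address a spoofer has to impersonate) so that a change on that one entry is treated as high priority, and the rest are logged for review.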
Months later, as I was working on a poster to inform people about how to avoid such attacks, I came up with a way to do the same thing with Squid. It only took me a few hours, and I had similar attacks set up for BYU, Washington Mutual, and Hotmail. Later, I was even able to produce an attack on BYU’s old “Secure Sign-In” page by subverting one of the javascript files that it referenced (this is why we don’t mix secure and insecure content on our webpages, children).
So, I later finished my poster (after a copy was sent to BYU’s IT dept.), and it stayed up for about a week. If you look at it, you’ll notice that it lists a few vulnerable websites at the bottom of the poster. A curious student happened to read the poster, and then call up his bank (most likely WaMu) and tell them that their website is insecure (it still is). Of course, the tech at WaMu told the student that there was nothing to be concerned about. Somewhere in the conversation, the student said that he had seen a poster at BYU that said this and that about their website. Eventually somebody at WaMu called somebody at BYU, and that somebody called the CS department, and then my poster was no more.
But, some good did come out of it. This morning, one of my lab-mates emailed me this link. BYU has locked down their “Secure Sign-In” link, and now they’re going to get rid of the completely insecure login form that’s been on their home page for years. Yea-ah.
So there you go. That was a rather long rant. Also, if you’re curious about WaMu’s website, yes, it’s insecure. It’s not a HUGE problem, but here’s what can happen: When I’m plugged into a network, I can point my attacking program against any other machine on the local network, and if that person logs into WaMu’s homepage, I’ll get their password, and they’ll have no way of knowing. The victim logs in just fine without any hiccups. I’ve also been told that this attack can work over wireless too. If you want to be sure that you’re not being attacked, just submit an empty form, and it will take you to a secure page.
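The two weaknesses the post describes, a password form served from an http page (even when it posts to https, the page carrying the form can be rewritten in transit) and a secure page that pulls a script over http, are both visible in the page markup, so they can be caught by an audit before anyone has to test them on a live network. The following auditor is an added example, not code from the original post or from any of the sites named; the sample pages and the example.edu hostnames in it are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class LoginPageAuditor(HTMLParser):
    """Flags password forms served or submitted over cleartext http, and active
    content (scripts, stylesheets, frames) that an https page fetches over http."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_is_https = urlsplit(page_url).scheme == "https"
        self.findings = []
        self._form = None   # state for the <form> currently being parsed

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "form":
            # Resolve relative actions against the page URL so "/signin" inherits the page scheme.
            self._form = {"action": urljoin(self.page_url, a.get("action", "")), "has_password": False}
        elif tag == "input" and self._form is not None and a.get("type", "").lower() == "password":
            self._form["has_password"] = True
        elif tag in ("script", "iframe") or (tag == "link" and a.get("rel", "").lower() == "stylesheet"):
            ref = a.get("src") or a.get("href")
            if ref and self.page_is_https and urlsplit(urljoin(self.page_url, ref)).scheme == "http":
                self.findings.append(f"mixed content: <{tag}> fetched over http from {ref}")

    def handle_endtag(self, tag):
        if tag != "form" or self._form is None:
            return
        form, self._form = self._form, None
        if not form["has_password"]:
            return
        if urlsplit(form["action"]).scheme != "https":
            self.findings.append(f"password form submits over cleartext to {form['action']}")
        elif not self.page_is_https:
            self.findings.append(f"password form served over http; action {form['action']} is https "
                                 "but the form itself can be rewritten before it reaches the user")


def audit(page_url, html):
    """Run the auditor over one page and return its findings (empty list means clean)."""
    auditor = LoginPageAuditor(page_url)
    auditor.feed(html)
    auditor.close()
    return auditor.findings


# Constructed sample pages (not the markup of any real site).
HOME_PAGE_HTTP = """<html><body>
<form action="https://login.example.edu/signin" method="post">
  <input name="user"><input type="password" name="pass">
</form></body></html>"""

SECURE_PAGE_MIXED = """<html><head>
<script src="http://static.example.edu/signin.js"></script>
<link rel="stylesheet" href="https://static.example.edu/site.css">
</head><body>
<form action="/signin" method="post"><input type="password" name="pass"></form>
</body></html>"""

SECURE_PAGE_CLEAN = SECURE_PAGE_MIXED.replace("http://static", "https://static")

CLEARTEXT_POST = """<form action="http://www.example.edu/login"><input type="password" name="p"></form>"""


if __name__ == "__main__":
    for url, page in [("http://www.example.edu/", HOME_PAGE_HTTP),
                      ("https://login.example.edu/", SECURE_PAGE_MIXED),
                      ("https://login.example.edu/", SECURE_PAGE_CLEAN),
                      ("http://www.example.edu/", CLEARTEXT_POST)]:
        print(url, audit(url, page) or ["clean"])
```

The "submit an empty form" check in the post is the manual version of the first rule: it proves the form really lands on an https page. The auditor adds the part a user cannot see, namely that the page delivering the form and every script the secure page loads were themselves fetched over https, since either one being plain http is enough for the attack described above.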
October 16th, 2007 at 5:28 am
Boy, it’s a good thing they took down that poster! Now security reigns once more.
There are quite a few students here at my uni that let Ethereal (or whatever it’s called now) run during class, and just watch all the IM conversations going on around them. I’m amazed at what people will say in public.
October 16th, 2007 at 4:12 pm
I’m not sure it was in response to the student who called WaMu, but after you told me about your poster drama I saw a “Why this is secure” link under the WaMu login form. I’ve been signing in there for a few months now, and while it may have been there all along, I hadn’t noticed it before.
Hopefully they’ll wise up and realize that it really isn’t.