• Getting Your Password – Is your Facebook password the same password that you use for other websites? Your email account? Your bank or credit card? If somebody stole your Facebook password, what else would they be able to access?
• Installing Viruses – Some attackers don’t want anything to do with your Facebook account. They just want to make you think you’re logging in to Facebook in order to gain your trust. This way they can more easily persuade you to install viruses on your computer. They could fool you into installing a program that records everything you type (including passwords as you log in to your bank), or other programs to control your computer.
• Annoying Advertisements – Have you ever seen one of your Facebook friends posting a link to some strange website (Find Your Crush! etc.) and think that it was a little out of character for them? Their account was probably broken in to. Advertisements can also be used to trap other unsuspecting users and steal their passwords.

Of course, now you’re wondering how to protect yourself. The best line of defense on the Web has always been to understand what a URL is and what it does. URL stands for Uniform Resource Locator. It’s the thing in your address bar that determines which website you go to. Things like “http://www.google.com” or “http://en.wikipedia.org/wiki/URL” are two different examples of URLs. The most important part of the URL is the domain name. The domain name is the last part of the URL before the slashes (‘/’) start, but after the http://. For an example evilmonkey.com is the domain in this URL: http://www.facebook.com.friends.profiles.evilmonkey.com/other/distracting/stuff/. At first glance, you might think this would lead you to a facebook page, but if you look for the domain name, you’ll see that it’s really going to take you to some website controlled by evilmonkey.com. This is the most popular trick used to steal people’s information on the Internet. If more people would look at the real domain name before clicking on a link then the evil computer monkeys would have a lot less success with their nefarious, little attacks.

To complicate things even more, evil monkeys can even make a link look like one thing, but have it take you somewhere completely different. For example, this URL: http://www.facebook.com will also take you to evilmonkey.com. To see the real URL for that link, just hold your mouse cursor over the top of it, and the real URL that it will take you to will appear on your status bar (should be on the bottom-left corner of your window). As a rule, you should always check the domain name in your address bar before you give any sensitive information to a website.

I’m sorry to say that there are more complicated attacks that can make the URL appear one way, but redirect you to an evil monkey’s server anyway. Although possible, you are very unlikely to be the victim of such an attack. I just had to mention it so my tech-savvy friends won’t bug me after reading this article. Just remember to check your URLs!

I’m sure that I had a lot more to say about this when I stuck this in my draft section almost 3 months ago, but it’s been so long that I think I’ll just be done with it.

This took me a very long time. Instead of looking for some high-level way to do this, I got down and dirty with pcap. It was very interesting to implement, and I learned quite a bit about Ethernet, ARP, IP, and TCP. Unfortunately, it was mostly one big dirty hack that was locked into attacking my workstation, and only serving up a bad BYU home page.

Months later, as I was working on a poster to inform people about how to avoid such attacks, I came up with a way to do the same thing with Squid. It only took me a few hours, and I had similar attacks set up for BYU, Washington Mutual, and Hotmail. Later, I was even able to produce an attack on BYU’s old “Secure Sign-In” page by subverting one of the javascript files that it referenced (this is why we don’t mix secure and insecure content on our webpages, children).

So, I later finished my poster (after a copy was sent to BYU’s IT dept.), and it stayed up for about a week. If you look at it, you’ll notice that it lists a few vulnerable websites at the bottom of the poster. A curious student happened to read the poster, and then call up his bank (most likely WaMu) and tell them that their website is insecure (it still is). Of course, the tech at WaMu told the student that there was nothing to be concerned about. Somewhere in the conversation, the student said that he had seen a poster at BYU that said this and that about their website. Eventually somebody at WaMu called somebody at BYU, and that somebody called the CS department, and then my poster was no more.

But, some good did come out of it. This morning, one of my lab-mates emailed me this link. BYU as locked down their “Secure Sign-In” link, and now they’re going to get rid of the completely insecure login form that’s been on their home page for years. Yea-ah.

So there you go. That was a rather long rant. Also, if you’re curious about WaMu’s website, yes, it’s insecure. It’s not a HUGE problem, but here’s what can happen: When I’m plugged into a network, I can point my attacking program against any other machine on the local network, and if that person logs into WaMu’s homepage, I’ll get their password, and they’ll have no way of knowing. The victim logs in just fine without any hiccups. I’ve also be told that this attack can work over wireless too. If you want to be sure that you’re not being attacked, just submit an empty form, and it will take you to a secure page.

Now for the next cool tool! Ever wanted to do some testing on a server that uses TLS/SSL? Telnet obviously isn’t the answer. OpenSSL to the rescue!  s_client lets you have the simple power of telnet, but it takes care of all the overhead of TLS/SSL.  You can use s_client to test a server to find out if it will allow SSL2 sessions, or find out what happens if the client only requests certain ciphers.  s_server gives you similar control from the server side.