Stealing social network passwords with MITM attacks


Stealing passwords on a LAN is trivial. This linked video (you can’t embed it anywhere, so you’ll have to actually visit the site to see it), which is something like a year old, shows how Windows users can get in on the fun using Cain & Abel.

I bring this up because if social networks are supposed to be the next big thing (which is what I learned at SXSW), they’re gonna need to take security more seriously. A few weeks ago I was screwing around with Biggs’ Facebook profile, exploiting a terribly written third-party app. Who’s to say Scrabulous or some other popular app doesn’t have some wicked security hole in there? Yes, a MITM attack and awful code are two different things, but practicing good security habits is an all-encompassing activity.

In fact, part of the reason why I was on that security panel at SXSW was because I told the story of how during my freshman year of college I used ettercap, aimsniff, ethereal, etc. to, let’s say, cruise my dorm building’s network. Facebook passwords, AIM conversations, you name it. Found a few interesting things, I did, such as my roommate “cybering” with someone. Scandalous!

Video: Man-in-the-Middle Attack on MySpace with Cain [The Ethical Hacker via Slashdot]