Comments on: sslstrip, hijacking SSL in network

By: nobann

nobann — Wed, 05 Jan 2011 01:31:21 +0000

Lol
all of you dunno anything
it’s not phishing lol
It’s arp poisoning + redirection through hacker computer then sslstrip do some makup…
if u understand how internet works, you will never feel secure since the lower level isnt secure …

By: eric fajardo

eric fajardo — Mon, 02 Nov 2009 08:23:44 +0000

Moxie made a good presentation with defeating SSL over HTTPS. Cheating the traffic to be redirected to solely HTTP is very crafty in deed. This is basically true for public / not-so secured websites like Yahoo and Google and the rest, but I guess finding way to smash in for some corporate traffic would be hard if:

1. Force-all traffic as HTTPS in the infrastructure side.
2. Using a 2FA for all standard, remote access.
3. Combining 2FA with OTP for all logins.

I believe that Two-Factor-Authentication is not fool-proof though, but it can definitely make a pain in the ass for a guy listening on your wire to gain access.

By: web user

web user — Sun, 11 Oct 2009 08:08:41 +0000

I just read about 8 comments of absolute drivel. I hereby declare half of you (at least) to be crap headed. If you were in binary form (a file) I would rm -rf every trace of you.

Respectfully sincere,
Web User

By: Aaron Andrusko

Aaron Andrusko — Thu, 30 Jul 2009 04:26:51 +0000

Also, the laser map key capture feels a bit off because:

A: if it’s a laptop (where the screen is bolted on to the keyboard) it might be more simple to get a logger onto the machine via it’s weak wireless transfers.

B: who is using a laptop outside doing anything worth capture?

C: if someone is using a laptop outside while doing anything of sensitivity, and he or she is behind glass, how does that attenuate the signal’s strength? Window treatments? Polarization? At what point would proximity be hindered to a point of futility?

D: the carrier laser would have to be in the non visible spectra to convey the data without detection of the target. That entails using a camera instead of a simple sensor to see the IR scatter from the laser on the “laptop”s screen or some area for alignment, greatly complicating things as the sample rate of the ccd would have to be very high, and thats contra indicative of using the on-board sound as an ADC. Sure, you could build some sort of alignment mechanics to compensate for a simple 3d index of the screen, with a reduction in return power over the angle of observation, but by then, the camera implementation would be cheaper. I would rather socially engineer my way into the cookie and boogie. Still, a nice paper though!

By: Aaron Andrusko

Aaron Andrusko — Thu, 30 Jul 2009 04:13:01 +0000

The key capture window is predicated on using a PS2 keyboard. Try again.

By: smyd

smyd — Wed, 29 Jul 2009 23:45:25 +0000

pffft it is just phishing. Move along.

By: IceBrain

IceBrain — Sat, 07 Mar 2009 13:03:14 +0000

a.b.z.: You’re right, I didn’t read the part where they “redirect” the user to the real webserver. AFAIK most phishing pages don’t do that.

Is there any tips on how to avoid this? If we type the url by hand using “https” it should be safe, no?
But my bank redirects me to http to login :facepalm:

By: A.B.Z

A.B.Z — Sat, 07 Mar 2009 02:07:43 +0000

icebrain you should be called nobrain. Ive tested this on firefox and even if you type in the wrong pssword it wont log you in.

By: DarkFader

DarkFader — Thu, 26 Feb 2009 20:39:34 +0000

This calls for some IDS to be installed. Anyone know some good one for OS X with not too much overhead and in a nice .dmg/.app package?

By: IceBrain

IceBrain — Wed, 25 Feb 2009 15:14:53 +0000

Hey, this doesn’t hijack https! Hijacking would mean tack over a established connection. This redirects the user “before” a ssl connection is made, to a similar site. If you’re already loggen in to the bank, they can’t hijack you, the connection is encrypted.

And there’s a simple way to tell if you’re on the right website before logging in: Just try to login with false data first. The fake website won’t know it’s false and will let you “login”, but the real website will give you “wrong password”.

By: ex-parrot

ex-parrot — Wed, 25 Feb 2009 11:59:34 +0000

atrain: even for TLD’s such as .cn, they have a filter in place for blocking fraudulent characters.

check the list of links to policies I linked :)

By: supershwa

supershwa — Tue, 24 Feb 2009 23:10:01 +0000

heh crap — i read this article after completing a payment card industy self-assesment questionnaire for a client’s merchant account.

i’ll pretend i never saw this.

By: ejonesss

ejonesss — Tue, 24 Feb 2009 18:24:51 +0000

that is an extremely dangerous program.

for those who care about the security of their online transactions needs to be careful

By: steaky

steaky — Tue, 24 Feb 2009 16:29:40 +0000

question:

As opposed to just bank, ISP and user PC, couldnt this be done on a dns server or someones router?
or, as he said, on a Tor node.
it would seem that the people that could get burned with this use the tor network and so, stereotypically dont want ppl seeing what they are doing.

By: atrain

atrain — Tue, 24 Feb 2009 14:16:30 +0000

ex-parrot:
So you just use an international tld. That’s exactly what he does in his his lecture, uses a .cn site. You get you own cert for it, etc.

Even that isn’t really necessary since 99% of people wouldn’t be able to notice the difference between http and https.