Recap of “Man in the Middling” Talk at ShmooCon

February 8, 2009
By grecs

The Jay Beale talk entitled “Man in the Middling: Everything with the Middler” was a session not to be missed. As usual, most attendees were forced to stand because all of the seats were taken long before the talk actually began. While Beale’s talks are usually packed anyway, the rumblings on the web that he would be releasing the Middler at ShmooCon definitely upped the ante.

Prior to Beale’s talk, the audience demanded that the Middler be released. Unexpectedly, Beale started tossing out USB sticks with the first released versions. Thankfully, those lucky recipients uploaded the program to the web within a few minutes.

The first part of Beale’s talk focused on shared networks as an attack vector. Whether wired or wireless, most of us use shared networks in some way, shape, or form. While most of us pay close attention to what happens on our home and work networks, it’s sometimes easy to forget that in-between these networks we use additional networks at coffee shops, bookstores, and anywhere else that has a wireless connection.

While it’s a subject that has been nearly beaten to death (which is why Beale didn’t spend too much time on it), Beale did remind his audience that using shared networks opens them up to proxy and DNS attacks, and that it’s DHCP and ARP spoofing attacks that make proxying possible. Using these methods, an attacker can tunnel all traffic through his machine fairly easily.

Building on the problems brought about by shared networks, Beale then discussed additional issues caused by sites that use mixed HTTP and HTTPS protocols. For the most part, many popular sites only use HTTPS during user login. After the user is logged in, all traffic is typically transferred in the clear. An attacker can easily grab the session ID to take over the user’s session.

After considering the weaknesses caused by shared networks and mixed HTTP/HTTPS, Beale came up with the simple attack scenario that the Middler is based on. From slide 8 of his talk, the steps are to direct a client to the attacker’s host with DNS, DHCP, or ARP spoofing and to pass the HTTPS traffic through unmodified, apart from a few exceptions to the HTTPS handling (listed in the bullets below) that make the attack work:

• Inject JavaScript into a clear text response
• Store session keys and send attacker’s own requests in parallel
• Intercept any logout requests
• Replace HTTPS links in any proxied pages with HTTP links
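The weakness the scenario depends on is a session cookie that keeps being sent after the HTTPS login is over. As an added illustration (not code from Beale’s talk or from the Middler), here is a small Python audit of Set-Cookie headers that flags session cookies a mixed HTTP/HTTPS site would expose: without the Secure attribute the browser sends the cookie on the very first clear-text request after login, and without HttpOnly any script injected into a clear-text page can read it. The sample headers and the name heuristic are constructed for this example.

```python
import re
from typing import Dict, List

# Constructed sample: Set-Cookie headers as a site might return them right
# after an HTTPS login. Names and values are invented for this example.
SAMPLE_SET_COOKIE_HEADERS = [
    "PHPSESSID=9d2f4c1a8e7b; Path=/",
    "auth_token=abc123; Path=/; Secure; HttpOnly",
    "theme=dark; Path=/; Max-Age=31536000",
    "remember_me=xyz; Path=/; HttpOnly",
]

# Heuristic (an assumption for this example): cookie names that usually
# carry a session or login token.
SESSION_NAME_HINT = re.compile(r"(sess|auth|token|sid|login|remember)", re.I)


def parse_set_cookie(header: str) -> Dict[str, object]:
    """Split one Set-Cookie header into name, value and lower-cased attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, object] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def audit_cookie(cookie: Dict[str, object]) -> List[str]:
    """Return the problems that matter on a mixed HTTP/HTTPS site."""
    findings: List[str] = []
    if not SESSION_NAME_HINT.search(str(cookie["name"])):
        return findings  # not session-like; leaking it is not a takeover
    attrs = cookie["attrs"]
    if "secure" not in attrs:
        findings.append("missing Secure: sent in the clear on the first HTTP request after login")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: readable by script injected into a clear-text page")
    return findings


def audit_headers(headers: List[str]) -> Dict[str, List[str]]:
    """Map each problematic cookie name to its list of findings."""
    report: Dict[str, List[str]] = {}
    for header in headers:
        cookie = parse_set_cookie(header)
        problems = audit_cookie(cookie)
        if problems:
            report[str(cookie["name"])] = problems
    return report


if __name__ == "__main__":
    for name, problems in audit_headers(SAMPLE_SET_COOKIE_HEADERS).items():
        print(name)
        for problem in problems:
            print("  -", problem)
```

Run against a real site’s login response, the same check shows whether the session survives a downgrade to HTTP; a cookie carrying Secure never leaves the browser on a clear-text request.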

Due to the initial barrage of ShmooBalls, Beale and his team skipped a few sections of his talk and jumped right into presenting the demo of the Middler. While the software is still in its beta phase, most of it works just fine.

As I mentioned before, the program is now available on the web after being uploaded by individuals who received a copy of it at the talk. It is also available on the InGuardians web site.

Overall, Beale’s talk was a very fun and entertaining session. He’s an excellent public speaker and really knows how to play the crowd. Oh, and did I mention that he released the Middler…

Did any of you attend the talk? If so, what did you think of it?


One Response to “Recap of “Man in the Middling” Talk at ShmooCon”

  1. [...] blog post once I’ve had time to play with the Middler), I’m going to point you to a post on NovaInfosecPortal.com which contains further details. The Middler can be downloaded from the InGuardians website [...]
