I agree with Trevor, it was wrong for Dan, from Aten Labs
(http://www.atenlabs.com), to not publicly disclose his Man In the
Middle (MITM) attacks on the group.  It was an even bigger issue for
me when he said his intended targets were non LUG members in the
coffee shop.

It would be interesting to discuss the different methods for these
attacks.  Using Ettercap for MITM is no secret, however, there is more
than one way to skin a cat.  We could talk about some of the different
combinations, with full disclosure, for all that are unfamiliar.  I do
not know everything about security and think there is a ton to learn.

In the spirit of sharing ::grin::, and with the release of a new
version (v0.3), I would like to point out SSLStrip.  By now, many of
you have probably heard of this tool, or methods for getting similar
results.  SSLStrip will transparently hijack HTTP traffic on a
network, watch for HTTPS links and redirects, then map those links
into either look-alike HTTP links or homograph-similar HTTPS links. It
also supports modes for supplying a favicon which looks like a lock
icon, selective logging, and session denial.

This tool has been out since Black Hat DC 2009
(http://www.thoughtcrime.org/software/sslstrip) and is very easy to
test out.  The Readme file is very straightforward.  SSLStrip can also
be integrated with ettercap.  Check the website for a video.

Chris...

On Mon, Jul 20, 2009 at 10:53 PM, Trevor Benedict<[email protected]> wrote:
> I was not there at that meeting.
> And now as the person in charge, I must say something.
>
> Not publicly disclosing that you're about to do a hack on the group is just
> wrong.
>
> And this forum is open for anyone to talk about what goes on at a meeting.
> If only one person knew about what you did, and never disclosed it, it would
> have ended there.
> And from what I understand is that the issue was brought up AT the meeting
> with everyone.
> That leaves it open to discussion here in this forum.
> That thread was a good thread about ethical disclosure and hacking.
> Was the discussion slander towards Dan? no. From what I understand, it was
> all true.
>
> That's my 2c.
> -- Trevor Benedict
>
>
>
> On Mon, Jul 20, 2009 at 12:02 AM, David Kaiser <[email protected]> wrote:
>>
>> To members of the "linuxusers" list...
>>
>> I feel obligated to explain the e-mail that I am replying to.  Several of
>> you were in attendance at the SRCLE meeting on December 27, 2008, and
>> witnessed first-hand the events which transpired.  Most of you read the
>> discussion that started on December 28, 2008 where nearly all of us
>> participated in an open discussion about the legality and ethics of
>> someone who had attended that meeting.  We are now being accused of
>> libel because of statements made in these discussions on that e-mail
>> thread.
>>
>> Our discussion on the mailing list starting December 28, 2008 has already
>> helped many of our members understand the issues around MITM attacks,
>> and I know several of you have talked to me at LUG meetings about things
>> related to DNS security, and also many of you at SCALE this year went
>> through the process of understanding SSL certificates and how they work.
>>
>> We encourage each of you to continue to ask questions about matters
>> related to security and to continue to keep our forum and mailing list
>> open and transparent as we have since we started.
>>
>> If you have questions related to this matter, please feel free to discuss
>> or ask Roger or me.
>>
>> Thanks,
>>
>> David
>>
>>
>> --- Original Message ---
>> Date: 7/20/2009
>> From: "Roger E. Rustad, Jr." <[email protected]>
>> Subject: Re: SocalLinux.org public forum messages
>>
>>
>> Dan,
>>
>> On 7/13/09, you accused David and me of libel and threatened legal action
>> if
>> we did not remove specific verbiage from the email thread "Dan Tentler's
>> script kiddie antics last night" beginning 12/27/08.
>>
>> In response to your email, David and I would like to confirm the following
>> set of events and remind you of what went on on the evening of 12/27/08 at
>> It's a Grind coffee shop in Murrieta, CA.
>>
>> On 12/27/08,
>>
>> --you attended a SoCal Linux user group ("LUG") meeting at It's a Grind
>> Coffee in Murrieta, CA.
>> --you interfered with the regular and expected usage of the wireless
>> router
>> provided by It's A Grind Coffee with full knowledge that LUG members (and
>> other It's A Grind patrons who were not LUG members) were connected to
>> and
>> using the wireless router.
>> --you issued false ARP update statements, for the purpose of spoofing all
>> users of the router to use your Macbook as the router, and you did not
>> disclose to the users of the wireless network that you were doing this
>> spoofing
>> --since your Macbook was the proverbial "man in the middle" of all
>> communications at that point, you used a program, such as ettercap plus
>> additional tools, to capture TCP packets which were passing through the
>> spoofed network, and you did not disclose to the users of the wireless
>> network that you were capturing their information contained in the TCP
>> packets.
>> --you ran a program, such as ettercap plus additional tools which were
>> designed to intercept connections on the spoofed network and interfered
>> with
>> the operation of secure socket layer (SSL) communications by issuing fake
>> SSL certificates to the requester, and you did not inform the users of the
>> wireless network that you were issuing fake SSL certificates to them.
>> --you used these software programs and tools to issue a LUG member a fake
>> SSL certificate for talk.google.com, and you did not inform this LUG
>> member
>> that you were responsible for issuing a false SSL certificate for
>> talk.google.com.
>> --by impersonating the secure site 'talk.google.com' (by issuing a
>> false SSL
>> certificate for talk.google.com), you obtained and stored information,
>> including a password from a person whose system was signing on to
>> talk.google.com, and you did not immediately disclose to this person that
>> you had intercepted his personal information
>> --you ran a program, Nessus, which is designed to find exploitable
>> openings
>> in a remote system, and targeted this Nessus program against customers in
>> It's A Grind coffee shop, including LUG members, and you did not inform
>> anyone that you were running Nessus scans against their laptops.
>>
>> --From 12/28/08 until 7/13/09 (the date you emailed David Kaiser and me
>> and
>> threatened legal action), you did not publicly address the LUG's
>> collective
>> concerns about capturing members' (and possibly nonmembers') private and
>> personal information.
>>
>> Please be advised that...
>>
>> --we discuss many issues publicly on the Socallinux.org listserv. This is
>> typical for a LUG to do, as one of the purposes of a LUG is to provide
>> educational value for its members, and to communicate with openness and
>> transparency.
>> --listserv discussions may be searchable via search engines, such as
>> Google,
>> as we do not block search engines with robots.txt
>> --discussions regarding security are often done online.  LUG members use
>> the
>> listserv to exchange information and learn about all issues regarding
>> their
>> computers, including discussions in areas of security.
>> --SoCal Linux has freely discussed the events which happened when you
>> visited It's A Grind Coffee on the night of 12/27/08.
>> --SoCal Linux has freely discussed the ethics of your actions on the night
>> of 12/27/08.
>> --SoCal Linux members, in general, have not considered your actions on the
>> night of 12/27/08 a joke.
>>
>> Once again, we invite you to respond publicly to what several of us
>> consider
>> (at best) rude and (at worst) illegal. You are, in your words, a security
>> expert, and as a security expert, we fully expect openness and
>> transparency
>> when dealing with our group (something many of us do not feel that you did
>> on the evening of 12/27/08).
>>
>> You claim that we have committed libel, yet you have failed to demonstrate
>> the untruthfulness of our claims or explain how you are justified to seize
>> someone else's password without their permission and not expect us to
>> talk
>> about it openly. Talking openly about this, we believe, helps others in
>> our
>> group understand the mechanics of your MITM attack (as what you did was
>> not
>> for the edification of the group), as well as the legal and ethical
>> implications of performing this procedure without the express permission
>> of
>> your target.
>>
>> Regards,
>> Roger and David
>>
>> On Mon, Jul 13, 2009 at 12:54 PM, Dan Tentler <[email protected]> wrote:
>>
>> >  Hi David, Roger,
>> >
>> >  It's been 3 days and I haven't heard from you at all.
>> >
>> >  I wanted to inform you that portions of what's posted on
>> > socallinux.org legally qualify as libel:
>> >
>> >  Roger's comments:
>> >
>> >  (a) Not formally and publicly disclosing that he was using Backtrack to
>> > sniff other members' traffic.
>> > (b) Not immediately getting rid of another member's gmail password once
>> > he handed out a fake certificate and sniffed it with Ethereal.
>> > (c) Doing what he was doing secretly, rather than for the edification of
>> > the group
>> >
>> >
>> >
>> >  And your comments:
>> >
>> >  When Dan set out to steal people's passwords...
>> >
>> >
>> >  Both of these blocks of text contain statements made by yourself and
>> > Roger
>> > which are both untrue, and at best are speculation.
>> > This libel has come up in my day-to-day business. It has already cost me
>> > one client.
>> >
>> > As such I am giving you one week from today to remove the libel from
>> > your
>> > site.
>> >
>> > If after one week I am still able to access these threads publicly
>> > I'll
>> > be coming back with an attorney and taking this as far as the law
>> > will
>> > let me.
>> >
>> > If this matter is not resolved by 7/20, my next communication will be to
>> > the both of you, via registered mail.
>> >
>> > -Dan Tentler
>> > CEO, AtenLabs
>> >
>> >
>> _______________________________________________
>> LinuxUsers mailing list
>> [email protected]
>> http://socallinux.org/cgi-bin/mailman/listinfo/linuxusers
>
>
>
>



-- 
"As we open our newspapers or watch our television screens, we seem to
be continually assaulted by the fruits of Mankind's stupidity."
 -Roger Penrose
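
The false ARP updates described in the quoted letter are visible on a client as the gateway's IP address suddenly resolving to another host's MAC address. The following is an added example, not part of the original thread: a small Python check that compares two saved `arp -an` outputs. The function names, the sample addresses (documentation range 192.0.2.0/24) and the MAC addresses are constructed for illustration.

```python
import re
from collections import defaultdict

# Matches one line of `arp -an` output on Linux or macOS, e.g.
# "? (192.0.2.1) at 00:11:22:33:44:55 [ether] on wlan0"
ARP_LINE = re.compile(r"\((\d+\.\d+\.\d+\.\d+)\) at ([0-9a-fA-F:]{11,17})")

def parse_arp(text):
    """Return {ip: mac} from `arp -an` output, skipping incomplete entries."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if m:
            # macOS prints octets without leading zeros; normalise them
            mac = ":".join(o.zfill(2) for o in m.group(2).lower().split(":"))
            table[m.group(1)] = mac
    return table

def find_spoofing(before, after, gateway):
    """Compare two ARP snapshots and return a list of warning strings."""
    old, new = parse_arp(before), parse_arp(after)
    alerts = []
    # Sign 1: the gateway's MAC changed between the two snapshots
    if gateway in old and gateway in new and old[gateway] != new[gateway]:
        alerts.append(f"gateway {gateway} moved from {old[gateway]} to {new[gateway]}")
    # Sign 2: one MAC address now answers for several IP addresses
    owners = defaultdict(list)
    for ip, mac in new.items():
        owners[mac].append(ip)
    for mac, ips in owners.items():
        if len(ips) > 1:
            alerts.append(f"{mac} answers for {', '.join(sorted(ips))}")
    return alerts

# Constructed sample snapshots (documentation addresses, made-up MACs)
BEFORE = """\
? (192.0.2.1) at 00:11:22:33:44:55 [ether] on wlan0
? (192.0.2.23) at 0:aa:bb:cc:dd:ee [ether] on wlan0
"""
AFTER = """\
? (192.0.2.1) at 00:aa:bb:cc:dd:ee [ether] on wlan0
? (192.0.2.23) at 00:aa:bb:cc:dd:ee [ether] on wlan0
? (192.0.2.40) at <incomplete> on wlan0
"""

if __name__ == "__main__":
    for alert in find_spoofing(BEFORE, AFTER, "192.0.2.1"):
        print("WARNING:", alert)
```

A shared MAC address is not proof of an attack on its own (proxy ARP and multi-homed hosts produce it too), so treat the second alert as a prompt to investigate.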
