Who's afraid of Mallory Wolf?

Steven M. Bellovin smb at research.att.com
Mon Mar 24 13:02:37 EST 2003


In message <200303232310.22334.iang at systemics.com>, Ian Grigg writes:
>Who's afraid of Mallory Wolf?
>
>Even worse, there's not been any known MITM of
>any aggressive form.  The only cases known are
>a bunch of demos, under laboratory conditions.
>They don't count, and MITM remains a theoretical
>attack, more the subject of learnings and design
>exercises than the domain of business or crypto
>engineering.

Sorry, that's flat-out false.  If nothing else, there was a large-scale 
MITM attack on the conference 802.11 net at the 2001 Usenix Security 
Symposium.

Spammers are hijacking BGP prefixes; see 
http://www.merit.edu/mail.archives/nanog/2002-10/msg00068.html
for one such incident.

Eugene Kashpureff pleaded guilty to domain-name hijacking; used
very slightly differently, that's a MITM attack.  See
http://www.usdoj.gov/criminal/cybercrime/kashpurepr.htm for
details.

I warned of the possibility of hijacking via routing attacks in 1989,
and via DNS attacks in 1995.  (See the 'papers' directory on my Web
site.)  Given that the attacks were demonstrably feasible, Netscape
would have been negligent not to design for it.  Given that such attacks
or their near cousins have actually occurred, I'd say they were right.

And yes, you're probably right that no one has stolen credit card numbers
that way.  Of course, since the defense was in place before people
had an opportunity to try, one can quite plausibly argue that Netscape
prevented the attack....

---------------------------------------------------------------------
The Cryptography Mailing List