|
[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]
|
[PLUG] IP: Comcast man-in-the-middle attack (fwd)
|
Hi all,
Given the recent interest in Comcast, you might find the article below
relevent.
Notice the reported use the caching server to do everything but caching !!
P.S. Now, I __will__ wait a month for DSL
Jaiwant Mulik
-------------------------------------------------------------------------
Email : jmulik@temple.edu (preferred), jmulik@acm.org
Home page : http://unix.temple.edu/~jmulik
Location : Netlab, Room 1043/1044, Wachman Hall.
Phones : (215) 204-3197 (o), (215) 777-4828 (r), (215) 460-1125 (c)
-------------------------------------------------------------------------
Lekin woh zindagi he kya, jisme koi namumkin sapna na ho ?
I may climb perhaps to no great heights, but I will climb alone.
- Cyrano De Bergerac
---------- Forwarded message ----------
Date: Fri, 08 Feb 2002 10:02:04 -0500
From: David Farber <dave@farber.net>
Reply-To: farber@cis.upenn.edu
To: ip-sub-1@majordomo.pobox.com
Subject: IP: Comcast man-in-the-middle attack
>>Date: Thu, 7 Feb 2002 20:33:42 -0800 (PST)
>>From: J Edgar Hoover <zorch@totally.righteous.net>
>>To: <vuln-dev@securityfocus.com>
>>Cc: <bugtraq@securityfocus.com>
>>
>>
>>Comcast "transitioned" my city from @home about a month ago. In the past
>>week, they implimented what appears to be an Inktomi Traffic-Server
>>transparent cache at 68.34.76.99.
>>
>>This allows them to not only log all http requests, but to also log the
>>response. Maybe they want to profile their customer browsing history for
>>subsidiaries or resale to marketers. Maybe they want to do their part in
>>The War on Freedom. Maybe they just want passwords to porn sites.
>>Apparently they aren't using it to maximize bandwidth, because it's not
>>configured to serve cached data.
>>
>>And yes, they have purchased a lot of the specific, unique hardware that
>>is required to do all this logging.
>>
>>If a comcast victim/customer sends a packet to port 80 at any IP address,
>>it is intercepted by the Inktomi Traffic-Server, the contents of the
>>packet are examined for the GET url and the "Host:" field. The Inktomi
>>Traffic-Server then sends the http request on to your destination from
>>it's address with modified content and headers. It then caches the
>>returned data, changes both the header and the content, and sends the
>>packet to your machine with the spoofed IP of the server you had
>>requested.
>>
>>This allows them to monitor and change (or insert ads into) what
>>you read.
>>
>>Interestingly, regardless of what IP you address the packet to, the
>>Inktomi Traffic-Server reads the Host: field to determine where to send
>>the packet. I sent several packets from my home machine to one of my
>>office machines, inside the packet was "Host: www.comcast.net". Comcast
>>illegally intercepted, misinterpreted and altered this packet, and sent it
>>to www.comcast.com. So, you might say there's a bug in this evil Inktomi
>>Traffic-Server thing.
>>
>>Oh,
>>
>>
>>US Code TITLE 18, PART I, CHAPTER 119, Sec. 2511. (2) (a) (i)
>>
>>
>>"...a provider of wire communication service to the public shall not
>>utilize service observing or random monitoring except for mechanical or
>>service quality control checks."
>>
>>Does federal law only apply when a little guy snoops on a big corporation?
>>Where are the feds now?
>
>
For archives see:
http://www.interesting-people.org/archives/interesting-people/
______________________________________________________________________
Philadelphia Linux Users Group - http://www.phillylinux.org
Announcements-http://lists.phillylinux.org/mail/listinfo/plug-announce
General Discussion - http://lists.phillylinux.org/mail/listinfo/plug
|
|