[Pauldotcom] MiTM Awareness....

[Brian H]

I just finished watching Adrian's "Hacker Con WiFi Hijinx Video:  
Protecting Yourself On Potentially Hostile Networks " which was fun,  
and I was happily surprised to see he had started development of an  
user end IPS "DecaffeinatID".  It reminded me of  the "Hot Spot  
Defense Kit" from the Shmoo group.  Ever since I saw it during a  
Defcon presentation, I loved it and I thought it should pretty much be  
a standard install with any wireless workstation.  Sadly no  
development seems to have gone past that proof of concept.  It was  
useful for Tiger installs, but nothing since.

With the advent of so many MiTM tools out there, it seems that there  
are so few defensive ones.  I'm not a programmer, but it just seems so  
surprising that more of these haven't been developed.  I realize that  
ARP is only one attack vector, and that DNS and DHCP spoofing can also  
be employed, but this just seems to be the easy, low hanging fruit  
that hasn't been picked off yet.

One's I know of:

- Windows - decaffeinatid - beta development - promising outlook
- Macintosh - Hot Spot Defense Kit (HSDK) - no development - Broken in  
Leopard (10.5)
- Macintosh - ArpSpyX - current development? - just found it, have yet  
to test
- Linux - Arpwatch - current development - basic command line, not  
widget/desktop friendly

What are your experiences on host based protection from MiTM attacks?

Also, speaking of hostile networks, how many people are heading to  
Defcon17?  Any possibilities for a meet up?

----
Brian H
binarynomad at gmail.com