BreachExchange mailing list archives

What Is A Man-In-The-Middle Attack? Security Jargon Explained
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 18 Jul 2014 13:22:50 -0600

http://www.makeuseof.com/tag/man-middle-attack-security-jargon-explained/

A man-in-the-middle attack is difficult to identify and defend against.
MITM attacks generally don’t depend on infecting computers on either end of
the system. Instead, they depend on controlling the communications
equipment between two systems. For example, a malicious router offering
free Wi-Fi in a public location may perform a man-in-the-middle attack.

An Offline Man-in-the-Middle Attack

Man-in-the-middle attacks were around before computers. This type of attack
involves an attacker inserting themselves in between two parties
communicating with each other. Man-in-the-middle attacks are essentially
eavesdropping attacks.

For example, let’s say you’re communicating with someone over physical mail
— you’re writing letters to each other. If you had a crazy mailman, they
could intercept each letter you mail, open it, read it, and then repackage
the letter and send it to your original recipient. The original recipient
would then mail you a letter back, and the mailman would open the letter,
read it, repackage it, and give it to you. You wouldn’t know there’s a man
in the middle of your communications channel — properly performed, this
sort of attack is invisible to the participants.

This sort of eavesdropping — taking over a communications channel between
two participants and eavesdropping on traffic — is the core of a
man-in-the-middle attack. It could be worse than simply reading personal
correspondence. If you were sending letters back and forth with business
plans, the attacker could intercept that data without you knowing.

The attacker could also modify the messages in transit. Let’s say you send
a letter to someone. The man-in-the-middle could add a note to that letter,
asking for some sort of favor — maybe they ask the person on the other end
to include some cash because you really need money. Sure, the writing might
not look identical, but the man-in-the-middle could rewrite your letter
word-for-word, add their custom message, and mail the letter to the
recipient. As long as the man-in-the-middle was doing this the entire time,
the recipient wouldn’t notice that it wasn’t your handwriting. The
recipient might write a letter back and mention they included some money,
and the man-in-the-middle could keep the money, rewrite their letter —
omitting the reference to the money — and send the letter to you. This
takes a bit of work in an offline world, but it’s much easier to do this
sort of thing online where it can be automated by software.

Online Man-in-the-Middle Attacks

Online man-in-the-middle attacks work in the same way. For example, let’s
say you connect to a malicious wireless router — perhaps a router offering
free Wi-Fi in a public location. You then attempt to connect to your bank’s
website. In the most obvious attack scenario, you’d see a certificate error
informing you that the bank’s website doesn’t have the appropriate
encryption certificate. This would alert you to a man-in-the-middle attack,
but quite a few people might click through this error message. You sign
into your bank and perform transactions like you normally would. Everything
seems to be fine.

In reality, an attacker could have set up a fake server that appears to be
your bank. When you connect to it, it fetches the bank’s web page, modifies
it a bit, and presents it to you. You sign in with your account details and
those details are sent to the man-in-the-middle server. The server then
logs in for you, grabs your account details page, and sends you a copy.
Everything may look normal, but really there’s a server sitting in the
middle, forwarding data back and forth and eavesdropping on the sensitive
information. The certificate problem was the only warning — the
man-in-the-middle server wouldn’t have the appropriate security certificate
your real bank’s website would.

With typical unencrypted HTTP websites — not encrypted HTTPS websites —
you’d have no warning of a man-in-the-middle attack. This is why sensitive
web pages like account login pages, online banking systems, shopping sites,
and email services are usually offered over HTTPS.

An attack like this doesn’t have to depend on you clicking through a
certificate warning. The SSLStrip attack tool can strip HTTPS encryption
from a site, so you’d visit your bank’s website, be redirected to an
unencrypted HTTP version, and be compromised if you attempted to log in.
The only indication there was a problem would be that your bank’s site was
being offered over HTTP instead of HTTPS — something very easy to miss.

Other man-in-the-middle attacks could depend on software infecting your
computer — for example, malware could hide in the background on your
computer, inserting itself between your web browser and the servers it
contacts to perform a man-in-the-middle attack on your browser. Such
malware should be detectable by good antivirus software, of course.

Defending Against MITM Attacks

MITM attacks are tough to defend against on your end. They generally
indicate that a communication channel itself — such as a Wi-Fi router — is
compromised. Noticing man-in-the-middle attacks is possible, but the remote
server will have to be using HTTPS encryption and you may need a sharp eye.
Here are a few tips:

- Don’t Ignore Certificate Warnings: A security certificate warning
indicates there’s a serious problem. The certificate doesn’t match the
server you’re seeing, so this could mean you’re communicating with a
phishing server or an imposter server performing a MITM attack. It could
also indicate a misconfigured server, which is why many people have been
trained to ignore it. Don’t just click through warning pages like this,
especially when accessing sensitive sites like your email or online banking.
- Check for HTTPS: When connecting to a sensitive site where you enter an
important password or credit card details, be sure the site is using HTTPS
encryption. Quickly glance at your address bar and ensure encryption is
in place before logging in, especially on public Wi-Fi networks. The EFF’s
HTTPS Everywhere plug-in will help a bit here, forcing your browser to use
HTTPS where sites support it.
- Exercise Caution With Public Wi-Fi Networks: Be especially careful when
connecting to public Wi-Fi networks you don’t trust. Avoid doing
online banking and other especially sensitive things on such networks. Be
especially suspicious if you see certificate error messages and sensitive
sites without HTTPS encryption on public Wi-Fi networks.
- Run Antivirus Software: Antivirus software and other basic Internet
security practices will help protect you against man-in-the-middle attacks
that require malware running on your computer.
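As an added example that is not part of the article (and not HTTPS Everywhere's own code), here is the check behind the "Check for HTTPS" tip and the SSLStrip downgrade above, in Python: a constructed list of hosts known to serve HTTPS, a function that flags and upgrades any http:// link to them (the downgrade SSLStrip produces), and a scan of a sample page for such links. The ruleset format, the host names and the sample page are all constructed for this example.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed ruleset (a simplification, not HTTPS Everywhere's format):
# hosts known to serve HTTPS; a leading dot covers the host and its subdomains.
KNOWN_HTTPS_HOSTS = frozenset({".examplebank.test", "mail.example.test"})


def host_is_protected(host, rules=KNOWN_HTTPS_HOSTS):
    """True if host (case-insensitive) is covered by an entry in rules."""
    host = host.lower().rstrip(".")
    for rule in rules:
        if rule.startswith("."):
            if host == rule[1:] or host.endswith(rule):
                return True
        elif host == rule:
            return True
    return False


def enforce_https(url, rules=KNOWN_HTTPS_HOSTS):
    """Return ('keep', url) or ('upgrade', https_url) for a protected host."""
    parts = urlsplit(url)
    # urlsplit yields the real host, so a lookalike in the userinfo part
    # (http://examplebank.test@evil.test/) is not mistaken for the bank.
    host = parts.hostname or ""
    if parts.scheme.lower() != "http" or not host_is_protected(host, rules):
        return "keep", url
    # An explicit :80 would be wrong on HTTPS; any other port is preserved.
    netloc = host if parts.port in (None, 80) else f"{host}:{parts.port}"
    return "upgrade", urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


_HREF = re.compile(r"""href\s*=\s*["']([^"']+)["']""", re.IGNORECASE)


def find_downgraded_links(html, rules=KNOWN_HTTPS_HOSTS):
    """Return the href targets that point at a protected host over plain HTTP,
    the signature of the SSLStrip rewrite the article describes."""
    return [u for u in _HREF.findall(html) if enforce_https(u, rules)[0] == "upgrade"]


# Constructed sample page, as a downgrading proxy might hand it to the browser.
SAMPLE_PAGE = """
<a href="http://www.examplebank.test/login">Sign in</a>
<a href="https://www.examplebank.test/help">Help</a>
<a href="http://examplebank.test@evil.test/login">Lookalike</a>
<a href="http://news.example.test/">Unrelated site</a>
"""

if __name__ == "__main__":
    for link in find_downgraded_links(SAMPLE_PAGE):
        print("downgraded:", link, "->", enforce_https(link)[1])
```

Only the login link is reported: the HTTPS link is left alone, the lookalike URL is parsed to its real host (evil.test) and not treated as the bank, and the unrelated site is outside the ruleset.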

Man-in-the-middle attacks depend on compromising a communications channel.
The communication channel will generally be out of your control, so you’ll
want to use a different communications channel if you encounter a potential
MITM attack. This may mean disconnecting from a suspicious public Wi-Fi
network and using a more secure Internet connection.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail sales () riskbasedsecurity com
