Saturday, July 23, 2016

Beware the man in the middle attack

Image courtesy of Charis Tsevis at Flickr.com
A man-in-the-middle attack (MITMA) is one in which an attacker positions himself between the sender and receiver of information and sniffs whatever is being sent. In some cases users send unencrypted data, which means the man-in-the-middle (MITM) can obtain all of it. The attacker secretly intercepts and relays messages between two parties who believe they are communicating directly with each other. The attack is a type of eavesdropping in which the entire conversation is controlled by the attacker. Sometimes referred to as a session hijacking attack, MITM has a strong chance of success when the attacker can impersonate each party to the satisfaction of the other. The man-in-the-middle attack is also known as a bucket brigade attack, or sometimes as a Janus attack in cryptography. One way an attacker can pull off a MITM attack where public Wi-Fi is available is to create a fake Wi-Fi hotspot that uplinks to the public place's Wi-Fi; the attacker can then use a tool to intercept SSL connections. To protect against a MITM attack, the client should verify the server's certificate. This can be done by way of certificate pinning.
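As an added example, not code from the original post, here is the pinning check just mentioned, written in Go with only the standard library: the client stores the SHA-256 fingerprint of the genuine server certificate and rejects any connection whose leaf certificate hashes to anything else, which is exactly what a certificate served from a fake hotspot would do. The host name bank.example, the self-signed certificates and the function names are constructed for the demo; a real client would record the fingerprint of the genuine certificate out of band.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// selfSignedDER mints a throwaway certificate to stand in for a server's real one
// (constructed for the demo only).
func selfSignedDER(cn string) []byte {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return der
}

// Fingerprint is the SHA-256 of the DER-encoded certificate: the value the client pins.
func Fingerprint(der []byte) []byte {
	sum := sha256.Sum256(der)
	return sum[:]
}

// CheckPin accepts a presented certificate only if its fingerprint equals the pinned one.
func CheckPin(presentedDER, pinned []byte) error {
	if subtle.ConstantTimeCompare(Fingerprint(presentedDER), pinned) != 1 {
		return errors.New("certificate fingerprint does not match pin: possible man in the middle")
	}
	return nil
}

// PinnedTLSConfig returns a client config whose VerifyPeerCertificate callback applies the pin
// to the leaf certificate. Go runs this callback only after its normal chain validation has
// passed, so with InsecureSkipVerify left false the pin is an extra check on top of CA trust,
// not a replacement for it.
func PinnedTLSConfig(serverName string, pinned []byte) *tls.Config {
	return &tls.Config{
		ServerName: serverName,
		VerifyPeerCertificate: func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
			if len(rawCerts) == 0 {
				return errors.New("server presented no certificate")
			}
			return CheckPin(rawCerts[0], pinned)
		},
	}
}

func main() {
	genuine := selfSignedDER("bank.example")  // the certificate the client pinned earlier
	impostor := selfSignedDER("bank.example") // same name, different key: what an evil twin would present
	cfg := PinnedTLSConfig("bank.example", Fingerprint(genuine))
	fmt.Println("genuine :", cfg.VerifyPeerCertificate([][]byte{genuine}, nil))
	fmt.Println("impostor:", cfg.VerifyPeerCertificate([][]byte{impostor}, nil))
}
```

The impostor certificate carries the same name as the genuine one, so a check on the name alone would pass; only the fingerprint comparison tells them apart. Pinning the whole certificate, as here, means the pin must be updated whenever the server's certificate is renewed; pinning the public key instead survives renewals that keep the same key.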

A MITM attack could also involve distributing malware that gives the attacker access to a user's Web browser and the data it sends and receives during transactions and conversations. Once the attacker has control, he can redirect users to a fake site that looks like the site the user is expecting to reach. Online banking and e-commerce sites are frequently the target of MITM attacks because they let the attacker capture login credentials and other sensitive data.

Don Burns found this clear illustration of a MITM attack:

There are 3 characters in this story: Mike, Rob, and Alex. Mike wants to communicate with Rob. Meanwhile, Alex (the attacker) intercepts the conversation to eavesdrop and carry on a false conversation with Rob on behalf of Mike. First, Mike asks Rob for his public key. If Rob provides his key to Mike, Alex intercepts it, and this is how the "man-in-the-middle attack" begins. Alex then sends a forged message to Mike that claims to be from Rob but includes Alex's public key. Mike easily believes that the received key belongs to Rob, when actually that's not true. Mike innocently encrypts his message with Alex's key and sends the converted message back to Rob.

In another common MITM attack, the attacker uses a Wi-Fi router to intercept users' communication. This can be done by compromising a router with malicious software so that it intercepts users' sessions passing through it. Here, the attacker first configures his laptop as a Wi-Fi hotspot, choosing a name commonly used in a public area such as an airport or coffee shop. Once a user connects through that malicious router to websites such as online banking or e-commerce sites, the attacker logs the user's credentials for later use.

An attacker can also exploit vulnerabilities in a wireless router's security configuration caused by weak or default passwords. For example, a malicious router, also called an evil twin, can be set up in a public place like a café or hotel to intercept information traveling through it. Other ways that attackers often carry out man-in-the-middle attacks include Address Resolution Protocol (ARP) spoofing, Domain Name System (DNS) spoofing, Spanning Tree Protocol (STP) mangling, port stealing, Dynamic Host Configuration Protocol (DHCP) spoofing, traffic tunneling and route mangling. When we need to pass information along to someone, different things help us verify with whom we're speaking. To verify the identity, you can follow some of these precautions:

Image courtesy of Sarah at Flickr.com
SSL creates this virtual trust and establishes secure communication between devices. The idea behind SSL is to protect the communication between sender and receiver in order to prevent eavesdropping. To achieve this, each party must be able to validate that the remote party to which it is connected is the intended one. After this validation, the parties create a key that is used to encrypt all data between them for the session.

Web and non-web applications use certificate validation to establish trust. Unfortunately, some applications skip validation and end up as easy targets for MITM attacks. The primary reason validation is skipped is that the host does not have a certificate signed by a trusted CA. The user's credentials for the service (the password shared with it) are typically used to authenticate the user, but they can also be used to validate the service. We can use the certificate to create a fingerprint, package it together with a random number and a fixed magic number, and encrypt this package with the user's password. The encrypted file is sent to the server, which uses the stored password to decrypt it, validates the magic number and checks the fingerprint against its own certificate. If the fingerprint matches, the server increments the random number and sends it to the client along with the peer certificate's fingerprint.
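The exchange described above, worked through in Go as an added example (not code from the post): the client packages the fingerprint of the certificate it was shown together with a random counter and a fixed magic number, encrypts the package under a key derived from the user's password, and the server decrypts with the stored password, checks the magic number and the fingerprint against its own certificate, and replies with the counter incremented plus the peer certificate's fingerprint. The magic value, the key derivation (PBKDF2-HMAC-SHA256), the choice of AES-GCM as the cipher and the sealing of the reply under the same key are this example's choices, not stated in the text; the certificate bytes are constructed stand-ins for DER.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"errors"
	"fmt"
)

var magic = []byte{0xC0, 0xDE, 0x51, 0x61} // fixed marker checked after decryption (constructed value)
const saltLen, kdfIters = 16, 100_000

// certFingerprint is the SHA-256 of a DER-encoded certificate.
func certFingerprint(der []byte) []byte {
	sum := sha256.Sum256(der)
	return sum[:]
}

// deriveKey is PBKDF2-HMAC-SHA256 (RFC 8018), one 32-byte block, written out so only the standard library is needed.
func deriveKey(password string, salt []byte) []byte {
	mac := hmac.New(sha256.New, []byte(password))
	mac.Write(append(append([]byte{}, salt...), 0, 0, 0, 1)) // salt || INT(1), copied so salt's backing array is untouched
	u := mac.Sum(nil)
	out := append([]byte(nil), u...)
	for i := 1; i < kdfIters; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		subtle.XORBytes(out, out, u)
	}
	return out
}

// gcmFor, seal and open wrap AES-256-GCM; the random nonce is prefixed to the ciphertext.
func gcmFor(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

func seal(key, plain []byte) []byte {
	gcm := gcmFor(key)
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce)
	return gcm.Seal(nonce, nonce, plain, nil)
}

func open(key, msg []byte) ([]byte, error) {
	gcm := gcmFor(key)
	if len(msg) < gcm.NonceSize() {
		return nil, errors.New("message too short")
	}
	return gcm.Open(nil, msg[:gcm.NonceSize()], msg[gcm.NonceSize():], nil)
}

// ClientPackage returns salt || seal(magic || random counter || fingerprint of the certificate the client saw).
func ClientPackage(password string, seenCertDER []byte) (wire []byte, counter uint64) {
	salt := make([]byte, saltLen)
	rand.Read(salt)
	var ctr [8]byte
	rand.Read(ctr[:])
	counter = binary.BigEndian.Uint64(ctr[:])
	plain := append(append(append([]byte{}, magic...), ctr[:]...), certFingerprint(seenCertDER)...)
	return append(salt, seal(deriveKey(password, salt), plain)...), counter
}

// ServerVerify decrypts with the stored password, checks the magic number and compares the client's
// fingerprint with the server's own certificate; a mismatch means the client was shown a different one.
// The reply (counter+1 || peer certificate fingerprint) is sealed under the same key: this example's assumption.
func ServerVerify(password string, ownCertDER, peerCertDER, wire []byte) ([]byte, error) {
	if len(wire) < saltLen {
		return nil, errors.New("package too short")
	}
	key := deriveKey(password, wire[:saltLen])
	plain, err := open(key, wire[saltLen:])
	if err != nil {
		return nil, fmt.Errorf("decrypt failed (wrong password or tampered package): %w", err)
	}
	if len(plain) != 4+8+32 || subtle.ConstantTimeCompare(plain[:4], magic) != 1 {
		return nil, errors.New("bad magic number")
	}
	if subtle.ConstantTimeCompare(plain[12:], certFingerprint(ownCertDER)) != 1 {
		return nil, errors.New("fingerprint mismatch: client saw a different certificate")
	}
	var next [8]byte
	binary.BigEndian.PutUint64(next[:], binary.BigEndian.Uint64(plain[4:12])+1)
	return seal(key, append(next[:], certFingerprint(peerCertDER)...)), nil
}

func main() {
	server := []byte("constructed stand-in for the server certificate DER")
	wire, _ := ClientPackage("user-password", server)
	_, err := ServerVerify("user-password", server, []byte("constructed client cert DER"), wire)
	fmt.Println("genuine certificate accepted:", err == nil)
}
```

The fingerprint mismatch branch is where an interposed attacker is caught: a client that was shown the attacker's certificate sends a fingerprint the real server does not recognise, and the server refuses. Using an authenticated cipher means a wrong password or a tampered package is also rejected rather than decrypting to garbage that happens to pass. Note that the scheme as the text describes it requires the server to hold the password itself rather than a hash of it; that is a property of the design, not of this example.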
