Showing posts with label SSL. Show all posts

Saturday, July 23, 2016

Beware the man in the middle attack

Image courtesy of Charis Tsevis at Flickr.com
A man-in-the-middle attack (MITMA) is an attack where an attacker gets between the sender and receiver of information and sniffs any information being sent. In some cases, users may be sending unencrypted data, which means the man-in-the-middle (MITM) can obtain any unencrypted information. The attacker secretly intercepts and relays messages between two parties who believe they are communicating directly with each other. The attack is a type of eavesdropping in which the entire conversation is controlled by the attacker. Sometimes referred to as a session hijacking attack, MITM has a strong chance of success when the attacker can impersonate each party to the satisfaction of the other. A man-in-the-middle attack is also known as a bucket brigade attack, or sometimes a Janus attack in cryptography.

One way that an attacker can pull off a MITM attack in a place where public Wi-Fi is available is to create a fake Wi-Fi hotspot, which uplinks to the public place's Wi-Fi. Then, the attacker can use a tool to intercept SSL connections. To protect against a MITM attack, the client should check the server's certificate. This can be done by way of certificate pinning.

A MITM attack could involve distributing malware that provides the attacker with access to a user’s Web browser and the data it sends and receives during transactions and conversations. Once the attacker has control, he can redirect users to a fake site that looks like the site the user is expecting to reach. Online banking and e-commerce sites are frequently the target of MITM attacks so that the attacker can capture login credentials and other sensitive data.

Don Burns found this clear illustration of a MITM attack:

There are 3 characters in this story: Mike, Rob, and Alex. Mike wants to communicate with Rob. Meanwhile, Alex (attacker) inhibits the conversation to eavesdrop and carry on a false conversation with Rob, on behalf of Mike. First, Mike asks Rob for his public key. If Rob provides his key to Mike, Alex intercepts, and this is how the “man-in-the-middle attack” begins. Alex then sends a forged message to Mike that claims to be from Rob, but including Alex’s public key. Mike easily believes that the received key does belong to Rob, when actually that’s not true. Mike innocently encrypts his message with Alex’s key and sends the converted message back to Rob.

In another common MITM attack, the attacker uses a Wi-Fi router to intercept the user’s communication. This technique can be carried out by exploiting a router with malicious programs to intercept the user’s sessions on the router. Here, the attacker first configures his laptop as a Wi-Fi hotspot, choosing a name commonly used in a public area, such as an airport or coffee shop. Once a user connects to that malicious router to reach websites such as online banking sites or commerce sites, the attacker then logs the user’s credentials for later use.

An attacker can also exploit vulnerabilities in a wireless router’s security configuration caused by weak or default passwords. For example, a malicious router, also called an evil twin, can be set up in a public place like a café or hotel to intercept information traveling through the router. Other ways that attackers often carry out man-in-the-middle attacks include Address Resolution Protocol (ARP) spoofing, domain name system (DNS) spoofing, Spanning Tree Protocol (STP) mangling, port stealing, Dynamic Host Configuration Protocol (DHCP) spoofing, traffic tunneling and route mangling.

When we need to pass information along to someone, different things help us verify with whom we’re speaking. To verify the identity, you can follow some of these precautions:

Image courtesy of Sarah at Flickr.com
SSL creates this virtual trust and establishes secure communication between devices. The idea behind SSL is to protect the communication between the sender and receiver in order to prevent eavesdropping. To achieve this, the parties must be able to validate that the remote party to which they are connected is the intended party. After this validation, the parties create a key that’s used to encrypt all data between them for the session.

Web and non-web applications use certificate validation to establish trust. Unfortunately, some applications skip validation and end up as easy targets for MITM attacks. The primary reason validation is skipped is that the host does not have a signed certificate from a trusted CA. These service credentials are typically used to authenticate the user but could also be used to validate the service. We can use the certificate to create a fingerprint and package this along with both a random and fixed magic number and then encrypt this package with the user’s password. The encrypted file is sent to the server, which can use the stored password to decrypt the file, validate the magic number and check the fingerprint against its certificate. If the fingerprint matches, the server increments the random number and sends that to the client along with the peer certificate’s fingerprint.
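The fingerprint exchange described above, sketched as an added example (not code from the original post), showing how a relayed package exposes a man-in-the-middle who presented his own certificate. Assumptions: SHA-256 over the DER certificate as the fingerprint, PBKDF2 for the password-derived keys, an HMAC-based stand-in cipher where real code would use an AEAD such as AES-GCM, a reply sealed under the same password, and hypothetical function names and magic value.

```python
import hashlib, hmac, os

MAGIC = b"FPCHECK1"  # fixed magic number (constructed value, 8 bytes)

def fingerprint(cert_der):
    return hashlib.sha256(cert_der).digest()

def _keys(password, salt):
    k = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000, dklen=64)
    return k[:32], k[32:]  # (encryption key, MAC key)

def _xor_stream(key, data):
    # Stand-in cipher (HMAC-SHA256 counter keystream); use an AEAD in real code.
    ks = b"".join(hmac.new(key, i.to_bytes(4, "big"), hashlib.sha256).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def seal(password, plaintext):
    salt = os.urandom(16)  # fresh salt, so fresh keys, for every message
    enc, mac = _keys(password, salt)
    ct = _xor_stream(enc, plaintext)
    return salt + ct + hmac.new(mac, salt + ct, hashlib.sha256).digest()

def unseal(password, blob):
    salt, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    enc, mac = _keys(password, salt)
    if not hmac.compare_digest(tag, hmac.new(mac, salt + ct, hashlib.sha256).digest()):
        raise ValueError("wrong password or tampered package")
    return _xor_stream(enc, ct)

def client_request(password, seen_cert_der):
    """Client: seal magic + random number + fingerprint of the cert it was shown."""
    nonce = int.from_bytes(os.urandom(8), "big") >> 1  # leaves room for the +1
    body = MAGIC + nonce.to_bytes(8, "big") + fingerprint(seen_cert_der)
    return nonce, seal(password, body)

def server_respond(stored_password, own_cert_der, package):
    """Server: decrypt, validate magic, compare fingerprint with its own cert."""
    body = unseal(stored_password, package)
    if body[:8] != MAGIC:
        raise ValueError("bad magic number")
    if not hmac.compare_digest(body[16:48], fingerprint(own_cert_der)):
        raise ValueError("client saw a different certificate: possible MITM")
    reply = (int.from_bytes(body[8:16], "big") + 1).to_bytes(8, "big")
    return seal(stored_password, reply + fingerprint(own_cert_der))

def client_verify(password, nonce, seen_cert_der, response):
    """Client: accept only the incremented number plus the matching fingerprint."""
    body = unseal(password, response)  # already authenticated by the MAC
    return body == (nonce + 1).to_bytes(8, "big") + fingerprint(seen_cert_der)
```

Because the package contains a known magic number, anyone who captures it can test password guesses offline, so the check is only as strong as the password and the key-derivation cost.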

Thursday, January 28, 2016

Complex Security Problems Solved by Technology Experts

For decades, Secure Sockets Layer (SSL) has been the primary means of data protection across the Internet. SSL is still one of the main ways data is encrypted and, in most cases, it generally works as it should. However, when problems arise, it may be more difficult to troubleshoot. Users may have issues in trying to verify the SSL certificate, receive error messages, or experience time-outs.

Encryption is extremely important to business and government agencies that require a high level of data security. In the last decade, more companies and agencies have integrated the use of smartphones into their operations, increasing the need for more sophisticated technology to keep their data safe.

Mobile devices present unique challenges for corporations. Their portability inevitably increases the risk of loss, damage and theft. If any of these occur, it can spell disaster for your business. On company-issued devices, it may be easier to monitor installed applications and security settings. However, for employees who use their personal device to access company email or to collaborate on projects, a lack of authoritative security is a real concern. Initially, it is cost-effective to allow employees to use their personal devices for work purposes. However, if this approach is taken, security needs to be a top priority.

Email Encryption

Email is arguably one of the most vulnerable applications in general, and emails accessed from a mobile device may be even more at risk. Businesses need to be extremely vigilant about the possibility of proprietary information landing in the wrong hands. Software companies have long realized the need for better cell phone encryption and have developed some excellent tools to protect your data.

Sophos Ltd. has developed a line of security software products designed to help businesses in developing a secure ecosystem. Sophos Mobile Control is designed to make the process of securing business applications easier to implement from behind the scenes.

Mobile Email Management (MEM) is a way to manage user access to business emails while maintaining a higher level of monitoring than standard email applications are able to offer. MEM is able to deploy your requested security protocol over the air and acts as an added layer of security for gateway access. Mobile Email Management is also extremely valuable for controlling data after an employee leaves a company. Once employees move on, they are not able to take corporate emails with them. This feature alone could help businesses to avoid costly and potentially damaging data leaks.

Smartphone Device Security

Mobile Device Management (MDM) allows administrators to implement over-the-air security protocols. MDM is able to encrypt data on iPhones, iPads, Android, and Windows devices, and there is virtually no device that cannot be configured. The use of the MDM technology ensures a higher level of encryption that surpasses the current security of these devices out of the box. Once MDM is in place, it makes it considerably more difficult for users to sidestep pre-defined security protocols and lessens the risk of data breaches.

Android devices present more vulnerabilities than iOS and Windows devices due to their open API policies. Sophos provides exclusive anti-virus safeguards for Android devices to effectively reduce the risk of catastrophic data loss. In addition to the aforementioned benefits of MEM, the Android-specific Mobile Control integration also detects malware and other outside vulnerabilities that could compromise these devices. All new apps are automatically scanned, infected devices are isolated and websites that are known to be harmful are automatically restricted.

Secure Network Compliance

With the many types of mobile devices accessing company networks at once, maintaining a secure way to access the network is a high priority. Sophos’ Mobile Control provides a way to continuously monitor the devices that connect to your network and polls for common vulnerabilities like jailbroken or hacked devices, unauthorized apps, and vulnerable mobile settings. Depending on these settings, a user may be restricted from accessing your company’s secure VPN or Wi-Fi.

The beauty of the software and technology solutions offered by Sophos is that they are all designed to work together to create a cohesive and seamless experience for IT departments and end users. The result is a solution that works as it's intended without the hassle of forcing applications to play nice with each other and users experiencing frustration when they do not.


Encryption solutions are important for companies of any size, but are especially beneficial for larger businesses that are required to keep tabs on hundreds or even thousands of devices. Having a strong team of IT professionals dedicated to protecting corporate information is critical, and making good use of available software solutions can only enhance protocols that are already in place. The peace of mind provided by having proper mobile data security solutions cannot be stressed enough.