Sergey Nivens - Fotolia
One thing that's interesting about network security is how old attacks are recycled as technology changes. This is what's happening with man-in-the-middle (MiTM) attacks. The goal of these attacks is simple: Place an attacker in the middle of a wired or wireless connection. As networking technology continues to grow and change with cloud computing, the Internet of Things (IoT) and bring your own technology (BYOT), attackers are finding ways to make these attacks current again. Here are a few takes on MiTM attacks that every network professional should be aware of.
Cloud computing has become increasingly popular over the last few years, and one common cloud service that more and more companies are using is cloud-based storage. These cloud services offer an easy way to transfer and store large amounts of data. Players in this market include Dropbox, OneDrive and Google Drive, among others. Typically, these services won't require you to log in each time you use the service because many of these services save a session token on your local system after authentication. MiTC exploits session management. If an attacker can access the token, they would have full access to the account. The attacker may steal your data, alter your files, or upload malware and wait for you to access it in order to infect your computer.
When was the last time you wrote a check? My point is that most people rely on online banking. MiTB attacks occur when the attacker tricks the user into downloading a Trojan. Once installed, the Trojan waits for you to visit a specific financial or banking site. If the victim visits any targeted sites, the malware injects HTML code into the original page, which may trick the user into providing an SSN, an ATM PIN or bank routing code. Since MiTB integrates itself directly into the webpage, it has the look and feel of "the real" site and maintains the original domain name and Secure Sockets Layer settings.
Attackers are not just focused on desktops and laptops. Many users perform more financial transactions on their smartphones than laptops or desktops. This is why MiTMO is a growing concern. These attacks are focused on mobile transaction authentication numbers (mTANs) and various types of transaction authentication codes. This category of MiTM attack intercepts SMS traffic and captures these codes and then forwards them to attackers. MiTMO presents a real challenge for out-of-band-authentication systems.
If you are like me and remember life before smartphones, you probably have some idea of the huge amount of physical devices that smartphone apps have replaced. MiTA is possible if an application does not perform proper certificate validation. MiTA allows an attacker to insert a self-signed certificate and start communicating with the application. It works by exploiting the means by which the applications handle trust, expanding on the model of MiTM attacks.
As more and more consumers and organizations start to adopt IoT, MiTM attacks are going to become a much bigger concern. One type of MiT-IoT that has already been seen exploits transitive trust and poor validation of certificates. As an example, IoT refrigerators that display a user's Google calendar were found to not validate SSL certificates. The result would be that an attacker could mount a MiTM attack and steal the user's Google credentials.
While each of these attacks presents challenges to network security professionals, there are things that can be done to mitigate such attacks. These include:
- Hardening the network infrastructure by implementing controls, such as dynamic ARP inspection and DHCP snooping.
- Implementing transport encryption: SSL and TLS make it harder for attackers to use and analyze network traffic. Companies such as Google now give higher SEO to sites that offer HTTPS by default over sites that don't.
- Using cloud access security brokers (CASBs): CASBs can offer a range of capabilities, such as encryption, access control, anomaly protection and data loss prevention.
- Building runtime application self-protection (RASP): A concept that is built into applications and designed to execute at runtime to prevent attacks in real time.
- Discontinuing self-signed certificates: Self-signed certificates offer little trust and can be easily faked. There is no mechanism in place for revocation. Using certificates from a valid certificate authority allows the user to prove the certificate is valid and from whom we believe it is.
- Enforcing SSL pinning: This is another technique that offers extra protection against MiTM attacks. Using valid certificates from a certificate authority is a start, but this only verifies that the server's certificate has a verifiable chain of trust back to a trusted -- root -- certificate, and that it matches the requested hostname. SSL pinning verifies that the client checks the server's certificate against a known copy of that certificate.
- Installing database activity monitoring (DAM): DAM monitors database activity and can detect tampering.
MiTM attacks are a real concern, as they exploit the trust between users and the services to which they are connected. They are dangerous, as the victim believes there is a secure connection and that transitive trust exists. Only when we start to realize the true danger of these attacks and spend more time building in the proper controls -- among them encryption, proper validation, strong application controls and systems to detect tampering -- can MiTM attacks be defeated.
Reducing storage man-in-the-middle attacks
Attacking one-time password token authentication